Foot-printing your environment is the first step to identifying ways in which intruders can penetrate your network. Thankfully, we offer a free utility that helps with precisely this task! In this Snip, Anthony Howell shows you how to use WhatsUp PortScanner to scan a host machine for open ports, then he'll show you how to harden your system using the host's firewall.
Big thanks to TechSnips for the video. TechSnips is a new (and totally free) IT career development platform that offers video how-to's on dozens of IT technologies and techniques. Adam Bertram and company have covered tons of technologies, like cloud computing, programming, system administration, and a whole lot more. Check it out!
Full Transcript
Let's check out the WhatsUp Port Scanner. This is a free piece of software that Ipswitch puts out. So the scenario today is that we've got a server on the network. It's a new environment— we don't know what this server is or what it does, but we have an IP address. So I want to put the IP address into the targets textbox here and over here on the right we have the type of scan that we want to do, so the first thing we'll do is a discovery scan. And it's gonna come back and see that—okay we’ve got the host name here so whoever named this server was obviously a Lord of the Rings fan—so let's see what's going on with the server.
So we've got a couple of different types of scans, UDP scans are kind of sketchy in the results they return so we're not going to get into that, we're just gonna do a TCP scan here. And for the ports, you can either type in all the ports you want here or they've got a couple of presets here. I'm gonna stick with the well-known ports, just for simplicity, and so you can see that they fill in a whole bunch of common ports here. Then we're just going to click on the scan button, and that's gonna give us a list of all the open ports all the closed ports and then a couple other options as well.
And so if we hit the plus sign here next to this host we can see it looks like they had quite a bit going on the server. It's a bit of FTP, an email server, a web server, DNS server, all on the same server and of course remote desktop 3389 there. So let's say let's get remoted into that server, assuming we know the password, which we do because I planned ahead.
So on this server, I’ve got server manager pulled up. This is the server we just scanned the ports on. So let's say we want to start shutting those ports down. We don't want them to be accessible. So the first thing you wanna check is the firewall, so I'm gonna type in firewall into the the Start Menu here and bring up the Windows Firewall.
Oh shocker! The firewall’s turned off! This person was lazy. So let’s turn that firewall back on. So if we click on the turn Windows Firewall on or off and then just select the turn fire wall on, and then hit ok and now if we go back to our Port Scanner… So let's see how many of these ports are now going to be open. We went from nine open to seven. So it looks like a few of them are actually allowed through the firewall. So that's kind of interesting.
So let's fix a couple of these here. Let's check out the FTP and SMTP as well as our webserver ports. So 80 and 443. So let's switch back over to the server here, the other application we have from managing the Windows Firewall is the Windows Firewall with advanced security. So this is where we can take a look at all the rules that are in the firewall currently. So specifically we care about inbound rules.
So the first we'll look for is the SMTP— There we go, so Simple Mail Transfer Protocol. So we can see that there is actually a rule here set to enable it. So we can see over here in the local port column we can see port 25. So I'm going to right click on this and I'm going to disable it. And then if we swing back over to our Port Scanner we see 25 is listed there. We're gonna scan that again and now we went from 7 open ports down to 6.
Ok so that's a good start and so we're assuming that these ports aren't being used. And of course if they're you don't really close them down. But back over to the server, and bring up FTP Server Traffic In, so we got port 21 over here in the local ports. I'm going to disable that one as well. We don't need people using FTP on the server. And let's see if we can get to the web server as well. Here we go world wide web services traffic in HTTP. So we got port 80. You can see port 80 in the local port as well as port 443. Anyway disable both of these and then let's swing back over and rescan with our WhatsUp Port Scanner.
We went from six and now we're down to three. And let's see 3389 we're using at the endpoint mapper port 135 there. And in case you're wondering, no I don't have all these ports memorized I just know how to look them up. And then port 53 there is DNS server so we're gonna assume that that DNS server is what we want running on this server. So that's just a quick introduction to using the WhatsUp Port Scanner a free piece of software and then of course how to close up some of those holes in your firewall.