As part of our firewall reimplementation, I have been struggling with understanding the exact port needs of the services on our hosts. Previously, I discussed a procedure for discovering all network shares being served by the servers you manage:
http://www.uvm.edu/~jgm/wordpress/?p=96
Today, I used this procedure as a jumping-off point for discovering all servers using high-order RPC ports and the RPC Endpoint Mapper. I followed the procedure above to discover all available hosts in a subnet. Next we use the excellent Sysinternals tool "PsExec" to run "netstat" on each host in that list and collect the output. Here is the command (typed at a cmd prompt; inside a batch file the loop variable would be written %%c):
for /f %c in (availablehosts.txt) do echo %c >> epmsys2.txt && psexec.exe \\%c -e netstat -ano | find ":135 " >> epmsys2.txt
Taking it apart…
- Start a "for" loop over each server listed in the "available hosts" file.
- Begin each pass through the loop by "echoing" the host name, appending it to the capture file so the netstat lines that follow can be attributed to that host.
- Next, use PsExec to execute "netstat -ano" on the host (-a: all sockets, -n: numeric addresses, -o: owning process ID). Use "-e" so PsExec does not load the account's user profile on the target, which reduces the work done on the remote host.
- Pipe the netstat output through "find" to keep only the lines for port 135 (the DCE RPC Endpoint Mapper). Matching the string ":135 " (colon and trailing space) rather than a bare "135" avoids also catching port 1350 or a PID that happens to contain 135.
- Append the psexec/netstat output to the same capture file.
I ran this command two times… once for TCP port 135, and then again for TCP port 6150 (which is the first "high-order" RPC port available on our servers). The result is a file whose content looks like this:
WINUPDATE.campus.ad.uvm.edu
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 692
printers.campus.ad.uvm.edu
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 692
TCP 132.198.102.14:135 132.198.92.189:2917 TIME_WAIT 0
TCP 132.198.102.14:135 132.198.92.189:2918 TIME_WAIT 0
TCP 132.198.102.14:135 132.198.92.189:2919 TIME_WAIT 0
TCP 132.198.102.14:135 132.198.92.189:2920 TIME_WAIT 0
Every server listens on the EPM port, but only a few have connections to it; those are the hosts that are actually using the service. Keep in mind that netstat is a snapshot: ESTABLISHED entries are connections open at that instant, and TIME_WAIT entries are connections that closed within the last few minutes, so a host that only talks to the EPM occasionally can show nothing, and the sweep is worth repeating at different times of day. As we expected, the Domain Controllers have many active EPM connections. What I did not expect is that the print server is also very busy… I wonder why?
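To turn the capture file into a per-host summary instead of eyeballing it, here is an added example in Python (my own code, not from the original post). It parses the hostname-then-netstat-lines format the one-liner above writes, matches the local port exactly rather than by substring, and separates the listener from ESTABLISHED and TIME_WAIT connections. The sample capture is constructed to mirror the output shown; the DC1 host and the extra 1350 / 2135 lines are assumptions added to show what a bare "135" substring filter would wrongly keep.

```python
"""Summarize RPC Endpoint Mapper (TCP 135) usage per host from a capture file
produced by looping PsExec + netstat -ano over a host list (added example)."""
import re
from collections import defaultdict

EPM_PORT = 135

# Constructed sample capture (not real data). Format assumed: a bare hostname
# line, then the netstat lines that passed the filter for that host.
SAMPLE_CAPTURE = """\
WINUPDATE.campus.ad.uvm.edu
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 692
printers.campus.ad.uvm.edu
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 692
TCP 132.198.102.14:135 132.198.92.189:2917 TIME_WAIT 0
TCP 132.198.102.14:135 132.198.92.189:2918 TIME_WAIT 0
TCP 132.198.102.14:135 132.198.92.189:2919 ESTABLISHED 692
TCP 132.198.102.14:1350 132.198.92.189:2920 ESTABLISHED 1200
TCP 132.198.102.14:49160 132.198.92.189:2135 ESTABLISHED 1200
DC1.campus.ad.uvm.edu
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 700
TCP 132.198.102.20:135 132.198.92.10:4001 ESTABLISHED 700
TCP 132.198.102.20:135 132.198.92.11:4002 ESTABLISHED 700
"""

_SOCKET_LINE = re.compile(r"^(TCP|UDP)\s+", re.IGNORECASE)


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles IPv6 '[::]:135' and '*:*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_capture(text):
    """Return {hostname: [record, ...]}, one record per netstat -ano line.
    Any non-empty line that does not start with TCP/UDP is a hostname line."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not _SOCKET_LINE.match(line):
            current = line
            hosts.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("socket line before any hostname line: %r" % line)
        fields = line.split()
        proto = fields[0].upper()
        local_addr, local_port = split_endpoint(fields[1])
        remote_addr, remote_port = split_endpoint(fields[2])
        if proto == "TCP":      # TCP: proto local remote state pid
            state, pid = fields[3], fields[4]
        else:                   # UDP: proto local remote pid (no state column)
            state, pid = None, fields[3]
        hosts[current].append({
            "proto": proto, "local_addr": local_addr, "local_port": local_port,
            "remote_addr": remote_addr, "remote_port": remote_port,
            "state": state, "pid": int(pid),
        })
    return hosts


def summarize_port(hosts, port=EPM_PORT):
    """Per host: is `port` listening, and which connections have it as the
    *local* port (exact match, so 1350 or a remote port 2135 do not count)."""
    summary = {}
    for host, records in hosts.items():
        on_port = [r for r in records if r["proto"] == "TCP" and r["local_port"] == port]
        states = defaultdict(int)
        for r in on_port:
            states[r["state"]] += 1
        peers = sorted({r["remote_addr"] for r in on_port if r["state"] != "LISTENING"})
        summary[host] = {
            "listening": states["LISTENING"] > 0,
            "established": states["ESTABLISHED"],
            # TIME_WAIT only proves a connection closed recently; it is counted
            # separately so a snapshot with no live connection is not misread.
            "time_wait": states["TIME_WAIT"],
            "peers": peers,
            "listener_pids": sorted({r["pid"] for r in on_port if r["state"] == "LISTENING"}),
            "in_use": len(peers) > 0,   # anything beyond the bare listener
        }
    return summary


def naive_vs_exact(text, port=EPM_PORT):
    """Compare a `find "135"` substring filter with an exact local-port match.
    Returns (substring_hits, exact_hits) over the socket lines in `text`."""
    socket_lines = [l.strip() for l in text.splitlines() if _SOCKET_LINE.match(l.strip())]
    substring_hits = sum(1 for l in socket_lines if str(port) in l)
    exact_hits = sum(1 for l in socket_lines if split_endpoint(l.split()[1])[1] == port)
    return substring_hits, exact_hits


def report(text, port=EPM_PORT):
    """One line per host: ACTIVE (has peers), idle (listener only), or not listening."""
    lines = []
    for host, s in summarize_port(parse_capture(text), port).items():
        status = "ACTIVE" if s["in_use"] else ("idle" if s["listening"] else "not listening")
        lines.append("%-30s %-13s est=%d time_wait=%d peers=%s" % (
            host, status, s["established"], s["time_wait"], ",".join(s["peers"]) or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
    print("substring vs exact hits:", naive_vs_exact(SAMPLE_CAPTURE))
```

Run it against the real epmsys2.txt by reading the file into `report()`; the same parser works for the second sweep on port 6150 by passing `port=6150`. On the constructed sample the substring filter keeps 10 lines where only 8 actually have local port 135.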