Quickly Find Remote Open Ports
If you want to see all the used and listening ports on a remote computer use the PORTQRY.EXE command, which is available on any Windows 2000, XP or Windows Server 2003 computer.
PORTQRY.EXE reports the status of a TCP/IP port in one of the following three ways:
Listening – A process is listening on the port on the computer that you selected. PORTQRY.EXE received a response from the port.
Not Listening – No process is listening on the target port on the target system. PORTQRY.EXE received an Internet Control Message Protocol (ICMP) "Destination Unreachable – Port Unreachable" message back from the target UDP port. Or if the target port is a TCP port, Portqry received a TCP acknowledgement packet with the Reset flag set.
Filtered – The port on the computer that you selected is being filtered. PORTQRY.EXE did not receive a response from the port. A process may or may not be listening on the port. By default, TCP ports are queried three times, and UDP ports are queried one time before a report indicates that the port is filtered.
PORTQRY.EXE can query a single port, an ordered list of ports, or a sequential range of ports.
Also, PORTQRY.EXE displays "extended information" that is returned from some ports. PORTQRY.EXE looks for "extended information" on ports where SMTP, POP3, IMAP4, and FTP services listen.
An example is SMTP. By default, SMTP listens on TCP port 25. When PORTQRY.EXE finds that TCP port 25 on a target computer is LISTENING, it returns any "extended" information that the answering service provides.
Scanning one port
C:'WINDOWS>portqry -n petri.com -p tcp -e 80 Querying target system called: petri.com Attempting to resolve name to IP address... Name resolved to 18.104.22.168 TCP port 80 (http service): LISTENING
Scanning a range of ports
You can also query a range of ports:
portqry -n server1.dpetri.net -p tcp -r 21:143
The above command will scan server1 for any open port in the range of 21 to 143.
Note: This is NOT a quick operation, and scanning a whole range of ports in this manner will take a considerable amount of time. Microsoft makes it clear that this tool is not a "security verification tool," but rather it is a troubleshooting tool, much like Ping, Traceroute, and other built-in Windows network utilities.
Performing LDAP queries
Portqry is also capable of querying an LDAP service. It knows how to send an LDAP query (by using UDP and TCP) and interpret an LDAP server response to the query. The response from the LDAP server is parsed, formatted and returned to the user.
You run the following command:
portqry -n server1.dpetri.net -p udp -e 389
PORTQRY.EXE automatically resolves UDP port 389 by using the systemroot’system32’drivers’etc’services file that every NT/W2K/XP/Win2003 computer has. If it resolves the port to the LDAP service, it sends an unformatted user datagram to UDP port 389 on the target computer. PORTQRY.EXE does not receive a response from the port as the LDAP service only responds to a properly-formatted LDAP query. PORTQRY.EXE does report that the port is LISTENING or FILTERED. PORTQRY.EXE then sends a properly-formatted LDAP query to UDP port 389. If it receives a response to the query, it returns the entire response to the user, and reports that the port is LISTENING. If PORTQRY.EXE does not receive a response to the query, it reports that the port is FILTERED.
UDP port 389 (unknown service): LISTENING or FILTERED Sending LDAP query to UDP port 389... LDAP query response: currentdate: 09/03/2001 05:42:40 (unadjusted GMT) subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com dsServiceName: CN=NTDS Settings,CN=myserver,CN=Servers,CN=eu,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com namingContexts: DC=redmond,DC=eu,DC=reskit,DC=com defaultNamingContext: DC=eu,DC=reskit,DC=com schemaNamingContext: CN=Schema,CN=Configuration,DC=eu,DC=reskit,DC=com configurationNamingContext: CN=Configuration,DC=eu,DC=reskit,DC=com rootDomainNamingContext: DC=eu,DC=reskit,DC=com supportedControl: 1.2.840.113522.214.171.1249 supportedLDAPVersion: 3 supportedLDAPPolicies: MaxPoolThreads highestCommittedUSN: 4259431 supportedSASLMechanisms: GSSAPI dnsHostName: myserver.eu.reskit.com ldapServiceName: eu.reskit.com:[email protected] serverName: CN=MYSERVER,CN=Servers,CN=Sites,CN=Configuration,DC=eu,DC=reskit,DC=com supportedCapabilities: 1.2.840.1135126.96.36.1990 isSynchronized: TRUE isGlobalCatalogReady: TRUE ======== End of LDAP query response ======== UDP port 389 is LISTENING
In the preceding example, port 389 is listening and from the output, you can determine which LDAP service is listening on the port and some details about its configuration. This information may also be useful in troubleshooting various problems.
How to use the utility
Here are the various switches you can pass this utility from the command line:
-n [server]—IP address or name of server to query
-p [protocol]—TCP or UDP or BOTH (default is TCP)
-e [endpoint]—single port to query (valid range: 1-65535)
-r [endpoint range]—range of ports to query (start:end)
-o [endpoint order]—range of ports to query in an order (x,y,z)
-l [logfile]—name of log file to create
-s—"slow link delay" waits longer for UDP replies from remote systems
-I—bypasses default IP address-to-name lookup; ignored unless an IP address is specified after -n
-q—"quiet" operation runs with no output