Question

MarcoBono-1103 asked:

Cannot obtain ownership information - Netstat

I looked at the other threads and cannot find the original thread that brought me here, but it basically said to share screenshots.

Reasons for concern:
I just had this computer system restored.

Still have these port issues (port 4 - Hypervisor is especially concerning)

I know many are just listening ports, but a few are established, including my lsass credential port.

Any help would be appreciated.

[Eight screenshots of the netstat output were attached: screenshot-1.png through screenshot-8.png]



Feel free to be as technical as necessary. I really want to understand this. I am studying Ethical Hacking (Mike Meyers, Udemy). The shop working on my computer first suspected I had played with permissions, which I did, again to better learn the Windows OS, but with a reset I am perplexed.

Tags: windows-api, windows-10-network, windows-10-application-compatibility

MotoX80 answered:

I'm not exactly sure what your question is, but take a look at this post.

https://social.technet.microsoft.com/Forums/en-US/b286dcc3-75b9-4cf3-aa42-5ae1c7bff09c/the-list-of-open-ports-the-process-and-the-name-of-the-service

Scroll down to the bottom and look at the PowerShell script that I modified. It shows the listeners, process names, and the service name if one exists.

As I noted, port 80 shows up as "system PID 4". On my PC that is really IIS and I wanted to see if I could find more info about the "system listeners". I found that netsh would show that info.

 netsh.exe http show servicestate view=requestq

I started hacking around to see if I could parse that output and possibly incorporate it into the ShowListeners.ps1 script. I just left it as a second script. This may show you some of the "ownership information".

This is a "work in progress" script.

 # Script: ShowSystemListeners.ps1
 # Author: MotoX80
 # Parses "netsh http show servicestate view=requestq" and, for each HTTP.sys request
 # queue, prints the registered URLs and the user-mode process (and service, if any)
 # that owns the queue. netstat reports these listeners as "System" (PID 4) because
 # HTTP.sys opens the socket in the kernel on that process's behalf.
 # Run from an elevated prompt: Get-Process -IncludeUserName needs it.
 Clear-Host
 $r  = (netsh.exe http show servicestate view=requestq) -join ""   # make it one long string
 $r  = $r -replace "    Request queue name", "============"       # drop the indented copies; we only want the top-level queue names
 $ra = $r -split "Request queue name: "                           # one array element per request queue
 $idx = 1                                                         # element 0 is the header; skip it

 # Returns the first numeric token found between two headings, or $null if the headings are absent.
 function Get-FirstPid ([string]$Text, [string]$Pattern) {
     if ($Text -match $Pattern) {
         $ids = $matches[0].Split(" ")
         return ($ids -match '^\d+$' | Select-Object -First 1)
     }
     return $null
 }

 while ($idx -lt $ra.Count) {
     $entry = $ra[$idx]

     # Most queues list their PIDs between "Process IDs:" and "URL groups:". Only the
     # first one is processed; I have not seen two PIDs on my machine.
     $p = Get-FirstPid $entry '(Process IDs:).*(URL groups:)'
     if ($null -eq $p) {
         # Some queues only name a controller process, so fall back to that heading.
         $p = Get-FirstPid $entry '(Controller process ID:).*(Process IDs:)'
     }
     if ($null -eq $p) {
         # Neither heading found; not sure what kind of entry this is. Go to the next one.
         $idx++
         continue
     }

     "======================== $idx ======================================================================="

     if ($entry -match '(Registered URLs:).*(Server session)') {
         $http = $matches[0].Split(" ")
         $http -match ':/'                  # print only the tokens that are URLs
     } else {
         "No HTTP addresses???"
     }
     ""
     "Process ID: $p"
     ""
     (Get-Process -Id $p -IncludeUserName | Format-List -Property Path, Company, Description, UserName | Out-String).Trim()
     "CommandLine : {0}" -f (Get-CimInstance Win32_Process -Filter "ProcessId=$p").CommandLine
     ""
     $s = Get-CimInstance Win32_Service -Filter "ProcessId=$p"   # the service, if one runs in that process
     if ($s) {
         (Get-Service -Name $s.Name | Format-Table -AutoSize | Out-String).Trim()
         ""
     }
     $idx++
 }
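As an added example, not MotoX80's script and not the ShowListeners.ps1 from the linked thread: the listener-side half of the same problem, done in the PowerShell the asker would actually type. It uses Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later) instead of netstat, so the owning PID comes back without the "Cannot obtain ownership information" failure that netstat -b produces from a non-elevated prompt, and then joins each socket to its process image, the account it runs under, the services hosted in that process and the Authenticode status of the image. PID 4 ("System") is flagged rather than resolved, because nothing in user mode owns those sockets directly; for the HTTP.sys ones the netsh parsing above is the way to find the registering process. The function names Get-ListenerReport and Get-OwningServiceNames are my own, and the script assumes an elevated prompt (Get-Process -IncludeUserName needs it for processes owned by other accounts).

```powershell
# Added example (not from the original post or the linked thread). Maps every TCP
# listener and established connection to its owning process, hosted services,
# user account and image signature. Assumes an elevated PowerShell on Windows 8+.
#Requires -RunAsAdministrator

function Get-OwningServiceNames {
    param([int]$ProcessId)
    # One svchost.exe can host several services; list all of them, not just the first.
    (Get-CimInstance Win32_Service -Filter "ProcessId=$ProcessId" |
        Select-Object -ExpandProperty Name) -join ', '
}

function Get-ListenerReport {
    param([string[]]$State = @('Listen', 'Established'))

    # Cache per-PID lookups so each process is queried once, not once per socket.
    $procCache = @{}

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        Sort-Object OwningProcess, LocalPort |
        ForEach-Object {
            $owner = $_.OwningProcess        # not $pid: that automatic variable is read-only
            if (-not $procCache.ContainsKey($owner)) {
                $info = [ordered]@{ Name = ''; Path = ''; User = ''; Signer = ''; Services = '' }
                if ($owner -eq 4) {
                    # Kernel-owned socket: HTTP.sys (80, 5357, ...), SMB (445) and other drivers.
                    # For HTTP.sys, "netsh http show servicestate view=requestq" names the
                    # user-mode process that registered the URL.
                    $info.Name   = 'System (kernel)'
                    $info.Signer = 'n/a (kernel)'
                } elseif ($owner -eq 0) {
                    $info.Name = 'Idle / no owner'
                } else {
                    $p = Get-Process -Id $owner -IncludeUserName -ErrorAction SilentlyContinue
                    if ($p) {
                        $info.Name = $p.ProcessName
                        $info.Path = $p.Path
                        $info.User = $p.UserName
                        if ($p.Path) {
                            # Signature status is a quick sanity check on the image, not proof of intent.
                            $sig = Get-AuthenticodeSignature -FilePath $p.Path
                            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
                            $info.Signer = '{0} ({1})' -f $sig.Status, $subject
                        }
                    } else {
                        $info.Name = '<exited or access denied>'
                    }
                    $info.Services = Get-OwningServiceNames -ProcessId $owner
                }
                $procCache[$owner] = $info
            }
            $i = $procCache[$owner]
            [pscustomobject]@{
                Local    = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote   = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State    = $_.State
                PID      = $owner
                Process  = $i.Name
                Services = $i.Services
                User     = $i.User
                Signer   = $i.Signer
                Path     = $i.Path
            }
        }
}

# Usage: the whole table first, then the subset worth reading closely: established
# connections whose peer is not the local machine, with the full image path and signer.
$report = Get-ListenerReport
$report | Format-Table -AutoSize Local, Remote, State, PID, Process, Services, User, Signer

$report |
    Where-Object { $_.State -eq 'Established' -and $_.Remote -notmatch '^(127\.|::1:|0\.0\.0\.0:)' } |
    Format-List Local, Remote, PID, Process, Path, User, Signer
```

Reading the result: a listener bound only to 127.0.0.1 or ::1 is reachable from the local machine alone, which is the first thing to check before worrying about it. For an established connection the Remote column is what matters; an lsass.exe connection on a domain-joined machine, for example, should have a domain controller as its peer, and the report lets you compare that peer against what you expect rather than guessing from the port alone.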



PauloJuliani-7623 answered: