How to use Port Query Tool (PortQry.exe) in Windows 11/10
Port Query (PortQry.exe) is a command-line utility in the Windows operating system that you can use to help troubleshoot TCP/IP connectivity issues. The tool reports the port status of TCP and UDP ports on a computer that you select. In this post, we will show you how to use the Port Query tool for network reconnaissance or forensic activity.
Port Query (PortQry.exe) tool in Windows 11/10
Windows has many tools for diagnosing problems in TCP/IP networks (ping, telnet, pathping, etc.), but not all of them let you conveniently check the status of, or scan, open network ports on a server. The PortQry.exe utility is a convenient tool for checking the response of TCP/UDP ports on hosts when diagnosing issues related to the operation of various network services and firewalls in TCP/IP networks. Most often, the Portqry utility is used as a more functional replacement for the telnet command, and unlike telnet, it also allows you to check open UDP ports.
Computer systems use TCP and UDP for most of their communication, and all versions of Windows open many ports that provide useful functionality such as file sharing and remote procedure call (RPC). However, malicious programs such as Trojan horses can use ports nefariously to open a back door for attackers into your computer system. Whether you need to troubleshoot a necessary network service or detect unwanted programs, you need to be able to understand and manage the traffic between computers on your network. A basic step toward doing so is determining which programs are listening on your computer systems’ network ports.
How to use Port Query Tool (PortQry.exe)
You can use Port Query both locally and remotely on a server. To use Portqry.exe, you will need to download the tool. Once you download PortQry.exe, extract the PortQryV2.exe archive, then open a command prompt and run the command below to go to the directory with the utility:
cd c:\PortQryV2
Alternatively, you can navigate to the folder where you downloaded the tool, press the Alt + D key combo, type CMD and hit Enter to launch a command prompt within that directory.
You can now proceed to use the tool.
Remotely use Port Query (PortQry.exe) tool
Port Query can scan remote systems, but it’s slow and unsophisticated compared with other port scanners. For example, unlike Nmap, PortQry.exe doesn’t let you perform scans that use specified packet flags (e.g., SYN, FIN).
For example, to check the availability of a DNS server from a client, you need to check whether port 53 is open on it for both TCP and UDP. The syntax of the port check command is as follows:
PortQry -n server [-p protocol] [-e || -r || -o endpoint(s)]
Where:
- -n is the name or IP address of the server whose availability you are checking;
- -e is the port number to be checked (from 1 to 65535);
- -r is the range of ports to be checked (for example, 1:80);
- -p is the protocol used for checking. It may be TCP, UDP or BOTH (TCP is used by default).
In our example, the command looks like this:
PortQry.exe -n 10.0.25.6 -p both -e 53
PortQry.exe can query a single port, an ordered list of ports, or a sequential range of ports. PortQry.exe reports the status of a TCP/IP port in one of the following three ways:
- Listening: A process is listening on the port on the computer that you selected. Portqry.exe received a response from the port.
- Not Listening: No process is listening on the target port on the target system. Portqry.exe received an Internet Control Message Protocol (ICMP) “Destination Unreachable – Port Unreachable” message back from the target UDP port. Or if the target port is a TCP port, Portqry received a TCP acknowledgment packet with the Reset flag set.
- Filtered: The port on the computer that you selected is being filtered. Portqry.exe did not receive a response from the port. A process may or may not be listening on the port. By default, TCP ports are queried three times, and UDP ports are queried one time before a report indicates that the port is filtered.
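The TCP half of the three statuses above can be reproduced with an ordinary connect call, which makes it clear what each status means on the wire. This is an added example, not PortQry's own code: the function names are assumptions, it is exercised against a loopback listener created by the script itself, and UDP is left out because it depends on reading ICMP replies.

```python
import socket

LISTENING, NOT_LISTENING, FILTERED = "LISTENING", "NOT LISTENING", "FILTERED"


def tcp_port_status(host, port, attempts=3, timeout=3.0):
    """Classify one TCP port using the three statuses described above.

    LISTENING     - the handshake completed, so a process accepted it
    NOT LISTENING - the peer answered with a reset (connection refused)
    FILTERED      - no answer at all after `attempts` tries (three for
                    TCP, matching the default stated above)
    """
    for _ in range(attempts):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return LISTENING
        except ConnectionRefusedError:
            # A reset is a definite answer: nothing is bound to the port.
            return NOT_LISTENING
        except socket.timeout:
            # Silence: a firewall may be dropping the probe, so retry.
            continue
        finally:
            sock.close()
    return FILTERED


def demo_on_loopback():
    """Constructed demo: query a local listener, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    open_status = tcp_port_status("127.0.0.1", port)
    srv.close()
    closed_status = tcp_port_status("127.0.0.1", port)
    return open_status, closed_status


if __name__ == "__main__":
    print(demo_on_loopback())
```

A FILTERED result only says that nothing came back, which is why the status list notes that a process may or may not be listening behind it.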
Locally use Port Query (PortQry.exe) tool
What PortQry lacks in remote scanning features it makes up for with its unique local-machine capabilities. To enable local mode, run PortQry with the -local switch. When -local is the only switch used, PortQry enumerates all local port usage and port-to-PID mapping. Instead of sorting the data by open port, PortQry lists it according to PID, letting you quickly see which applications have open network connections.
To watch port 80, you’d run the command below:
portqry -local -wport 80
Using PortQryUI
It’s also worth mentioning that Microsoft made available a graphical front end to PortQry, called PortQryUI.
PortQryUI includes a version of portqry.exe and some predefined services, which consist simply of groups of ports to scan.
PortQryUI contains several predefined sets of queries to check the availability of popular Microsoft services:
- Domain and trusts (checking ADDS services on an Active Directory domain controller)
- Exchange Server
- SQL Server
- Networking
- IP Sec
- Web Server
- Net Meeting
To use the PortQryUI, enter the DNS name or IP address of the remote server, select one of the predefined services (Query predefined service), or specify the port numbers for manual port check (Manually input query ports) and click the Query button.
Possible return codes in PortQryUI are highlighted in the image above:
- 0 (0x00000000) – the connection has been established successfully and the port is available.
- 1 (0x00000001) – the specified port is unavailable or filtered.
- 2 (0x00000002) – a normal return code when checking the availability of a UDP connection, since an ACK response is not returned.
Hope this helps.