netstat- Cool Tool!

I really don’t know how I missed the netstat DOS command. All you do is go to the Start menu and click Run. When the box pops up, type Command, command or cmd; it doesn’t matter, a black DOS window will open either way. Type netstat -an and read the results. You can do it with your browser open or closed; better yet, do it both ways. It shows you all the IP addresses and ports that are open and what they connect to. With the browser closed, it will look something like the following:

C:\Documents and Settings\Compaq_Owner>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING
TCP 192.168.0.101:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1100 *:*
UDP 0.0.0.0:1107 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:9370 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1099 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.101:123 *:*
UDP 192.168.0.101:137 *:*
UDP 192.168.0.101:138 *:*
UDP 192.168.0.101:1900 *:*

As previously discussed, 0.0.0.0 is a firewall bypass and port 0 is sort of a garbage port number, which means “give me any unused port to make the connection.” IP 127.0.0.1 is a local server on my machine and IP 192.168.0.101 is my machine’s IP. Now the only really weird thing at this point is that I don’t have a known server on my machine, and the local server IP does not show up in the Microsoft netstat example.

Next we can run “netstat -a” (without the “n”) in the DOS window to get names instead of numbers and find out who’s controlling the action. (Note: I wouldn’t have identified the localhost operating if I had run this command alone.)

The results will look as follows:

C:\Documents and Settings\Compaq_Owner>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP Whatever:epmap Whatever:0 LISTENING
TCP Whatever:microsoft-ds Whatever:0 LISTENING
TCP Whatever:1026 Whatever:0 LISTENING
TCP Whatever:1025 Whatever:0 LISTENING
TCP Whatever:1027 Whatever:0 LISTENING
TCP Whatever:1032 Whatever:0 LISTENING
TCP Whatever:netbios-ssn Whatever:0 LISTENING
UDP Whatever:microsoft-ds *:*
UDP Whatever:isakmp *:*
UDP Whatever:1100 *:*
UDP Whatever:1107 *:*
UDP Whatever:4500 *:*
UDP Whatever:9370 *:*
UDP Whatever:ntp *:*
UDP Whatever:1099 *:*
UDP Whatever:1900 *:*
UDP Whatever:ntp *:*
UDP Whatever:netbios-ns *:*
UDP Whatever:netbios-dgm *:*
UDP Whatever:1900 *:*

All of these requests go from anywhere on my machine (“Whatever”) through specified ports to pretty much anywhere (*:*) on any port. Less than half of these requests are identified Microsoft processes; the rest can only be identified by a tedious port-by-port search. A good place to start is http://www.grc.com/ and their free ShieldsUP! product.
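An added example, not part of the original post, that does the triage above in code instead of by hand: it parses netstat -an rows (the sample is the listing above, trimmed), labels each listener by the scope of its bind address (0.0.0.0 = every interface, 127.0.0.1 = loopback only, anything else = one specific interface) and lists the ones a remote host could reach at all. PORT_NAMES holds only the names the netstat -a listing shows; the regex and the scope labels are my own assumptions, not netstat’s.

```python
import re
from collections import namedtuple

# Sample netstat -an output, copied (and shortened) from the listing above.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:123          *:*
  UDP    192.168.0.101:137      *:*
"""

# Port names exactly as the netstat -a listing above prints them.
PORT_NAMES = {135: "epmap", 445: "microsoft-ds", 139: "netbios-ssn",
              500: "isakmp", 123: "ntp", 137: "netbios-ns", 138: "netbios-dgm"}

Socket = namedtuple("Socket", "proto addr port scope name")

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def scope_of(addr):
    """Where a listener is reachable from, judged by its bind address."""
    if addr in ("0.0.0.0", "[::]"):
        return "all-interfaces"   # answers on every interface, LAN included
    if addr.startswith("127."):
        return "loopback"         # only programs on this machine can reach it
    return "interface"            # bound to one specific interface address

def parse_netstat(text):
    """Turn netstat -an text into Socket records, keeping listeners only."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header / blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established connections, not listeners
        port = int(port)
        sockets.append(Socket(proto, addr, port, scope_of(addr), PORT_NAMES.get(port, str(port))))
    return sockets

def exposed_listeners(sockets):
    """Listeners a remote host could reach: anything not loopback-only."""
    return [s for s in sockets if s.scope != "loopback"]
```

Run it against a saved `netstat -an` capture; the exposed list is the set of ports to compare against what the router or firewall actually lets in.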

Now my machine is known to have a serious unremovable infection, and the port search shows the potential for several known Trojans and a Remote Administrative Tool (RAT), but an external port scan shows that I am protected by my hard-wired firewall and Internet router, except for one closed port which flags my machine. I’m sure if I misbehave, it won’t be much of a challenge for Carnivore to eat my firewall for lunch and actively monitor my activity. But for now, I guess I’m sort of in a state of remission with no active Trojans giving away information or planting evidence.

3 Responses to “netstat- Cool Tool!”

  1. stingwasp Says:

    Of course, there’s also nmap for Windows. Nmap comes from the Linux community, and has been ported.

  2. Simon Philips Says:

    World of Warcraft Power Leveling Guide

    Great post man, very rare you get good content nowadays, keep up the good work

  3. c2go Says:

    Great information... thanks
