Walking on water with netstat

Asphyxia
Apr 25, 2015
Jesus, my savior. Teach me the ways of Netstat (Windows, not Linux in this tutorial).

Firstly, open Command Prompt or PowerShell as an administrator.

Display all connections and listening ports, with the executable behind each one, and skip hostname lookups (much faster):
Code:
netstat -abn

You get the full list of TCP/UDP endpoints. -n is what makes it fast (no reverse DNS lookups); -b is the slow part and needs an elevated prompt, which is why the help text warns about it. One use: take a snapshot before a process is launched and another after, then compare the two for suspicious new connections or listeners.

Let's do that now:
Code:
netstat -abno > 1.txt

Now if we launch TeamSpeak's process and connect to a server, then:
Code:
netstat -abno > 2.txt

Now compare the two snapshots (fc is the Windows counterpart of diff). Expect some noise: short-lived connections come and go between runs (TIME_WAIT rows, which belong to no process and show PID 0, are the usual culprits), so look for new LISTENING entries and new foreign addresses rather than every changed line:
Code:
fc 1.txt 2.txt

Find UDP (IPv4 only; use -p udpv6 for IPv6):
Code:
netstat -an -p udp -o

Find TCP (IPv4 only; use -p tcpv6 for IPv6):
Code:
netstat -an -p tcp -o

Now here are some cool TCP tricks (the State column only exists for TCP, and findstr matches anywhere in the line):
Code:
netstat -an -p tcp -o | findstr "LISTENING"
netstat -an -p tcp -o | findstr "ESTABLISHED"
netstat -an -p tcp -o | findstr "TIME_WAIT"
netstat -an -p tcp -o | findstr "CLOSE_WAIT"

(Screenshot of the netstat output; the connection of interest is owned by PID 8664.)

Code:
tasklist /FI "pid eq 8664"

(Screenshot of the tasklist output, showing PID 8664 as chrome.exe.)

So the process behind the connection to remote port 443 is chrome.exe (Chrome is the client here, not a listener). If we look up the foreign IP address we find it belongs to Cloudflare: https://ipinfo.io/104.27.188.206
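A Python version of the snapshot-compare and PID-attribution steps above, added here as an example; it is not part of the original post. It parses `netstat -ano` text (the `[exe]` lines that `-b` adds under each row are simply skipped) and `tasklist /FO CSV /NH` text, then reports what is new and which process owns it. Both samples in the block are constructed, not captured from a real host: the PIDs, ports and process names are made up for the example.

```python
import csv
import io
import re
from collections import Counter
from typing import NamedTuple

class Entry(NamedTuple):
    """One row of `netstat -ano`; UDP rows have no State column, so state is ""."""
    proto: str
    local: str
    foreign: str
    state: str
    pid: int

# Proto, local, foreign, optional state, PID. Header lines and the "[exe]"
# lines that -b adds under each row do not match and are skipped.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append(Entry(proto, local, foreign, state or "", int(pid)))
    return rows

def new_endpoints(before, after, ignore_states=("TIME_WAIT",)):
    """What `fc 1.txt 2.txt` is really after: rows in `after` missing from
    `before`, keyed on the endpoint tuple so line order and column spacing do
    not matter. TIME_WAIT rows belong to no process (PID 0) and churn
    constantly, so they are dropped by default."""
    seen = set(before)
    return [e for e in after if e not in seen and e.state not in ignore_states]

def filter_state(entries, state):
    """`findstr "LISTENING"` done on the State column only, so the word cannot
    match inside a hostname or an executable name."""
    return [e for e in entries if e.state == state]

def tcp_state_counts(entries):
    return Counter(e.state for e in entries if e.proto == "TCP")

def parse_tasklist_csv(text):
    """PID -> image name from `tasklist /FO CSV /NH` (CSV, no header row)."""
    names = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names

def describe(entries, names):
    """One line per row with the owner resolved, like `tasklist /FI "pid eq N"`."""
    return [f"{e.proto} {e.local} -> {e.foreign} {e.state or '-'} pid {e.pid} "
            f"({names.get(e.pid, 'unknown')})" for e in entries]

# Constructed samples (not real captures; PIDs, ports and names are made up).
BASELINE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         104.27.188.206:443     ESTABLISHED     8664
  TCP    10.0.0.5:49713         104.27.188.206:443     TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2312
"""
AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         104.27.188.206:443     ESTABLISHED     8664
  TCP    10.0.0.5:49730         203.0.113.10:9987      ESTABLISHED     5120
  TCP    10.0.0.5:49731         198.51.100.7:443       TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2312
  UDP    0.0.0.0:9987           *:*                                    5120
"""
TASKLIST = """
"System Idle Process","0","Services","0","8 K"
"svchost.exe","948","Services","0","9,212 K"
"chrome.exe","8664","Console","1","120,532 K"
"ts3client_win64.exe","5120","Console","1","84,104 K"
"""

if __name__ == "__main__":
    before, after = parse_netstat(BASELINE), parse_netstat(AFTER)
    names = parse_tasklist_csv(TASKLIST)
    for line in describe(new_endpoints(before, after), names):
        print("NEW:", line)
    print("TCP states:", dict(tcp_state_counts(after)))
```

On a real host, feed it `netstat -ano > 1.txt`, `netstat -ano > 2.txt` and `tasklist /FO CSV /NH > procs.txt` instead of the embedded strings. Keying on the whole endpoint tuple instead of raw lines is what removes most of the noise fc shows, and grabbing the tasklist output at the same moment as the second snapshot matters because PIDs are reused once a process exits.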

What if we are on a developer's machine, know they use SSH, and want the FQDN of the box they connect to, e.g. dev.example.com:ssh? Without -n, ports are printed as service names from the services file, so port 22 shows up as ":ssh", and -f resolves each foreign address to a hostname. Note that -f means a reverse DNS query for every foreign address: slower, and visible on the wire to anyone watching DNS.
Code:
netstat -f | findstr ":ssh"

Want the machine's MAC addresses (e.g. for spoofing)? getmac lists them, and so does the Interface List printed at the top of netstat -r:
Code:
getmac
::or
netstat -r

Also useful for pulling out IP addresses (copy the result over here: http://software77.net/geo-ip/multi-lookup/ ). -n is the part that matters; on Windows -t does not mean "TCP only" as it does on Linux, it just adds the offload-state column:
Code:
netstat -nt

---

What does the help command show?
Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-x] [-t] [interval]

-a Displays all connections and listening ports.

-b Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions.

-e Displays Ethernet statistics. This may be combined with the -s
option.

-f Displays Fully Qualified Domain Names (FQDN) for foreign
addresses.

-n Displays addresses and port numbers in numerical form.

-o Displays the owning process ID associated with each connection.

-p proto Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-q Displays all connections, listening ports, and bound
nonlistening TCP ports. Bound nonlistening ports may or may not
be associated with an active connection.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
the -p option may be used to specify a subset of the default.

-t Displays the current connection offload state.

-x Displays NetworkDirect connections, listeners, and shared
endpoints.

-y Displays the TCP connection template for all connections.
Cannot be combined with the other options.

interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.

P.S.

One way you could utilize Netstat would be:
1. Get a free IP to country database like https://lite.ip2location.com/database/ip-country // https://software77.net/geo-ip/?DL=2 (other formats) // https://dev.maxmind.com/geoip/geoip2/geolite2/ // http://www.ip2nation.com/ip2nation/Download
2. Set up a bulk lookup against it and run any new IP addresses netstat shows through it. Traffic to countries you do not expect is only a weak signal (CDNs and cloud providers are everywhere, and 104.27.188.206 above resolves to Cloudflare, not to whoever you are actually talking to), but it is a reasonable place to point your sniffer (bloodhound nose).
3. You could also check the IP addresses against an IP blacklist / reputation service, e.g.:
https://www.virustotal.com/gui/ip-address/104.244.42.3/relations (API)
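A Python sketch of step 2, added as an example and not part of the original post: pull the Foreign Address column out of `netstat -n` output, drop everything that cannot be geolocated (wildcards, loopback, RFC 1918 and other non-global addresses, which netstat output is full of), and look the rest up in a country table, flagging anything outside a trusted set. The country table and the netstat sample below are constructed for the example; a real database such as the ones linked above is a much larger list of ranges of the same shape, and the country codes assigned here are invented.

```python
import ipaddress

# Constructed stand-in for an IP-to-country database: (network, ISO country code).
# The assignments are invented for the example; a real database has the same
# shape (ranges -> country) but millions of rows.
COUNTRY_RANGES = [
    (ipaddress.ip_network("104.16.0.0/12"), "US"),
    (ipaddress.ip_network("2606:4700::/32"), "US"),
    (ipaddress.ip_network("51.15.0.0/16"), "FR"),
    (ipaddress.ip_network("95.213.0.0/16"), "RU"),
]
UNKNOWN = "??"  # address not covered by the table

def foreign_column(netstat_text):
    """The Foreign Address column of `netstat -n` output (third field of each row)."""
    out = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in ("TCP", "UDP"):
            out.append(fields[2])
    return out

def lookup_ips(foreign_addresses):
    """Strip the port and keep only globally routable addresses. '*:*', 0.0.0.0:0,
    127.0.0.1, 10/8 and friends never belong in a geo lookup, and a private
    foreign address is a LAN peer, not something a country database can place."""
    ips = set()
    for addr in foreign_addresses:
        host, sep, _port = addr.rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # -n prints IPv6 as [addr]:port
        except ValueError:
            continue  # '*' or a hostname (netstat run without -n)
        if ip.is_global:
            ips.add(ip)
    return sorted(ips, key=lambda ip: (ip.version, int(ip)))

def country_of(ip, table=COUNTRY_RANGES):
    for net, cc in table:
        if ip in net:  # False across IPv4/IPv6, so mixed tables are fine
            return cc
    return UNKNOWN

def flag_untrusted(netstat_text, trusted=("US",), table=COUNTRY_RANGES):
    """[(ip, cc)] for every global foreign IP whose country is not in `trusted`.
    An address missing from the table is reported as '??' rather than trusted."""
    flagged = []
    for ip in lookup_ips(foreign_column(netstat_text)):
        cc = country_of(ip, table)
        if cc not in trusted:
            flagged.append((str(ip), cc))
    return flagged

# Constructed `netstat -n` sample (not a real capture; the addresses are made up).
SAMPLE_NETSTAT_N = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:445           10.0.0.1:49200         ESTABLISHED
  TCP    10.0.0.5:49712         104.27.188.206:443     ESTABLISHED
  TCP    10.0.0.5:49720         51.15.0.10:22          ESTABLISHED
  TCP    10.0.0.5:49730         95.213.0.10:9987       ESTABLISHED
  TCP    10.0.0.5:49740         8.8.8.8:853            TIME_WAIT
  TCP    [fe80::1%5]:49750      [2606:4700::6810:84e5]:443  ESTABLISHED
  TCP    127.0.0.1:49760        127.0.0.1:5354         ESTABLISHED
"""

if __name__ == "__main__":
    for ip, cc in flag_untrusted(SAMPLE_NETSTAT_N):
        print(f"{ip:<24} {cc}")
```

Two design points worth keeping when you swap in a real database: an address the table does not cover is flagged, not silently trusted, and non-global addresses are filtered before the lookup so that loopback and LAN peers do not produce bogus hits or get sent to an online lookup service.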

Another thing you could do is port scan the foreign IP addresses for services that attacker infrastructure often exposes: 21, 22, 25/587 and 3389. None of these is proof of anything on its own; they are default ports that plenty of legitimate servers also run. The reasoning: 21 is FTP, which some attackers use to move files off a victim; 22 is SSH, which attackers use to administer their servers (as does everyone else, and a default SSH port by itself says nothing, however insecure leaving it there may be); 25 and 587 are SMTP and mail submission, and some malware mails keystroke logs and other loot out that way; 3389 is RDP, which shows up when the attacker's box is a Windows host left at its defaults.

You could also scan for 80 and 443, fetch whatever web page the host serves and grep it for words like "hack", "1337" and the like; attackers sometimes leave defacement or phishing pages on the same servers they collect data on. An open 1194 suggests OpenVPN, which an attacker may be using to route through the server.

Keep in mind that port scanning hosts you do not own is a legal gray area at best; you take full liability and responsibility.
 