IP and Port Info Using Netstat
Ever wonder if there is any easy way to find out what your computer is listening for? Want to know where it is connecting to? NetStat can tell you.
Use of Netstat
To open Netstat you must do the following: Click on the Start button then click Programs then look for Ms-Dos Prompt. If you're running Vista or Windows 7, you could simply press the Windows key, type CMD, then press Enter.
Netstat is a very helpful tool that has many uses. I personally use Netstat to monitor what ports my computer is listening on, as well as find out what remote computers my machine is talking to. Also you can use Netstat go monitor your port activity for attackers sending syn requests (part of the TCP/IP 3 way handshake) or just to see what ports are listening/Established. Look at the example below for the average layout of a response to typing Netstat at the command prompt.
Now look above at the example. You will see Proto on the top left. This just tells you if the protocol is TCP/UDP etc.
Next, to the right you will see Local Address this just tells you the local IP/Hostname:Port open.
Moving a bit further to the right, you will see Foreign Address this will give you the remote computers IP/Hostname and port in the format of IP:Port with ":" in between the port and IP.
And finally you will see State Which simply states the STATE of the connection. This can be Established if it is connected or waiting connect if its listening.
Now with this knowledge we will dive into deeper on how to use this for monitoring and port activity and detecting open ports in use.
Detecting Open ports
Now so you are noticing something funny is going on with your computer? Your cd-rom tray is going crazy... opening and closing when your doing nothing. And you say What the heck is going on. Or you realize someones been messing with a trojan on your computer. So now your goal is to locate what trojan it is so you can remove it right? Well you're right. So you go to your command prompt. There are many different ways to use NetStat. I've excerpted the help file below, which includes the syntax, as well as an explanation of the switches.
NETSTAT [options] [-p protocol] [interval]
|Display all connections and listening ports.
|Display Ethernet statistics. (may be combined with -s)
|Display addresses and port numbers in numerical form.
|Display the routing table.
|Display the owning process ID associated with each connection. (XP only)
|protocol Show only connections for the protocol specified; may be either: TCP or UDP. Windows 2K/XP also allow: TCPv6 or UDPv6. If used with the -s option then the following protocols may also be specified: IP, IPv6, ICMP,or ICMPv6.
|Display per-protocol statistics. By default, statistics are shown for IP, ICMP, TCP and UDP. Windows 2K/XP will also display: IPv6, ICMPv6, TCPv6 and UDPv6 The -p option may be used to specify a subset of the default.
|Redisplay statistics, pausing interval seconds between each display. (default=once only) Press CTRL+C to stop.
I personally like using Netstat -an, which Displays all connections and listening ports in the form of IP instead of Hostname. Netstat -an combines two of the options at once no need for -a -n.
So now that you know how to use netstat to view all your connections and listening you can search for common ports like 12345(old Netbus Trojan), 1243(subseven) etc. This becomes very handy for everything you will soon find out.
Take a break on your couch and relax for about 5 minutes and let all this soak in then come back ready to learn more. Go ahead, I'll wait.
SYN and ACK
When you here SYN and ACK you do not think of the communication of packets on your system. Well let me tell you what SYN and ACK do.
- SYN - SYN in common words is a request for a connection used in the 3-way handshake in TCP/IP. Once you send a SYN out for a connection, the target computer will reply with a SYN and ACK. So basically when you see in [State] catagory Syn that means you are sending out a request to connect to something.
- ACK - Now the ACK is a ACKnowledgement to the request made by a computer that is trying to connect to you. Once a Syn is sent to you you need to ACK it, then Send back another syn to the computer requesting connection to confirm the packet sent was correct. I sure hope that helped you understand a little more about SYN and ACK.
If you have further questions try looking for texts on TCP/IP. Now onto the fun stuff.
Using Netstat it for ICQ and AIM
Let's say you are chatting with someone via ICQ or AOL Instant Messenger. Now let's say that you, for some reason, want to know the remote IP address of the system you are talking to. With NetStat, we can discover that remote IP address.
I'm not picking on AIM or ICQ here, just demonstrating the utility. Don't flame me with random "But I love AIM!" messages. If you use these communications tools, that's your choice, not mine.
- AIM - With AIM you can not usually find the exact IP address without some trial and error because most of the time it seems to open up all online users on Port 5190. So Less users online easier it is. So goto Ms-Dos Prompt and type netstat -n here you will see under [Foreign Addresses] a IP:With port 5190. Now one of those IP's connected to you with 5190 is going to be your target aim user. Just use trial and error to find out is ussually the easiest way.
- ICQ - To get a IP using netstat of a ICQ user is easy before talking to the person on ICQ you must open ms-dos prompt and do netstat -n to list all IP's and ports.Write them down or copy them somewhere you will remember to look back. Now it's time to find out his IP. Message the user witha single message now quickly do Nestat -n. And you will have a new added line of a IP address, just search for the new one on the list under foreign and once you find it you now have your buddys ip without any patches or hacks.
Netstat can be used to get IPs of anything and anyone, as long as there's a direct connection between you and the target (i.e. direct messages, file transfers or ICQ chats in ICQ, DCC (Direct Client Connection) chat and file transfers in IRC etc etc).
- Sometimes Netstat can generate very long lists, which are especially confusing for newbies. If you're having difficulties, just run netstat, and then make a direct connection of some sort to your target, or make it connect to you (ICQ, IRC etc, you get the picture) and run netstat again. There should be a new line - this is what you're looking for.
- If netstat's output is too long, type 'netstat -an > c:\some-directory\some-file.txt' (without the quotes, and you can replace the parameters -an and the filename and it's path with anything you'd like). This will dump the output to that file for easy viewing, and will also let you copy & paste.
About this post
Viewed: 4,769 times
No comments have been added for this post.
You must be logged in to make a comment.