fortypoundhead.com

IP and Port Info Using Netstat

Posted On 2011-07-27 by FortyPoundHead
Keywords:
Tags: Networking Security Tutorial Windows 7 Windows Windows XP
Views: 3960


Ever wonder if there is any easy way to find out what your computer is listening for? Want to know where it is connecting to? NetStat can tell you.

Use of Netstat


To open Netstat you must do the following: Click on the Start button then click Programs then look for Ms-Dos Prompt. If you're running Vista or Windows 7, you could simply press the Windows key, type CMD, then press Enter.

Netstat is a very helpful tool that has many uses. I personally use Netstat to monitor what ports my computer is listening on, as well as find out what remote computers my machine is talking to. Also you can use Netstat go monitor your port activity for attackers sending syn requests (part of the TCP/IP 3 way handshake) or just to see what ports are listening/Established. Look at the example below for the average layout of a response to typing Netstat at the command prompt.
C:\WINDOWS>netstat

Active Connections
ProtoLocal AddressForeign AddressState
MyComputer:25872RemoteComputer:1045ESTABLISHED
MyComputer:25872sy-as-09-112.free.net:3925ESTABLISHED
MyComputer:31580RemoteComputer:1046ESTABLISHED
MyComputer:2980205.188.2.9:5190 ESTABLISHED
MyComputer:303924.66.10.101.on.wave.home.com:1031 ESTABLISHED



Now look above at the example. You will see Proto on the top left. This just tells you if the protocol is TCP/UDP etc.

Next, to the right you will see Local Address this just tells you the local IP/Hostname:Port open.

Moving a bit further to the right, you will see Foreign Address this will give you the remote computers IP/Hostname and port in the format of IP:Port with ":" in between the port and IP.

And finally you will see State Which simply states the STATE of the connection. This can be Established if it is connected or waiting connect if its listening.

Now with this knowledge we will dive into deeper on how to use this for monitoring and port activity and detecting open ports in use.

Detecting Open ports


Now so you are noticing something funny is going on with your computer? Your cd-rom tray is going crazy... opening and closing when your doing nothing. And you say What the heck is going on. Or you realize someones been messing with a trojan on your computer. So now your goal is to locate what trojan it is so you can remove it right? Well your right. So you go to your command prompt. There are many ways to use Netstat and below is a help menu. Look through it.

I've reformatted it a bit here, to make it more readable
C:\WINDOWS>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.

-e Displays Ethernet statistics. This may be combined with the -s option.

-n Displays addresses and port numbers in numerical form.

-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.

interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.


I personally like using Netstat -an, which Displays all connections and listening ports in the form of IP instead of Hostname. Netstat -an combines two of the options at once no need for -a -n.

So now that you know how to use netstat to view all your connections and listening you can search for common ports like 12345(old Netbus Trojan), 1243(subseven) etc. This becomes very handy for everything you will soon find out.

Take a break on your couch and relax for about 5 minutes and let all this soak in then come back ready to learn more. Go ahead, I'll wait.

SYN and ACK


When you here SYN and ACK you do not think of the communication of packets on your system. Well let me tell you what SYN and ACK do.
  • SYN - SYN in common words is a request for a connection used in the 3-way handshake in TCP/IP. Once you send a SYN out for a connection, the target computer will reply with a SYN and ACK. So basically when you see in [State] catagory Syn that means you are sending out a request to connect to something.

  • ACK - Now the ACK is a ACKnowledgement to the request made by a computer that is trying to connect to you. Once a Syn is sent to you you need to ACK it, then Send back another syn to the computer requesting connection to confirm the packet sent was correct. I sure hope that helped you understand a little more about SYN and ACK.

If you have further questions try looking for texts on TCP/IP. Now onto the fun stuff.

Using Netstat it for ICQ and AIM


Let's say you are chatting with someone via ICQ or AOL Instant Messenger. Now let's say that you, for some reason, want to know the remote IP address of the system you are talking to. With NetStat, we can discover that remote IP address.

I'm not picking on AIM or ICQ here, just demonstrating the a utility. Don't flame me with random "But I love AIM!" messages. If you use these communications tools, that's your choice, not mine.
  • AIM - With AIM you can not usually find the exact IP address without some trial and error because most of the time it seems to open up all online users on Port 5190. So Less users online easier it is. So goto Ms-Dos Prompt and type netstat -n here you will see under [Foreign Addresses] a IP:With port 5190. Now one of those IP's connected to you with 5190 is going to be your target aim user. Just use trial and error to find out is ussually the easiest way.

  • ICQ - To get a IP using netstat of a ICQ user is easy before talking to the person on ICQ you must open ms-dos prompt and do netstat -n to list all IP's and ports.Write them down or copy them somewhere you will remember to look back. Now it's time to find out his IP. Message the user witha single message now quickly do Nestat -n. And you will have a new added line of a IP address, just search for the new one on the list under foreign and once you find it you now have your buddys ip without any patches or hacks.

Other Uses


Netstat can be used to get IPs of anything and anyone, as long as there's a direct connection between you and the target (i.e. direct messages, file transfers or ICQ chats in ICQ, DCC (Direct Client Connection) chat and file transfers in IRC etc etc).

Quick Tips


  • Sometimes Netstat can generate very long lists, which are especially confusing for newbies. If you're having difficulties, just run netstat, and then make a direct connection of some sort to your target, or make it connect to you (ICQ, IRC etc, you get the picture) and run netstat again. There should be a new line - this is what you're looking for.

  • If netstat's output is too long, type 'netstat -an > c:\some-directory\some-file.txt' (without the quotes, and you can replace the parameters -an and the filename and it's path with anything you'd like). This will dump the output to that file for easy viewing, and will also let you copy & paste.


About the Author

FortyPoundHead has posted a total of 1974 articles.

 


Comments On This Post

No comments on this post yet!


Do you have a thought relating to this post? You can post your comment here. If you have an unrelated question, you can use the Q&A section to ask it.

Or you can drop a note to the administrators if you're not sure where you should post.


Your IP address is:54.156.39.44

Before you can post, you need to prove you are human. If you log in, this test goes away.



Recent Forum Posts

New security implemented
dwirch posted on July 23, 2017 at about 6:58 in Site News

Fold Code Manager into main KB?
VB6Boy posted on July 22, 2017 at about 14:42 in Site News

Fold Code Manager into main KB?
dwirch posted on July 22, 2017 at about 14:41 in Site News

Fold Code Manager into main KB?
dwirch posted on July 21, 2017 at about 22:46 in Site News

Fold Code Manager into main KB?
dwirch posted on July 20, 2017 at about 7:55 in Site News

Job Spammer: Sam Mallon
dwirch posted on July 18, 2017 at about 18:36 in Spammers