Note- This tutorial may bear a resemblance to tutorials written by other authors. I have acknowledged to tutorials or articles that I referred before writing this tutorial. It is possible that there may be other tutorials I have not referred and are similar to my tutorial. It is not possible for me to give acknowledgment to such tutorials and hence there must be no copyright or legal issues regarding this tutorial.
Dear reader
In this tutorial I am going teach how to use a very useful command netstat. By using netstat you will be able to find out the ip address of your computer and of the remote computer connected to your computer and most importantly you will be able to know what ports are open on our computer - this will help you know if your computer is infected by a Trojan. Let us see how to launch netstat command. netstat is a MS-DOS based command, you can not use mouse to interact with this utility. To launch this command simply run MS-DOS prompt. To do this just click on 'Run...' after clicking on Start button and then type command and press enter key. Alternatively you can select MS-DOS prompt from Start menu if you are using windows 98 or from accessories if you are using windows NT,2000 or XP. After launching command prompt you will get
C:\windows>
or
C:\>
To launch netstat type netstat -a and press enter key.
C:\windows>netstat -a
This will give output similar to this.
Active Connections
Proto Local Address Foreign Address State
TCP gaurav:1753 www.ethicalhackers.tk:http ESTABLISHED
TCP gaurav:1081 ftp.mycgiserver.com:ftp ESTABLISHED
TCP gaurav:1036 ftp.mycgiserver.com:ftp-data TIME_WAIT
TCP gaurav:1145 mail.sec33.com:pop3 ESTABLISHED
Let us try to understand this output in some detail.
Proto Its full name is Protocol. A protocol is simply a set of rules that your computer follows to communicate to other computers.
The TCP shown under the heading Proto shows that our computer is using the TCP (Transfer Control Protocol ) to communicate to the other computer. An other type of protocol is UDP
Local Address This is the address of our computer. Under this heading we can see gauarv:1081. gaurav is the name of our computer. This is the name asked by windows setup during installation.1081 is our local port number and is randomly generated. A port is simply a virtual 'road' on which internet data 'travels'
Foreign Address This is very important for us. Under this heading we can see ftp.mycgiserver.com This shows that our computer is connected to computer having name ftp.mycgiserver.com
State This tells about the state of our connection. Following table will help you in understanding these.
| STATE | WHAT DOES IT MEAN |
| CLOSED | There is no connection between your computer and remote host. |
| CLOSING | Your computer and remote computer have both agreed to close connection. |
| CLOSE WAIT | The remote computer has initiated to close the connection |
| ESTABLISHED | There is a connection. |
| FIN WAIT 1 | The software using connection (like msn messenger) has finished using the connection |
| FIN WAIT 2 | The remote computer has agreed to close connection. |
| LAST ACK | The connection is waiting for all the data packets to destroy. |
| LISTEN | Your computer is listening for incoming connection |
| SYN RCVD | Remote computer is sending a request for connection |
| SYN SENT | Your computer has initiated to open a connection |
| TIMED WAIT | same as LAST ACK |
Now let us see some other options available with the netstat command. If you want to know the options available you can pass /? as an argument to the netstat command i.e.
c:\windows>netstat /?
We will get the following output.
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports. (Server-side connections are normally not shown).
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the
-s option to display per-protocol statistics, proto may be tcp, udp, or ip.
-r Displays the contents of the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p
option may be used to specify a subset of the default.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to
stop redisplaying statistics. If omitted, netstat will print the current configuration information
once.
Before we explore all the options let us apply the knowledge we have just gathered. Let suppose we want to find out if our computer is infected with a Trojan. For those who don't know about Trojans I would like to tell them that Trojans malicious programs that may have come in form of a email attachment or in the form of infected software. These Trojans generally listen on some port for connections and after accepting the connection the remote computer user may execute any command on your computer. The most popular trojan is Back Orifice
So if you want to check out whether your computer is infected with Back Orifice you will run command netstat -a and if it shows that your computer is listening on port 31337 you must download some Trojan removal software. Please note that these Trojans have options that allow the remote attacker allow to change default port for accepting connections. For example a remote attacker may have changed the default port from 31337 to 54871. So you must look for suspicious ports. Click here to get a list of such Trojans and the default ports on which they accept connections.
Now let us explore all the options available with the netstat command. We have already used -a option that shows all the connections and listening ports. Let use explore -n option.
The netstat -n command will display the numbers in place of the names i.e. instead of name of our computer we will get the ip address of our computer. This option is helpful if we want to know the ip address of our computer and of the remote computer connected to our computer.
The netstat -p command is used to get information related to a particular protocol. Suppose we want to know only about the connections using UDP we will use command netstat -p udp and netstat -p tcp for connections using tcp. Please note that we can combine options. For example the command netstat -a -p udp and this will give us information about all the connections using UDP.
The netstat -s and netstat -e command are used to display detailed statistics about the different protocols. These commands are generally to correcting network problems.
The netstat -r is used to display routing tables. We need not go in details but I would like to tell you that routing table is used by computers to figure out by which route they should pass on the data. If a computer can not find out a suitable route it will discard the data packet.
Now before I end this tutorial let us see the use of interval option. If you specify a number in place of interval the netstat command will run again and again after that period of seconds. e.g. netstat -a 1 To exit from the command you will have to press CTRL+C.
0 comments:
Post a Comment