How to Find User Uploading Using Netstat

How to use a netstat command in Windows to scout open ports

Mike Cobb shows how a simple command line tool tin can provide invaluable information about what's happening on your organization

Netstat, the TCP/IP networking utility, has a simple set up of options and identifies a computer'southward listening ports, along with incoming and approachable network connections. This data can be very helpful if you're trying to resolve a malware issue or diagnose a security problem.

I take to admit, I much prefer graphical user interfaces when information technology comes to working on a computer. I've never been a big fan of command line tools, but occasionally some, such as Netstat, practice come into their own.

Some other reason I find Netstat such a useful tool is that it can be establish on almost whatsoever computer by default, from Unix and Linux machines through to Windows and Macs. The fact yous don't accept to install and run a separate diagnostic tool can be a life saver when dealing with a client'southward PC or a quarantined car.

Every open port on your computer is an entry indicate that can be exploited to proceeds covert admission. So if you demand to know what connections a machine has to the net and what services may exist open and running, Netstat can chop-chop tell y'all.

Allow me explain how to Netstat command in Windows. First, only open a command prompt window and type:

netstat -an

The -a parameter lists all the estimator's connections and listening ports, while the -n parameter displays addresses and port numbers in numerical format. A typical (truncated) result from Netstat -an looks like this:

Active Connections

Proto Local Address	Foreign Accost	State
TCP 0.0.0.0:21	0.0.0.0:0	LISTENING
TCP 0.0.0.0:25	0.0.0.0:0	LISTENING
TCP 0.0.0.0:80	0.0.0.0:0	LISTENING
TCP 0.0.0.0:135	0.0.0.0:0	LISTENING
TCP 0.0.0.0:443	0.0.0.0:0	LISTENING
TCP 0.0.0.0:445	0.0.0.0:0	LISTENING
TCP 0.0.0.0:1035	0.0.0.0:0	LISTENING
TCP 0.0.0.0:3351	0.0.0.0:0	LISTENING
TCP 127.0.0.ane:1040	0.0.0.0:0	LISTENING
TCP 127.0.0.1:1049	0.0.0.0:0	LISTENING
TCP 127.0.0.1:1059	127.0.0.1:27015	ESTABLISHED
TCP 127.0.0.one:1085	0.0.0.0:0	LISTENING
TCP 127.0.0.i:1434	0.0.0.0:0	LISTENING
TCP 127.0.0.1:5152	0.0.0.0:0	LISTENING
TCP 127.0.0.i:5152	127.0.0.1:3414	CLOSE_WAIT

The outset cavalcade (proto stands for protocol) lists all of the transmission command protocol (TCP) and user datagram protocol (UDP) connections on the machine running Netstat. The second cavalcade is the machine's local IP address and port number, while the third is the remote or foreign address and port number. The final column is called State, which is the country that the connection, or potential connection, is in.

Built-in Windows commands that can find hack attempts

"LISTENING" shows a archetype open up port listening for inbound connections. "ESTABLISHED" means in that location's an bodily connection betwixt your auto and the remote IP and port that is able to exchange traffic. Occasionally, y'all'll encounter "CLOSE_WAIT" in this column, which is a country TCP goes into while ending an established connection.

As you can encounter, in that location are enough of entries with a local address of 0.0.0.0 plus a port. This designation means the port is listening on all network interfaces and volition take any incoming connection on that port number.

The local address entries beginning 127.0.0.1 are processes listening for connections from the PC itself, not from the Cyberspace or network. If the IP address in this column is your local network IP, then the port is only listening for connections from your local network. The port is listening for connections from the Internet if it displays your online IP address.

A quick glance through Netstat's output tin alert you to many potential problems. For example, if your security policy bans the utilise of net relay chat (IRC), simply there are numerous connections to port 6667 (the default IRC port) on a remote automobile, then there'southward a chance that the PC has a Trojan connected to a remote IRC server waiting to receive commands. Although Netstat only takes a snapshot, yous tin use the interval option to refresh the output every so many seconds. Use the Netstat command below, for example:

netstat –an 1 | find "3333"

The command will check every 2d and print the results if a process starts listening on TCP port 3333.

If you want to find out which process on a machine is sending out packets to a particular machine you tin run:

netstat –ano 1 | find "Dest_IP_Addr"

The -o parameter outputs the process ID (PID) responsible for the connection. You lot can then observe the program associated with a PID past typing "tasklist" at the Netstat command prompt. You can too apply netstat's -b flag, which outputs the EXE and its associated DLLs that are using the TCP and UDP ports. Finally, if you lot want to know when another arrangement, such equally a bot controller, connects to a automobile listening on a particular TCP port, such as port 4444, you tin can run:

netstat –an i | find "4444" | find "ESTABLISHED"

In this case, Netstat will not display an output until it finds an established connection on port 4444, and information technology volition include the source IP accost connected to the port, a helpful chip of information in an investigation.

You can, of course, achieve more accurate and detailed results using a port scanner such every bit Nmap.

All the same, Netstat is already built in and the commands are quick and piece of cake to apply. Yous may also be interested in Microsoft's Sysinternals Process Monitor tool, an avant-garde monitoring utility for Windows that shows real-fourth dimension file arrangement, Registry and process/thread activity.

*Annotation: The –b and –o options are not available on Windows 2000 and be aware that running them with the interval option would be a drain on a system'due south resource.

About the author: Michael Cobb, CISSP-ISSAP is the founder and managing managing director of Cobweb Applications Ltd., a consultancy that offers IT grooming and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.