Netstat Made Easy By Ankit Fadia
ankit@bol.net.inA lot of times, I hear people asking questions like, how to find out the IP of a friend? Or how to find out your own IP? How do I know, which ports are open on my system? How do I make sure whether my system is infected with a Trojan or not?
Well, for all above questions (and more) there is one simple answer: The Netstat command.
Microsoft has this weird tendency of hiding or making sure that such ‘useful’ utilities are not easily accessible to the users. However, they fail to understand that putting a utility in the Windows directory and not listing it anywhere does not make it hidden.
The ‘Netstat’ command is accessible through the command line prompt. Simply launch MSDOS and:
C:\cd windows
C:\windows>
NOTE: Normally, well, almost always, DOS opens by default in the Windows directory, however, for those of you whose default DOS directory is not Windows, the above would prove helpful.
Anyway, before we move on, we need to understand what exactly the Netstat command is used for. This command is by default used to get information on the open connections on your system (ports, protocols being used etc), incoming and outgoing data and also the ports of remote systems to which we are connected. ‘Netstat’ gets all this networking information by reading the kernel routing tables in the memory.
According to the RFC on Internet Tool Catalog, ‘Netstat’ is defined as:
‘Netstat is a program that accesses network related data structures within the kernel, then provides an ASCII format at the terminal. Netstat can provide reports on the routing table, TCP connections, TCP and UDP "listens", and protocol memory management.’
Anyway, now that we know what Netstat is all about, we are in a position to start using it. Once, you have launched MSDOS, you can read the MSDOS help on Netstat by giving the following command:
C:\WINDOWS>netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a Displays all connections and listening ports. (Server-side connections are normally not shown).
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be tcp or udp. If used with the
-s option to display per-protocol statistics, proto may be tcp, udp, or ip.
-r Displays the contents of the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p
option may be used to specify a subset of the default.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to
stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
However, like always, the help provided by MSDOS, can be used only as a reference, it is not at all sufficient for a complete newbie.
So, let us try out each command and see the result and also understand what exactly happens when we execute it and what all the results displayed mean.
Firstly, we will start with the Netstat command with the –a argument.
Now, the ‘–a’ option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.
For Example,
C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*
Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
Now, the above can be arranged as below:
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)
Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031
Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)
Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)
State of Connection: ESTABLISHED
‘Netstat’ with the ‘–a’ argument is normally used, to get a list of open ports on your own system i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good Antiviral software are able to detect the presence of Trojans, but, we are hackers, and need to software to tell us, whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ‘Scan’ button and let some software do it.
The following is a list of Trojans and the port numbers which they use, if you Netstat yourself and find any of the following open, then you can be pretty sure, that you are infected.
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
For complete list, refer to the Tutorial on Trojans at: hackingtruths.box.sk/manuals.htm
***********************
HACKING TRUTH: Some of you might me wondering, as to what the high port numbers after the local machine’s name stand for?
Eg. ankit:1052
Port Numbers upto 1024 normally have a specific kind of service running on it. Infact there is a complete RFC on Assigned Port Numbers- RFC 1700.
However, port numbers over 1024 are used by your system to connect to remote computers. For Example, say your browser wants to establish a connection with
http://www.hotmail.com/, then what it will do is, it will take up a random port number above 1024, open it and use it to communicate with the Hotmail server.***********************
OK, now let us move on further, to a variant of the above command, the Netstat –n
The Netstat –n command is basically the numerical form of the Netstat –a command. The main and probably the only difference between the two is that the former shows the addresses of the local and remote systems in numerical form (Hence –n) while the latter shows the addresses in non-numerical form.
Let us see an example to understand better:
C:\>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 203.xx.251.161:1031 194.1.129.227:21 ESTABLISHED
TCP 203.xx.251.161:1043 207.138.41.181:80 FIN_WAIT_2
TCP 203.xx.251.161:1053 203.94.243.71:110 TIME_WAIT
TCP 203.xx.251.161:1058 194.1.129.227:20 TIME_WAIT
TCP 203.xx.251.161:1069 203.94.243.71:110 TIME_WAIT
TCP 203.xx.251.161:1071 194.98.93.244:80 ESTABLISHED
TCP 203.xx.251.161:1078 203.94.243.71:110 TIME_WAIT
Although this too gives us similar results, but there are some differences, mainly-:
If you read the alt.2600 newsgroup regularly or any other newsgroup for that, they you would probably have seems atleast 2-3 daily posting whose body read: How do I find out my own IP?
Well, this option of Netstat is most commonly used to do just that, find out your own IP. Also, some people somehow seem to feel more comfortable with numbers, than with understandable hostnames.
This form of Netstat does make life easier for us, as the port numbers are displayed, which makes relating to everything easier.
Getting the IP of a person is all, that one needs to be able to damage his system. So, basically Hiding your IP from hackers and getting the IP of the victim is some of the most important things that people are concerned with. Using IP Hiding facilities has become increasingly popular. However, are these so called IP Hiding totally anonymous services or software truly and perfectly Anonymous? There is only one answer: they are nowhere near totally anonymous. Consider the following example, to understand how lame some of such utilities are.
I Seek You or ICQ is one of the most popular chatting software around. With it not only comes easy pastime, but also security concerns. ICQ has an inbuilt IP Address Hider, which when enabled is supposedly able to hide your IP from the users you are chatting with. However, like most IP Hiding software, this too is nowhere near good. You can find out the IP Address of any ICQ user, even if IP Hiding has been enabled, by following the below process.
1.) Launch MSDOS and type Netstat –n to get a list of already open ports and the IP’s of the machines with which a connection has been established. Note down this list somewhere.
2.) Now, launch ICQ and send a message to the victim.
3.) While you are still chatting, go back to DOS and again give the Netstat –n command. You will find that a new IP signifying a new connection. This would be the IP Address of the victim. Get it?
Till now, both with the ‘-a’ and ‘-n’ argument, we saw that the connections returned or displayed on the screen, were not of a particular protocol. This means that connections of TCP, UDP or even IP were shown. However, say you want to see only those connections which belong to UDP, then you make use of the ‘-p’ argument.
The general format of the Netstat command with the ‘-p’ argument is as followed:
Netstat –p xxx
Where xxx can be either UDP or TCP. The usage of this argument will become clearer with the following example, which demonstrates how to view only TCP connections.
C:\>netstat -p tcp
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1069 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1078 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1080 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1081 www.burstnet.com:80 FIN_WAIT_2
TCP ankit:1083 zztop.boxnetwork.net:80 TIME_WAIT
This is basically nothing but a variation of the ‘-a’ and ‘-n’ commands.
Anyway, so let us move on to the arguments associated with ‘netstat’.
Now, we come to the ‘-e’ option of ‘netstat’. Let us set what DOS returns, when this command is given:
C:\>netstat -e
Interface Statistics
Received Sent
Bytes 135121 123418
Unicast packets 419 476
Non-unicast packets 40 40
Discards 0 0
Errors 0 0
Unknown protocols 0
Well, sometimes the number of data packets sent and received is not shown properly by some faulty or un-compatible modems. During, such cases, this command comes handy. The output returned by it, is quite obvious. Also, it can be used to check for faulty downloads, or errors, which might have occurred during the TCP/IP, transfer process.
With this we come to the last argument associated with Netstat, the ‘-r’ argument. This is not commonly used, and is a bit difficult to understand. I will simply give you an example of it in this manual. A proper and detailed description would be provided in another manual. Hacking using Routing Tables is considered to be very elite and not many people are comfortable using it. However, like all things associated with computers, it is not as difficult as it is projected to be.
C:\windows>netstat -r
Route Table
Active Routes:
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 203.94.251.161 203.94.251.161 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
203.94.251.0 255.255.255.0 203.94.251.161 203.94.251.161 1
203.94.251.161 255.255.255.255 127.0.0.1 127.0.0.1 1
203.94.251.255 255.255.255.255 203.94.251.161 203.94.251.161 1
224.0.0.0 224.0.0.0 203.94.251.161 203.94.251.161 1
255.255.255.255 255.255.255.255 203.94.251.161 203.94.251.161 1
Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 203.94.251.161 203.94.251.161 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
203.94.251.0 255.255.255.0 203.94.251.161 203.94.251.161 1
203.94.251.161 255.255.255.255 127.0.0.1 127.0.0.1 1
203.94.251.255 255.255.255.255 203.94.251.161 203.94.251.161 1
224.0.0.0 224.0.0.0 203.94.251.161 203.94.251.161 1
255.255.255.255 255.255.255.255 203.94.251.161 203.94.251.161 1
Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1081 www.burstnet.com:80 FIN_WAIT_2
TCP ankit:1093 zztop.boxnetwork.net:80 TIME_WAIT
TCP ankit:1094 zztop.boxnetwork.net:80 TIME_WAIT
TCP ankit:1095 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1096 zztop.boxnetwork.net:80 TIME_WAIT
TCP ankit:1097 zztop.boxnetwork.net:80 TIME_WAIT
TCP ankit:1098 colo88.acedsl.com:80 ESTABLISHED
TCP ankit:1099 mail2.mtnl.net.in:pop3 TIME_WAIT
Well, I hope you liked this manual. Even if not, then you better do. ; ) Bye.
Ankit Fadia
ankit@bol.net.in (I answer all my mails, however, not promptly.)
To receive tutorials on everything you dreamt of written by Ankit Fadia, join his mailing list, by sending an email to: programmingforhackers-subscribe@egroups.com