Netstat is a tool for both Windows and Linux systems, used to examine real-time network connections on a machine. This is useful for several reasons. For one, imagine an attacker has some sort of process on your machine acting as a backdoor so he/she can easily regain access later. This could be netcat, an IRC bot or some other rogue application, but whatever the backdoor method, it is important to discover it. Using netstat is one way of discovering open ports which should not be open. Granted, not all of us know which ports are valid and which are not, as there may be many ports active or open on a machine. However, with some port research and other tools I will cover in future posts, this can be a critical step in the forensics process. If, for example, you see a connection from your computer to another device on port 6667 and you are not aware of running any form of IRC, your computer may be infected with an IRC bot and is most likely part of some larger botnet. This is good information to have.
To view all the TCP connections on your machine (not just the active ones, but open/listening ports as well), use the -a flag with netstat in the form of:
netstat -a
To view connections as raw IP addresses instead of Fully Qualified Domain Names (FQDN), use the -n flag as well, like so:
netstat -an
*There are many other flags/options which can be used with netstat. See the “More Information” section at the bottom for more details.
How to Use in Forensics Investigation
Netstat is a great tool to have in your toolbox. When used in conjunction with FPort (Windows) or lsof (Linux), you can actually find the executables that opened the suspicious port(s) you’re looking into. If you don’t recognize the executable, a quick Google search should tell you if it’s malicious or not. Some malware or malicious users will alias an executable so it looks like a legitimate program. This is where noticing a strange port can come in handy as it gives you more of a reason to look deeper into that program. For example, one forensics lab I was assigned in school had aliased a netcat backdoor as something completely different. Only by accessing the process memory (which I’ll cover in a future post) was I able to discover what the process truly was.
TCP vs. UDP
Along with the netstat output, you should see either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) listed as the protocol being used for the connection as well. Don’t let this throw you off. TCP means that there is a connection between your computer and whatever you’re connecting to. UDP is a connection-less protocol, meaning that packets are simply sent, with no guarantee that they will arrive. Video streaming, for example, since it needs to be fast and doesn’t care if a few packets are lost, is almost always UDP. Your computer gets sent packets, but no connection is established to guarantee the arrival of those packets. This is why there is no “foreign” address for the UDP listings in netstat.
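As an added example (not code from the original post), the script below does in one place what the post describes across the port-discovery, FPort/lsof and TCP-vs-UDP sections: it parses saved `netstat -an` output from either Linux or Windows, tolerates UDP rows (which carry no state and a `*:*` or `0.0.0.0:*` foreign address), flags listening ports outside an assumed baseline and connections to a watched remote port such as 6667, and then joins on the local port against saved `lsof -i -n -P` output to name the owning process. Both captures, the baseline set, and the process names are constructed for the example; the aliased process name on the 6667 connection is there to show that the port, not the name, is what prompts a closer look.

```python
"""Triage saved netstat and lsof output (added example; sample data is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a Linux `netstat -an` capture.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:49213      203.0.113.5:6667        ESTABLISHED
tcp        0      0 192.168.1.10:49214      198.51.100.20:443       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Constructed sample: the same host's `lsof -i -n -P` capture.
LSOF_SAMPLE = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sysupdate 2210 bob     5u  IPv4  23456      0t0  TCP 192.168.1.10:49213->203.0.113.5:6667 (ESTABLISHED)
nc        2311 bob     3u  IPv4  34567      0t0  TCP *:4444 (LISTEN)
firefox   2402 bob     9u  IPv4  45678      0t0  TCP 192.168.1.10:49214->198.51.100.20:443 (ESTABLISHED)
dhclient   601 root    6u  IPv4   5678      0t0  UDP *:68
"""

# Assumed baseline for this example host; adjust to what you know should be open.
EXPECTED_LISTENERS = {22, 68}
WATCHED_REMOTE_PORTS = {6667: "IRC"}
LISTEN_STATES = {"LISTEN", "LISTENING"}  # Linux and Windows spellings


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str  # empty for UDP rows, which have no connection state


def split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' on the last ':' (IPv6 safe); '*' or 0 becomes None."""
    host, _, port = token.rpartition(":")
    return host, (int(port) if port.isdigit() and int(port) > 0 else None)


def parse_netstat(text: str) -> List[Socket]:
    """Parse Linux or Windows `netstat -an` rows; banner/header lines lack ':' tokens."""
    sockets = []
    for line in text.splitlines():
        tokens = line.split()
        endpoints = [t for t in tokens if ":" in t]
        if len(endpoints) < 2:
            continue
        lh, lp = split_endpoint(endpoints[0])
        fh, fp = split_endpoint(endpoints[1])
        idx = tokens.index(endpoints[1], tokens.index(endpoints[0]) + 1)
        state = tokens[idx + 1] if idx + 1 < len(tokens) else ""
        sockets.append(Socket(tokens[0].lower(), lh, lp, fh, fp, state))
    return sockets


def parse_lsof(text: str) -> Dict[int, Tuple[str, int]]:
    """Map local port -> (command, pid) from `lsof -i -n -P` rows."""
    owners: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 9 or not t[1].isdigit():
            continue  # header line
        local = t[8].split("->")[0]  # NAME is local or local->remote
        _, port = split_endpoint(local)
        if port is not None:
            owners[port] = (t[0], int(t[1]))
    return owners


def triage(netstat_text: str, lsof_text: str) -> List[str]:
    """One finding per suspicious socket, with the owning process when lsof knows it."""
    owners = parse_lsof(lsof_text)
    findings = []
    for s in parse_netstat(netstat_text):
        reason = None
        if s.state in LISTEN_STATES and s.local_port not in EXPECTED_LISTENERS:
            reason = f"unexpected listener on {s.proto}/{s.local_port}"
        elif s.foreign_port in WATCHED_REMOTE_PORTS:
            label = WATCHED_REMOTE_PORTS[s.foreign_port]
            reason = f"connection to {s.foreign_host}:{s.foreign_port} ({label})"
        if reason:
            cmd, pid = owners.get(s.local_port, ("unknown", 0))
            findings.append(f"{reason} owned by {cmd} (pid {pid})")
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, LSOF_SAMPLE):
        print(finding)
```

Run against the constructed captures it reports the netcat listener on 4444 and the 6667 connection owned by the innocuously named process; port 22, the HTTPS session and the UDP DHCP client row pass without comment. On a Windows host, FPort output would take the place of lsof, and the netstat parser already accepts the Windows column layout.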
Try it out!
Open up a web browser and go to your favorite website. Now open up a command prompt, type in “netstat -an” (or simply “netstat -a”) and look for a “foreign” address (if on Windows at least) with the port of 80 (HTTP) or 443 (HTTPS). There may be more than one if you have some background Internet connections up.
When I first discovered netstat, I thought it was one of the coolest things ever. It was the first tool I was introduced to that could shed some light on whether my computer was vulnerable to an attack through some open port, or if I may have already been compromised. It’s a great way to understand networking a little better. I definitely recommend studying the netstat output on your computer (especially a line with a port in the 0-1023 range) and figuring out what that particular port is for, who you’re connected to, etc.
Both Windows and Linux should come pre-installed with netstat.