Ensuring local network security.

02/20/2004 Roger Grimes

Let's say "Stop!" to hostile programs!

Among the questions security professionals often have to answer is, “If I find an open port on my system, does that mean I already have a Trojan horse?” Security mailing lists are littered with variations on this theme, and the answer to all such questions is always the same: trace the port number back to the program that opened it, and investigate that program. The process of tracing an open port back to the program that opened it is called matching. Of course, this answer assumes that the user is fairly knowledgeable about port numbers, that he has a suitable means of obtaining a list of open ports, and that he can determine whether the program found is dangerous. Let's first look at the problem of identifying open ports in general terms, and then I will introduce 11 port checkers for the Windows environment.

TCP/UDP Protocols Tutorial

To investigate port status, you need some understanding of the TCP/IP protocol suite and of network connections. TCP/IP is now almost universally used for communication between computers. Its two most important transport-layer protocols (Layer 4 of the Open Systems Interconnection, OSI, model) are TCP and UDP. One of these two protocols is usually tasked with carrying the information exchanged between two computers (or between two processes on the same system). Both TCP and UDP delegate the routing of packets from one computer to another to the lower-level IP protocol. Among other data, the IP packet header contains the source IP address and the destination IP address (or a multicast or broadcast address when necessary) of the two computers, as well as the protocol number (6 for TCP, 17 for UDP). The lower-layer protocol, IP, routes the packet across the logical network from the source device to the recipient device. When the packet arrives at its destination, the IP stack associated with the NIC strips the IP packet frame and examines the upper-layer protocol (i.e., TCP or UDP). The differences between TCP and UDP are described in the sidebar "UDP and TCP."

About ports

TCP and UDP packets contain source and destination port numbers. A port is an input/output point that connects the network to an application (or service or daemon). Ports are numbered from 0 to 65535. This numbering scheme was chosen because the TCP and UDP packet headers allocate 16 bits each for the source and destination port numbers, and 2^16 = 65,536 possible port numbers. Numbering I/O points is a convenient way to help both computers and users keep track of which port belongs to which program.

At the dawn of the Internet era, the Internet Assigned Numbers Authority (IANA), which is responsible for allocating numbers, decided to reserve the first 1024 port numbers (that is, numbers from 0 to 1023) for assignment to entities that request them. The IANA assigns these so-called well-known port numbers (some typical well-known port numbers are shown in Table 1). Although almost all lists of well-known port numbers are now outdated and no longer 100% accurate, the popular port numbers for the most widely used services and protocols have remained the same for over 10 years.

Port numbers 1024 to 49151 are called registered port numbers, and ports 49152 to 65535 are called dynamic or private port numbers. In practice, ports from 1024 to 65535 are allocated dynamically and can be used by any application program. When an application program or service starts, it typically checks whether a particular port number is available, and if the number is not already in use, the program or service opens that port. The port numbers an application opens may always be the same, but they may also be chosen at random. The more popular the application, the more likely it is that Internet software developers will give it an exclusive port number. Table 2 shows some port numbers for popular applications, and Table 3 contains a list of typical Windows port numbers.

Example of communication

It is important to understand that the port of origin and the port of destination are not the same thing. In most cases, when an administrator analyzes port traffic, he is interested in destination port numbers. The destination port is usually a well-known port, while origin ports (also called source ports) can have randomly generated numbers above 1023. In practice, however, the random numbers are typically generated in the range from 1024 to 3000. Thus, when a user running Microsoft Internet Explorer (IE) connects to a Web site, the destination port number is 80, while the origin port number is randomly generated. The picture shows a demo session that was started when my browser contacted the node http://www.secadministrator.com. The destination IP address is 63.88.172.127 and the port number is TCP 80. The origin system's IP address is 192.168.168.160 and its port number is TCP 2335.

The private IP address 192.168.168.160 appears because my computer sits behind a firewall that connects it to the Internet and holds the public IP address. Each time a connection or refresh is made through the browser, a new (usually higher) source port number is generated. Additionally, because a Web page may contain embedded links and advertisements hosted on other Web sites, a single browser page may have multiple open port connections; they may all point to the same IP address or to different IP addresses.
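The source-versus-destination distinction described above, shown in an added example that is not part of the original article: a Python script opens a TCP listener on the loopback interface, connects to it, and reports the port numbers each side sees; a second function does the same with a single UDP datagram, which needs no connection at all. Everything here is constructed for the example and touches only 127.0.0.1; the operating system picks every port number (bind to port 0), so the values differ from run to run, but the source port is always an ephemeral number above 1023 and the server always sees exactly that number as the peer's port.

```python
import socket

# Constructed demonstration using only the loopback interface: no outside
# network is touched, and the kernel picks every port number (bind to port 0).


def demo_tcp_ports():
    """Open a TCP listener, connect to it, and report the ports each side sees."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))            # port 0: let the OS choose a free port
    server.listen(1)
    destination_port = server.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", destination_port))  # three-way handshake happens here
    source_port = client.getsockname()[1]            # ephemeral port chosen by the OS

    conn, peer = server.accept()             # peer is (client IP, client source port)
    result = {
        "destination_port": destination_port,
        "source_port": source_port,
        "server_sees_peer_port": peer[1],
        "client_sees_remote_port": client.getpeername()[1],
    }
    for s in (conn, client, server):
        s.close()
    return result


def demo_udp_ports():
    """Send one datagram with no handshake; the receiver learns the sender's
    port only from the datagram itself, since UDP keeps no connection state."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    receiver.bind(("127.0.0.1", 0))
    receiver.settimeout(5)
    destination_port = receiver.getsockname()[1]

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(b"constructed datagram", ("127.0.0.1", destination_port))
    source_port = sender.getsockname()[1]    # assigned by the OS on the first sendto

    payload, (peer_ip, peer_port) = receiver.recvfrom(1024)
    result = {
        "destination_port": destination_port,
        "source_port": source_port,
        "receiver_sees_peer_port": peer_port,
        "payload": payload,
    }
    sender.close()
    receiver.close()
    return result


if __name__ == "__main__":
    print("TCP:", demo_tcp_ports())
    print("UDP:", demo_udp_ports())
```

Run it twice and the source ports change while the relationship does not: what the client calls its source port is exactly what the listener reports as the peer's port, and the destination port is the one the listener was bound to. That is the same pairing Netstat shows in its Local Address and Foreign Address columns.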

The Mystery of Svchost

Additionally, Windows 2000 and later operating systems open many other ports (such as 500 or 123) that belong to the svchost.exe service. This process resides in the %windir%\system32 folder. It runs whenever Windows initializes and loads into memory one or more of the services defined under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost registry key.

In the process of identifying open ports, administrators often discover that the svchost.exe service is the one that opens several individual ports. For example, right now, as I write this article, svchost.exe is loaded into my computer's memory four times; it hosts the RPCSS, EventSystem, Netman, NtmsSvc, RasMan, SENS and TapiSrv services and has opened ports 123, 135, 1025, 1026, 1900 and 5000. While hunting for malware, you may be comforted by the thought that ports associated with svchost.exe are out of reach of those who are up to no good. However, the possibility of external attacks against these ports (for example, attacks using remote procedure calls, RPC) of course cannot be ruled out.

Trojan horse ports

We know that there are programs that use well-known ports, and that there are ports actively used by Windows. Trojans also often use specific port numbers. Unfortunately, there are already hundreds of widespread Trojan horses, so it is impossible to describe them all in one article. But for those who intend to detect malware using a utility that lists open ports, it is useful to have a list of Trojan horse ports on hand in case they encounter unfamiliar port numbers. For a list of Web sites that host complete lists of Trojan horse ports, see the sidebar "Resources for Trojan Horse Ports."

Since port numbers above 1023 are not officially assigned, they can be used by any program. Most often, programs claim ports on a "first come, first served" basis. Therefore, if a developer reuses the port number of a popular program for a new program, the new program may not function correctly. Two programs can use the same port at the same time, but unless the code allows for this, they may conflict with each other. If two applications use the same port, TCP and UDP can become confused and the network will experience communication problems. However, some programs, including malware, are known to install themselves in such a way that they share a port with another program.

Two programs should not use the same port number. Port 80 is an important exception to this rule. Most firewalls leave this port open; this is necessary so that clients can browse Web resources. Many programs route their traffic through port 80 in order to bypass firewalls. Thus, instant messaging programs often automatically route their traffic to port 80 (using HTTP) if their standard ports are blocked. These programs may even contain routines that scan firewalls for ports open to outgoing traffic that they can use.

Netstat

All versions of Windows since Windows 95 (including Windows 3.11 with the Microsoft TCP/IP-32 add-on) have a good TCP/IP utility called Netstat. It was developed (for both Windows and UNIX) at the beginning of the Internet era. Using Netstat you can determine which UDP and TCP ports are open and active. Readers can learn more about Netstat from the sidebar "The Art of Netstat Interpretation." Windows Server 2003 and Windows XP also let you use Netstat to view a list of open ports together with the associated programs.

TCP session

To activate Netstat, you need to open a command prompt window by opening the Start menu and selecting Run. In the command line window you need to enter the command

and press the Enter key. To get a list of Netstat parameters, you can use the command Netstat -?, but for the purposes of this article we will enter the command

netstat -ano

where the -a option displays active connections, the -n option displays connections with IP addresses and port numbers instead of names, and the -o option displays the process ID (PID) of the application that owns the given port.

If the -n option is not used, the system will display the domain names of the computers to which it is connected. The Netstat -ao command replaces port numbers with the names of the applications or services that normally use them, but this function is not always accurate (for example, all traffic using port 80 is labeled HTTP, even if the traffic contains elements that have nothing to do with HTTP). Additionally, Netstat -ao changes all local IP addresses to the NetBIOS names of the corresponding local systems. Without the -n option, it is impossible to determine which interface the program is listening on. Netstat -ao should only be run when you need to know the name of a remote computer (for example, www.yahoo.com). If the system is running a version of Windows earlier than XP, the -o option will not work, and Netstat will not be able to determine which programs are using which ports.

Screen 1: Netstat -ano command output

Figure 1 shows the results of running Netstat -ano on my computer. The command produces five columns of data. The first column lists the network protocol, with all TCP connections displayed first. The second column gives the local IP address and port number of the corresponding connection. The third column lists the destination IP addresses and port numbers. If the port number has not yet been determined, an asterisk (*) is placed in the column. The fourth column shows the state of the TCP port. The ESTABLISHED, LISTENING, and SYN_SENT states indicate open and active sessions; all other states do not fall into these categories. For UDP ports, no state is listed because UDP does not keep state data. Table 4 shows the various Netstat states (the server in the table is the local program or service that owns the port).

The fifth column provided by Netstat shows the PID of the process that opened the corresponding port. You can link this information to a specific program or service using Task Manager. For those who have not yet explored PIDs in Task Manager, I would remind you that you need to add a PID column to the Task Manager window. To do this, press Ctrl+Alt+Del; the Task Manager window will appear. Go to the Task Manager Processes tab, then click View and Select Columns. Select the PID (Process Identifier) option and click OK. Task Manager now displays the PID next to the Image Name of the program that owns the port, as Figure 2 shows. To match process IDs to process names, you can switch between the Netstat screen and the Task Manager window.

Screen 2: Process PIDs in Task Manager
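The matching procedure described above (Netstat -ano output joined to the PID list from Task Manager) can be scripted. The following Python example is added here and is not the author's code: it parses constructed `netstat -ano` text, joins each PID to a constructed process list in the CSV shape of `tasklist /svc /fo csv` (whose Services column also shows which services each svchost.exe instance hosts), and flags any process whose image name contains no visible characters, the hidden-name trick the article discusses later. Apart from the article's own 192.168.168.160:2335 to 63.88.172.127:80 session, every row, PID and process name is invented for this example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output. The 192.168.168.160:2335 to
# 63.88.172.127:80 row is the article's demo session; the PIDs and the other
# rows are invented. PID 2044 stands in for a program with a hidden name.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       876
  TCP    192.168.168.160:2335   63.88.172.127:80       ESTABLISHED     1688
  UDP    0.0.0.0:123            *:*                                    876
  UDP    0.0.0.0:500            *:*                                    876
"""

# Constructed sample in the CSV shape of `tasklist /svc /fo csv`. The image name
# of PID 2044 is three spaces plus ".exe", mimicking the renamed-service trick.
TASKLIST_OUTPUT = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","876","RpcSs,EventSystem,Netman,SENS"
"iexplore.exe","1688","N/A"
"   .exe","2044","N/A"
'''


def parse_netstat(text):
    """Turn `netstat -ano` text into socket records (one dict per row)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                          # banner and column-header lines
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])   # UDP rows carry no State column
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        records.append({
            "proto": proto,
            "local_ip": local_ip,
            "local_port": int(local_port),
            "remote_ip": remote_ip,           # "0.0.0.0" or "*" when there is no peer
            "remote_port": int(remote_port) if remote_port.isdigit() else None,
            "state": state,
            "pid": pid,
        })
    return records


def parse_tasklist(text):
    """Map PID -> (image name, services) from `tasklist /svc /fo csv` text."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        procs[int(row["PID"])] = (row["Image Name"], row["Services"])
    return procs


def match_ports(netstat_text, tasklist_text):
    """Join each PID's sockets to its process, as the manual matching does."""
    procs = parse_tasklist(tasklist_text)
    sockets_by_pid = defaultdict(list)
    for rec in parse_netstat(netstat_text):
        sockets_by_pid[rec["pid"]].append(rec)
    matched = {}
    for pid, socks in sockets_by_pid.items():
        image, services = procs.get(pid, (None, ""))
        matched[pid] = {"image": image, "services": services, "sockets": socks}
    return matched


def find_hidden_names(matched):
    """PIDs whose image name (minus .exe) contains no visible character."""
    hidden = []
    for pid, info in matched.items():
        if info["image"] is None:
            continue                          # PID vanished between the two commands
        stem = re.sub(r"\.exe$", "", info["image"], flags=re.IGNORECASE)
        if not any(ch.isprintable() and not ch.isspace() for ch in stem):
            hidden.append(pid)
    return sorted(hidden)


if __name__ == "__main__":
    matched = match_ports(NETSTAT_OUTPUT, TASKLIST_OUTPUT)
    for pid, info in sorted(matched.items()):
        ports = ", ".join(f'{s["proto"]}/{s["local_port"]}' for s in info["sockets"])
        print(f'PID {pid:>5} {info["image"]!r:14} {ports}  services: {info["services"]}')
    print("PIDs with hidden names:", find_hidden_names(matched))
```

On a real system you would feed the two strings from the actual commands (run one right after the other, since a PID can be reused between them, which is why a PID missing from the process list is reported rather than guessed). Grouping by PID is what makes an svchost.exe instance readable: its four sockets and its service list appear on one line instead of scattered across the Netstat screen.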

Netstat -ano is a good utility for listing open ports, but it has a few drawbacks. It only works on Windows 2003 and Windows XP, and if the user wants to map ports to programs, he must switch between two screens. On systems with many open ports, Netstat can be extremely slow, and it is not as accurate as some of its competitors. Netstat is a command-line utility: it has no user-friendly GUI and does not provide real-time data. It must be re-run whenever you want updated information about a particular port. Finally, Netstat does not display the remote IP addresses and port numbers (otherwise known as endpoints) connected to active UDP ports.

All these problems prompt many users to turn to third-party utilities that display lists of open ports. Let's move on to reviewing products in this category. Next, I will highlight some of the most interesting of them and mention utilities that do not deserve attention.

Utilities for exploring open ports from independent companies

There are many free and commercial tools available, ranging from command-line utilities to professional-looking GUI tools. I tested 10 of these programs on Windows 2000 Professional. The computer had the standard set of services and ports (specifically, ports 135, 137, 138, 139, 445 and 500) characteristic of a newly commissioned system.

I decided to adopt the tactics of Trojan horses that use non-printable characters in their names (so as not to show up in lists of open ports), and made every effort to make the name of the Telnet Server service invisible. Using this trick, attackers hope that administrators who are busy examining long lists of processes will see empty space and not bother to find out what lies behind it. I had to work hard to get the Telnet Server service out of sight. First, using a series of ASCII hex characters (ASCII 32h is the space character), I renamed the tlntsvr.exe file to a name consisting of spaces followed by .exe. Then I modified the registry so that at Windows initialization the file with the new name was launched instead of the usual service file.

In addition, I launched two well-known Trojan horses, Back Orifice 2000 (BO2K) and NetBus, in order to create hostile open ports. I wanted to find out whether the utilities would consider these Trojans suspicious, and at least one of the programs (Port Explorer) did. I was careful to ensure that the same applications and processes were running throughout the tests. In total I had 14 active TCP processes and 7 UDP processes running. Then I launched each test product and ran the tests.

Active Network Monitor

The Active Network Monitor utility, created by SmartLine, is a simple and very effective port checker. It installs without any difficulties and does not require a system reboot. The main window offers a small number of functions, but the product is stable and efficient. Active Network Monitor provides the user with basic information: PIDs, local and remote IP addresses and ports, protocols, and program names including their paths. The utility can export the list of processes to an external .txt or .csv file, comma- or tab-separated. To draw attention to new uses of ports, the utility highlights changes in state with colored markers. Active Network Monitor makes it possible to terminate processes. The default Always on Top setting is a bit annoying. Of course, it is easy to change, but in general this mode interferes with work.

Port Traffic Analyzer

Atelier Web's Port Traffic Analyzer ($32.50) was once one of my favorite tools. It was one of the first graphical utilities for finding open ports. It was easy to install and operate. Unfortunately, when I installed the current version on a test system, Port Traffic Analyzer was unable to detect any port activity, although the installation process seemed to go smoothly. I uninstalled the utility several times and reinstalled it, and I tried rebooting the system, all in vain. On the Atelier Web site, the first (and longest) part of the FAQ section documents installation issues. It seems that most users have problems because the utility uses Microsoft's Layered Service Provider (LSP) API to collect information. Technical support is provided only via the Web, but you can get an answer quickly. As much as I've admired this product in the past, I find it difficult to recommend it now because of the ongoing installation issues.

Fport

Foundstone's free Fport program is perhaps the industry's most commonly recommended command-line port checking utility. It is a reliable and compact product that is also quick to install. Fport lists PIDs, process names, local port numbers, protocols, process executables, and their paths. But although many praise this utility to the skies, it must be said that it lacks some important functions. It cannot list local IP addresses, does not display remote IP addresses and port numbers, and does not show the current state of connections. From a remote computer, I connected to my machine using the BO2K Trojan's client, but Fport did not notice any change. I have seen Fport skip certain open ports before. Fport once served me as a useful supplementary tool, but after getting acquainted with some competing products, I came to the conclusion that in future research I will most likely use a different tool.

Inzider

The most notable feature of Inzider, which is freely distributed by NTSecurity.nu, is its simple uninstall procedure. I started having problems the moment I activated this utility. The interface seemed to me a graphical variation on the theme of the DOS command line window. When I launched the program, the system's performance immediately dropped, and I wondered whether it had frozen. However, after a few minutes, Inzider began displaying a list of processes on the screen. Unfortunately, the first process on this list did not have an open network port; only the PID, process name, and path were provided. Perhaps the utility would have presented the port number or IP address after some time, but I never got a chance to see them. After five minutes, Inzider had shown only two processes, so I aborted.

Obviously, this slowness is due to the unique way Inzider lists processes, a method called DLL injection. Not surprisingly, this technique is not used in any other port checker. After all, even the developers of Inzider note in the documentation that the program functions unstably. Additionally, they acknowledge that Inzider does not examine processes that are started as services. In other words, it turns out that this solution does not achieve much.

Net-Scope

Net-Scope, developed by Delta Design UK, is another outsider. During testing, it listed many processes that were not programs with network connections. The tool missed several port-opening programs, incorrectly registered programs that did not open ports, and reported port usage inaccurately. For example, although Net-Scope included IE among the programs that had open ports during testing, it listed 127.0.0.1 as both the source and the destination IP address. When IE established a connection to the server http://www.google.com, the program displayed neither an active connection nor a remote IP address. Without additional manipulation, the utility's graphical interface displays little. To get detailed information about a particular process, you need to double-click the process icon and wait for the results to appear at the bottom of the screen. Often the right results never appear. The free demo version gives you the right to use the program 15 times, but each screen update counts as one session, so my allotted free uses of the utility were exhausted very quickly.

Port Explorer

Without a doubt, Diamond Computer Systems' (DiamondCS) Port Explorer ($40) is the best port checker in this review. It has a well-designed user interface, is easy to install, is highly stable, provides a wealth of useful information (which the user can easily find), comes with a set of testing tools, and highlights suspicious programs in color. If Port Explorer finds oddities in a program's behavior, its port is marked in red. During testing, the product highlighted the ports of both Trojan horses, BO2K and NetBus. When Port Explorer is activated for the first time after installation, the program's help file opens, which is clearly one of its advantages. This is the only port checker that has its own discussion board. Its developers appear determined to make Port Explorer the best product in its class.

Port Explorer appears to use at least five separate methods to monitor and identify processes: SNMP, LSP, the undocumented Transport Driver Interface (TDI) technique, and both documented and undocumented IPHelper methods. In my tests, Port Explorer was the most accurate tool and was one of only two port checkers that showed remote IP addresses and UDP connections both on screen and in the log.

Port Explorer provides real-time updates on port traffic, but the program can also be configured to pause updates and make the data view static. In addition, the program logs details of everything that happens to a local file that the user can view through the GUI. I subjected Port Explorer to heavy loads, which were usually enough to make Netstat run at a snail's pace or stop altogether, but Port Explorer displayed data for every port immediately upon launch.

Port Explorer's GUI and features are customizable. Depending on the user's wishes, the utility can display the file name or the full path of the program that owns the given port. The latter feature is very convenient when you have to "smoke out" an elusive program. The main window has several columns of data that can be sorted by clicking on the column header; in addition, columns can be dragged with the mouse to different areas of the screen without interrupting the program. Using the tabs at the top of the main screen, the user can choose one of several views. It is possible to customize colors and the refresh rate, and even to select a language. Port Explorer can present information in eight languages; apart from Netstat, this is the only utility for finding open ports that is equipped with such tools. In addition, the program can display network statistics.

Port Explorer includes several diagnostic and test utilities that make it easier to investigate a remote computer. These include Ping, Lookup, Whois, Traceroute, and even a packet sniffer called Socket Spy. By entering the appropriate PIDs, the user can instruct the Socket Spy analyzer to capture the packets of local programs. In addition, you can terminate any process recognized by Port Explorer. Without a doubt, Port Explorer is the fastest, most stable, and most impressive tool I've tested for finding open ports.

OpenPorts

DiamondCS recently released a command-line utility called OpenPorts, which home users and educational users can use free of charge. It works on the same principle as Fport; moreover, the user can enter the fport command in the command line window, and the utility will then display data in the same layout as Fport. In addition, the OpenPorts data presentation format can be changed using the -netstat switch. Curiously, in its standard mode OpenPorts sorts the listed ports by process name, a very convenient feature that lets you see all ports (TCP and UDP) associated with a particular program. To understand how useful this feature is, just imagine a browser connecting to a Web site that contains links to 15 other sites, each of which opens a different port. OpenPorts provides the process name (but not the process path), local IP address and port number, remote IP address and port number, and state information. In addition, this tool can export data to three file formats. And because OpenPorts provides information about remote IP addresses, remote port numbers, and state, this free utility is superior to Foundstone's Fport.

Socket Port Owner

Fly Ya Software's Socket Port Owner ($14.99) provides a little more information than Fport. This product's simple graphical interface reminds me of the main Active Network Monitor window. Socket Port Owner displays PIDs, executable paths, local and remote IP addresses and ports, and protocols. The interface has a Remote Location column in which the program, oddly enough, mistakenly placed my private IP address in Holland (though it is possible that this error is specific to the demo version). The other column, Listen, contains only two values, yes or no, which is hardly the best way to represent state information. Finally, Socket Port Owner does not have a help file.

TCPView

The TCPView utility from Sysinternals (distributed free of charge) is a "Spartan" product without frills. It consists of a single executable. The utility's real-time graphical interface provides the necessary information and displays it where the user needs to see it. The program provides the process name, process ID, protocol, local and remote IP addresses, port numbers, and state information. By clicking on a process's connection icon, the user can get the full path of its executable and take steps to stop the process. To make it easier for the user to track new events, the program highlights them in color.

A free product that provides the basic functions: it would seem nothing could be better. But I must say that during testing, TCPView did not always run reliably on NT Server 4.0. When I tried to save the screen results to a text file, it disappeared or froze. I have encountered similar problems in the past. When installing TCPView on NT 4.0 workstations, instability appeared: in particular, "blue screen" problems arose immediately after the first reboot. However, the program operates stably on modern Windows platforms. Sysinternals and Winternals Software have produced a large number of high-quality freeware and commercial packages, but anyone who decides to use this utility in a Windows NT environment does so at their own risk.

When I started preparing this article, I intended to review TCPView Pro, which has a richer set of functions and is the commercial "cousin" of the TCPView utility. But an evaluation version of this product was never posted on the company's Web site. It appears that TCPView Pro can only be obtained as part of the Administrator's Pak (that is, as part of a set of five utilities).

X-NetStat Professional 4.0

Developed by Fresh Software, X-NetStat Professional 4.0 ($20) is quick and easy to install, but has a clunky graphical interface. It is difficult to work out how to get to the information you need. The top of the screen contains a list of connections, with local and remote addresses, local and remote ports, protocol, and state (which the program's creators label Status). At the bottom of the screen there are several windows, each of which contains an open port (in some cases a UDP port, in others a TCP port). To find out which program uses a given port, you need to right-click one of these windows and select Port Information from the menu that opens. In general, it must be said that the program contains many errors and is inconvenient to use. Its only advantage is that X-NetStat Professional 4.0 provides port-by-port packet header capture, which has proven to be sometimes useful in identifying ports.

I found an announcement on Fresh Software's Web site that version 5.0 of the product would be released in November 2002, but that version never appeared. Instead, the site bombarded me with a whole pile of pop-up advertisements. I believe that the company has stopped working on this product and is trying to profit from other areas of its business.

The best

When looking for programs that can damage your system, it is useful to have on hand a list of open TCP/IP ports, as well as the programs or services that opened them. Netstat has limited capabilities, but it is installed with every version of Windows, so you can always use this tool when trying to find the cause of problems. Unfortunately, it does not make it easy to match an open port to the program that opened it. Still, if necessary, operators of Windows 2003 and Windows XP computers can use the Netstat -ano command and compare its output with the PID list in Task Manager. Those running other Windows platforms will have to look for alternative solutions. Among the products in this comparative review, the strongest contender is DiamondCS with its pair of programs: the GUI-based Port Explorer and the OpenPorts command-line utility. Sysinternals' TCPView is the number-two contender, but only for those who can avoid the stability issues I encountered on the Windows NT platform. Among command-line utilities, an alternative to OpenPorts is Foundstone's Fport. But anyone who deals professionally with network security or systems administration should definitely have a copy of Port Explorer.

Roger Grimes is a consultant on antivirus protection. He holds CPA, MCSE, CNE and A+ certificates and is the author of the book "Malicious Mobile Code: Virus Protection for Windows" (O'Reilly & Associates). His address: [email protected]

UDP and TCP

Almost all programs use one of two protocols for communication: UDP or TCP. TCP is the more efficient tool. It is connection-oriented and provides reliable data transfer. First of all, TCP makes sure that the receiving computer is ready to receive data. The protocol conducts a three-packet negotiation session during which the sender and recipient agree that they are ready to exchange data. To do this, status flags are included in the TCP packet; with their help, the nodes exchange information about the current state of the transmission (start, completion, continuation). TCP traffic is therefore stateful. TCP then makes sure that the data reaches its destination. If the recipient does not acknowledge a packet, TCP automatically retransmits it, usually up to three times. If necessary, TCP splits large packets into smaller ones so that the exchange of information between sender and recipient occurs without the risk of data loss. TCP discards duplicate packets and restores the order of packets that arrive out of order.

UDP is not a connection-oriented protocol. It is better suited to transmitting packets of limited size. UDP has no built-in mechanism to confirm that data has been received or to ensure that it arrives in the order in which it was sent. However, this check is often performed by the application using UDP; it can also ask the sending computer to retransmit lost information. In addition, UDP does not keep state data; therefore, it does not conduct a negotiation session, and UDP packets have no status flags.

Some programs use both protocols, UDP and TCP. For example, the RealAudio server from RealNetworks uses TCP port 7070 to set up the connection for the subsequent download of data to the RealAudio Player client. Once the connection is established, the RealAudio server transmits the data stream through UDP ports 6980 to 7170. Another example: Microsoft DNS uses UDP port 53 for communication between DNS servers. If one DNS server determines that another DNS server is also a Microsoft DNS server, it may decide to switch the connection to TCP port 53 so that it can transfer larger amounts of domain name data.

The Art of Netstat Interpretation

Reading Netstat's five-column output is something of an art. First, pay attention to the Local Address column. As a rule, it will show 0.0.0.0, 127.0.0.1, or the IP address of one of the physical network interfaces (say, a network interface card or a modem). If an application is bound to 0.0.0.0, the program is ready to accept connections on any interface. If an application is bound to a specific IP address, the program intends to accept connections to that port only on that local interface. The address 127.0.0.1 is the local loopback address; an application bound to it will accept only connections initiated on the same computer. The address 127.0.0.1 is often used for remote procedure calls between processes and when connecting to a PDA. In general, 127.0.0.1 connections are safe, because malware never opens only a local connection. Attention should therefore be paid to the remaining connections.

The next step is typically to examine the State column. Sessions in the Listening state must not have remote IP addresses associated with them, whereas sessions in the Established state (or another active state) must have them. Typically the remote IP address is 127.0.0.1 or the address of some external computer. Again, 127.0.0.1 connections can be ignored, but you should focus on active sessions with remote IP addresses. Are there any addresses among them that look unusual to you? If so, match the session to its process PID and investigate that program. Also note the remote destination port number and try to map it to a well-known protocol (e.g. HTTP).

When looking for malware, I recommend paying special attention to the following: unexplained Established connections to remote Internet addresses, unknown TCP ports in the Listening state, and unknown UDP ports. Many UDP ports have a "twin" TCP Listening entry, because the application that opened the port can use either UDP or TCP depending on the situation. If a UDP port has no corresponding TCP entry, investigate it. If the UDP port has a TCP twin, you can make the TCP port the main object of your investigation.
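The triage rules above (ignore loopback, examine Established sessions to remote addresses, unknown TCP Listening ports, and UDP ports without a TCP twin) applied to netstat -ano output, as an added example that is not part of the original article. The netstat sample and the set of already-explained ports are constructed for the example.

```python
"""Triage of Windows `netstat -ano` output along the lines of the text above.

Added example, not code from the original article. The sample output and the
KNOWN_PORTS set are constructed; the rules implement the article's advice.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample in the layout Windows `netstat -ano` prints.
SAMPLE_NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9876           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5354         127.0.0.1:49200        ESTABLISHED     1540
  TCP    192.168.1.10:49311     203.0.113.7:80         ESTABLISHED     2212
  TCP    192.168.1.10:49340     198.51.100.23:8443     ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1088
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:9876           *:*                                    3120
  UDP    0.0.0.0:4444           *:*                                    3120
"""

# Ports the administrator has already accounted for (an assumption for the example).
KNOWN_PORTS = {"TCP": {135, 445}, "UDP": {123, 445}}


def split_endpoint(text):
    """'192.168.1.10:49311' -> ('192.168.1.10', 49311); '*:*' -> ('*', None).

    rpartition keeps IPv6 endpoints such as '[::]:135' intact."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(output):
    """Turn the five-column netstat output into Conn records; header lines are skipped."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:  # UDP lines carry no State column
            proto, local, remote, pid = parts
            state = ""
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def triage(conns, known_ports=KNOWN_PORTS):
    """Return (reason, Conn) pairs for the entries the article says to investigate."""
    findings = []
    tcp_listening = {c.local_port for c in conns
                     if c.proto == "TCP" and c.state == "LISTENING"}
    for c in conns:
        if c.local_ip == "127.0.0.1" or c.remote_ip == "127.0.0.1":
            continue  # loopback traffic is ignored, as the text advises
        if c.proto == "TCP" and c.state == "ESTABLISHED":
            findings.append(("established to remote address", c))
        elif (c.proto == "TCP" and c.state == "LISTENING"
              and c.local_port not in known_ports["TCP"]):
            findings.append(("unknown TCP listening port", c))
        elif c.proto == "UDP" and c.local_port not in known_ports["UDP"]:
            # A UDP port with a TCP twin is covered by examining the TCP side.
            if c.local_port not in tcp_listening:
                findings.append(("UDP port without TCP twin", c))
    return findings


def pids_to_investigate(findings):
    """PIDs to look up in Task Manager, the ones with most findings first."""
    counts = {}
    for _, c in findings:
        counts[c.pid] = counts.get(c.pid, 0) + 1
    return sorted(counts, key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    found = triage(parse_netstat_ano(SAMPLE_NETSTAT_ANO))
    for reason, c in found:
        print(f"PID {c.pid:5d} {c.proto} {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port} {c.state:11s} {reason}")
    print("investigate PIDs:", pids_to_investigate(found))
```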

Trojan Horse Port Resources

Lists of ports used by Trojan horses are useful to have on hand when open ports are suddenly discovered. Such lists can be found at the following addresses:



This article is, to some extent, devoted to security. I recently wondered how to check which applications are using the Internet connection, where traffic can flow, which addresses the connection goes through, and so on. Other users ask this question too.

Let's say you have an access point to which only you are connected, but you notice that the connection speed is somehow low; you call your provider, and they say everything is fine, or something like that. What if someone is connected to your network? You can try the methods in this article to find out which Internet-using programs he runs. In general, you can use these methods however you like.

Well, shall we analyze?

netstat command for analyzing network activity

This method does not require any extra programs; we just need the command line. Windows has a special utility, netstat, which handles network analysis, so let's use it.

It is advisable to run the command line as an administrator. In Windows 10, you can right-click on the Start menu and select the appropriate item.

At the command line, enter the netstat command and you will see a lot of interesting information:


We see connections, including their ports and addresses, and active and pending connections. This is certainly nice, but it is not enough for us. We would like to find out which program is using the network; for this we can use the -b parameter together with the netstat command, so the command looks like this:

netstat -b

Now the program that uses the Internet will be shown in square brackets.


This is not the only parameter of this command; to display the complete list, enter the command netstat -h.


But, as practice shows, many command line utilities do not provide the information we would like to see, and they are not that convenient. As an alternative, we will use third-party software: TCPView.

Monitoring Network Activity with TCPView

You can download the program from here. You don't even need to install it; just unpack it and run the utility. It is also free. It does not support the Russian language, but that is not really needed: from this article you will understand how to use it.

So, the TCPView utility monitors the network and shows, as a list, all programs, ports, addresses and connections on the network.


In principle, everything here is clear, but I will explain some points of the program:

  • The Process column, of course, shows the name of the program or process.
  • The PID column shows the ID of the process connected to the network.
  • The Protocol column shows the protocol used by the process.
  • The Local address column is the local address of the process on this computer.
  • The Local port column is the local port.
  • The Remote address column shows the address to which the program is connected.
  • The State column shows the connection state.
  • The Sent Packets and Rcvd Packets columns show the number of packets sent and received; the Bytes columns do the same for bytes.

You can also right-click a process in the program to terminate it or to see where it is located.

Host names, as shown in the image below, can be switched to numeric addresses by pressing the hotkey Ctrl+R.



Other fields will change too: protocols and domains.

If you see lines of different colors, for example green, this means a new connection has started; if red appears, the connection has ended.

Those are all the basic settings of the program; there are also minor options, such as setting the font and saving the connection list.

If you liked this program, then by all means use it. Experienced users will certainly find purposes for it.

Hello everyone. Earlier I started a series about the system administrator's network utilities in the article “The pathping utility, or how to diagnose a problem on the route to a site. Network utilities, part 3”; let's move on and look at another utility, netstat, or how to determine which ports your computer is listening on. This program is an irreplaceable tool in the toolkit of any system engineer; it helps to quickly diagnose a situation and detect a range of problems with services and their availability.

netstat commands

Netstat displays active TCP connections, ports the computer is listening on, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols).

Imagine a situation where you have installed, for example, the LSI MSM utility to view the parameters of a RAID controller; you run the utility, but it finds nothing because the port is closed, and you do not know which one, and it is not always possible to find this information on the Internet quickly. In this case you can run netstat and see which port your server's MSM process is listening on.

Open the Windows command line and enter netstat ?. The utility's help will appear.

C:\Users\sem>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-x] [-t]
[interval]

  • -a Displays all connections and listening ports.
  • -b Display the executable file involved in creating each connection or listening port. Sometimes known executable files contain many independent components. In that case the sequence of components involved in creating the connection or listening port is displayed: the name of the executable file is at the bottom in brackets, above it is the component it called, and so on until TCP/IP is reached. Note that this option can be time consuming and requires sufficient permissions.
  • -e Display Ethernet statistics. Can be used in conjunction with the -s option.
  • -f Display the fully qualified domain name (FQDN) for external addresses.
  • -n Display addresses and port numbers in numeric format.
  • -o Display the process ID of each connection.
  • -p protocol Display connections for the protocol specified by this parameter. Valid values: TCP, UDP, TCPv6 or UDPv6. When used in conjunction with the -s option to display protocol statistics, valid values are: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  • -r Display the contents of the route table.
  • -s Display protocol statistics. By default, statistics are displayed for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6 protocols. The -p option allows you to specify a subset of the output.
  • -t Display the offload status for the current connection.
  • -x Displays NetworkDirect connections, listeners, and common endpoints.
  • -y Display the TCP connection template for all connections. Cannot be used in conjunction with other options.
  • interval Redisplay the selected statistics, pausing between displays for the number of seconds given by interval. Press CTRL+C to stop. If this parameter is omitted, netstat prints the current configuration information once.

Let's look at the interesting switches of the netstat utility. The first thing we enter is netstat -e, and statistics on Ethernet packets appear on the screen.

If we add the -s switch, we get statistics by protocol.

It is very useful to see everything your host is listening on; for this we type netstat -a.

The command output contains the protocol type, TCP or UDP, the local address with the listening port, the foreign address with its port, and the connection state.

To fully understand the information this command provides, you need to understand how connections are established in the TCP/IP protocol. Here are the main steps in establishing a TCP/IP connection:

1. When attempting to establish a connection, the client sends a SYN message to the server.

2. The server responds with its own SYN message and an acknowledgment (ACK).

3. The client then sends an ACK message back to the server, completing the connection setup process.

The disconnection process consists of the following steps:

1. The client says "I'm done" by sending a FIN message to the server. From this point the client only receives data from the server and does not send anything itself.

2. The server then sends an ACK message and sends its own FIN message to the client.

3. The client then sends an ACK message to the server, acknowledging the server's FIN.

4. When the server receives an ACK message from the client, it closes the connection.

Understanding the steps of connection setup and termination lets you interpret the connection states in netstat output more transparently. Connections in the list can be in the following states:

  • CLOSE_WAIT - indicates the passive phase of closing a connection, which begins after the server receives a FIN message from the client.
  • CLOSED - the connection was interrupted and closed by the server.
  • ESTABLISHED - the client has established a connection to the server after receiving a SYN message from the server.
  • FIN_WAIT_1 - the client has initiated closing the connection (sent a FIN message).
  • FIN_WAIT_2 - the client has received ACK and FIN messages from the server.
  • LAST_ACK - the server has sent a FIN message to the client.
  • LISTEN - the server is ready to accept incoming connections.
  • SYN_RECEIVED - the server has received a SYN message from the client and sent it a response.
  • TIME_WAIT - the client has sent a FIN message to the server and is waiting for a response to this message.
  • SYN_SENT - the specified connection is active and open.

If you add the -f switch, the names of remote external resources will be resolved.

Sometimes, when running any system, be it a home PC or a powerful server serving many connections, it is useful to have a tool on hand that displays network activity. Why might this be needed? To identify applications, or users, that access the Internet without authorization. This is exactly what the utility under consideration does.

What is Netstat?

This is an application that lets you find out what is currently happening on the network. It is started from the command line, and Netstat also accepts additional switches and parameters at startup.

It is worth noting that the name of the utility is formed from two parts, network statistics, which is logical. Among the information the program shows are statistics on TCP connections, ports and routing.

Commands and Keys

The syntax of the command's switches and parameters is quite extensive. This allows you to obtain network statistics at a variety of levels. Below is a description of the Netstat command, its parameters and switches:

  • -a - displays all active TCP connections, as well as the TCP and UDP ports the system is listening on;
  • -e - displays extended Ethernet statistics, such as bytes and packets sent and received;
  • -n - shows active TCP connections with addresses and port numbers in numeric form;
  • -o - like the previous switch, displays active TCP connections, but adds the process ID to each entry, so you can determine exactly which application is using the connection;
  • -p - displays information for the specific protocol given as the parameter. Values may include tcp, udp, tcpv6 and udpv6;
  • -s - displays protocol statistics; by default, all known types are displayed;
  • -r - displays the contents of the IP routing table; this switch is equivalent to the route command;
  • interval - on the command line you can give the interval, in seconds, at which the selected statistics are redisplayed; if it is omitted, the information is displayed only once;
  • /? - displays help for the Netstat command.

Using Netstat on Windows

To display all connections on the command line screen, spreading them over several pages, use the following syntax: "netstat -a | more". If you need to save all statistics to a specific file, use "netstat -a > C:\filename". All collected information is then written to the file at that path.

The result is a small table containing the following kinds of data:

  • Name. The name of the active protocol found.
  • Local address. The IP address and port used by the local service for the connection. The values may include 0.0.0.0, meaning any available address, or 127.0.0.1, which indicates the local loopback.
  • External address. IP address and port of the external service on the network to which the connection is established.
  • State. Shows the current connection state, which can take different values. For example, Listening indicates that the service is "listening" and waiting for an incoming connection; Established means an active connection.

Netstat launched with the -a and -b switches shows all network connections and the programs associated with them. This is very convenient if you need to figure out which program is actively using traffic and where it is sending data.

Additional connection states

In addition to the above connection states, there are additional ones:

  • closed - as the name suggests, the connection is closed;
  • syn_sent - an active attempt to establish a connection is in progress;
  • syn_received - the initial stage of synchronization;
  • close_wait - the remote side has disconnected and the connection is being closed.

Using Netstat on Linux

Using the utility in a Linux environment is in fact not much different from Windows. There are only slight differences in the command parameters. A description of the Netstat command and its parameters, with examples:

  • To display all ports, use the command netstat -a.
  • The same, but TCP only: netstat -at.
  • UDP ports: netstat -au.
  • Display listening ports: netstat -l. Their state is shown as Listening.
  • Display listening TCP ports: netstat -lt.
  • Display the process ID and name: netstat -p.
  • Show statistics per protocol: netstat -s.

Sometimes, to get more complete information about a network connection, you need to combine Netstat with other Linux commands and utilities. For example:

netstat -ap | grep ssh

This line displays the list of ports currently used by SSH. If, on the other hand, you want to find out which process is occupying a specific port, use the following syntax:

netstat -an | grep ':80'

There is also a universal set of switches for Netstat on Linux that displays everything you need at once: netstat -lnptux. The output covers all TCP, UDP and UNIX socket listeners, with process names and their identifiers.

Some examples to identify a DoS or DDoS attack

The following command shows how many connections are active from each IP address:

netstat -naltp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort -n | uniq -c

We identify a large number of requests from one IP address:

netstat -na | grep :80 | sort

We determine the exact number of connection requests received (SYN_RECV):

netstat -np | grep SYN_RECV | wc -l

During a DoS attack, the number produced by this command will be quite large. In any case, it depends on the specific system: on one server it may be one value, on another a different one.
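The three checks above (ESTABLISHED connections per remote address, requests to one local port, and the SYN_RECV count) carried out in Python over netstat -natp output, as an added example that is not part of the original article. The sample output and the thresholds are constructed for the example; the per-address count takes the same field as the awk step but does not break on the colons in IPv6 addresses.

```python
"""Connection-flood indicators from Linux `netstat -natp` output.

Added example, not code from the original article. SAMPLE_NETSTAT_NATP and the
thresholds in flood_indicators() are constructed/assumed for the example.
"""
from collections import Counter

SAMPLE_NETSTAT_NATP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/nginx
tcp        0      0 10.0.0.5:80             203.0.113.9:51234       ESTABLISHED 1201/nginx
tcp        0      0 10.0.0.5:80             203.0.113.9:51240       ESTABLISHED 1201/nginx
tcp        0      0 10.0.0.5:80             203.0.113.9:51251       ESTABLISHED 1201/nginx
tcp        0      0 10.0.0.5:80             198.51.100.4:40022      ESTABLISHED 1201/nginx
tcp        0      0 10.0.0.5:80             203.0.113.77:1025       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.78:1026       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.79:1027       SYN_RECV    -
tcp        0      0 10.0.0.5:22             192.0.2.10:55120        ESTABLISHED 812/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
"""


def parse_netstat_natp(output):
    """Return (proto, local, remote, state) per socket line; header lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, _recvq, _sendq, local, remote, state = parts[:6]
        rows.append((proto, local, remote, state))
    return rows


def remote_host(endpoint):
    """Strip the port: '203.0.113.9:51234' -> '203.0.113.9', ':::*' -> '::'.

    Same intent as `awk -F: '{print $1}'`, but safe for IPv6 endpoints."""
    host, _, _port = endpoint.rpartition(":")
    return host


def established_per_ip(rows, local_port=None):
    """ESTABLISHED connections per remote address (the grep/awk/sort/uniq pipeline);
    pass local_port to restrict to one service, like the `grep :80` step."""
    counter = Counter()
    for _proto, local, remote, state in rows:
        if state != "ESTABLISHED":
            continue
        if local_port is not None and not local.endswith(f":{local_port}"):
            continue
        counter[remote_host(remote)] += 1
    return counter


def half_open_count(rows):
    """Number of half-open connections (the `grep SYN_RECV | wc -l` step)."""
    return sum(1 for _p, _l, _r, state in rows if state == "SYN_RECV")


def flood_indicators(rows, per_ip_threshold=3, half_open_threshold=3):
    """Remote addresses and half-open count that exceed the thresholds.

    Baselines differ per system, as the text notes, so the thresholds are
    parameters to be tuned against a quiet period rather than constants."""
    noisy = {ip: n for ip, n in established_per_ip(rows).items()
             if n >= per_ip_threshold}
    half_open = half_open_count(rows)
    return {"noisy_ips": noisy, "half_open": half_open,
            "half_open_alert": half_open >= half_open_threshold}


if __name__ == "__main__":
    rows = parse_netstat_natp(SAMPLE_NETSTAT_NATP)
    for ip, n in established_per_ip(rows).most_common():
        print(f"{n:7d} {ip}")
    print(flood_indicators(rows))
```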

Conclusion

Whatever operating system it is used on, the command is an indispensable tool for scanning, analyzing and debugging the network. It is actively used by system administrators all over the world.

Netstat can be used when the system is infected with some kind of malware. It can show all applications with a lot of suspicious network activity. This helps identify malicious software at an early stage and neutralize it, or protect the server from unwanted intrusion by attackers.

Conclusions

The article gave a detailed description of the Netstat command and its parameters and switches. Full use of the program comes after some practice on a real device. Combining it with other commands makes it even more effective. A complete description of Netstat commands can be found in the manual on the utility's official website. It is also worth noting that in a Linux environment the netstat command is deprecated and it is strongly recommended to use ss instead.

Laboratory work No. 03-005

Netstat network utility. Operating principles and use.

The utility displays active and listening TCP ports, Ethernet statistics, IP routing tables, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Run without parameters, netstat displays active TCP connections.

Syntax:

netstat [-a] [-e] [-n] [-o] [-p protocol] [-r] [-s] [interval].

Parameters:

-a displays all active TCP connections and the TCP and UDP ports the computer is listening on;

-b displays the executable files involved in creating active connections. If independent software components are used to create the socket, they are also displayed;

-e displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with the -s switch;

-n displays active TCP connections, showing addresses and port numbers in numeric format without attempting to resolve names;

-o lists active TCP connections and includes the process ID (PID) of each connection. The PID lets you find the application on the Processes tab of Windows Task Manager. This parameter can be combined with the -a, -n and -p switches;

-p protocol displays connections for the protocol given by protocol. Here protocol can be tcp, udp, tcpv6 or udpv6. If this parameter is used with the -s switch to display protocol statistics, protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6;

-r displays the contents of the IP routing table. This is equivalent to the command route print;

-s displays protocol statistics. By default, statistics are shown for the TCP, UDP, ICMP and IP protocols. If IPv6 is installed on Windows XP, statistics are also shown for TCP over IPv6, UDP over IPv6, ICMPv6 and IPv6. The -p parameter can be used to specify a subset of protocols;

-v used together with -b, displays the sequence of software components involved in creating a socket;

interval refreshes the selected data every interval seconds. Pressing CTRL+C stops the refresh. If this parameter is omitted, netstat displays the selected data only once.

/? displays help on the command line.

At the network level in the TCP/IP protocol stack, addressing is carried out using IP addresses. But after the packet is delivered via the IP protocol to the recipient computer with the given IP address, the data must be sent to a specific recipient application process. Each computer can run multiple processes, and an application process can have multiple entry points that simultaneously act as data recipients.

The communication needs of application processes are served by the transport layer of the protocol stack, implemented in software in the operating system kernel, as a separate user process, or as a library module loaded by a network application. Packets arriving at the transport layer are organized by the operating system into a set of queues to the entry points of the various application processes. In TCP/IP terminology, such system queues are called ports. A port is a software concept used by a client or server to send or receive messages; a port is identified by a 16-bit number. Thus, the destination address used by the transport entity is the port identifier (number) of the application service. The port number, together with the network number and the end-node number, uniquely identifies the application process on the network. This set of identifying parameters is called a socket.

Port numbers are assigned to application processes either centrally, if the processes are popular public services (for example, number 21 is assigned to the FTP remote file access service and 23 to the telnet remote control service), or locally, for services that have not yet become widespread enough to be assigned standard (reserved) numbers. Centralized assignment of port numbers to services is performed by the Internet Assigned Numbers Authority (IANA). These numbers are then fixed and published in Internet standards.

With local port number assignment, the application developer simply associates any available, arbitrarily chosen numeric identifier with the application, making sure it is not one of the reserved port numbers. Thereafter, all remote requests to this application from other applications must be addressed using the port number assigned to it.

Before attempting to establish a connection with a remote application server, the client initiating the connection asks its OS for a free port number. Ports numbered 0-1023 are usually called privileged; almost all of them are reserved and are not allocated to client processes. This does not mean that there are no assigned port numbers above that range, but they are used much less frequently and, when free on a given host, may well be handed to a client program.

UDP (User Datagram Protocol) is a simple datagram-oriented transport layer protocol: a process issues one UDP datagram at a time, resulting in one IP datagram being transmitted. The protocol does not establish a connection and does not confirm to the sender that the message has been delivered.

TCP (Transmission Control Protocol) provides a connection-oriented, reliable byte-stream service. It is used where guaranteed delivery of messages is required. It uses packet checksums to verify packet integrity and relieves application processes of the need to handle timeouts and retransmissions to ensure reliability.

The term connection-oriented means that two applications using TCP (typically a client and a server) must establish a TCP connection with each other before they can exchange data.

There are always two endpoints, which communicate with each other using a TCP connection. TCP does not do broadcasts or multicasts.

The steps required to establish and terminate a TCP connection can be represented as a model with 11 possible states:

  • CLOSED - Closed. The connection is not active and is not in the process of being established.
  • LISTEN - Waiting. The server is waiting for an incoming request.
  • SYN RCVD - A connection request has arrived. Waiting for confirmation.
  • SYN SENT - Connection request sent. The application has started opening a connection.
  • ESTABLISHED - Established. Normal data transmission state.
  • FINWAIT 1 - The application has reported that it has nothing more to transfer.
  • FINWAIT 2 - The other party agrees to terminate the connection.
  • TIME WAIT - Wait until all packets disappear from the network.
  • CLOSING - Both parties attempted to close the connection at the same time.
  • CLOSE WAIT - The other party has initiated a disconnect.
  • LAST ACK - Wait until all packets disappear from the network.

In each of these states, allowed and prohibited events can occur. In response to any allowed event, a specific action can be taken. When prohibited events occur, an error is reported.

Each connection starts in the CLOSED state. It can leave this state by making either an active (CONNECT) or a passive (LISTEN) attempt to open a connection. If the other side performs the complementary action, the connection is established and enters the ESTABLISHED state. Either party can initiate termination of the connection. Once the disconnection process is complete, the connection returns to the CLOSED state.
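The 11-state model above, together with the three-step open and four-step close described in the netstat states section earlier on this page, as a small state machine in Python. This is an added example, not part of the lab text; the event names (CONNECT, LISTEN, CLOSE, RCV_SYN, RCV_SYN_ACK, RCV_ACK, RCV_FIN, TIMEOUT) are my own, and any event not in the table is treated as a prohibited event that reports an error, as the text describes.

```python
"""The 11-state TCP connection model as a transition table.

Added example, not part of the original lab text. Event names are assumed
for the example; the transitions follow the standard TCP state diagram.
"""

STATES = {"CLOSED", "LISTEN", "SYN_RCVD", "SYN_SENT", "ESTABLISHED",
          "FIN_WAIT_1", "FIN_WAIT_2", "TIME_WAIT", "CLOSING",
          "CLOSE_WAIT", "LAST_ACK"}

# (current state, event) -> next state. Anything not listed is a prohibited event.
TRANSITIONS = {
    ("CLOSED", "LISTEN"): "LISTEN",              # passive open
    ("CLOSED", "CONNECT"): "SYN_SENT",           # active open: client sends SYN
    ("LISTEN", "RCV_SYN"): "SYN_RCVD",           # server answers with SYN+ACK
    ("SYN_SENT", "RCV_SYN_ACK"): "ESTABLISHED",  # client sends the final ACK
    ("SYN_RCVD", "RCV_ACK"): "ESTABLISHED",      # handshake complete on the server
    ("ESTABLISHED", "CLOSE"): "FIN_WAIT_1",      # active close: send FIN
    ("ESTABLISHED", "RCV_FIN"): "CLOSE_WAIT",    # passive close: peer sent FIN
    ("FIN_WAIT_1", "RCV_ACK"): "FIN_WAIT_2",     # our FIN was acknowledged
    ("FIN_WAIT_1", "RCV_FIN"): "CLOSING",        # simultaneous close
    ("FIN_WAIT_2", "RCV_FIN"): "TIME_WAIT",      # peer's FIN arrived; we ACK it
    ("CLOSING", "RCV_ACK"): "TIME_WAIT",
    ("CLOSE_WAIT", "CLOSE"): "LAST_ACK",         # application closes; send FIN
    ("LAST_ACK", "RCV_ACK"): "CLOSED",
    ("TIME_WAIT", "TIMEOUT"): "CLOSED",          # wait for old packets to die off
}


class ProhibitedEvent(Exception):
    """Raised for an event that is not allowed in the current state."""


def step(state, event):
    """Apply one event; a prohibited event is reported as an error."""
    try:
        return TRANSITIONS[(state, event)]
    except KeyError:
        raise ProhibitedEvent(f"{event} is not allowed in state {state}") from None


def walk(events, start="CLOSED"):
    """Apply events in order and return every state visited, starting with `start`."""
    states = [start]
    for event in events:
        states.append(step(states[-1], event))
    return states


# Client side of the three-step open (SYN, SYN+ACK, ACK) and the four-step close
# described in the text: FIN, ACK+FIN from the server, ACK, then the TIME_WAIT timer.
CLIENT_EVENTS = ["CONNECT", "RCV_SYN_ACK", "CLOSE", "RCV_ACK", "RCV_FIN", "TIMEOUT"]
# Server side of the same exchange.
SERVER_EVENTS = ["LISTEN", "RCV_SYN", "RCV_ACK", "RCV_FIN", "CLOSE", "RCV_ACK"]

if __name__ == "__main__":
    print("client:", " -> ".join(walk(CLIENT_EVENTS)))
    print("server:", " -> ".join(walk(SERVER_EVENTS)))
```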

Self-test questions

    Port as a transport layer addressing element. Socket.

    Locally and centrally assigned ports.

    Basic transport layer protocols of the TCP/IP stack. Their brief description.

    Mapping network connections to processes running on a computer.

    Netstat utility parameters.

Required Equipment

An IBM PC-compatible computer with a licensed Windows operating system, a local network connection and Internet access.

Tasks

Before starting the tasks, restart your computer and do not launch any applications.

1. Using the netstat command, view the Ethernet connection statistics.

2. Using the netstat command, view the statistics of network protocols.

3. Using the netstat command, view the statistics of the ICMP protocol (the output should contain data only for this protocol).

4. Use the netstat command to view a list of all TCP connections and UDP listening ports.

5. Launch your browser and establish a connection to any site. Repeat the previous task and comment on the result.

6. Using the netstat command, identify any 5 processes listening on UDP ports. Give the names of the processes and the numbers of the listening ports.

7. Using the netstat command, determine the active TCP connections, their port numbers, and the names of the executable files of the applications using these connections.

Submit a report on the completed work in printed or electronic form, with screenshots of the utility's operation.