Dr. Erdal Ozkaya

Netstat for Security Professionals -2021

Erdal, 2021-06-19

This article was originally posted in 2012, right after my Microsoft TechEd New Zealand session. The screenshots have been updated.

This article is all about the netstat (network statistics) command and how it can help you check the details of your network connections. It is used to display very detailed information about how your computer is communicating with other computers or network devices.

The netstat command can display details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which can help troubleshoot certain kinds of networking issues. netstat can also help you see whether any suspicious activity is happening on your computer, such as information being sent out to a command and control center. Because these activities happen over the network, looking at network statistics is key for any security professional.

netstat: Displays the status of active TCP and UDP ports.

netstat -a: Displays all active connections and listening ports.

netstat -b: Displays the executable program’s name involved in creating each connection or listening port.

netstat -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

netstat -es

netstat -f: Displays fully qualified domain names (FQDN) for foreign addresses.

netstat -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

netstat -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.

netstat -ano

netstat -r: Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)

netstat -s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols.

netstat -v: When used in conjunction with -b, it will display the sequence of components involved in creating the connection or listening port for all executables.

netstat -vb

netstat -na

netstat -ano 5 (the 5 indicates the refresh rate: in this example the output refreshes every 5 seconds; if you change 5 to 3, it will refresh every 3 seconds)

netstat -sp

Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

netstat -sp tcp

netstat -sp IP

This command will show you how many connections are opened by a particular connection.

netstat -rn

This command will list your network interfaces as well as the routing table.

netstat -e -t 5

This command will display your network interface statistics.


netstat -n -p TCP

If you believe you are under a SYN flood attack, this command can help you gather evidence. Be aware that it will only show such evidence if connections in the SYN_RECV state are displayed; if not, check your firewall or other network devices to verify your suspicions.
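An added example (not from the original article) covering both the netstat -ano passage and the SYN flood check above: a Python parser for saved netstat -ano or netstat -n -p TCP output that lists which PIDs hold ESTABLISHED connections to addresses outside private ranges and counts half-open connections per local port. The sample output is constructed, the function names and the threshold of 3 are assumptions, and numeric (-n) addresses are assumed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` output (documentation addresses, not a real capture).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.25:443       ESTABLISHED     5120
  TCP    192.168.1.10:49713     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:80        198.51.100.7:40211     SYN_RECEIVED    4
  TCP    192.168.1.10:80        198.51.100.8:40212     SYN_RECEIVED    4
  TCP    192.168.1.10:80        198.51.100.9:40213     SYN_RECEIVED    4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2212
"""
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}  # Windows spelling; Linux net-tools spelling
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10")]

def parse_netstat(text):
    """Return one dict per TCP/UDP row; works with or without the -o PID column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, -b process line or blank line
        pid = int(f[-1]) if f[-1].isdigit() else None
        state = (f[3:-1] if pid is not None else f[3:]) or [""]  # UDP rows have no state
        laddr, _, lport = f[1].rpartition(":")  # split on the last colon so IPv6 survives
        raddr, _, rport = f[2].rpartition(":")
        rows.append({"proto": f[0], "laddr": laddr.strip("[]"), "lport": lport,
                     "raddr": raddr.strip("[]"), "rport": rport, "state": state[0], "pid": pid})
    return rows

def external_by_pid(rows):
    """PID -> remote endpoints of ESTABLISHED connections that leave private address space."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "ESTABLISHED" and not any(
                ipaddress.ip_address(r["raddr"]) in n for n in INTERNAL):
            out[r["pid"]].add(f'{r["raddr"]}:{r["rport"]}')
    return {pid: sorted(eps) for pid, eps in out.items()}

def half_open_by_port(rows, threshold=3):
    """Local ports with at least `threshold` half-open connections (SYN flood evidence)."""
    counts = Counter(r["lport"] for r in rows if r["state"] in HALF_OPEN)
    return {port: n for port, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(external_by_pid(parse_netstat(SAMPLE)), half_open_by_port(parse_netstat(SAMPLE)))
```

The PIDs returned by external_by_pid can then be looked up in Task Manager as the article describes for netstat -o.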


To read more articles like this one:

https://www.erdalozkaya.com/category/how-to/

PS: What is netstat?

Netstat — derived from the words network and statistics — is a program that’s controlled via commands issued in the command line. It delivers basic statistics on all network activities and informs users on which ports and addresses the corresponding connections (TCP, UDP) are running and which ports are open for tasks. In 1983, netstat was first implemented into the Unix derivative BSD (Berkeley Software Distribution), whose version 4.2 supported the first internet protocol family, TCP/IP. netstat has been integrated into Linux since its debut in 1991 and has been present in Windows since the appearance of version 3.11 (1993), which could also communicate via TCP/IP with the help of extensions. While the parameters of netstat’s commands (as well as their outputs) differ from system to system, when it comes to their functions, the various implementations are very similar.

Essentially, netstat is a command line program and for this reason doesn’t feature a graphical user interface. Programs like TCPView, which was developed by the Microsoft division Windows Sysinternals, make it possible for statistics to be displayed graphically.

How do you use netstat?

In Windows operating systems, you can use the netstat services via the command line (cmd.exe). You can find them in the start menu under “All Programs” -> “Accessories” -> “Command Prompt“. Alternatively, you can search directly for “Command Prompt” in the start menu’s search field or start the command line via “Run” (Windows key + press “R” and enter “cmd”). The syntax of the netstat commands follows the following pattern:

netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p Protocol] [-r] [-s] [-t] [-x] [-y] [Interval]

The combination of the individual options works by stringing the individual parameters together, each separated by a space:

netstat [-OPTION1] [-OPTION2] [-OPTION3] …

The parameters are typically preceded by a hyphen (-), but if you want to combine several options, you only have to place this hyphen in front of the first element. Instead of the variant shown above, you can also link different parameters as follows:

netstat [-OPTION1][OPTION2][OPTION3] …

In this case, it is important that you do not leave any spaces between the individual netstat options.

netstat commands for Windows

| [OPTION] | Command | Description |
|---|---|---|
| | netstat | Standard listing of all active connections |
| -a | netstat -a | Displays all active ports |
| -b | netstat -b | Displays the executable file of a connection or listening port (requires administrator rights) |
| -e | netstat -e | Shows statistics about your network connection (received and sent data packets, etc.) |
| -f | netstat -f | Displays the fully qualified domain name (FQDN) of remote addresses |
| -i | netstat -i | Brings up the netstat overview menu |
| -n | netstat -n | Numerical display of addresses and port numbers |
| -o | netstat -o | Displays the process identifier (PID) associated with each displayed connection |
| -p Protocol | netstat -p TCP | Displays the connections for the specified protocol, in this case TCP (also possible: UDP, TCPv6, or UDPv6) |
| -q | netstat -q | Lists all connections, all listening TCP ports, and all open TCP ports that are not listening |
| -r | netstat -r | Displays the IP routing table |
| -s | netstat -s | Retrieves statistics about the important network protocols such as TCP, IP, or UDP |
| -t | netstat -t | Shows the download status (TCP download to relieve the main processor) of active connections |
| -x | netstat -x | Informs about all connections, listeners, and shared endpoints for NetworkDirect |
| -y | netstat -y | Displays which connection templates were used for the active TCP connections |
| Interval | netstat -p 10 | Displays the respective statistics again after a selected number of seconds (here 10); can be combined as required (here with -p); [CTRL] + [C] ends the interval display |
