Lesson Plans/Netstat
Overview
Netstat is a program that reports basic statistics on network activity and shows which ports and addresses the corresponding connections (TCP, UDP) are using and which ports are open and waiting for connections. It is an important command to know for the Cyberpatriot competition on both Ubuntu and Windows images because it shows you which ports are listening. A listening port indicates running software, which may or may not be on the authorized software list, and may also reveal a backdoor, which should be removed as part of the competition.
Netstat for Windows
The netstat command is run as follows:
netstat [-OPTION1] [-OPTION2] [-OPTION3] ...
The options are also known as "flags" that specify what you want netstat to display. For the Cyberpatriot competition, the most commonly used options will be as follows:
- -a Displays all active ports
- -b Displays the executable file of a connection or listening port
- -n Numerical display of addresses and port numbers
- -o Displays the process identifier (PID) associated with each displayed connection
- -q Lists all connections, all listening TCP ports, and all open TCP ports that are not listening
- -x Informs about all connections, listeners and shared endpoints for NetworkDirect
As an example, if you wanted to query all open ports and active connections (including process ID) in numeric form, you would use the command:
netstat -ano
You should run Netstat on a Windows system prior to the competition so that you understand which listeners will always be there versus which ones are unique to your image. As an example, you will see ports 139 (NetBIOS) and 445 (Samba) on almost every Windows system you run netstat on. The List of TCP and UDP Port Numbers Wikipedia page is an excellent reference for common ports and what they are used by.
Netstat for Linux
The netstat command is run as follows:
netstat [-OPTION1] [-OPTION2] [-OPTION3] ...
The options are also known as "flags" that specify what you want netstat to display. For the Cyberpatriot competition, the most commonly used options will be as follows:
- -a Show both listening and non-listening sockets
- -l List only the listening ports
- -p Display the process ID (PID) and program names
- -n Show numerical addresses instead of trying to determine symbolic host, port or user names
- -t Display TCP sockets
- -u Display UDP sockets
As an example, if you wanted to query all listening TCP ports (including process ID) in numeric form, you would use the command:
netstat -lntp
You should run Netstat on a Linux system prior to the competition so that you understand which listeners will always be there versus which ones are unique to your image. As an example, you will see ports 53 (DNS) and 22 (SSH) on almost every Linux system you run netstat on. The List of TCP and UDP Port Numbers Wikipedia page is an excellent reference for common ports and what they are used by.
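The baseline comparison described above can be scripted. The following is an added example, not part of the original lesson: it filters netstat -lntp output down to listeners whose port is not in a list of expected ports. The function names, the sample output and the process names in it are constructed for illustration; the baseline of ports 22 and 53 is the one mentioned above.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -lntp` output (not from a real host).
sample_output() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      845/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1201/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      845/sshd
tcp6       0      0 :::4444                 :::*                    LISTEN      2390/nc
EOF
}

# unexpected_listeners PORT...
# Reads `netstat -lntp` output on stdin and prints "port address pid/program"
# for every listening TCP socket whose port is not in the baseline PORT list.
unexpected_listeners() {
    awk -v baseline="$*" '
        BEGIN {
            n = split(baseline, b, " ")
            for (i = 1; i <= n; i++) ok[b[i]] = 1
        }
        # Skip the two header lines; keep only TCP sockets in LISTEN state.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr
            sub(/.*:/, "", port)   # text after the last colon, so IPv6 works too
            if (!(port in ok)) print port, addr, $7
        }
    '
}

# Compare the sample against the baseline of ports seen on almost every image.
# On a live system: sudo netstat -lntp | unexpected_listeners 22 53
sample_output | unexpected_listeners 22 53
```

Each line printed is a listener to check against the authorized software list; without root privileges the PID/Program column shows "-" for sockets owned by other users.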