Lesson Plans/Netstat
Overview
Netstat is a program that reports basic statistics on network activity and shows which ports and addresses the corresponding connections (TCP, UDP) are using and which ports are open. It is an important command to know for the Cyberpatriot competition on both Ubuntu and Windows images because it shows you which ports are listening. A listening port indicates running software, which may or may not be on the authorized software list, and may also indicate a backdoor that should be removed as part of the competition.
Netstat for Windows
The netstat command is run as follows:
netstat [-OPTION1] [-OPTION2] [-OPTION3] ...
The options are also known as "flags" that specify what you want netstat to display. For the Cyberpatriot competition, the most commonly used options will be as follows:
-a  Displays all active ports
-b  Displays the executable file of a connection or listening port
-n  Numerical display of addresses and port numbers
-o  Displays the process identifier (PID) associated with each displayed connection
-q  Lists all connections, all listening TCP ports, and all open TCP ports that are not listening
-x  Informs about all connections, listeners and shared endpoints for NetworkDirect
As an example, if you wanted to query all open ports and active connections (including process ID) in numeric form, you would use the command:
netstat -ano
You should run Netstat on a Windows system prior to the competition so that you understand which listeners will always be there versus which ones are unique to your image. As an example, you will see ports 139 (NetBIOS) and 445 (Samba) on almost every Windows system you run netstat on. The following Wikipedia page is an excellent reference for common ports and what they are used by:
[[1]]
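The baseline comparison described above can be scripted. The following PowerShell is an added example, not part of the original lesson plan: it parses netstat -ano output into listener records and keeps only the ports that are not in a baseline you recorded beforehand. The function name Get-Listener, the sample output and the baseline list are assumptions made for illustration, and the parser assumes English-language netstat output (the LISTENING state text).

```powershell
# Added example (not from the original page). Function and variable names are hypothetical.
function Get-Listener {
    param([string[]]$NetstatLines)          # raw text lines from: netstat -ano
    foreach ($line in $NetstatLines) {
        $f = -split $line                   # split on runs of whitespace
        if ($f.Count -lt 4) { continue }    # skips banner and blank lines
        # TCP rows: Proto Local Foreign State PID. UDP rows have no State column.
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[3] -eq 'LISTENING') {
            $procId = $f[4]
        } elseif ($f[0] -eq 'UDP') {
            $procId = $f[3]
        } else { continue }                 # header row, ESTABLISHED, TIME_WAIT, ...
        $addr = $f[1]
        # The port is whatever follows the last colon, so [::]:445 parses too
        $port = [int]$addr.Substring($addr.LastIndexOf(':') + 1)
        [pscustomobject]@{ Proto = $f[0]; Local = $addr; Port = $port; PID = [int]$procId }
    }
}

# Constructed sample output, not from a real machine. On a live image use:
#   $lines = netstat -ano
$lines = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:6200           0.0.0.0:0              LISTENING       3120',
    '  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4',
    '  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2208',
    '  TCP    [::]:445               [::]:0                 LISTENING       4',
    '  UDP    0.0.0.0:5353           *:*                                    1500'
)

# Ports recorded on a clean Windows system before the competition (assumed list)
$baseline = 135, 139, 445

# Anything bound to a port outside the baseline needs a closer look
Get-Listener $lines |
    Where-Object { $baseline -notcontains $_.Port } |
    Sort-Object Port -Unique |
    Format-Table Proto, Local, Port, PID

# Then identify the owning program on the live system, for example:
#   Get-Process -Id <PID> | Select-Object Id, ProcessName, Path
```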