netstat -ano | find /i /c ":80"
netstat -ano | find /i "80"
===================
C:\>netstat -ano | find /i /c ":80"
14126
C:\>netstat -ano | find /i "80"
  TCP    [::]:49154             [::]:0                 LISTENING       980
  UDP    0.0.0.0:500            *:*                                    980
  UDP    0.0.0.0:4500           *:*                                    980
  UDP    [::]:500               *:*                                    980
Note that none of these lines involve port 80: find does a plain substring match, so "80" also hits the PID column (980 here). Keep the colon in the pattern, and add the trailing space (":80 ") if you also want to exclude ports such as 8080 or 8000.
To find which IP address a DDoS is targeting, count the connection lines that mention each candidate address (/c counts matching lines); the address with the abnormally high count is the target.
==============================
netstat -ano | find /i /c "IP Address"
==============================
C:\>netstat -ano | find /i /c "192.168.1.1"
15000
netstat -a | find /c "TCP"
netstat -an | find /i "listening" > c:\openports.txt
netstat -ao | find /i "listening"
netstat -na 1 | find "{Remote_Host_IP_Address}"
C:\Users\kcordero>netstat -na 1 | find "10.101.2.101"
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
Running this command shows TCP and UDP port activity.
-n = Show addresses and port numbers numerically (no DNS or service-name lookups)
-a = ALL connections and listening ports
1 = Refresh interval in seconds: the output is redisplayed every second until you press Ctrl+C
NOTE:
The 1-second refresh helps because an actual connection usually lasts longer than one second, so you can watch it appear (SYN_SENT while the 3-way handshake completes, then ESTABLISHED) instead of relying on a single snapshot. When troubleshooting, we always want to confirm that the 3-way handshake completes.
TO SEE WHAT PORT A PROCESS IS USING TO A REMOTE HOST:
This command is just like the one above except it shows the PID being used.
netstat -nao 1 | find "{Remote_Host_IP_Address}"
C:\Users\kcordero>netstat -nao 1 | find "10.101.2.101"
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED     1452
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED     1452
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED     1452
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED     1452
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED     1452
-o = Displays the owning process ID associated with each connection.
Since -o was added, a PID will be listed. In my case PID 1452. To see what PID 1452 is associated with, use the command below.
tasklist /fi "PID eq 1452"
C:\Users\kcordero>tasklist /fi "PID eq 1452"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
SecureCRT.exe                 1452 Console                    1     19,224 K
If you want to see a list of PIDs being used on the PC/Server, you can use these commands: "tasklist" and "wmic process list brief". If you want to use a GUI, use Task Manager. For me "tasklist" is the easiest, and it has great parameters to use. In the command above, I'm using the "FilterName" parameter (/fi). To see more on this command go here: http://technet.microsoft.com/en-us/library/bb491010.aspx
TO SHOW A CONNECTION USING PORT 22:
netstat -na 1 | find "{PORT}"
C:\Users\kcordero>netstat -na 1 | find "22"
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
NOTE:
Nothing will show up until there is a connection on port 22 (briefly SYN_SENT while it is being set up, then ESTABLISHED), because nothing on this client is listening on 22. Also remember that find "22" matches that string anywhere on the line, including ports such as 2222 or an address octet of 22; use ":22 " (with the trailing space) to match port 22 only.
TO SHOW AN ESTABLISHED CONNECTION USING PORT 22:
netstat -na 1 | find "{PORT}" | find "ESTABLISHED"
C:\Users\kcordero>netstat -na 1 | find "22" | find "ESTABLISHED"
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
TO SEE ALL LISTENING CONNECTIONS:
netstat -an | find /i "listening"
C:\Users\kcordero>netstat -an | find /i "listening"
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:623            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8192           0.0.0.0:0              LISTENING
TO SEE ALL ESTABLISHED CONNECTIONS:
netstat -an | find /i "established"
C:\Users\kcordero>netstat -an | find /i "established"
  TCP    172.16.40.79:53719     170.12.10.154:8194     ESTABLISHED
  TCP    172.16.40.79:53728     170.12.14.119:8522     ESTABLISHED
  TCP    172.16.40.79:53740     170.12.144.198:443     ESTABLISHED
  TCP    172.16.40.79:53741     170.12.144.198:443     ESTABLISHED
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED
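As an added example (not from the original post), the following PowerShell script does what the find filters above do, but on parsed fields: it turns netstat -ano output into objects, counts connections per remote IP for local port 80 (the DDoS counting idea), selects remote port 22 exactly, joins the owning PID to a process name in one step instead of the separate tasklist lookup, and lists listening sockets by the State field. The function names ConvertFrom-Netstat and Split-Endpoint and the sample rows are my own constructions for illustration; only the Get-Process step needs the PIDs to exist on the machine running it.

```powershell
# Added example (not from the original post): parse 'netstat -ano' text into
# objects so that filters compare whole fields. The post's find "80" and
# find "22" are substring matches and also hit PID 980, port 2222, and so on.

function Split-Endpoint {
    param([string]$Endpoint)
    # Endpoints look like 0.0.0.0:135, [::]:49154 (IPv6) or *:* (UDP foreign side).
    # The port is everything after the LAST colon, so IPv6 colons are safe.
    $i = $Endpoint.LastIndexOf(':')
    $port = $Endpoint.Substring($i + 1)
    [pscustomobject]@{
        Address = $Endpoint.Substring(0, $i).Trim('[', ']')
        Port    = $(if ($port -match '^\d+$') { [int]$port } else { $null })
    }
}

function ConvertFrom-Netstat {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            $f = $line.Trim() -split '\s+'
            # Skip the 'Active Connections' banner, the column header and blank lines.
            if (@('TCP', 'UDP') -notcontains $f[0]) { continue }
            # UDP rows have no State column: Proto Local Foreign PID (4 fields).
            $isUdp = $f[0] -eq 'UDP'
            if ($f.Count -lt $(if ($isUdp) { 4 } else { 5 })) { continue }
            $local  = Split-Endpoint $f[1]
            $remote = Split-Endpoint $f[2]
            [pscustomobject]@{
                Proto         = $f[0]
                LocalAddress  = $local.Address
                LocalPort     = $local.Port
                RemoteAddress = $remote.Address
                RemotePort    = $remote.Port
                State         = $(if ($isUdp) { '' } else { $f[3] })
                OwningProcess = [int]$(if ($isUdp) { $f[3] } else { $f[4] })
            }
        }
    }
}

# Constructed sample in the shape of the post's output (not a real capture).
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       980
  TCP    172.16.40.79:80        203.0.113.7:40112      ESTABLISHED     980
  TCP    172.16.40.79:80        203.0.113.7:40113      SYN_RECEIVED    980
  TCP    172.16.40.79:80        203.0.113.9:51000      ESTABLISHED     980
  TCP    172.16.40.79:2222      198.51.100.5:443       ESTABLISHED     3100
  TCP    172.16.40.79:56964     10.101.2.101:22        ESTABLISHED     1452
  TCP    [::]:49154             [::]:0                 LISTENING       980
  UDP    0.0.0.0:500            *:*                                    980
'@ -split '\r?\n'

$conns = $sample | ConvertFrom-Netstat
# On a live system use:  $conns = netstat -ano | ConvertFrom-Netstat

# Which remote IPs are hitting local port 80 (the find /c ":80" idea, but per source)?
$conns | Where-Object { $_.Proto -eq 'TCP' -and $_.LocalPort -eq 80 -and $_.State -ne 'LISTENING' } |
    Group-Object RemoteAddress | Sort-Object Count -Descending | Select-Object Count, Name

# Exactly remote port 22: matches the SSH session only, not local port 2222.
$conns | Where-Object { $_.RemotePort -eq 22 -and $_.State -eq 'ESTABLISHED' }

# Connections to one host with the owning process name (folds in the tasklist step;
# Get-Process only resolves PIDs that exist on the machine running this script).
$conns | Where-Object { $_.RemoteAddress -eq '10.101.2.101' } | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    '{0}:{1} -> {2}:{3} {4} PID {5} ({6})' -f $_.LocalAddress, $_.LocalPort,
        $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess, $proc.ProcessName
}

# Listening sockets, like find /i "listening" but keyed on the State field.
$conns | Where-Object { $_.State -eq 'LISTENING' } |
    Select-Object Proto, LocalAddress, LocalPort, OwningProcess
```

The parser keys on the column layout of netstat -ano (UDP rows carry no State column and IPv6 endpoints are bracketed), so it also copes with the [::]:49154 and *:* rows from the first listing on this page, and it runs on any Windows version that has netstat rather than requiring the newer Get-NetTCPConnection cmdlet.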
TO SEE ALL STATES:
netstat -a
C:\Users\kcordero>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            Z123574W:0             LISTENING
  TCP    127.0.0.1:9535         Z123574W:63556         ESTABLISHED
  TCP    127.0.0.1:63484        Z123574W:53739         TIME_WAIT
  TCP    127.0.0.1:63484        Z123574W:53742         TIME_WAIT
  TCP    127.0.0.1:63486        Z123574W:0             LISTENING
Here's a list of the TCP states netstat reports, with an explanation (Windows netstat prints them as LISTENING, SYN_SENT and TIME_WAIT, as in the output above):
State          Explanation
-------------  --------------------------------------------------------------
LISTENING      Server socket is ready to accept connections.
SYN_SENT       Active open: this side sent a SYN and is waiting for the SYN-ACK.
SYN_RECEIVED   Server received the client's SYN and replied with SYN-ACK; waiting for the final ACK.
ESTABLISHED    Handshake complete (the client received the server's SYN-ACK and acknowledged it); data can flow.
FIN_WAIT_1     Active close: this side sent a FIN and is waiting for it to be acknowledged.
FIN_WAIT_2     Our FIN has been acknowledged; waiting for the other side's FIN.
CLOSE_WAIT     Passive close: this side received the peer's FIN but the local application has not closed its socket yet. Many sockets stuck here point to an application that is not closing its connections.
LAST_ACK       The passive closer has sent its own FIN and is waiting for the final ACK.
TIME_WAIT      The active closer waits here (twice the maximum segment lifetime) so that late packets from the old connection are discarded before the port pair is reused.
CLOSED         Final ACK received; the connection no longer exists.