{"id":2855,"date":"2014-02-25T00:10:33","date_gmt":"2014-02-24T16:10:33","guid":{"rendered":"http:\/\/rmohan.com\/?p=2855"},"modified":"2014-02-25T00:11:33","modified_gmt":"2014-02-24T16:11:33","slug":"ddos-attack-on-windows-server-netstat","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2855","title":{"rendered":"DDOS attack on Windows Server Netstat"},"content":{"rendered":"
\n
\u00a0check tcp\/ip number of connection, run following commands in command prompt.===================
\nnetstat -ano | find \/i \/c “:80″netstat -ano | find \/i “80”
\n===================C:\\>netstat -ano | find \/i \/c “:80”
\n14126<\/p>\n

C:\\>netstat -ano | find \/i “80”
\nTCP [::]:49154 [::]:0 LISTENING 980
\nUDP 0.0.0.0:500 *:* 980
\nUDP 0.0.0.0:4500 *:* 980
\nUDP [::]:500 *:* 980<\/p>\n

To find on which IP the ddos is targeted.<\/p>\n

==============================
\nnetstat -ano | find \/i \/c “IP Address”
\n==============================<\/p>\n

C:\\>netstat -ano | find \/i \/c “192.168.1.1”
\n15000<\/p>\n<\/div>\n

netstat -a | find \/c “TCP”<\/p>\n

netstat -a | find \/c “UDP”<\/div>\n
<\/div>\n
\n
netstat -an |find \/i \"listening\" > c:'openports.txt<\/pre>\n
netstat -ao |find \/i \"listening\"\r\n\r\n\r\n<\/pre>\n
netstat -na 1 | find \u201c{Remote_Host_IP_Address}\u201d<\/p>\n
C:\\Users\\kcordero>netstat -na 1 | find \"10.101.2.101\"\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED<\/pre>\n
Running this command shows TCP and UDP port activity.<\/p>\n
-n = Lists Numbers
\n-a = ALL Connections and Listening Ports
\n1 = Runs every second, repeatedly dumping the output<\/p>\n
NOTE:
\nThe 1 second outputs help because a 3-Way Handshake or an actual connection will most likely last more than 1 second. When troubleshooting, we always want to see if there\u2019s a 3-Way Handshake happening.<\/p>\n
TO SEE WHAT PORT A PROCESS IS USING TO A REMOTE HOST:<\/p>\n
This command is just like the one above except it shows the PID being used.<\/p>\n
netstat -nao 1 | find \u201c{Remote_Host_IP_Address}\u201d<\/p>\n
C:\\Users\\kcordero>netstat -nao 1 | find \"10.101.2.101\"\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED     1452\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED     1452\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED     1452\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED     1452\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED     1452<\/pre>\n
-o = Displays the owning process ID associated with each connection.<\/p>\n
Since -o was added, a PID will be listed. In my case PID 1452. To see what PID 1452 is associated with, use the command below.<\/p>\n
tasklist \/fi \u201cPID eq 1452?<\/p>\n
C:\\Users\\kcordero>tasklist \/fi \"PID eq 1452\"\r\n\r\nImage Name                     PID Session Name        Session#    Mem Usage\r\n========================= ======== ================ =========== ============\r\nSecureCRT.exe                 1452 Console                    1     19,224 K<\/pre>\n
If you want to see a list of PIDs being used on the PC\/Server, you can use these commands: \u201ctasklist\u201d and \u201cwmic process list brief\u201d. If you want to use a GUI then use Task Manager. For me \u201ctasklist\u201d is the easiest and it has great Parameters to use. In the command above, I\u2019m using the \u201cFilterName\u201d Parameter. To see more on this command go here: http:\/\/technet.microsoft.com\/en-us\/library\/bb491010.aspx<\/p>\n
TO SHOW A CONNECTION USING PORT 22:<\/p>\n
netstat -na 1 | find \u201c{PORT}\u201d<\/p>\n
C:\\Users\\kcordero>netstat -na 1 | find \"22\"\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED<\/pre>\n
NOTE:
\nNothing will show up until there\u2019s an ESTABLISHED connection on port 22.<\/p>\n
TO SHOW AN ESTABLISHED CONNECTION USING PORT 22:<\/p>\n
netstat -na 1 | find \u201c{PORT}\u201d | find \u201cESTABLISHED\u201d<\/p>\n
C:\\Users\\kcordero>netstat -na 1 | find \"22\" | find \"ESTABLISHED\"\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED<\/pre>\n
TO SEE ALL LISTENING CONNECTIONS:<\/p>\n
netstat -an |find \/i \u201clistening\u201d<\/p>\n
C:\\Users\\kcordero>netstat -an |find \/i \"listening\"\r\n  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\r\n  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING\r\n  TCP    0.0.0.0:623            0.0.0.0:0              LISTENING\r\n  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING\r\n  TCP    0.0.0.0:8192           0.0.0.0:0              LISTENING<\/pre>\n
TO SEE ALL ESTABLISHED CONNECTIONS:<\/p>\n
netstat -an |find \/i \u201cestablished\u201d<\/p>\n
C:\\Users\\kcordero>netstat -an |find \/i \"established\"\r\n  TCP    172.16.40.79:53719     170.12.10.154:8194     ESTABLISHED\r\n  TCP    172.16.40.79:53728     170.12.14.119:8522     ESTABLISHED\r\n  TCP    172.16.40.79:53740     170.12.144.198:443     ESTABLISHED\r\n  TCP    172.16.40.79:53741     170.12.144.198:443     ESTABLISHED\r\n  TCP    172.16.40.79:56964     10.101.2.101:22         ESTABLISHED<\/pre>\n
TO SEE ALL STATES:<\/p>\n
netstat -a<\/p>\n
C:\\Users\\kcordero>netstat -a\r\n\r\nActive Connections\r\n\r\n  Proto  Local Address          Foreign Address        State\r\n  TCP    0.0.0.0:135            Z123574W:0             LISTENING\r\n  TCP    127.0.0.1:9535         Z123574W:63556         ESTABLISHED\r\n  TCP    127.0.0.1:63484        Z123574W:53739         TIME_WAIT\r\n  TCP    127.0.0.1:63484        Z123574W:53742         TIME_WAIT\r\n  TCP    127.0.0.1:63486        Z123574W:0             LISTENING<\/pre>\n
Here\u2019s a list of all the states with an explanation:<\/p>\n
State Explanation
\n\u2014\u2014\u2014\u2014 \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013
\nSYN_SEND Indicates active open.<\/p>\n
SYN_RECEIVED Server just received SYN from the client.<\/p>\n
ESTABLISHED Client received server\u2019s SYN and session is established.<\/p>\n
LISTEN Server is ready to accept connection.<\/p>\n
FIN_WAIT_1 Indicates active close.<\/p>\n
TIMED_WAIT Client enters this state after active close.<\/p>\n
CLOSE_WAIT Indicates passive close. Server just received first FIN from a client.<\/p>\n
FIN_WAIT_2 Client just received acknowledgment of its first FIN from the server.<\/p>\n
LAST_ACK Server is in this state when it sends its own FIN.<\/p>\n
CLOSED Server received ACK from client and connection is closed.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
 check tcp\/ip number of connection, run following commands in command prompt.=================== netstat -ano | find \/i \/c “:80″netstat -ano | find \/i “80” ===================C:\\>netstat -ano | find \/i \/c “:80” 14126<\/p>\n
C:\\>netstat -ano | find \/i “80” TCP [::]:49154 [::]:0 LISTENING 980 UDP 0.0.0.0:500 *:* 980 UDP 0.0.0.0:4500 *:* 980 UDP [::]:500 *:* 980<\/p>\n
 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2855"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2855"}],"version-history":[{"count":5,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2855\/revisions"}],"predecessor-version":[{"id":2860,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2855\/revisions\/2860"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2855"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2855"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2855"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}