Sunday, July 31, 2011

Recent and Current Network Connections

Active Connections

We can see the currently active connections, with the owning process ID for each socket, with the help of the netstat command.

C:\Users\Bala>netstat -aon

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       580
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       568
  TCP    [::]:135               [::]:0                 LISTENING       856
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       496
  TCP    [::]:49153             [::]:0                 LISTENING       1024
  TCP    [::]:49154             [::]:0                 LISTENING       1072
  TCP    [::]:49155             [::]:0                 LISTENING       580
  TCP    [::]:49156             [::]:0                 LISTENING       568
  UDP    0.0.0.0:123            *:*                                    1224
  UDP    0.0.0.0:500            *:*                                    1072
  UDP    0.0.0.0:4500           *:*                                    1072
  UDP    127.0.0.1:1900         *:*                                    1224
  UDP    127.0.0.1:49153        *:*                                    1224
  UDP    [::]:123               *:*                                    1224
  UDP    [::]:500               *:*                                    1072
  UDP    [::1]:1900             *:*                                    1224
  UDP    [::1]:49152            *:*                                    1224
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                                    1224
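
As an added example (not part of the original post), here is a small Python triage script that parses the `netstat -aon` output format shown above, groups listening ports by PID and flags sockets connected to a non-local peer. The sample input embeds a few of the rows above plus two constructed ESTABLISHED rows; the peer 203.0.113.7, the local 192.168.1.10 address and PID 2380 are made up.

```python
"""Parse `netstat -aon` output and triage it per PID (added example)."""
import re
from collections import defaultdict

# Constructed sample: LISTENING rows taken from the post plus two made-up
# ESTABLISHED rows so that the triage logic has something to flag.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       856
  TCP    192.168.1.10:49201     203.0.113.7:4444       ESTABLISHED     2380
  TCP    127.0.0.1:49300        127.0.0.1:49301        ESTABLISHED     1224
  UDP    0.0.0.0:123            *:*                                    1224
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                                    1224
"""

# proto, local, foreign, optional state (UDP rows have none), PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Addresses that never denote a remote peer (unspecified, loopback, wildcard).
LOCAL_HOSTS = {"0.0.0.0", "::", "127.0.0.1", "::1", "*"}


def split_addr(addr):
    """'[::]:135' -> ('::', '135'); '*:*' -> ('*', '*')."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, blank or 'Active Connections' line
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_external(host):
    """True for a peer outside this host (link-local IPv6 is treated as local)."""
    return host not in LOCAL_HOSTS and not host.startswith("fe80:")


def triage(rows):
    """Return ({pid: {(proto, port)}} of listeners, [rows talking to a remote peer])."""
    listening, remote = defaultdict(set), []
    for r in rows:
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*"):
            listening[r["pid"]].add((r["proto"], r["lport"]))
        elif is_external(r["fhost"]):
            remote.append(r)
    return dict(listening), remote
```

Run `triage(parse_netstat(open("netstat.txt").read()))` on a saved capture; every PID in the first result should map to a known service in `tasklist`, and each row in the second deserves a look.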


DNS queries made from the infected system
We can see the recent DNS queries, as held in the local resolver cache, with the command

C:\Users\Bala>ipconfig /displaydns

Windows IP Configuration

    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost


    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 28
    Time To Live  . . . . : 86400
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : ::1


NetBIOS Connections


We can use

nbtstat -c to see the cached connections (the NetBIOS remote name cache).
nbtstat -S (or) net sessions to see the current sessions.

If any files were transmitted over this network, we can use the

net file command to display them (the files currently open over a network share).


ARP Cache

We can see the ARP cache of the machine in question with the command

arp -a
