IDFAQ: I ran netstat on my NT server and see all these active ports, how can I find out what they are for?

The SNAP NT Auditing course recommends using a command prompt to run netstat -a | more. If you do that, you may see a screen that is similar to the one shown below:

Active Connections

Proto	Local Address	Foreign Address	State
TCP	xap013:1695	XAP013Z:0	LISTENING
TCP	xap013:1696	XAP013Z:0	LISTENING
TCP	xap013:1697	XAP013Z:0	LISTENING
TCP	xap013:1698	XAP013Z:0	LISTENING
TCP	xap013:1700	XAP013Z:0	LISTENING
TCP	xap013:1704	XAP013Z:0	LISTENING
TCP	xap013:1705	XAP013Z:0	LISTENING
TCP	xap013:1706	XAP013Z:0	LISTENING
TCP	xap013:1707	XAP013Z:0	LISTENING
TCP	xap013:1709	XAP013Z:0	LISTENING
TCP	xap013:1029	XAP013Z:0	LISTENING
TCP	xap013:1029	maia.edu:nbsession	ESTABLISHED
TCP	xap013:137	XAP013Z:0	LISTENING
TCP	xap013:138	XAP013Z:0	LISTENING
TCP	xap013:nbsession	XAP013Z:0	LISTENING
TCP	xap013:1695	amethyst.edu:1068	ESTABLISHED
TCP	xap013:1700	amethyst.edu:1100	ESTABLISHED
TCP	xap013:1704	amethyst.edu:1068	ESTABLISHED
TCP	xap013:1709	amethyst.edu:1100	ESTABLISHED
TCP	xap013:1756	XAP013Z:0	LISTENING
TCP	xap013:1756	pan.edu:nbsession	ESTABLISHED
TCP	xap013:137	XAP013Z:0	LISTENING
TCP	xap013:138	XAP013Z:0	LISTENING
TCP	xap013:nbsession	XAP013Z:0	LISTENING
UDP	xap013:1696	*:*
UDP	xap013:1697	*:*
UDP	xap013:1698	*:*
UDP	xap013:1705	*:*
UDP	xap013:1706	*:*
UDP	xap013:1707	*:*
UDP	xap013:nbname	*:*
UDP	xap013:nbdatagram	*:*
UDP	xap013:nbname	*:*
UDP	xap013:nbdatagram	*:*

There is a great tool for checking this called Inzider, it does for Windows what lsof does for Unix. When you run it on a Windows based system (Win95, Win98, NT) it will identify which running application is holding open each listening port. You can then track down the executable to see what it is. Keep a close eye out for odd programs like "Explorer" opening ports. This is usually an indication that you've been infected by a trojan (i.e. Explorer does not open ports).

I've added some additional notes below.

Active Connections

Proto	Local Address	Foreign Address	State
TCP	xap013:1695	XAP013Z:0	LISTENING
TCP	xap013:1696	XAP013Z:0	LISTENING
TCP	xap013:1697	XAP013Z:0	LISTENING
TCP	xap013:1698	XAP013Z:0	LISTENING
TCP	xap013:1700	XAP013Z:0	LISTENING
TCP	xap013:1704	XAP013Z:0	LISTENING
TCP	xap013:1705	XAP013Z:0	LISTENING
TCP	xap013:1706	XAP013Z:0	LISTENING
TCP	xap013:1707	XAP013Z:0	LISTENING
TCP	xap013:1709	XAP013Z:0	LISTENING
TCP	xap013:1029	XAP013Z:0	LISTENING
The above ports could be due to a proxy server. I would use the inzider tool to check.
TCP	xap013:1029	maia.edu:nbsession	ESTABLISHED
Talking to a PDC? Could also be a file or printer share mapping.
TCP	xap013:137	XAP013Z:0	LISTENING
TCP	xap013:138	XAP013Z:0	LISTENING
TCP	xap013:nbsession	XAP013Z:0	LISTENING
System is waiting for NetBIOS/IP connections.
TCP	xap013:1695	amethyst.edu:1068	ESTABLISHED
TCP	xap013:1700	amethyst.edu:1100	ESTABLISHED
TCP	xap013:1704	amethyst.edu:1068	ESTABLISHED
TCP	xap013:1709	amethyst.edu:1100	ESTABLISHED
The above also makes me think we are looking at a system which is talking though a proxy.
TCP	xap013:1756	XAP013Z:0	LISTENING
Kind of odd. Note that the connection is to a destination port of zero. Seen this before but have never been able to track down why it happens.
TCP	xap013:1756	pan.edu:nbsession	ESTABLISHED
More NetBIOS/IP.
TCP	xap013:137	XAP013Z:0	LISTENING
TCP	xap013:138	XAP013Z:0	LISTENING
TCP	xap013:nbsession	XAP013Z:0	LISTENING
More port zero weirdness only this time from the NetBIOS ports.
UDP	xap013:1696	*:*
UDP	xap013:1697	*:*
UDP	xap013:1698	*:*
UDP	xap013:1705	*:*
UDP	xap013:1706	*:*
UDP	xap013:1707	*:*
More potential proxy.
UDP	xap013:nbname	*:*
UDP	xap013:nbdatagram	*:*
UDP	xap013:nbname	*:*
UDP	xap013:nbdatagram	*:*
More NetBIOS/IP.

---