
Intrusion Detection FAQ: I ran netstat on my NT server and see all these active ports, how can I find out what they are for?

The SNAP NT Auditing course recommends using a command prompt to run netstat -a | more. If you do that, you may see a screen that is similar to the one shown below:

Active Connections
Proto Local Address Foreign Address State
TCP xap013:1695 XAP013Z:0 LISTENING
TCP xap013:1696 XAP013Z:0 LISTENING
TCP xap013:1697 XAP013Z:0 LISTENING
TCP xap013:1698 XAP013Z:0 LISTENING
TCP xap013:1700 XAP013Z:0 LISTENING
TCP xap013:1704 XAP013Z:0 LISTENING
TCP xap013:1705 XAP013Z:0 LISTENING
TCP xap013:1706 XAP013Z:0 LISTENING
TCP xap013:1707 XAP013Z:0 LISTENING
TCP xap013:1709 XAP013Z:0 LISTENING
TCP xap013:1029 XAP013Z:0 LISTENING
TCP xap013:1029 maia.edu:nbsession ESTABLISHED
TCP xap013:137 XAP013Z:0 LISTENING
TCP xap013:138 XAP013Z:0 LISTENING
TCP xap013:nbsession XAP013Z:0 LISTENING
TCP xap013:1695 amethyst.edu:1068 ESTABLISHED
TCP xap013:1700 amethyst.edu:1100 ESTABLISHED
TCP xap013:1704 amethyst.edu:1068 ESTABLISHED
TCP xap013:1709 amethyst.edu:1100 ESTABLISHED
TCP xap013:1756 XAP013Z:0 LISTENING
TCP xap013:1756 pan.edu:nbsession ESTABLISHED
TCP xap013:137 XAP013Z:0 LISTENING
TCP xap013:138 XAP013Z:0 LISTENING
TCP xap013:nbsession XAP013Z:0 LISTENING
UDP xap013:1696 *:*
UDP xap013:1697 *:*
UDP xap013:1698 *:*
UDP xap013:1705 *:*
UDP xap013:1706 *:*
UDP xap013:1707 *:*
UDP xap013:nbname *:*
UDP xap013:nbdatagram *:*
UDP xap013:nbname *:*
UDP xap013:nbdatagram *:*


There is a great tool for checking this called Inzider; it does for Windows what lsof does for Unix. When you run it on a Windows-based system (Win95, Win98, NT) it identifies which running application is holding open each listening port. You can then track down the executable to see what it is. Keep a close eye out for odd programs like "Explorer" opening ports. This is usually an indication that you've been infected by a trojan (i.e. Explorer does not open ports).

I've added some additional notes below.

Active Connections
Proto Local Address Foreign Address State
TCP xap013:1695 XAP013Z:0 LISTENING
TCP xap013:1696 XAP013Z:0 LISTENING
TCP xap013:1697 XAP013Z:0 LISTENING
TCP xap013:1698 XAP013Z:0 LISTENING
TCP xap013:1700 XAP013Z:0 LISTENING
TCP xap013:1704 XAP013Z:0 LISTENING
TCP xap013:1705 XAP013Z:0 LISTENING
TCP xap013:1706 XAP013Z:0 LISTENING
TCP xap013:1707 XAP013Z:0 LISTENING
TCP xap013:1709 XAP013Z:0 LISTENING
TCP xap013:1029 XAP013Z:0 LISTENING
The above ports could be due to a proxy server. I would use the inzider tool to check.

TCP xap013:1029 maia.edu:nbsession ESTABLISHED
Talking to a PDC? Could also be a file or printer share mapping.

TCP xap013:137 XAP013Z:0 LISTENING
TCP xap013:138 XAP013Z:0 LISTENING
TCP xap013:nbsession XAP013Z:0 LISTENING
System is waiting for NetBIOS/IP connections.

TCP xap013:1695 amethyst.edu:1068 ESTABLISHED
TCP xap013:1700 amethyst.edu:1100 ESTABLISHED
TCP xap013:1704 amethyst.edu:1068 ESTABLISHED
TCP xap013:1709 amethyst.edu:1100 ESTABLISHED
The above also makes me think we are looking at a system which is talking through a proxy.

TCP xap013:1756 XAP013Z:0 LISTENING
Kind of odd. Note that the connection is to a destination port of zero. I've seen this before but have never been able to track down why it happens.

TCP xap013:1756 pan.edu:nbsession ESTABLISHED
More NetBIOS/IP.

TCP xap013:137 XAP013Z:0 LISTENING
TCP xap013:138 XAP013Z:0 LISTENING
TCP xap013:nbsession XAP013Z:0 LISTENING
More port-zero weirdness, only this time from the NetBIOS ports.

UDP xap013:1696 *:*
UDP xap013:1697 *:*
UDP xap013:1698 *:*
UDP xap013:1705 *:*
UDP xap013:1706 *:*
UDP xap013:1707 *:*
More potential proxy.

UDP xap013:nbname *:*
UDP xap013:nbdatagram *:*
UDP xap013:nbname *:*
UDP xap013:nbdatagram *:*
More NetBIOS/IP.
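The grouping the notes above do by hand (NetBIOS listeners, unexplained high-numbered listeners that need a port-to-process check, established sessions and their peers) can be scripted over the raw netstat text. The following is an added example, not part of the original FAQ and not Inzider's or SANS's code; it parses the NT-style netstat -a listing, resolves the NetBIOS service names netstat prints (nbname, nbdatagram, nbsession) to their port numbers, and sorts sockets into the three groups. The sample listing is a constructed subset of the output shown on this page.

```python
# Added example: triage of Windows `netstat -a` output, scripting the checks
# the FAQ walks through by hand. Not part of the original FAQ; SAMPLE is a
# constructed subset of the listing shown on the page.
from collections import defaultdict

# Service names NT netstat prints for NetBIOS-over-TCP/IP ports.
NETBIOS_NAMES = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}

# Constructed sample (subset of the FAQ listing).
SAMPLE = """\
Active Connections

Proto  Local Address          Foreign Address        State
  TCP    xap013:1695            XAP013Z:0              LISTENING
  TCP    xap013:1029            XAP013Z:0              LISTENING
  TCP    xap013:1029            maia.edu:nbsession     ESTABLISHED
  TCP    xap013:137             XAP013Z:0              LISTENING
  TCP    xap013:nbsession       XAP013Z:0              LISTENING
  TCP    xap013:1695            amethyst.edu:1068      ESTABLISHED
  UDP    xap013:1696            *:*
  UDP    xap013:nbname          *:*
"""


def split_endpoint(endpoint):
    """'host:port' -> (host, port_number); NetBIOS names resolved, '*' -> None."""
    host, _, port = endpoint.rpartition(":")
    if port in NETBIOS_NAMES:
        return host, NETBIOS_NAMES[port]
    if port.isdigit():
        return host, int(port)
    return host, None  # '*' on unbound UDP peers, or an unknown service name


def parse_netstat(text):
    """Parse TCP/UDP rows. UDP rows carry no State column, so state is ''."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # title, header and blank lines
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        entries.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state})
    return entries


def triage(entries):
    """Group sockets the way the FAQ annotates them.

    netbios:     listeners on 137/138/139, expected on any NT box running NetBIOS/IP
    high_port:   TCP listeners or UDP binds above 1023 with no well-known service;
                 these are the ones to map to an owning process (Inzider on NT,
                 netstat -o on later Windows versions) before trusting them
    established: active sessions with their peer host and peer port
    """
    out = defaultdict(list)
    for e in entries:
        listening = e["state"] == "LISTENING" or e["proto"] == "UDP"
        if listening and e["lport"] in NETBIOS_NAMES.values():
            out["netbios"].append((e["proto"], e["lport"]))
        elif listening and e["lport"] is not None and e["lport"] >= 1024:
            out["high_port"].append((e["proto"], e["lport"]))
        elif e["state"] == "ESTABLISHED":
            out["established"].append((e["proto"], e["lport"], e["fhost"], e["fport"]))
    return dict(out)


if __name__ == "__main__":
    for group, rows in triage(parse_netstat(SAMPLE)).items():
        print(group)
        for row in rows:
            print("   ", row)
```

Run it as-is to see the three groups for the sample, or pipe a saved netstat -a listing into parse_netstat. The high_port group is the work queue: every entry there should be matched to a known executable before the box is considered clean, which is exactly the Inzider step the FAQ recommends.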