Intrusion Detection FAQ: I ran netstat on my NT server and see all these active ports, how can I find out what they are for?
The SNAP NT Auditing course recommends using a command prompt to run netstat -a | more. If you do that, you may see a screen that is similar to the one shown below:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xap013:1695            XAP013Z:0              LISTENING
  TCP    xap013:1696            XAP013Z:0              LISTENING
  TCP    xap013:1697            XAP013Z:0              LISTENING
  TCP    xap013:1698            XAP013Z:0              LISTENING
  TCP    xap013:1700            XAP013Z:0              LISTENING
  TCP    xap013:1704            XAP013Z:0              LISTENING
  TCP    xap013:1705            XAP013Z:0              LISTENING
  TCP    xap013:1706            XAP013Z:0              LISTENING
  TCP    xap013:1707            XAP013Z:0              LISTENING
  TCP    xap013:1709            XAP013Z:0              LISTENING
  TCP    xap013:1029            XAP013Z:0              LISTENING
  TCP    xap013:1029            maia.edu:nbsession     ESTABLISHED
  TCP    xap013:137             XAP013Z:0              LISTENING
  TCP    xap013:138             XAP013Z:0              LISTENING
  TCP    xap013:nbsession       XAP013Z:0              LISTENING
  TCP    xap013:1695            amethyst.edu:1068      ESTABLISHED
  TCP    xap013:1700            amethyst.edu:1100      ESTABLISHED
  TCP    xap013:1704            amethyst.edu:1068      ESTABLISHED
  TCP    xap013:1709            amethyst.edu:1100      ESTABLISHED
  TCP    xap013:1756            XAP013Z:0              LISTENING
  TCP    xap013:1756            pan.edu:nbsession      ESTABLISHED
  TCP    xap013:137             XAP013Z:0              LISTENING
  TCP    xap013:138             XAP013Z:0              LISTENING
  TCP    xap013:nbsession       XAP013Z:0              LISTENING
  UDP    xap013:1696            *:*
  UDP    xap013:1697            *:*
  UDP    xap013:1698            *:*
  UDP    xap013:1705            *:*
  UDP    xap013:1706            *:*
  UDP    xap013:1707            *:*
  UDP    xap013:nbname          *:*
  UDP    xap013:nbdatagram      *:*
  UDP    xap013:nbname          *:*
  UDP    xap013:nbdatagram      *:*
netstat -a tells you which ports are open but not who opened them. A good tool for that second step is Inzider; it does for Windows what lsof does for Unix. Run on a Windows 95, Windows 98 or NT system, it reports which running process holds each listening port, so you can locate the executable on disk and decide whether it belongs there. Keep a close eye out for odd programs such as "Explorer" holding ports open: Explorer itself does not open network ports, so a port owned by it is usually a sign that you have been infected by a trojan.
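The same check on a current Windows host, as an added example that is not part of the original FAQ and not Inzider's own code: it maps every listening TCP socket and bound UDP endpoint to the owning process, its image path and Authenticode status, which is the "track down the executable" step from the paragraph above. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and an elevated prompt so process paths resolve; the $SuspectOwners list is an illustrative policy, not a rule. On older systems, netstat -ano prints the owning PID as its last column and you can look the PID up with tasklist.

```powershell
# Added example (not from the original FAQ): a modern substitute for Inzider.
# Lists each listening TCP socket and each bound UDP endpoint together with the
# process that owns it, the image path, and whether the image is signed.
# Assumptions: Windows 8 / Server 2012 or later, run as Administrator.

# Processes that normally have no reason to hold a listening socket (illustrative).
$SuspectOwners = @('explorer', 'notepad', 'calc', 'winword', 'excel')

function Get-ListenerOwner {
    [CmdletBinding()]
    param()

    # Snapshot the process table once so each socket is a hash lookup, not a query.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n = 'Proto'; e = { 'TCP' }}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n = 'Proto'; e = { 'UDP' }}, LocalAddress, LocalPort, OwningProcess

    foreach ($s in @($tcp) + @($udp)) {
        $p    = $procs[[int]$s.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }      # null for System/Idle or gone
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }

        [pscustomobject]@{
            Proto   = $s.Proto
            Local   = "$($s.LocalAddress):$($s.LocalPort)"
            PID     = $s.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            Path    = $path
            Signed  = $sig
            # Triage hint only: an unsigned listener is worth a look, not proof of a trojan.
            Suspect = ($p -and $SuspectOwners -contains $p.ProcessName) -or
                      ($sig -notin 'Valid', 'Unknown')
        }
    }
}

Get-ListenerOwner |
    Sort-Object -Property @{Expression = 'Suspect'; Descending = $true}, Proto, Local |
    Format-Table Proto, Local, PID, Process, Signed, Suspect, Path -AutoSize
```

Read the Suspect column first, then the Path column: a listener whose image lives outside the Windows or Program Files trees, or whose process name is one you would never expect to accept connections, is the modern equivalent of the "Explorer opening ports" warning above.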
I've added some additional notes below.
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xap013:1695            XAP013Z:0              LISTENING
  TCP    xap013:1696            XAP013Z:0              LISTENING
  TCP    xap013:1697            XAP013Z:0              LISTENING
  TCP    xap013:1698            XAP013Z:0              LISTENING
  TCP    xap013:1700            XAP013Z:0              LISTENING
  TCP    xap013:1704            XAP013Z:0              LISTENING
  TCP    xap013:1705            XAP013Z:0              LISTENING
  TCP    xap013:1706            XAP013Z:0              LISTENING
  TCP    xap013:1707            XAP013Z:0              LISTENING
  TCP    xap013:1709            XAP013Z:0              LISTENING
  TCP    xap013:1029            XAP013Z:0              LISTENING
The ports above (1695 through 1709, and 1029) are in the dynamic range rather than well-known service ports, so netstat alone cannot say what they are. They could belong to a proxy server. I would use the Inzider tool to find out which process owns each one.
  TCP    xap013:1029            maia.edu:nbsession     ESTABLISHED
An outbound NetBIOS session: local port 1029 connected to the NetBIOS session service (TCP 139, shown as nbsession) on maia.edu. Talking to a PDC? It could equally be a mapped file or printer share.
  TCP    xap013:137             XAP013Z:0              LISTENING
  TCP    xap013:138             XAP013Z:0              LISTENING
  TCP    xap013:nbsession       XAP013Z:0              LISTENING
The system is listening for NetBIOS over TCP/IP: the name service (137), the datagram service (138) and the session service (139, which netstat prints as nbsession).
  TCP    xap013:1695            amethyst.edu:1068      ESTABLISHED
  TCP    xap013:1700            amethyst.edu:1100      ESTABLISHED
  TCP    xap013:1704            amethyst.edu:1068      ESTABLISHED
  TCP    xap013:1709            amethyst.edu:1100      ESTABLISHED
Four established connections to the same host, amethyst.edu, on two unprivileged ports (1068 and 1100), from local ports that also appear as LISTENING above. This also makes me think we are looking at a system that is talking through a proxy.
  TCP    xap013:1756            XAP013Z:0              LISTENING
This looks odd at first glance because the foreign address shows port zero. I had seen it before without tracking down why; the explanation is that a LISTENING socket has no peer yet, so the foreign end is reported as address 0.0.0.0, port 0, and netstat's name lookup turns the all-zeros address into a host name (XAP013Z here). Every LISTENING row in the listing shows the same thing, so it is not a connection to anything. Port 1756 is simply the local port the established session below was opened from.
  TCP    xap013:1756            pan.edu:nbsession      ESTABLISHED
More NetBIOS over TCP/IP: another outbound session, this time to the session service (TCP 139) on pan.edu.
  TCP    xap013:137             XAP013Z:0              LISTENING
  TCP    xap013:138             XAP013Z:0              LISTENING
  TCP    xap013:nbsession       XAP013Z:0              LISTENING
The NetBIOS listeners (137, 138 and nbsession) appear a second time, again with XAP013Z:0 as the foreign address. The port zero is the same LISTENING placeholder as above, not a connection. The duplicate rows most likely mean NetBT is bound on more than one interface address, all of which netstat -a resolves to the same name; run netstat -an to see the numeric addresses and confirm.
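To make the pairing in the notes above visible (the LISTENING row with a port-zero foreign address next to the ESTABLISHED session on the same local port), here is an added example, not part of the original FAQ, that parses netstat -a text and groups it per local port. The sample is a constructed subset of the listing on this page; the function accepts the live output of netstat -a or netstat -an as well. The host names and ports are the page's own; nothing else is assumed.

```powershell
# Added example (not from the original FAQ): parse "netstat -a" output into
# objects and summarise it per local port, so each listener sits beside the
# sessions accepted or opened on that port. The sample below is a constructed
# subset of the listing shown on this page.

$Sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    xap013:1029            XAP013Z:0              LISTENING
  TCP    xap013:1029            maia.edu:nbsession     ESTABLISHED
  TCP    xap013:nbsession       XAP013Z:0              LISTENING
  TCP    xap013:1756            XAP013Z:0              LISTENING
  TCP    xap013:1756            pan.edu:nbsession      ESTABLISHED
  TCP    xap013:1695            amethyst.edu:1068      ESTABLISHED
  UDP    xap013:nbname          *:*
'@

function ConvertFrom-Netstat {
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            $f = -split $l.Trim()                              # split on runs of whitespace
            if ($f.Count -lt 3 -or $f[0] -notin 'TCP', 'UDP') { continue }   # skip banner/header
            $la = $f[1].LastIndexOf(':'); $fa = $f[2].LastIndexOf(':')
            [pscustomobject]@{
                Proto       = $f[0]
                LocalHost   = $f[1].Substring(0, $la)
                LocalPort   = $f[1].Substring($la + 1)         # may be a name, e.g. nbsession
                ForeignHost = $f[2].Substring(0, $fa)
                ForeignPort = $f[2].Substring($fa + 1)         # '0' on LISTENING rows, '*' for UDP
                State       = if ($f.Count -ge 4) { $f[3] } else { '' }   # UDP rows have no state
            }
        }
    }
}

function Show-PortSummary {
    param([pscustomobject[]]$Rows)
    $Rows | Group-Object Proto, LocalPort | ForEach-Object {
        $listening = @($_.Group | Where-Object State -eq 'LISTENING').Count -gt 0
        $peers = $_.Group | Where-Object State -eq 'ESTABLISHED' |
                 ForEach-Object { "$($_.ForeignHost):$($_.ForeignPort)" }
        [pscustomobject]@{
            Proto     = $_.Group[0].Proto
            LocalPort = $_.Group[0].LocalPort
            Listening = $listening
            Sessions  = ($peers -join ', ')
        }
    }
}

$rows = $Sample -split "`r?`n" | ConvertFrom-Netstat

# Sanity check for the port-zero question: a foreign port of 0 only ever
# accompanies LISTENING, because a listening socket has no peer yet.
$bogus = @($rows | Where-Object { $_.ForeignPort -eq '0' -and $_.State -ne 'LISTENING' })
if ($bogus.Count -gt 0) { Write-Warning "Port 0 on a non-listening socket: $($bogus | Out-String)" }

Show-PortSummary $rows | Format-Table -AutoSize
```

Replace $Sample with (netstat -an | Out-String) to run it against the live table; with -n the foreign column for listeners reads 0.0.0.0:0, which is the unresolved form of the XAP013Z:0 entries discussed above.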