Netstat
The netstat command allows you to view statistics for TCP/IP protocols on a system. Many attacks establish connections from an infected computer to a remote computer. If you suspect this, you can often identify these connections with netstat.
Windows:
netstat /? --> Get help
netstat -a --> All TCP/UDP ports that a system is listening on.
netstat -e --> Display details on network statistics, including how many bytes the system sent and received.
netstat -s --> Display statistics of packets sent and received for specific protocols such as IP, ICMP, TCP and UDP.
netstat -n --> Display addresses and port numbers in numerical form rather than resolving names.
netstat -p protocol --> Statistics for a specific protocol. 'netstat -p tcp' shows only TCP statistics.
netstat -b --> Displays the executable involved in creating each connection or listening port.
netstat -o --> Displays the process ID (PID) that owns each connection.
🧠Imagine you want to see all the TCP connections with the port IDs and process IDs.
netstat -ponb tcp
You can see all the ESTABLISHED connections simply by piping it:
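As an added example (not part of the original notes), the following Python script does what the pipe above does by hand: it parses the output of `netstat -ponb tcp`, attaches the `[executable]` line that `-b` prints under each connection, and keeps only the ESTABLISHED rows so each remote endpoint can be tied to a PID and program. The netstat output embedded below is constructed to match the Windows format; the hostnames, addresses and process names are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `netstat -ponb tcp` prints on a Windows host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4120
 [chrome.exe]
  TCP    192.168.1.10:49801     203.0.113.7:8443       ESTABLISHED     5216
 [updater.exe]
  TCP    192.168.1.10:49820     192.168.1.1:445        TIME_WAIT       0
"""

@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    exe: Optional[str] = None  # filled in from the "[name.exe]" line that -b adds

def parse_netstat(text: str) -> List[Connection]:
    """Turn netstat -o/-b output into Connection records."""
    conns: List[Connection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("TCP", "UDP")):
            parts = line.split()
            # UDP rows have no State column; pad so the PID index lines up
            if parts[0] == "UDP" and len(parts) == 4:
                parts.insert(3, "")
            proto, local, remote, state, pid = parts[:5]
            conns.append(Connection(proto, local, remote, state, int(pid)))
        elif line.startswith("[") and line.endswith("]") and conns:
            # -b prints the owning executable on the line after the connection;
            # intermediate component lines (e.g. "RpcSs") are skipped.
            conns[-1].exe = line[1:-1]
    return conns

def established(text: str) -> List[Connection]:
    """Same effect as piping the output through findstr ESTABLISHED."""
    return [c for c in parse_netstat(text) if c.state == "ESTABLISHED"]

if __name__ == "__main__":
    for c in established(SAMPLE_NETSTAT):
        print(f"{c.local:22} -> {c.remote:22} pid={c.pid} exe={c.exe}")
```

On a real host, replace SAMPLE_NETSTAT with the captured output of `netstat -ponb tcp` (run from an elevated prompt, which `-b` requires).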
The Tracert command lists the routers between two systems. In this context, each router is referred to as a hop. Tracert identifies the IP address and sometimes the host name of each hop in addition to the round-trip times (RTTs) for each hop.
Windows -> tracert
Linux -> traceroute
Scenario 1: Network administrators typically use tracert to identify faulty routers on the network. Ping tells them if they can reach a distant server. If the ping fails, they can use tracert to identify where the traffic stops. Some of the hops will succeed, but at some point, tracert will identify where packets are lost, giving them insight into where the problem has occurred. Other times, they will see where the RTTs increase as traffic is routed around a faulty router. Tracing a path is especially valuable when troubleshooting issues through a wide area network (WAN).
Scenario 2: From a security perspective, you can use tracert to identify modified paths. As an example, consider Figure 1.5. Users within the internal network normally access the Internet directly through Router 1. However, what if an attacker installed an unauthorized router between Router 1 and the Internet?
Traffic will still go back and forth to the users, so nothing looks broken. However, the attacker could capture the traffic with a protocol analyzer and view any data sent in cleartext, and the extra hop would show up in the tracert output as a path that differs from the expected one.