
Network listening (sniffing). How to find out which process is listening on a port in Windows? Address families not supported by the system

The netstat command, included in the standard set of UNIX network tools, displays various network-related information such as network connections, interface statistics, routing tables, masquerade connections, multicast memberships, etc.

In this article we will look at ten practical examples of using the netstat command on Linux.

1. List all ports (both listening and not)

List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
udp6       0      0 fe80::20c:29ff:fe68:ntp [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     20492    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     23323    /var/run/php5-fpm.sock

List all TCP ports: netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN

List all UDP ports: netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 localhost:domain        *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 fe80::20c:29ff:fe68:ntp [::]:*

2. List of sockets in LISTEN state

List all listening ports: netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 192.168.128.134:ntp     *:*

List TCP listening ports: netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN

List listening UDP ports: netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:ntp                [::]:*

List UNIX listening sockets: netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     3141     /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     20492    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     23323    /var/run/php5-fpm.sock

3. View statistics for each protocol

Show statistics for all ports: netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    13791 ICMP messages received
    12 input ICMP message failed.
Tcp:
    15020 active connections openings
    97955 passive connection openings
    135 failed connection attempts
Udp:
    2841 packets received
    180 packets to unknown port received.
.....

Show statistics for TCP ports only: netstat -st

# netstat -st

Show statistics for UDP ports only: netstat -su

# netstat -su

4. Display PID and process name in netstat output

The netstat -p option adds a "PID/Program name" column to the output and can be combined with any other set of options. This is very useful for debugging, to determine which program is running on a specific port.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55723 ESTABLISHED 9486/nginx: worker
tcp        0      0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55757 ESTABLISHED 9486/nginx: worker

5. Name resolution in netstat output

When you don't need to resolve host names, port names or user names, use the netstat -n option to display values in numeric form. The command will show the IP address instead of the host name, the port number instead of the port name, and the UID instead of the user name.

This also speeds up the output, since netstat does not perform unnecessary lookups.

# netstat -an

To display numeric values for only some of these items, use the following commands:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Continuous netstat output

The netstat -c option prints the information continuously, top-style, refreshing every few seconds.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 org-ru-putty.vm.udf:www 182.131.74.202:59933    FIN_WAIT2
tcp        0      0 org-ru-putty.vm.udf:www 182.131.74.202:63761    FIN_WAIT2
tcp        0      0 org-ru-putty.vm.udf:www 92-181-66-102-irk.:4585 ESTABLISHED
^C

7. Address families not supported by the system

The netstat --verbose option shows detailed output and, at the very end, lists the address families not supported by the system:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Kernel routing table

Show the kernel routing table: netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.128.2   0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.255.0   U         0 0          0 eth0

Note: use netstat -rn to view the routing table in numeric form, without resolving host names.

9. Mapping ports to processes

Find out which port is occupied by a certain program:

# netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 *:ssh                   *:*                     LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -

Find out which process is using a specific port:

# netstat -anp | grep ":80"

10. Network interfaces

Show the list of network interfaces: netstat -i

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0   1911037      0      0      0  1382056      0      0      0 BMRU
lo    16436 0         0      0      0      0        0      0      0      0 LRU

Show extended information about interfaces (same as ifconfig): netstat -ie

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:0c:29:68:4c:a4
          inet addr:192.168.128.134  Bcast:192.168.128.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe68:4ca4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33203025 (33.2 MB)  TX bytes:665822 (665.8 KB)
          Interrupt:19 Base address:0x2000

11. netstat -lnptux

Let's summarize the above and combine the options into one useful command, which will show:

  • -l all listening (LISTEN) ports
  • -t over TCP
  • -u over UDP
  • -x UNIX domain sockets
  • -n without resolving IP addresses/names
  • -p with process names and PIDs

Note: with the last option, not all processes can be identified; processes owned by other users will not be shown unless you have root rights.

# netstat -lnptux
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9614/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      601/sshd
udp        0      0 8.8.4.4:123             0.0.0.0:*                           574/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           574/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           574/ntpd
Active UNIX domain sockets (servers only)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     4233     826/python          /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     8122     2561/mysqld         /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     160413   7301/php-fpm.conf   /var/run/php5-fpm.sock

January 2013, website


© 2009–2019, site - When using site materials, please indicate the source.

    Open a command prompt window as an administrator. In the "Start\Search" box, type "cmd", then right-click "cmd.exe" and select "Run as administrator".

    Type the following command and press Enter.

    netstat -abno

    -a Displays all connections and listening ports.

    -b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and then the sequence of components involved in creating the connection or listening port is displayed: the executable's name is at the bottom, above it the component it called, and so on until TCP/IP is reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

    -n Displays addresses and port numbers in numeric form.

    -o Displays the owning process ID associated with each connection.

    Find the port you are interested in under "Local Address".

    The process name is shown directly below it.

NOTE. To find the process in Task Manager:

    Note the PID (process ID) next to the port you are looking for.

    Open Windows Task Manager.

    Go to the Processes tab.

    Find the PID you noted from the netstat output in step 1.

    • If you don't see the PID column, click View/Select Columns. Select PID.

      Make sure "Show processes from all users" is selected.
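As an added example (not code from the original article), the following Python script parses the listening sockets from both netstat forms described on this page, the Linux netstat -lnptux output of section 11 and the Windows netstat -ano output of the steps above, and reports any listener that is not on an administrator's approved baseline, which is how an unknown open port gets noticed. The netstat outputs and the baseline sets in it are constructed for the example.

```python
"""Parse netstat listening sockets (Linux `netstat -lnptux`, Windows `netstat -ano`) and
report listeners missing from an approved baseline.  Added example; samples are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Listener:
    proto: str          # "tcp" or "udp" (IPv6 variants folded in)
    addr: str           # local address the socket is bound to
    port: int
    pid: Optional[int]  # None when netstat prints "-" (not identified without root)
    program: str        # "" when the output has no program-name column


# Constructed output in the layout of `netstat -lnptux` from section 11.
LINUX_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9614/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      601/sshd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      601/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           574/ntpd
Active UNIX domain sockets (only servers)
"""

# Constructed output in the layout of Windows `netstat -ano`.
WINDOWS_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:49700     40.99.1.2:443          ESTABLISHED     3320
  UDP    0.0.0.0:123            *:*                                    1104
"""

# Hypothetical approved baselines: the (proto, port) pairs the administrator expects.
LINUX_BASELINE: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("udp", 123)}
WINDOWS_BASELINE: Set[Tuple[str, int]] = {("tcp", 135), ("tcp", 445), ("udp", 123)}

# Trailing "PID/Program name" column: "9614/nginx", "9486/nginx: worker" or "-".
_PIDPROG = re.compile(r"\s(?:(\d+)/(.+)|-)$")


def parse_linux(output: str) -> List[Listener]:
    """Parse the 'Active Internet connections' table of `netstat -lnptux`."""
    listeners = []
    for line in output.splitlines():
        if line.startswith("Active UNIX domain sockets"):
            break  # UNIX sockets have paths, not ports; the table ends here
        fields = line.split()
        m = _PIDPROG.search(line)
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6") or not m:
            continue
        host, _, port = fields[3].rpartition(":")  # rpartition keeps ':::22' intact
        pid = int(m.group(1)) if m.group(1) else None
        listeners.append(Listener(fields[0].rstrip("6"), host, int(port), pid, m.group(2) or "-"))
    return listeners


def parse_windows(output: str) -> List[Listener]:
    """Parse `netstat -ano`: TCP sockets in LISTENING state plus all UDP sockets."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP" and fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        # -ano gives only the PID; the program name comes from -b or Task Manager.
        listeners.append(Listener(fields[0].lower(), host, int(port), int(fields[-1]), ""))
    return listeners


def unexpected_listeners(listeners: List[Listener], baseline: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners whose (proto, port) is not approved: candidates for investigation."""
    return [l for l in listeners if (l.proto, l.port) not in baseline]
```

On a live system, feed the script the real output of netstat -lnptux (run as root so that every PID is identified) or netstat -ano, and keep the baseline under change control so that a new listener stands out on the next review.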

Lecture course

in the discipline “Protection of Information Processes in Computer Systems”

Part 1

1. Goals pursued by the attacker

2. Methods and tools

2.1. Network listening

2.2. Scanning

2.3. Packet generation

2.4. Trojans

2.5. Exploits

2.6. Programs for automated password guessing

3. Classification of network attacks

3.1. By OSI model level

3.2. By type

3.3. By location of the attacker and the attacked object

4. Spoofing attacks

5. Attacks that enable unauthorized data exchange

5.1. Tunneling

5.2. Tiny Fragment Attack

6. Data interception attacks

6.1. False ICMP Redirect message

6.2. False DHCP message

6.3. Attack on routing protocols

7. Distributed denial of service (DDoS) attacks

7.1. General principles and concepts of DDoS attacks

7.2. DDoS attacks based on the TCP protocol

7.3. DDoS attacks based on the UDP protocol

7.4. DDoS attacks based on the ICMP protocol

8. Application level attacks

8.1. Password attacks

8.2. SQL Injection

8.3. Cross-Site Scripting (XSS)

9. Threats and attacks specific to 802.11 wireless networks


The relevance and importance of the problem of ensuring information security are due to the following factors:

· Rapid development of the global Internet

Such globalization allows attackers to carry out an attack on a corporate network from almost anywhere on the globe where there is Internet access, thousands of kilometers away.

· Proliferation of easy-to-use hacking programs

The widespread proliferation of easy-to-use malicious programs, and of recommendations for their use, has led to a sharp decline in the level of knowledge and skills an attacker needs to carry out a successful attack.

· Automation of almost all business processes of companies

The significant increase in the volume of information stored and processed using computers and other automation tools has contributed to the emergence of threats associated with the possibility of data loss, distortion and disclosure. According to experts, currently about 70-90% of a company’s intellectual capital is stored in digital form.



· Numerous vulnerabilities of software and network platforms

Due to competition, modern software products go on sale with errors and defects. The errors and shortcomings remaining in these systems lead to accidental and intentional violations of information security.

· Neglect of information security issues in the company

Lack of employee awareness of information security and of the protection of trade secrets.

· Increasing popularity of wireless network technologies in the corporate environment. This is due to the ease of deployment (no cable needs to be laid), the relatively low cost of the equipment, the significantly lower cost of expanding the network (compared to a wired equivalent, it is enough to cover the required area with access points), as well as mobility for users and flexibility when expanding.

Goals pursued by the attacker

- information theft (example: theft of a login and password; theft of information that is a trade secret)

- modification of information (example: changing account balance information in a bank database)

- violation of the availability of an information resource (in this case the attacker is not interested in the information itself; his goal is to hamper the operation of a server, or make it impossible, to such an extent that other users cannot use its services).

Methods and tools

Network listening (sniffing)

Listening to traffic on local networks is done using special programs called sniffers. Such a program captures the packets arriving at the computer's network interface and allows you to analyze them.

Because some network applications transmit data in plain text (HTTP, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes confidential information (for example, usernames and passwords). The interception of usernames and passwords is a great danger, since users often use the same login and password for multiple resources and applications.

Network Chemistry Packetyzer sniffer program interface

The process of listening to traffic in a local network depends on its topology and the equipment used in it.

Previously, local networks were non-switched. Data exchange between computers on the network took place over a shared channel or, roughly speaking, over the same wire, regardless of sender and recipient. Such networks include Ethernet networks with the “Common Bus” topology (now obsolete), Ethernet networks with the “Star” topology built on a hub (now rarely used), and Wi-Fi wireless networks.

Ethernet with “Common Bus” topology

Ethernet with “Star” topology based on a hub

Wireless Wi-Fi network

In non-switched networks, each computer receives all packets transmitted over the network. Having received the packet, the network card driver analyzes the packet header, extracts the recipient's MAC address from there and compares it with the MAC address of the network card. If the addresses match, the packet is transferred to the operating system for further processing. If the addresses do not match, the packet is discarded.

It is clear that with such a scheme it is easy for an attacker to listen to all traffic on the network. To do this, the network card is put into a special mode, the so-called promiscuous (“indiscriminate”) mode. A network card in promiscuous mode receives all packets regardless of their destination address and passes them to the sniffer program for analysis. (In most cases, promiscuous mode is turned on automatically when the sniffer is launched.)

However, nowadays most Ethernet networks are built on the basis of a switch.

Ethernet with “Star” topology based on a switch

The switch maintains a table mapping the MAC addresses of nodes to the switch ports to which those nodes are connected. Packets are now forwarded only to the port assigned to the packet's destination. Accordingly, an attacker can only see packets addressed to him and broadcast packets.

However, there are ways that allow an attacker to bypass this restriction and listen to traffic not intended for him. One of them is the ARP spoofing attack (also called ARP poisoning). ARP spoofing is a type of man-in-the-middle attack.

To generate a packet and send it to the network, the computer needs to know the IP and MAC addresses of the packet recipient. The IP address, as a rule, is known to the sender in advance (or the recipient’s domain name is known, through which it is easy to obtain the IP address using a DNS server). To find a MAC address using a known IP, the ARP (Address Resolution Protocol) protocol is used. It works like this:

When a computer needs to send a packet to a specific IP address, it first checks its ARP cache for the IP-to-MAC mapping it needs. (You can view the contents of your computer's ARP cache by running arp -a at the command prompt.) If the mapping is there, the cached MAC address is inserted into the header of the outgoing packet, and the packet is sent to the network.

Otherwise, a special broadcast ARP request is sent to the network (“Who has 192.168.0.1?”). Any computer, having recognized its IP address in the request, must respond to its sender and send its MAC address. It is placed in the ARP cache of the requester and is used for further sending network packets.

An attacker can use the ARP protocol to intercept traffic between two computers on a network.

ARP spoofing attack scheme

Let's assume that attacker X needs to view traffic from A to B and back. To do this, he sends computer A a false ARP response containing the IP address of computer B and, supposedly corresponding to it, the MAC address of attacker X. A similar ARP response is sent to B: in it, the IP address of computer A is matched with the MAC address of attacker X. The ARP protocol does not require authentication, so A and B cannot verify the incoming data and immediately enter it into their ARP caches. This is how ARP cache poisoning of nodes A and B happens: incorrect, false data is entered into them. Note that having once sent a false ARP packet and replaced an entry in someone else's ARP cache, the attacker must repeat the procedure periodically, since every operating system refreshes its ARP cache at certain intervals. It is enough to do this once every 20–40 seconds.

Now computer A, about to send data to B, will send it to X (since the actual delivery of data by the switch occurs at the recipient's MAC address). Attacker X receives the data, views it, and then forwards it to the rightful recipient B without being detected. A similar situation occurs in the opposite direction: traffic transmitted from B to A can also be studied by an attacker. A particular benefit for the attacker (and, accordingly, a particular danger) is the case when one of the attacked computers is a gateway, i.e. serves to connect a local network to the Internet. Then the attacker may have access to usernames and passwords for accessing Internet resources (web sites, ICQ, email) and other confidential information transmitted to the Internet.

Thus, switched infrastructure does not eliminate the threat of sniffing. However, it noticeably reduces its severity.

Methods of protection against ARP spoofing

Using static entries in the ARP cache. To do this, you must manually enter into the computer's ARP cache the IP addresses and their corresponding MAC addresses. In this case, the attacker's false ARP response will not be accepted, and cache poisoning will not occur.

ARP cache entries - static and dynamic

However, this method is difficult to use in large networks because of its complexity. It will also not be possible to use static entries if IP addresses are assigned automatically by a DHCP server.
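The static-entry defence relies on the administrator knowing the correct IP-to-MAC mappings, and the same knowledge can be used to detect poisoning rather than only to prevent it. As an added example (not part of the original lecture), the Python script below reads arp -a output and flags the three signs of the poisoning described in this section: one MAC claimed by several IP addresses, a cached MAC that contradicts the recorded static entry, and an entry that flips between snapshots taken a few seconds apart. The cache listings and the static record it uses are constructed.

```python
"""Indicators of ARP cache poisoning in `arp -a` output: one MAC claimed by several IPs,
a MAC differing from the administrator's static record, and a MAC that flips between
snapshots.  Added example; the cache listings and the static table are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# IPv4 address followed, later on the line, by a MAC in aa:bb:.. or aa-bb-.. notation
# (matches both the Linux and the Windows `arp -a` layouts).
_ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)

# Constructed Linux `arp -a` listing before the attack ...
CLEAN_SAMPLE = """\
gateway (192.168.0.1) at 00:11:22:33:44:55 [ether] on eth0
host-b (192.168.0.20) at aa:bb:cc:dd:ee:ff [ether] on eth0
host-c (192.168.0.30) at 00:aa:bb:cc:dd:01 [ether] on eth0
"""
# ... and after node X (aa:bb:cc:dd:ee:ff) has answered for the gateway's IP.
POISONED_SAMPLE = """\
gateway (192.168.0.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
host-b (192.168.0.20) at aa:bb:cc:dd:ee:ff [ether] on eth0
host-c (192.168.0.30) at 00:aa:bb:cc:dd:01 [ether] on eth0
"""
# Hypothetical static record kept by the administrator (the static-entry defence above).
KNOWN_STATIC = {"192.168.0.1": "00:11:22:33:44:55"}


def parse_arp(output: str) -> Dict[str, str]:
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    table = {}
    for line in output.splitlines():
        m = _ENTRY.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs claimed by more than one IP: X answering for both A and B (or the gateway)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def static_mismatches(table: Dict[str, str], known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(ip, expected_mac, seen_mac) for cached entries that contradict the static record."""
    return [(ip, mac, table[ip]) for ip, mac in known.items() if ip in table and table[ip] != mac]


def mac_changes(snapshots: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) between successive snapshots.  Because the attacker must
    re-send the false reply every 20-40 s while the OS refreshes its cache, polling the
    cache at a similar interval shows the entry flipping back and forth."""
    changes = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        for ip, mac in cur.items():
            if ip in prev and prev[ip] != mac:
                changes.append((ip, prev[ip], mac))
    return changes


if __name__ == "__main__":
    poisoned = parse_arp(POISONED_SAMPLE)
    print("duplicate MACs:", duplicate_macs(poisoned))
    print("static mismatches:", static_mismatches(poisoned, KNOWN_STATIC))
    print("flips:", mac_changes([parse_arp(s) for s in (CLEAN_SAMPLE, POISONED_SAMPLE, CLEAN_SAMPLE)]))
```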

Using smart switches.

Many modern switch models have built-in protection against ARP spoofing (performed by analyzing ARP traffic on the switch and blocking false ARP requests).

Using special firewall modules to detect and block attacks

Some firewalls include a special module (for example, in Outpost it is called “Attack Detector”) that allows you to detect suspicious network activity and block it, as well as notify the user about it.

Traffic encryption

This method does not prevent interception, but it does render it useless. If the communication channel is cryptographically secure, this means that the hacker is not intercepting the message, but the ciphertext (that is, an incomprehensible sequence of bits). However, be aware that performing cryptographic transformations on large amounts of data can significantly slow down your computer.

There is another way to listen to traffic on the network. As noted, for its operation the switch dynamically builds a “MAC address – port” correspondence table. If a packet passes through the switch whose source MAC address is not in this table, the switch automatically adds a new entry for the unknown MAC address.

The attack consists of sending a large number of packets with various false MAC addresses through the switch. The switch table overflows and the switch falls back to operating as a hub. Accordingly, the attacker gains access to all traffic on the network.

The problem of eavesdropping on wireless networks has become particularly relevant lately, because a wireless network is inherently open and accessible to all. To prevent unauthorized eavesdropping on wireless traffic in Wi-Fi networks, special cryptographic protocols are used (today the most common are WPA and WPA2).

Scanning

Network scanning is aimed at identifying computers connected to the network and determining the network services running on them (open TCP or UDP ports). The first task is performed by sending ICMP Echo messages using the ping program and sequentially searching through the addresses of hosts on the network.

A network administrator can detect scanning attempts by analyzing network traffic and monitoring Echo messages sent sequentially to all network addresses over a short period of time. For greater secrecy, an attacker can significantly extend the process over time (“slow scanning”) - the same applies to scanning TCP/UDP ports.

Scanner programs are used to determine which UDP or TCP applications (as well as OS system services) are running on the detected computers. Since the port numbers of all major Internet services are standardized, having determined, for example, that port 25/TCP is open, we can conclude that this host is a mail server; port 80/TCP, a web server; and so on. The attacker can use the information obtained to develop the attack further.

Scanning a host's TCP ports is done in several ways. The simplest is to establish a full TCP connection with the port under test. If the connection is established, the port is open and a server application is bound to it. The advantage of this method is that it needs no special software: the standard telnet program allows you to specify an arbitrary port number to connect to. A significant drawback is that such a scan is easy to monitor and record: analysis of the scanned host's system log will reveal numerous connections that were opened and immediately dropped, after which measures can be taken to raise the level of security. In addition, with the telnet utility the attacker has to go through all the ports of interest manually.

Half-open scanning does not have these disadvantages, and most modern scanners work this way. The scanner sends a SYN segment to the scanned port and waits for a response. Receiving a segment with the SYN and ACK bits set means that the port is open; receiving a segment with the RST bit means the port is closed. Having received SYN+ACK, the scanner immediately sends a segment with the RST bit to the detected port, aborting the connection attempt. Since the connection was never opened (no ACK was received from the scanner), such a scan is much harder to log.

The third way is scanning using FIN segments. A segment with the FIN bit set is sent to the scanned port. The host must respond with an RST segment if the FIN segment is addressed to a closed port, while FIN segments directed to a port in the LISTEN state are ignored by many TCP/IP implementations. Thus, the absence of a response indicates that the port is open. Variants of this method send segments with the FIN, PSH and URG flags, or with no flags at all (“Null scan”).

Of course, scanning with SYN segments gives more reliable results; however, fortunately, many firewalls do not let SYN segments without the ACK flag pass from the Internet into the internal network (so connections to internal hosts initiated from the Internet are prohibited, while connections initiated from inside are allowed). In this case the attacker has no choice but to use FIN scanning.

To determine open UDP ports, an attacker can send a UDP message to the tested port. Receiving an ICMP Port Unreachable message in response indicates that the port is closed.

The scanner can also determine the operating system of the scanned node by how the node reacts to specially crafted, non-standard packets (for example, TCP segments with meaningless flag combinations or ICMP messages of certain types) and by other characteristics.

Modern scanner programs allow you not only to detect open application ports, but also to determine a list of vulnerabilities that are present in these applications and provide recommendations for eliminating them. In order for the scanner to be able to find vulnerabilities in new versions of applications, the scanner database must be constantly updated (similar to the database of an antivirus program).

Thus, the scanner program can be used not only by an attacker, but also by the administrator himself, in order to search for vulnerabilities and eliminate them. The administrator should also regularly review the list of open ports: the presence of an open port unknown to the administrator may indicate the presence of a Trojan program on the system.
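As an added example (not part of the original lecture), the Python script below implements the detection the text describes: it reads firewall log lines, counts how many distinct ports each source probes inside a time window, and names the technique from the flags used (SYN-only half-open, FIN-only, or no flags). The log lines are constructed in the Linux netfilter LOG-target layout, and the window and port thresholds are illustrative; the slow-scan case shows why a short window alone is not enough.

```python
"""Detect port scans in firewall log lines by counting distinct destination ports per
source inside a time window, and classify the scan by the TCP flags used (SYN-only
half-open, FIN-only, no flags).  Added example; the log lines are constructed in the
netfilter LOG-target layout and the thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
_PORTS = (21, 22, 23, 25, 80, 110, 143, 443)


def make_line(ts: str, src: str, dpt: int, flags: str) -> str:
    """Build one constructed log line; `flags` is e.g. "SYN", "FIN" or "" (NULL scan)."""
    return (f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.20 LEN=40 PROTO=TCP "
            f"SPT=40001 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


def constructed_log() -> List[str]:
    """Fast SYN sweep, slow FIN sweep (one port per minute), and a normal HTTPS client."""
    fast = [make_line(f"Jan 10 12:00:{s:02d}", "10.0.0.5", p, "SYN") for s, p in enumerate(_PORTS)]
    slow = [make_line(f"Jan 10 13:{m:02d}:00", "10.0.0.9", p, "FIN") for m, p in enumerate(_PORTS)]
    normal = [make_line("Jan 10 12:00:05", "10.0.0.7", 443, "SYN"),
              make_line("Jan 10 12:00:06", "10.0.0.7", 443, "ACK PSH")]
    return fast + slow + normal


def parse_line(line: str) -> Optional[Tuple[datetime, str, int, FrozenSet[str]]]:
    """(timestamp, source, destination port, flag set) for a TCP line, else None."""
    fields = dict(_FIELD.findall(line))
    if fields.get("PROTO") != "TCP":
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog prefix, no year
    flags = frozenset(f for f in _FLAGS if re.search(rf"\b{f}\b", line))
    return ts, fields["SRC"], int(fields["DPT"]), flags


def classify(flag_sets: List[FrozenSet[str]]) -> str:
    """Name the technique from the flags seen on every probe of the window."""
    if all(fs == {"SYN"} for fs in flag_sets):
        return "SYN (half-open) scan"
    if all(fs == {"FIN"} for fs in flag_sets):
        return "FIN scan"
    if all(not fs for fs in flag_sets):
        return "NULL scan"
    return "mixed flags"


def detect_scans(lines: List[str], window_s: int = 10, min_ports: int = 6) -> Dict[str, Tuple[str, int]]:
    """{source: (scan type, distinct ports)} for any source that touches at least
    `min_ports` distinct ports within `window_s` seconds.  A slow scan evades a short
    window, which is why the text calls for watching over a longer period too."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt, flags = parsed
            events[src].append((ts, dpt, flags))
    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for t0, _, _ in evs:
            window = [e for e in evs if 0 <= (e[0] - t0).total_seconds() <= window_s]
            ports = {dpt for _, dpt, _ in window}
            if len(ports) >= min_ports:
                alerts[src] = (classify([f for _, _, f in window]), len(ports))
                break
    return alerts


if __name__ == "__main__":
    log = constructed_log()
    print("10 s window:", detect_scans(log))
    print("10 min window:", detect_scans(log, window_s=600))
```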

Xspider scanner report with a list of open ports

Xspider scanner report: vulnerability found and recommendations for eliminating it

You can also determine the open ports on the local machine, as well as the applications that use these ports, using the netstat command line utility.

Packet generation

On the Internet you can find ready-made programs for generating packets of a given format and content. Using such programs often does not require the attacker to have any programming skills or understanding of how networks operate, which makes many attacks, especially denial-of-service attacks, widely accessible.

2.4. Trojans

Trojan programs are designed to steal information or to control a remote computer.

Trojan programs differ from each other in the actions they perform on an infected computer. The following is a classification of Trojan programs, according to Kaspersky Lab.
