Monitor Ports on Windows

This tutorial will show you how to test whether you are infected with worms, trojans and other types of malware. You’ll also learn how to run DOS programs in a for loop.

Let’s say we wanted to loop over and over, watching for port 80 connections (perhaps we are looking for a worm and trying to find out where it connects to, or we want to investigate all connections that our computer is making without our permission or knowledge). This is a typical method of investigating spyware infections.

Port 80 is a web server, and most worms and malware connect via HTTP (a web server on port 80) or HTTPS (an encrypted web server on port 443). In reality, though, spyware can connect to any port; these are simply the most common. We could instead look for all “TCP” connections and find which ports they are using. Anyway, assuming it’s port 80 you are looking for:

In Linux, you’d simply type:

shell>watch "netstat -ano |grep ':80'"

In winblow$ though, there isn’t a “watch” command by default. There are several hacks available on the resource CD, but that’s not a default install for most users… So, let’s expand our example and pretend we want to see all connections to port 80 on a Windows box:

netstat -ano | find ":80"

using netstat to monitor port 80

This will show you what is happening at that moment, but won’t let you monitor unless you press the up arrow and run the command over and over… bleh.

So, put it in a for loop:

for /L %i in (0,0,0) do netstat -ano|find ":80"
for loop netstat ano find port 80 scrolling by too fast

But this scrolls by like a jack rabbit on crack when I open up a browser, so we’ll slow it down with a ping between each loop, chained with the && operator.

We’ll ping the multicast address 224.0.0.0 once (-n 1) with a reply timeout of 2000 milliseconds (2 seconds, -w 2000). Since no reply ever comes, this is a hack that lets us pause for 2 seconds:

ping -n 1 -w 2000 224.0.0.0

And to use the loop, the command and the pause all together:

for /L %i in (0,0,0) do netstat -ano|find ":80" && @ping -n 1 -w 2000 224.0.0.0
using ping to slow down a for loop - still ugly

It’s slow now, and readable, but it’s still ugly and will be difficult to monitor casually, so I’m going to use @, cls and NUL to hide output I don’t want to see, making changes easier to spot. Final tweaks:

for /L %i in (0,0,0) do @cls && netstat -ano|find ":80" && @ping -n 1 -w 2000 224.0.0.0 >NUL && @cls
Monitoring Port 80, Real time - looks nice!

And a few seconds later, if we keep monitoring (waiting for the TCP connections that I initiated to time out):

Using a for loop, ping and netstat to monitor port 80 - LAST_ACKs

Etc.

Find the port you are looking for and the output will tell you what IP address it’s communicating with.

For example, if you were watching for all TCP connections you’d instead say:

for /L %i in (0,0,0) do @cls && netstat -ano | find "TCP" && @ping -n 1 -w 2000 224.0.0.0 >NUL && @cls

And just a few seconds later, after most of the connections have timed out:

Real time port monitoring on windows - TIME_WAIT

Other Examples:

SSH:

for /L %i in (0,0,0) do @cls && netstat -ano | find ":22" && @ping -n 1 -w 2000 224.0.0.0 >NUL && @cls

FTP:

for /L %i in (0,0,0) do @cls && netstat -ano | find ":21" && @ping -n 1 -w 2000 224.0.0.0 >NUL && @cls

RDP:

for /L %i in (0,0,0) do @cls && netstat -ano | find ":3389" && @ping -n 1 -w 2000 224.0.0.0 >NUL && @cls

Be creative and you can use a loop to find and monitor useful information, such as all TCP connections that are not IPv6 (here I use another find, but this time with /V to remove lines containing “::”, which marks an IPv6 connection):

for /L %i in (0,0,0) do @cls && netstat -ano|find "TCP"|find /V "::" && @ping -n 1 -w 2000 224.0.0.0 >NUL && @cls
Monitoring TCP Connections in Real Time on Windows

Simply replace the netstat … | find "…" part with whatever commands/parameters you want to monitor and this DOS one-liner will monitor it for you in real time. You can adjust the ping -n 1 -w 2000 224.0.0.0 part to some other number if you want screen updates to happen faster or slower. Each 1000 ms is a second, so to do a 10 second wait: ping -n 1 -w 10000 224.0.0.0

So… we found a connection and don’t know what it’s to. What do you do? First, use Task Manager and look at the Process ID. We’ll use the line above and look for PID 1116.

Using Task Manager to Track Unknown, Open Ports

We can see that 1116 in the PID column is safe: it’s our virus scanner (Google AvastSvc.exe to verify, and make sure you have the free antivirus from avast.com installed).
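As an added example (not from the original post) that folds the monitoring loop and the Task Manager PID step into one script: each pass lists the connections matching the port together with the owning process name from tasklist, and the pause is done with timeout.exe (Windows Vista and later) so that it runs on every pass, unlike the find … && ping form, which skips the pause and spins at full speed whenever find matches nothing. The script name, argument handling and output layout are my own choices.

```batch
@echo off
rem portwatch.cmd -- added example, not from the original post.
rem Usage: portwatch.cmd [PORT] [SECONDS]     defaults: 80 and 2
rem Each pass lists connections whose address contains :PORT (so :80 also
rem matches :8080, as in the original one-liners), looks up the owning
rem process name with tasklist, then sleeps for SECONDS.
setlocal EnableDelayedExpansion
set "PORT=%~1"
if "%PORT%"=="" set "PORT=80"
set "DELAY=%~2"
if "%DELAY%"=="" set "DELAY=2"

:loop
cls
echo Connections matching :%PORT%   (Ctrl+C to stop)
set "FOUND=0"
rem netstat -ano columns: Proto Local Foreign State PID  (UDP rows have no State)
for /f "tokens=1-5" %%a in ('netstat -ano ^| find ":%PORT%"') do (
    set "FOUND=1"
    if "%%a"=="TCP" (set "PID=%%e" & set "STATE=%%d") else (set "PID=%%d" & set "STATE=-")
    set "NAME=?"
    rem tasklist /fo csv /nh prints "name","pid",... and the ~ strips the quotes
    for /f "tokens=1 delims=," %%p in ('tasklist /fi "PID eq !PID!" /fo csv /nh ^| find /v "INFO:"') do set "NAME=%%~p"
    echo %%a  %%b  to  %%c  !STATE!  PID !PID!  !NAME!
)
if "%FOUND%"=="0" echo no connections matching :%PORT%
rem timeout runs on every pass; "find ... && ping" skips the pause when find
rem matches nothing, so the loop would spin without delay
timeout /t %DELAY% /nobreak >nul
goto loop
```

Run it as portwatch.cmd 443 5 to watch HTTPS connections every five seconds; PID 0 rows (TIME_WAIT leftovers) resolve to System Idle Process, which is expected.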

We can also look at the established connections and use nslookup to find out who owns the IP address. That will often give a great clue as to what you are connected to. Scroll up and look at the established connection to 74.125.19.19: who owns it, and why is process ID 2648 (the Chrome web browser) connected to it?

Common sense should tell me to go look at my Chrome browser and see what might be using HTTPS (netstat shows it’s connected on port 443, which is HTTPS), but let’s assume that it’s not Chrome and is instead some program in the background connecting to some IP address without my knowledge. Here is how I’d find out who that remote IP address belongs to:

Using nslookup to track trojans and spyware

This says that the root domain is 1e100.net, and if I do a lookup on http://whois.sc or any other domain lookup tool, it tells me that it’s owned by Google. As I’m connected to Gmail over HTTPS, this established connection makes perfect sense and I don’t need to investigate further.

  • Mark Williams

    Interesting, but you do know netstat has an interval parameter, right?
    So from your earlier example, if you want to listen to port 80 every 2 seconds you could just type
    netstat -ano 2 | find ":80" where the 2 is the interval in seconds.
