[../_includes/Default.htm]
Now let's look at what "doors" are open on your
computer. In order to do this we will be using a utility called
Netstat. Netstat provides its user with the network status of the
computer from which the command is being sent. Netstat is very
comprehensive; below you will find its usage stanza:
Displays protocol statistics and current
TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto]
[-r] [interval]
-a Displays all connections and listening
ports.
-e Displays Ethernet statistics. This may be combined with the
-s
option.
-n Displays addresses and port numbers in numerical
form.
-p proto Shows connections for the protocol specified by proto;
proto may be TCP or UDP. If used with the -s option to
display
per-protocol statistics, proto may be TCP, UDP, or IP.
-r
Displays the routing table.
-s Displays per-protocol statistics. By
default, statistics are
shown for TCP, UDP and IP; the -p option may be
used to specify
a subset of the default.
interval Redisplays
selected statistics, pausing interval seconds
between each display.
Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will
print the current
configuration information once.
There are a lot of options listed, but we are only
concerned with the first one:
-a Displays all connections and listening
ports.
Translation:
-a Shows you who's in the "warehouse" and and which
"doors" are open.
Now let's do a little.....hacking? Follow these
steps.
STEP 1 - Launch DOS or Command
Prompt
1. Click on the Start button on the bottom left of your
screen.
2. Next click on the Run.
3. You will be presented with the Run window which allows
you to type in commands. The command we want to run is cmd to
bring up the command prompt or DOS. Type cmd in the window, and
click the OK button.
STEP 2 - Execute netstat -a command
1. Now you should be looking at the command prompt or DOS
window. This where we can type in our command: netstat -a
After you type this command, press Enter.
STEP 3 - Reading the output
You should see fours columns on your screen:
 |
Proto(col) - This is the protocol or language being used by
your system for a service. Examples are:
|
TCP Transmission Control
Protocol-
UDP User Datagram
Protocol
| | -
Local Address - Your system name otherwise known as hostname,
and the port number/name. The port number may be substituted for the
name of the service being used.
Example: localhost:http instead
of localhost:80
-
Foreign Address - The name or IP address of the system you
are connected to and the port number/name. The IP address is
the number representation for a system name. try the following
link to see what I mean:
|
http://64.58.76.225
| -
State - This lets you know what is happening on a particular
port. The words we're looking for are:
|
LISTENING, an open door-
ESTABLISHED, a door which is being
used-
TIME_WAIT, a door was used, now it's
closed
| | | | | | |
STEP 4 - Grouping, grouping, gone!
Let's group everything according to its State. This
will require opening up a blank/new document in either Note Pad, Write
Pad, Word, or any other word professing software. Copy and paste the
entire Netstat-a output from your DOS/Command Prompt window into your new
document. Follow these steps:
|
"Right-click" on the Title Bar of the DOS/Command
Prompt -
Select the Edit item and then select the Select All
item-
"Right-click" on the Title Bar of the DOS/Command
Prompt -
Select the Edit item and then select the Copy item-
| Go to your new document and Paste | | | | |
Ok. Let's do some grouping by State. Move all
LISTENING lines together, all the ESTABLISHED lines together, and all the
TIME_WAIT lines together.
NOTE: You can find out which of these ports is
opened to the general Internet public by running the Probe MY Ports
test. If your results are unsatisfactory and you don't have a
firewall, you need to get a firewall. A firewall should be a basic
component of your Internet security. Below are listed some of
the top players in the software firewall game, but please read our Link Disclaimer before clicking on
the links.
[firewallinks.htm]
Amazon and Tiger Direct have a good selection of
hardware firewalls.
|
Amazon.com-
| Tiger Direct - Use the following link to go to TigerDirect's Networking Section and then click on
the Router/Gateway at the top of the
page. | |
NOTE: Check our Security
FAQs page for benefits of a hardware versus software
firewall.
STEP 5 - Let's go a-hunting!
We need to identify what is actually running on these
ports. First let's look in our Windows services file. This
document is used to startup services on certain ports and contains a very
brief description of the service. Below is the location of the
files:
|
Win 95/98 - C:\WINDOWS\SERVICES-
Win NT/2k- C:\WINNT\SYSTEM32\DRIVERS\ETC\SERVICES-
| Official
List | | |
Tip: Create a shortcut of this file on your desktop
so that you don't have to hunt for it again:
- Right-click on the file
- Click Send to...
- Select desktop
It's good to know what you actually have running on your
machine so that in case you do get hacked, you know what ports you should
see open. You should make sure that you don't have any
Internet applications running when you compile the list. This
includes, but is not limited to :
|
AOL Instant Messenger-
Yahoo
Messenger-
ICQ-
Trillian-
Internet explorer-
Netscape Navigator-
Eudora E-mail client-
| Outlook or Outlook Express
clients | | | | | | | |
NOTE: Port 138 which is used by the NetBios
protocol has "well known" exploits and vulnerabilities. If you don't have a home network setup than turn off the following
services:
|
File and Print Sharing for Microsoft Networks-
| Client Services for Microsoft Networks | |
Instructions: Windows
95/98 Windows NT
STEP 6 - Now what?
Now you're ready to rid your machine of the dreaded
"script kiddies" should you get hacked. Pay attention,
grasshopper. You NEED a firewall - whether it is a software
firewall, a hardware firewall, or both, you need a firewall! This will
protect you 99.99% of the time, unless someone has a personal vendetta
against you. The three banners listed on this page are links to
industry-leading software firewalls. Click on any one of them to get
more information. So let's suppose your .01% time happens before you
leave this beautiful planet, then here's what you need to do. You
already have the basics down - we're just going to put it all
together.
- Check the Netstat-a output against the following trojan
port list. If you find the port, then click on the name of the
trojan to get more information. Copy this information in another
text document by via copy/paste. It will come in handy
later.
- Run Netstat-n. This will give you the IP address
of the machine that is connected to you on that port (the script
kiddie). Write this down as well so that you can nail them later
by turning them into their ISP.
- Disconnect from the Internet. Easiest way to do
this is remove the cable from your modem, and and shutdown all Internet
applications.
- Run anti-virus scan. Check out our Virus
Section.
- Run anti-trojan scan. If you don't have it, get
it here.
- If the description of the trojan from the trojan list
noted any files in the registry, make sure they are gone. Use the
same method you used to open the DOS/Command Prompt, but instead of
typing cmd, type regedit. Then do a "Find" for the files
listed in the description. If you find them, delete them.
- Reconnect your modem cable and reboot computer.
- Check Netstat-a against the trojan
list again to verify a "script kiddie" free machine.
- If you want to try and catch the culprit, open up your
DOS/command prompt window like you did for Netstat and type: tracert
["script kiddies" IP]. You should have copied down the IP
address from step 2. Now, before the trace gets to the IP address
of the perpetrator, it will pass through the ISP first. So check
the two previous IP addresses before getting to the destination.
Type them into the browser the way we did with Yahoo above, and see who
to report the incident to. Usually, it will be
abuse@[ISP].com
[../_includes/foot.htm]
| [internet-security-nav.htm] | 
| [../_includes/right_bottom.html] | |
