Question


  1. Run “netstat -an” on your own computer. On a computer running Microsoft Windows, open a command prompt. Often this can be done by going to the Start menu, then choosing Programs > Accessories > Command Prompt. The netstat command will actually work on many other operating systems, including Linux and Mac. The output will be something like below:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:38068          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49694          0.0.0.0:0              LISTENING
  TCP    10.0.0.238:139         0.0.0.0:0              LISTENING
  TCP    10.0.0.238:53031       131.253.34.232:443     ESTABLISHED
  TCP    10.0.0.238:53179       216.58.194.130:443     TIME_WAIT
  TCP    10.0.0.238:53180       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53181       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53182       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53187       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53188       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53189       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53192       207.126.123.113:443    ESTABLISHED
  TCP    10.0.0.238:53196       184.31.241.232:443     ESTABLISHED
  TCP    10.0.0.238:53198       23.207.18.195:443      ESTABLISHED
  TCP    10.0.0.238:53199       72.21.211.11:443       ESTABLISHED
  TCP    10.0.0.238:53200       72.21.211.11:443       ESTABLISHED
  TCP    10.0.0.238:53212       8.43.72.52:443         ESTABLISHED
  TCP    10.0.0.238:53213       216.58.194.130:443     TIME_WAIT
  TCP    10.0.0.238:53214       8.43.72.52:443         ESTABLISHED
  TCP    10.0.0.238:53215       8.43.72.52:443         ESTABLISHED
  TCP    10.0.0.238:53218       176.32.96.208:443      ESTABLISHED
  TCP    10.0.0.238:53240       23.36.68.241:443       ESTABLISHED
  TCP    10.0.0.238:53248       216.58.194.102:443     ESTABLISHED
  TCP    10.0.0.238:53250       23.36.68.241:443       ESTABLISHED
  TCP    10.0.0.238:53256       8.43.72.98:443         ESTABLISHED
  TCP    10.0.0.238:53258       23.43.160.49:443       ESTABLISHED
  TCP    10.0.0.238:53261       23.43.160.96:443       ESTABLISHED
  TCP    10.0.0.238:53264       107.178.254.65:443     ESTABLISHED

Notice that each line has the following columns: Proto, Local Address, Foreign Address and State. Let’s examine each one.

The name of the first column, Proto, stands for protocol and is either TCP or UDP. TCP and UDP are two types of network protocols in the Internet. Notice that the TCP lines all end with either ESTABLISHED or LISTENING for a state. ESTABLISHED connections are those that are actively being used to transfer data. The LISTENING connections are not currently being used to transfer data but they represent server software that is ready to accept and respond to requests should they arrive.

The foreign and local address portions of each line are composed of two portions separated by a colon -- an IP address and a port number. The IP address indicates the numerical address of the computer on which the network software is running. The port number indicates the “mailbox” number on that particular computer for that particular service or network conversation.

You can investigate each type of server running on your machine. For example, consider the line:

TCP    0.0.0.0:135            0.0.0.0:0              LISTENING

It says that a service is listening on TCP port 135. If I want to know what port 135 is typically used for, I can do a Web search for “TCP port 135”.

Now run a “netstat -an” command on your computer and copy and paste the output below. Then select three services currently running on your computer, identify their port numbers, and conduct a web search to find out what type of service typically runs on these ports. How could some computer viruses have exploited flaws in these services?

Your output and findings:

Homework Answers

Answer #1

output

1. Port 135 is used in client/server applications. There is an RPC (an RPC's Endpoint Mapper component) vulnerability in Windows NT where a malformed request to port 135 could cause denial of service (DoS).

2. TCP port 445 is used for direct TCP/IP MS Networking access without the need for a NetBIOS layer.

Leaving port 445 open leaves Windows machines vulnerable to a number of trojans and worms:
W32.HLLW.Deloder [Symantec-2003-030812-5056-99]
IraqiWorm (aka Iraq_oil.exe )
W32.HLLW.Moega [Symantec-2003-080813-3234-99]
W32.Korgo.AB [Symantec-2004-092415-4853-99] (2004.09.24)
Backdoor.Rtkit.B [Symantec-2004-100115-0426-99] (2004.10.01)
W32.Sasser.Worm [Symantec-2004-050116-1831-99] - exploits port 445 vulnerabilities, opens TCP ports 5554,9996.
Trojan.Netdepix.B [Symantec-2005-011715-5404-99] (2005.01.16.) - trojan uses port 445, opens port 15118/tcp.
Backdoor.IRC.Cirebot [Symantec-2003-080214-3019-99] (2003.08.02) - trojan that exploits the MS DCOM vulnerability, uses ports 445 & 69, opens backdoor on port 57005.
Windows Null Session Exploit.

3. Port 808 is used by the Microsoft Net.TCP Port Sharing Service.

It is vulnerable to the WinHole trojan.
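
The column layout described in the question can be turned into a small inventory script. The following is an added example, not part of the original question or answer: it parses the Windows `netstat -an` layout, reports which listening ports are bound to every interface (reachable from the network) versus a single address, and counts established connections per remote endpoint. The function names and the sample rows (taken from the question's output plus constructed IPv6 and UDP rows) are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: a few rows in the Windows `netstat -an` layout shown above.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.238:139         0.0.0.0:0              LISTENING
  TCP    10.0.0.238:53179       216.58.194.130:443     TIME_WAIT
  TCP    10.0.0.238:53180       151.101.49.121:443     ESTABLISHED
  TCP    10.0.0.238:53181       151.101.49.121:443     ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""
WILDCARDS = ("0.0.0.0", "[::]")  # addresses meaning "every interface"

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like [::]:445 work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; header and blank lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].upper() not in ("TCP", "UDP"):
            continue
        # UDP is connectionless, so netstat prints no State column for it.
        yield {"proto": f[0].upper(), "local": split_endpoint(f[1]),
               "remote": split_endpoint(f[2]), "state": f[3] if len(f) > 3 else ""}

def listening_ports(rows):
    """Map each LISTENING port to True if a listener binds all interfaces."""
    ports = {}
    for r in rows:
        if r["state"] == "LISTENING":
            addr, port = r["local"]
            ports[int(port)] = ports.get(int(port), False) or addr in WILDCARDS
    return ports

def established_by_remote(rows):
    """Count ESTABLISHED connections per remote (address, port) pair."""
    return Counter((r["remote"][0], int(r["remote"][1]))
                   for r in rows if r["state"] == "ESTABLISHED")

if __name__ == "__main__":
    rows = list(parse_netstat(SAMPLE))
    print(listening_ports(rows))        # which ports accept connections, and where
    print(established_by_remote(rows))  # who this machine is talking to
```

To use it on live data, pass the captured text of `netstat -an` to `parse_netstat` in place of `SAMPLE`.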
