Active Connections
We can list the current TCP and UDP endpoints, their state and the owning process ID with netstat. The -a switch shows listening as well as established sockets, -o adds the PID column, and -n keeps addresses numeric so that collection itself does not trigger reverse DNS lookups. netstat does not print process names; map the PIDs with tasklist /svc, or rerun as netstat -aonb from an elevated prompt to get the executable. In the capture below everything is either a LISTENING socket (135 RPC endpoint mapper, 445 SMB, 5357 WSD, the 49152-49156 RPC dynamic range) or a UDP binding (123 NTP, 500/4500 IKE/IPsec, 1900 SSDP); nothing is ESTABLISHED to a remote host at the moment of capture, so what matters here is which PID owns each port and whether that PID belongs to the service that should own it. Keep in mind that a kernel-mode rootkit can hide sockets from netstat, so cross-check against a packet capture taken outside the host when one is available.
C:\Users\Bala>netstat -aon
Active Connections
  Proto  Local Address                  Foreign Address        State           PID
  TCP    0.0.0.0:135                    0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445                    0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357                   0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152                  0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:49153                  0.0.0.0:0              LISTENING       1024
  TCP    0.0.0.0:49154                  0.0.0.0:0              LISTENING       1072
  TCP    0.0.0.0:49155                  0.0.0.0:0              LISTENING       580
  TCP    0.0.0.0:49156                  0.0.0.0:0              LISTENING       568
  TCP    [::]:135                       [::]:0                 LISTENING       856
  TCP    [::]:445                       [::]:0                 LISTENING       4
  TCP    [::]:5357                      [::]:0                 LISTENING       4
  TCP    [::]:49152                     [::]:0                 LISTENING       496
  TCP    [::]:49153                     [::]:0                 LISTENING       1024
  TCP    [::]:49154                     [::]:0                 LISTENING       1072
  TCP    [::]:49155                     [::]:0                 LISTENING       580
  TCP    [::]:49156                     [::]:0                 LISTENING       568
  UDP    0.0.0.0:123                    *:*                                    1224
  UDP    0.0.0.0:500                    *:*                                    1072
  UDP    0.0.0.0:4500                   *:*                                    1072
  UDP    127.0.0.1:1900                 *:*                                    1224
  UDP    127.0.0.1:49153                *:*                                    1224
  UDP    [::]:123                       *:*                                    1224
  UDP    [::]:500                       *:*                                    1072
  UDP    [::1]:1900                     *:*                                    1224
  UDP    [::1]:49152                    *:*                                    1224
  UDP    [fe80::100:7f:fffe%11]:1900    *:*                                    1224
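A listing like the one above is most useful once it is reduced to two questions: which process owns each listening port, and which rows have a foreign address outside the local network. The following Python is an added example, not code from the original post; it parses saved netstat -aon output into records and answers both questions. The input is a constructed sample built from rows of the page's own capture plus one ESTABLISHED row (PID 1337 to 203.0.113.5:443, a documentation address) that is not in the original, so that the external-peer check has something to find. The PID, addresses and LOCAL_NETS list are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: rows from the page plus one ESTABLISHED connection
# (PID 1337 -> 203.0.113.5:443) that does not appear in the original capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49210     203.0.113.5:443        ESTABLISHED     1337
  TCP    [::]:135               [::]:0                 LISTENING       856
  UDP    0.0.0.0:123            *:*                                    1224
  UDP    127.0.0.1:1900         *:*                                    1224
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                              1224
"""

# Ranges that do not point at an outside peer: unspecified, loopback,
# link-local and RFC 1918 / ULA space (assumed list; extend for your site).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def split_endpoint(ep):
    """'192.168.1.20:49210' -> ('192.168.1.20', 49210), '[::]:135' -> ('::', 135),
    '*:*' -> ('*', None). Strips IPv6 brackets and zone ids such as %11."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]").split("%")[0]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn `netstat -aon` output into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP rows carry a State column; UDP rows do not.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state,
                     "pid": int(pid)})
    return rows


def listening_ports_by_pid(rows):
    """Map each PID to the (proto, port) pairs it has open for inbound traffic.
    IPv4 and IPv6 listeners on the same port collapse into one entry."""
    by_pid = defaultdict(set)
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            by_pid[r["pid"]].add((r["proto"], r["lport"]))
    return dict(by_pid)


def is_local(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or anything that is not an address
        return True
    return any(ip in net for net in LOCAL_NETS)


def external_peers(rows):
    """Rows whose foreign address lies outside LOCAL_NETS: the sockets to
    pivot on first (owning PID, remote port, and what that process is)."""
    return [r for r in rows if not is_local(r["fhost"])]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for pid, ports in sorted(listening_ports_by_pid(rows).items()):
        print(f"PID {pid:>5}: {sorted(ports)}")
    for r in external_peers(rows):
        print(f"external: PID {r['pid']} {r['lhost']}:{r['lport']} -> "
              f"{r['fhost']}:{r['fport']} {r['state']}")
```

Feed it the text saved with netstat -aon > netstat.txt on the host; the per-PID map is what you compare against tasklist /svc, and external_peers is the list to take to the firewall or proxy logs.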
DNS queries made from the infected system
ipconfig /displaydns dumps the local DNS client (resolver) cache: the names this host recently resolved and the answers it received, including negative entries ("Name does not exist."). It is a cheap way to learn which domains malware on the box contacted. Capture it early, and before running anything that performs lookups of its own: the cache is volatile, each entry drops out when its Time To Live expires, and ipconfig /flushdns or a reboot empties it. Record Type is the numeric RR type (1 = A, 12 = PTR, 28 = AAAA). In the capture below only the localhost entries are present.
C:\Users\Bala>ipconfig /displaydns
Windows IP Configuration
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost
1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost
localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 86400
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1
localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 28
Time To Live . . . . : 86400
Data Length . . . . . : 16
Section . . . . . . . : Answer
AAAA Record . . . . . : ::1
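Reading this dump by eye does not scale once a host has hundreds of cached names, so the usual move is to parse it and separate the reverse and localhost records from the names worth investigating. The following Python is an added example, not code from the original post. It parses saved ipconfig /displaydns output into one record per entry, collects the A/AAAA answers per name, and returns the entries that are neither localhost nor reverse lookups, keeping negative entries because a name the host tried and failed to resolve is itself a lead. The sample input is constructed: three of the page's localhost entries plus a forward lookup of updates.example.net and a negative entry for wpad.example.net, neither of which is in the original capture; those names and addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the page's localhost entries plus two entries
# (updates.example.net, wpad.example.net) that are not in the original capture.
SAMPLE = """\
Windows IP Configuration

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 28
    Time To Live  . . . . : 86400
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : ::1

    updates.example.net
    ----------------------------------------
    Record Name . . . . . : updates.example.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 212
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.9

    wpad.example.net
    ----------------------------------------
    Name does not exist.
"""

# "Key . . . . : value" lines; the key is everything before the dot leaders.
FIELD = re.compile(r"^\s*(.*?)(?:\s*\.)*\s*:\s*(.*?)\s*$")
RDATA_KEYS = ("A (Host) Record", "AAAA Record", "PTR Record", "CNAME Record")


def parse_displaydns(text):
    """One dict per cache entry: name, numeric type, ttl, data, negative flag."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line == "Windows IP Configuration":
            continue
        if line == "Name does not exist.":
            # Negative-cache entry: the only name we have is the bare header line.
            entries.append({"name": header, "type": None, "ttl": None,
                            "data": None, "negative": True})
            continue
        m = FIELD.match(line)
        if not m:
            header = line          # bare name line that precedes each record
            continue
        key, value = m.group(1), m.group(2)
        if key == "Record Name":
            entries.append({"name": value.rstrip("."), "type": None,
                            "ttl": None, "data": None, "negative": False})
        elif key == "Record Type":
            entries[-1]["type"] = int(value)
        elif key == "Time To Live":
            entries[-1]["ttl"] = int(value)
        elif key in RDATA_KEYS:
            entries[-1]["data"] = value
    return entries


def forward_lookups(entries):
    """name -> set of A/AAAA answers: the addresses this host resolved."""
    out = defaultdict(set)
    for e in entries:
        if e["type"] in (1, 28) and e["data"]:
            out[e["name"]].add(e["data"])
    return dict(out)


def non_local_names(entries):
    """Entries that are neither localhost nor reverse (PTR) lookups.
    Negative entries are kept: a failed lookup is still a name the host wanted."""
    return [e for e in entries
            if e["name"].lower() != "localhost"
            and not e["name"].lower().endswith((".in-addr.arpa", ".ip6.arpa"))]


if __name__ == "__main__":
    entries = parse_displaydns(SAMPLE)
    for name, addrs in forward_lookups(entries).items():
        print(f"{name:30} {sorted(addrs)}")
    for e in non_local_names(entries):
        print("lead:", e["name"], "(negative)" if e["negative"] else e["data"])
```

Save the cache with ipconfig /displaydns > dns.txt before any other tooling runs on the host, then hand the non_local_names output to whoever is checking domains against threat intelligence; the remaining TTL tells you roughly how recently each name was looked up.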
NetBIOS Connections
nbtstat -c lists the NetBIOS name cache: remote machine names and the IP addresses they were resolved to, which tells you which hosts this machine has recently addressed by name.
nbtstat -S lists the current NetBIOS sessions with the remote side shown as an IP address (nbtstat -s shows it as a name); net session lists the SMB sessions that other machines currently have open to this host, with the user name and idle time.
net file lists the shared files on this host that are currently open over the network and who has them open. Note that net session and net file only show inbound, currently open state; they are not a history of files that were transferred.
ARP Cache
arp -a lists the ARP cache of the machine under investigation: the IP-to-MAC mappings for hosts on the local segment it has recently exchanged frames with. This is the quickest way to see lateral-movement peers on the same subnet, and comparing the gateway's MAC with the known value (or spotting one MAC claimed by several IPs) is the basic check for ARP cache poisoning. Dynamic entries age out within minutes, so collect this early in the live response.
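To make the poisoning check repeatable, the following Python is an added example, not code from the original post. It parses saved arp -a output from a Windows host and reports MAC addresses that answer for more than one unicast IP on the same interface. The input is a constructed sample, not a real capture: the gateway MAC 00-11-22-33-44-55 is also claimed by 192.168.1.30, which is what a poisoned cache looks like (a legitimate router or hypervisor answering for several addresses produces the same pattern, so a hit is a lead to confirm, not a verdict). All addresses in the sample are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `arp -a` output; the gateway MAC is also claimed by
# 192.168.1.30, which is the pattern a poisoned cache produces.
SAMPLE = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          00-11-22-33-44-55     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

IFACE = re.compile(r"^Interface:\s+(\S+)\s+---\s+(\S+)")
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+"
                 r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)\s*$", re.I)


def parse_arp(text):
    """One dict per cache row, tagged with the interface it was listed under."""
    rows, iface = [], None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ROW.match(line)
        if m:
            rows.append({"iface": iface, "ip": m.group(1),
                         "mac": m.group(2).lower(), "type": m.group(3)})
    return rows


def shared_macs(rows):
    """(iface, mac) -> set of unicast IPs, for MACs that appear for more than
    one IP. Broadcast and multicast rows are ignored: they always share MACs."""
    by_mac = defaultdict(set)
    for r in rows:
        ip = ipaddress.ip_address(r["ip"])
        if ip.is_multicast or r["mac"] == "ff-ff-ff-ff-ff-ff":
            continue
        by_mac[(r["iface"], r["mac"])].add(r["ip"])
    return {k: ips for k, ips in by_mac.items() if len(ips) > 1}


def gateway_mac(rows, gateway_ip):
    """MAC the cache currently holds for the default gateway, to compare with
    the value known from the switch or DHCP inventory."""
    for r in rows:
        if r["ip"] == gateway_ip:
            return r["mac"]
    return None


if __name__ == "__main__":
    rows = parse_arp(SAMPLE)
    print("gateway 192.168.1.1 is at", gateway_mac(rows, "192.168.1.1"))
    for (iface, mac), ips in shared_macs(rows).items():
        print(f"{iface}: {mac} answers for {sorted(ips)}")
```

Run it against arp -a > arp.txt collected in the first minutes of the response; a shared-MAC hit involving the gateway address, together with an unexpected gateway MAC, is the strongest host-side indicator that traffic from this machine is being intercepted on the segment.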