July 31, 2011
State list
LISTEN: In the listening state.
ESTABLISHED: A connection has been established.
TIME_WAIT: The connection is currently in a waiting state.
The -a parameter is commonly used to list the open ports on your local system, and you can use it to check whether a Trojan has been installed on your own machine (PS: there are many good programs for detecting Trojans, but if your goal is to become a real hacker, checking by hand is better than just clicking a "scan" button; just my personal opinion). If you run netstat on yourself and find the following information:
Port 12345 (TCP) Netbus
Port 31337 (UDP) Back Orifice
Congratulations! You have been hit by the most common Trojans (^_^ the 4899 in my own output is a different matter: that is radmin, a commercial program and currently my favorite remote control software).
If you need a list of Trojans and their ports, look on the domestic hacker sites, or search Baidu or Google.
************************ ************************** ***************
# Some principles: maybe you have a question: "What does the port number after the machine name mean?"
Example: Eagle:2929
Ports below 1024 usually run network services; ports above 1024 are used to establish connections with remote machines.
************************** ************************ ***************
Let's continue our study with the -n parameter (netstat -n).
netstat -n is basically the numeric form of -a:
C:\> netstat -n
Active Connections
Proto  Local Address         Foreign Address         State
TCP    127.0.0.1:445         127.0.0.1:1031          ESTABLISHED
TCP    127.0.0.1:1031        127.0.0.1:445           ESTABLISHED
TCP    192.168.1.180:1213    218.85.139.65:9002      CLOSE_WAIT
TCP    192.168.1.180:2416    219.133.63.142:443      CLOSE_WAIT
TCP    192.168.1.180:2443    219.133.63.142:443      CLOSE_WAIT
TCP    192.168.1.180:2907    192.168.1.101:2774      CLOSE_WAIT
TCP    192.168.1.180:2916    192.168.1.101:23        ESTABLISHED
TCP    192.168.1.180:2929    219.137.227.10:4899     ESTABLISHED
TCP    192.168.1.180:3048    192.168.1.1:8004        SYN_SENT
TCP    192.168.1.180:3455    218.85.139.65:9002      ESTABLISHED
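The manual check described above can be automated. The following Python is an added example, not code from the original post: it parses numeric `netstat -an` output and flags the ports the page names. The watch list entries come from the page; the function names, the finding labels and every sample row except the 4899 one are constructed for illustration.

```python
import re

# Ports the page names: NetBus and Back Orifice (Trojans) and 4899 (radmin,
# commercial remote control, listed here only so its use gets reviewed).
WATCHLIST = {("TCP", 12345): "NetBus", ("UDP", 31337): "Back Orifice",
             ("TCP", 4899): "radmin"}

# One connection row: protocol, local addr:port, foreign addr:port, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample in `netstat -an` layout; the 4899 row is copied from the page.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.180:2929     219.137.227.10:4899    ESTABLISHED
  TCP    192.168.1.180:12345    192.168.1.101:23       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

def parse(text):
    """Yield (proto, local_port, foreign_port, state) for each connection row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, _laddr, lport, _faddr, fport, state = m.groups()
        # UDP rows have "*:*" as the foreign address and no state column.
        yield proto, int(lport), int(fport) if fport.isdigit() else None, state or ""

def review(text):
    """Return (kind, proto, port, name) findings for watch-listed ports."""
    findings = []
    for proto, lport, fport, state in parse(text):
        # A local port only means a service here if the socket is listening (or
        # bound, for UDP); ports above 1024 are also handed out to outgoing
        # connections, so an ESTABLISHED row with local port 12345 is not a hit.
        if (proto, lport) in WATCHLIST and (proto == "UDP" or state.startswith("LISTEN")):
            findings.append(("local-listener", proto, lport, WATCHLIST[proto, lport]))
        elif (proto, fport) in WATCHLIST and state == "ESTABLISHED":
            findings.append(("outbound", proto, fport, WATCHLIST[proto, fport]))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding)
```

The third sample row shows why the state column matters: its local port is 12345, but it is an outgoing telnet session, so it is not reported.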
-a and -n are the two most commonly used parameters. I have not fully tested the following results:
1. -n shows the host as a numeric IP address rather than the computer name [eagle]
2. -n shows TCP connections only (I have not seen this anywhere in Microsoft's documentation; if any friend has seen it, let me know ^_^)
Getting the IP is as good as getting everything: it is what most easily gets a machine attacked, so hiding your own IP and obtaining someone else's IP are both very important to a hacker. IP-hiding techniques are very popular now, but do those hiding tools or services really make you invisible? I'm not so sure, heh. Proxies and springboards are not part of today's discussion; for a simple example of obtaining an IP, please refer to my previous article [Checking a QQ friend's IP address with DOS commands].
-a and -n are the most commonly used parameters. If you want more detailed information about a particular protocol, use the -p parameter; it is a variant of -a and -n. An example will make this clear: [netstat -p @@@, where @@@ is TCP or UDP]
C:\> netstat -p tcp
Active Connections
Proto  Local Address         Foreign Address           State
TCP    Eagle:microsoft-ds    localhost:1031            ESTABLISHED
TCP    Eagle:1031            localhost:microsoft-ds    ESTABLISHED
TCP    Eagle:1213            218.85.139.65:9002        CLOSE_WAIT
TCP    Eagle:2416            219.133.63.142:https      CLOSE_WAIT
TCP    Eagle:2443            219.133.63.142:https      CLOSE_WAIT
TCP    Eagle:2907            192.168.1.101:2774        CLOSE_WAIT
TCP    Eagle:2916            192.168.1.101:telnet      ESTABLISHED
TCP    Eagle:2929            219.137.227.10:4899       ESTABLISHED
TCP    Eagle:3455            218.85.139.65:9002        ESTABLISHED