IP and Port Info Using Netstat


* TrickSoft.net * (Cadtrick@hotmail.com) - Date: June,01,2000

---------------
Contact Info:
---------------
Written by: Tricker (with some slighter modifications by R a v e N)
Email: Cadtrick@hotmail.com
ICQ: 40884568
AIM: zTrickerz
Web: http://tricksoft.net
---------------
________________________________________________________
Title: IP and port Info using Netstat
-----------------------------------------------
Table of Contents:
-----------------------------------------------
INTRO
I.Use of Netstat
II.Detecting Open ports
III.SYN and ACK
IV.Using Netstat for ICQ and AIM
V.Other Uses
VI.Tools and Utilities
VII.Two Quick Tips
Conclusion
-----------------------------------------------
-----------------------------------------------
Intro
-----------------------------------------------
Hello, thanks for reading this text on learning more about using netstat to help you. Please disregard any spelling, punctuation or other grammar errors. This text is written so the average reader can understand it. Not too complicated. Please enjoy and feel free to email me.
-----------------------------------------------
I.Use of Netstat
-----------------------------------------------
(To OPEN Netstat) - To open [Netstat] you must do the following: Click on the [Start] button --> then click [Programs] --> then look for [Ms-Dos Prompt].

Netstat is a very helpful tool that has many uses. I personally use Netstat to get IP addresses from other users I'm talking with on ICQ or AIM. You can also use Netstat to monitor your port activity for attackers sending SYN requests (part of the TCP/IP 3-way handshake) or just to see what ports are listening/established. Look at the example below for the average layout of a response to typing netstat at the C:\windows\ prompt.
~~~~~~~~~~~~~~~~~~~~
C:\WINDOWS>netstat

Active Connections

  Proto  Local Address     Foreign Address                      State
  TCP    pavilion:25872    WARLOCK:1045                         ESTABLISHED
  TCP    pavilion:25872    sy-as-09-112.free.net.au:3925        ESTABLISHED
  TCP    pavilion:31580    WARLOCK:1046                         ESTABLISHED
  TCP    pavilion:2980     205.188.2.9:5190                     ESTABLISHED
  TCP    pavilion:3039     24.66.10.101.on.wave.home.com:1031   ESTABLISHED
~~~~~~~~~~~~~~~~~~~~

Now look above at the example. You will see [Proto] on the top left. This just tells you if the protocol is TCP/UDP etc. Next to the right you will see [Local Address]; this just tells you the local IP/Hostname:Port open. Then to the right once again you will see [Foreign Address]; this will give you the person's IP/Hostname and port in the format of IP:Port with ":" in between the port and IP. And at last you will see [State], which simply states the STATE of the connection. This can be Established if it is connected, or waiting to connect if it's listening. Now with this knowledge we will dive deeper into how to use this for monitoring port activity and detecting open ports in use.
-----------------------------------------------
II.Detecting Open ports
-----------------------------------------------
So now you are noticing something funny is going on with your computer? Your cd-rom tray is going crazy... opening and closing when you're doing nothing. And you say "What the phruck is going on?"... or you realize someone's been messing with a trojan on your computer. So now your goal is to locate what trojan it is so you can remove it, right? Well, you're right. So you go to your ms-dos prompt. Now there are many ways to use Netstat and below is a help menu. Look through it.

~~~~~~~~~~~~~~~~~~~~
C:\WINDOWS>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the
                -s option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP. If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to
                specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
~~~~~~~~~~~~~~~~~~~~

I personally like using (C:\Windows\Netstat -an), which displays all connections and listening ports in the form of IP instead of hostname. As you see how I did the command: Netstat(space)-a (displays all connections and listening ports) n (in numerical form). Netstat -an - so doing that does TWO of the options at once, no need for -a -n. So now that you know how to use netstat to view all your connections and listening ports, you can search for common ports like 12345 (old Netbus Trojan), 1243 (SubSeven) etc. This becomes very handy for everything, you will soon find out. Take a break now and go chill out on your couch and relax for about 5 minutes and let all this soak in, then come back ready to learn more. :)
-----------------------------------------------
III.SYN and ACK
-----------------------------------------------
When you hear SYN and ACK (ACKnowledge) you do not think of the communication of packets on your system. Well, let me tell you what SYN and ACK do.

[SYN] - SYN in common words is a request for a connection, used in the 3-way handshake in TCP/IP. Once you send a SYN out for a connection, the target computer will reply with a SYN and ACK. So basically when you see SYN in the [State] category, that means you are sending out a request to connect to something.

[ACK] - Now the ACK is an ACKnowledgement to the request made by a computer that is trying to connect to you. Once a SYN is sent to you, you need to ACK it, then send back another SYN to the computer requesting connection to confirm the packet sent was correct.

I sure hope that helped you understand a little more about SYN and ACK. If you have further questions try looking for texts on TCP/IP (such as BSRF's TCP/IP text - blacksun.box.sk/tcpip.txt). Now onto the fun stuff.
-----------------------------------------------
IV.Using Netstat for ICQ and AIM
-----------------------------------------------
Have you ever wanted to get someone's IP address or hostname using [Aol Instant Messenger] or [ICQ]? Well, you're in luck.
[AIM] - With AIM you cannot usually find the exact IP address without some trial and error, because most of the time it seems to open up all online users on port 5190. So the fewer users online, the easier it is. So go to the Ms-Dos Prompt and type netstat -n; here you will see under [Foreign Address] an IP with port 5190. Now one of those IPs connected to you with 5190 is going to be your target AIM user. Just using trial and error to find out is usually the easiest way.

[ICQ] - Getting the IP of an ICQ user using netstat is easy. Before talking to the person on ICQ you must open the Ms-Dos prompt and do netstat -n to list all IPs and ports. Write them down or copy them somewhere you will remember to look back. Now it's time to find out his IP. Message the user with a single message, now quickly do netstat -n. And you will have a new added line with an IP address; just search for the new one on the list under foreign, and once you find it you now have your buddy's IP without any patches or hacks. Pure skill :P.
-----------------------------------------------

V.Other Uses
-----------------------------------------------
Netstat can be used to get IPs of anything and anyone, as long as there's a direct connection between you and the target (i.e. direct messages, file transfers or ICQ chats in ICQ, DCC (Direct Client Connection) chat and file transfers in IRC etc. etc.).
-----------------------------------------------
VI.Tools and Utilities:
-----------------------------------------------
Port scanning: To look for any open ports on a computer:
- [7th Sphere Port scanner] - (2 mirror sites so if one link doesn't work)
  - http://members.xoom.com/Cryptog/7spereportscan.exe
  - http://members.xoom.com/gohan_3/7spereportscan.exe

Firewall to monitor ports and registry:
- [Lockdown 2000] - http://www.lockdown.com

For communicating better:
- [ICQ] - http://www.icq.com
- [Aol Instant Messenger] - http://www.aol.com
-----------------------------------------------
VII.Two Quick Tips
-----------------------------------------------
a. Sometimes Netstat can generate very long lists, which are especially confusing for newbies. If you're having difficulties, just run netstat, and then make a direct connection of some sort to your target, or make it connect to you (ICQ, IRC etc., you get the picture) and run netstat again. There should be a new line; this is what you're looking for.

b. If netstat's output is too long, type 'netstat -an > c:\some-directory\some-file.txt' (without the quotes, and you can replace the parameters -an and the file name and its path with anything you'd like). This will dump the output to that file for easy viewing, and will also let you copy & paste.
-----------------------------------------------
Conclusion
-----------------------------------------------
I think there are better ways to understand the internet than with tools you find. Learn how to do stuff manually so you fully understand what's going on. This will fuel your power and kill your lameness :)

-Tricker
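
Added example (not part of the original text): a Python sketch of the two checks described in Section II and in tip (a) of Section VII, run over two constructed netstat -an snapshots of your own machine. The watchlist holds only the two ports the text names (12345 and 1243); the function names, addresses and sample output are assumptions made up for illustration.

```python
# Added example: sample netstat output below is constructed, not captured.
WATCHLIST = {12345: "NetBus (old)", 1243: "SubSeven"}  # ports named in Section II

def parse_netstat(text):
    """Parse Windows `netstat -an` output into (proto, local, foreign, state) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no State
        rows.append((parts[0].upper(), parts[1], parts[2], state))
    return rows

def port_of(endpoint):
    """Port from 'host:port' (also '[::]:135'); None for wildcards like '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def watchlist_hits(rows):
    """Rows whose LOCAL port is on the watchlist. LISTENING is the strong
    signal; an outbound connection can reuse the same number by chance."""
    return [(local, state or "-", WATCHLIST[port_of(local)])
            for _, local, _, state in rows if port_of(local) in WATCHLIST]

def new_entries(before, after):
    """Rows in the second snapshot that were absent from the first (tip a)."""
    seen = set(before)
    return [row for row in after if row not in seen]

HEADER = "Active Connections\n\n  Proto  Local Address    Foreign Address    State\n"
BASELINE = HEADER + """\
  TCP    0.0.0.0:135      0.0.0.0:0          LISTENING
  TCP    192.0.2.10:139   0.0.0.0:0          LISTENING
  UDP    192.0.2.10:137   *:*
"""
CURRENT = BASELINE + """\
  TCP    0.0.0.0:12345    0.0.0.0:0          LISTENING
  TCP    192.0.2.10:1067  198.51.100.7:5190  ESTABLISHED
"""

if __name__ == "__main__":
    before, after = parse_netstat(BASELINE), parse_netstat(CURRENT)
    for local, state, name in watchlist_hits(after):
        print(f"watchlist port: {local} [{state}] matches {name}")
    for row in new_entries(before, after):
        print("new since baseline:", *row)
```

To use it on real data, save two dumps with the redirect from tip (b) and pass the file contents to parse_netstat in place of the constructed strings.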
