Section 3.4 Honeypots

As you study this section, answer the following questions:

  • What is a honeypot?
  • What are the differences between low, medium, and high interaction levels?
  • What are the differences between the defensive and active defense approaches to antivirus software?

In this section, you will learn to:

  • Detect malicious network traffic
  • Scan for open ports with netstat
  • Track port usage with TCPView
  • Create a honeypot with Pentbox

The key terms for this section include:

Honeypots and Their Descriptions

Physical Honeypot: Physical honeypots are actual devices with an IP address that are physically placed on the network. They generally provide the highest level of interaction with attackers.

Virtual Honeypot: Virtual honeypots are simulated on a physical device. They are cost-effective because multiple honeypots can be simulated on a single server or device. However, they are not as effective because attackers can more easily detect them as decoys.

Low Interaction Honeypot: A low interaction level honeypot simulates a small number of services and apps on a target system or network. It is generally set to collect information about attacks such as network probes and worms. It is easy to set up and requires little maintenance and oversight.

Medium Interaction Honeypot: A medium interaction level honeypot simulates a real OS, applications, and services. It is more realistic than a low-level honeypot and logs and analyzes more complex attacks. It requires more maintenance and oversight than a low-level honeypot.

High Interaction Honeypot: A high interaction level honeypot does not simulate anything. These honeypots run actual services and applications on real computers. The honeypot can be completely compromised by an attacker, allowing full access to the system in a controlled area. It requires a high level of maintenance and oversight.

Production Honeypot: Production honeypots are deployed inside the production network of the organization along with other production servers. These honeypots improve the overall security but capture only a limited amount of information.

Research Honeypot: Research institutes, governments, and military organizations deploy high-interaction research honeypots to gain detailed knowledge about the actions of attackers.

This section helps you prepare for the following certification exam objectives:

Exam: CompTIA CySA+ CS0-003

1.2 Given a scenario, analyze indicators of potentially malicious activity
  • Network-related
    • Scans/sweep
  • Host-related
    • Malicious processes
  • Application-related
    • Unexpected outbound communication

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

  • Threat actors
  • Threat hunting
    • Active defense
    • Honeypot

2.1 Given a scenario, implement vulnerability scanning methods and concepts

  • Internal vs. external scanning
  • Security baseline scanning

2.2 Given a scenario, analyze output from vulnerability assessment tools

  • Tools
    • Network scanning and mapping

2.3 Given a scenario, analyze data to prioritize vulnerabilities

  • Common Vulnerability Scoring System (CVSS) interpretation
    • Impact
      • Integrity

2.5 Explain concepts related to vulnerability response, handling, and management

  • Attack surface management
    • Penetration testing and adversary emulation

3.2 Given a scenario, perform incident response activities

  • Detection and analysis
    • Data and log analysis

Exam: TestOut CyberDefense Pro

1.1 Monitor networks
  • Monitor network traffic
  • Monitor network ports and sockets

3.1 Implement security controls to mitigate risk

  • Implement antivirus and endpoint security

3.2 Implement system hardening

  • Disable unnecessary ports

3.4 Implement defensive deception methods

  • Deploy a honeypot

4.1 Manage security incidents

  • Resolve malware, ransomware, and phishing attacks

4.3 Analyze indicators of compromise

  • Investigate networks for any signs of compromise

3.4.1 Honeypots

Honeypots 00:00-00:20 Many network defense tools are reactive and are only triggered during an attack. But some provide active defense. One common active defense method is the implementation of honeypots. In this lesson, I'm going to go over how you can implement honeypots and the different types you have to choose from.

Honeypots' Purpose 00:20-00:43 A honeypot's purpose is to look like a legitimate network resource to entice an attacker to go after it. Honeypots trap attackers in an isolated environment where they can be monitored and kept from compromising important network systems. The honeypot tricks the attacker into believing that they're causing actual damage to the system, which enables the security team to analyze the attacker's behavior.

Honeypot Characteristics 00:43-01:06 Honeypots should be heavily monitored so you're aware of the activity being captured and so that you can see the early warning signs of a larger attack. A honeypot's logging capability is far greater than other network security tools and captures raw packet-level data, including keystrokes. The captured information is highly valuable because it contains malicious traffic with few false positives.

Physical vs. Virtual 01:06-01:45 When you're in the process of implementing a honeypot, you first need to decide which type of honeypot you want to set up. Honeypots can be either physical or virtual devices.

Physical honeypots have three main characteristics: they're actual devices, they have an IP address, and they're placed on the network. Physical honeypots usually provide the highest level of interaction with attackers. Virtual honeypots are simulated on a physical device. These are more cost-effective because you can simulate multiple honeypots on a single device. The downside to a virtual honeypot is that they attract less interactivity because it's easier for an attacker to tell that they're decoys.

Honeypot Placement 01:45-02:29 Deciding where to place the honeypot is an important decision as well. You want the honeypot to look like a real network device, but you also need to make sure the honeypot itself doesn't end up becoming a threat to your network.

Here, for example, the honeypot on the outside of the firewall poses less of a threat to internal security, but an attacker might quickly realize what they're actually dealing with. Putting the honeypot on the inside of the firewall might look and feel like a real network entity to an attacker. The problem is that if you misconfigure things, it could pose a security risk. For a honeypot to be truly successful, it must interact like a real device. So carefully weigh the pros and cons as you decide placement on each individual network.

Honeypot Types 02:29-04:14 Once you've decided on the location, you need to figure out which type to implement. You could consider rolling out honeypots that allow for different interaction levels.

A low-interaction honeypot simulates a small number of applications on a target network and relies on the emulation of services and programs found on a vulnerable system. This means it can't be compromised completely and is generally set to collect information about attacks, like network probes and worms. These honeypots are very easy to set up and require little maintenance and oversight. A medium-interaction honeypot simulates real applications and services. These honeypots are more realistic than low-interaction honeypots, so they're able to analyze more complex attacks. They do require more maintenance and oversight, though.

You can also implement a high-interaction honeypot. These honeypots don't simulate anything but instead run actual services on real computers. A honeynet is a prime example of this. This is an entire network that's set up to entice an attacker while monitoring activity like encrypted sessions, file uploads, and more. These systems can also control the attacker's activity by implementing a honeywall gateway. A honeywall gateway allows inbound traffic but controls outbound traffic. High-interaction honeypots require the highest level of maintenance and oversight, but they can capture much more data than the others.

We can further classify honeypots based on their purpose and deception technology. Some common classifications are: research honeypots, production honeypots, malware honeypots, and database honeypots.

As a security analyst, you should understand a honeypot's purpose and be able to select the appropriate type for your organizational needs.

Summary 04:14-04:41 That's it for this lesson. In this lesson, we first looked at the purpose for using a honeypot. Next, we discussed the differences between a physical and virtual honeypot, and where to place them on the network. Then we looked at the different types of honeypots available. We ended by discussing how we can classify honeypots based on the interaction level we want an attacker to have and on the deception technology we're using.

3.4.2 Honeypot Facts

This lesson covers the following topics:

  • Honeypots
  • Types of honeypots

Honeypots

A honeypot is a decoy network or resource set up to entice a hacker to attack it so that a security analyst can study the attack methods. The goal is for the honeypot to look so much like a legitimate network resource that an attacker finds it indistinguishable from a real resource.

A honeypot is set up in a secure, contained environment separate from the organization's network. This allows the system analyst to monitor the attacker's activity without affecting network systems. Honeypots:

  • Are designed to look and function like a real resource to attract attackers.
  • Can appear to be a server, a single host, a service on a host, a network device, a virtual entity, or even a single file.
  • Should be heavily monitored as they can show early warning signs of a larger attack.
  • Have a logging capability far greater than other network security tools. The honeypot captures raw, packet-level data, including the keystrokes and mistakes made by attackers.
  • Should not trigger many false positives.

Honeypots can be physical or virtual. The following table describes each.

Physical: Physical honeypots have three main characteristics.
  • They are actual devices.
  • They have an IP address.
  • They are physically placed on the network.

Physical honeypots generally provide the highest level of interaction with attackers.

Virtual: Virtual honeypots are simulated on a physical device.
  • They are cost-effective because multiple honeypots can be simulated on a single server or device.
  • They are not as effective because attackers can more easily detect them as decoys.

Honeypots can be placed either inside or outside the firewall.
  • Placing a honeypot inside the firewall makes it look more like a real network device but poses a security risk to the network if it is misconfigured.
  • Placing the honeypot outside the firewall protects the internal network, but attackers may quickly detect the honeypot as a decoy.

Types of Honeypots

There are different levels of honeypot interactions that can be implemented based on the network security needs. The following table describes honeypot interaction levels.

Low: A low interaction level:
  • Simulates a small number of services and apps on a target system or network.
  • Relies on the emulation of services and programs found on a vulnerable system.
  • Is generally set to collect information about attacks such as network probes and worms.
  • Is easy to set up and requires little maintenance and oversight.

Medium: A medium interaction level:
  • Simulates a real OS, applications, and services.
  • Is more realistic than a low-level honeypot.
  • Logs and analyzes more complex attacks.
  • Requires more maintenance and oversight than a low-level honeypot.

High: A high interaction level:
  • Does not simulate anything. These honeypots run actual services and applications on real computers. The honeypot can be completely compromised by an attacker, allowing full access to the system in a controlled area.
  • Can capture complete information about an attack vector, such as techniques, tools, and the attacker's intent.
  • Requires a high level of maintenance and oversight.

A honeynet is an example of a high-interaction honeypot. Honeynets can control the attacker’s activity by implementing a honeywall gateway. A honeywall gateway allows inbound traffic but controls the outbound traffic.

Honeypots can be further classified based on their purpose. Common classifications are described in the following table.

Production: Production honeypots are deployed inside the production network of the organization along with other production servers. These honeypots improve the overall security but capture only a limited amount of information.

Research: Research institutes, governments, and military organizations deploy high-interaction research honeypots to gain detailed knowledge about the actions of attackers.

Honeypots can also be classified by the deception technology used. Common classifications include:

  • Malware honeypots
  • Database honeypots
  • Spam honeypots
  • Email honeypots
  • Spider honeypots

3.4.3 Evade Honeypots

Evade Honeypots 00:00-00:25 Attackers are always on the lookout for honeypots. They don't want to spend their time attacking a system that's designed to catch them, so a honeypot is only useful if it remains undetected. If an attacker does detect the honeypot, he or she will simply ignore it and move on. In this lesson, I'll go over some of the different honeypots you can implement and how an attacker might detect them.

Honeypot Detection 00:25-00:47 Since there are many ways to implement honeypots, attackers need to know how each type of honeypot works and how to detect them. One type of honeypot is known as a sticky honeypot, or tarpit. These honeypots are designed to take a long time to respond and essentially cause the attacker's machine to get stuck. These tarpits work at different levels of the OSI model.

Layer 7 Tarpit 00:47-01:10 A Layer 7 tarpit reacts to incoming packet requests slowly. A common implementation of this tarpit is to slow down spam emails and delay email server authentication to increase email transfer times. This makes sending spam mail unattractive to the attacker. Layer 7 tarpits can be quickly detected by measuring the latency in response times.

Layer 4 Tarpit 01:10-01:43 Layer 4 tarpits use the TCP/IP stack and are generally used to slow the spread of worms, backdoors, and other attacks. This tarpit first accepts the incoming connection and then spontaneously switches the TCP window size to zero. This means the attacker is unable to terminate the connection because they can't send a disconnect request. Attackers can detect this tarpit by analyzing the TCP window size. If the tarpit acknowledges incoming packets, but the window size is zero, that's a red flag for the attacker.

Layer 2 Tarpit 01:43-02:00 The final type is a Layer 2 tarpit. These are used to block attacks that occur from inside a network. These tarpits use a special MAC address that acts as a sort of black hole to trap the attacker. If an attacker sees this MAC address, they'll probably know right away that they're in a honeypot.

VMware 02:00-02:47 Honeypots are often run inside virtual machines to save on resources and security. One of the more popular virtualization programs is VMware. VMware is a virtual machine software used to simultaneously launch multiple instances of operating systems on the same physical machine. To detect VMware, attackers look at the hardware, since this is what VMware emulates. Attackers look for specific display adapters and network cards. Another VMware detection method is to cause an illegal instruction. As VMware's exception handler checks to see if the instruction must be handled by VMware itself or by a specific handler, the attacker can watch the subsequent reaction to make an analysis. VMware takes longer to process the instruction than a host machine.

Honeyd 02:47-03:13 Honeyd is another widely used honeypot. It makes it easy to create thousands of honeypots, and it can distract potential attackers. For example, if a network only has three real servers, but one server is running Honeyd, the network appears to have hundreds to an observer. This means that when you use Honeyd, the attacker has to do more research to determine which servers are real. Otherwise, they might get caught in a honeypot.

User-Mode-Linux (UML) 03:13-03:36 User-Mode-Linux, or UML, is an open-source tool used to create virtual machines and honeypots. One of the big issues with UML is that it doesn't use a real hard disk, but instead uses a fake IDE device. This means that attackers can identify the presence of UML honeypots by analyzing specific files in the OS that contain UML-specific information.

Bait and Switch Honeypot System 03:36-04:05 A bait and switch honeypot system works with other IDS software, mainly Snort, to detour suspected malicious traffic into a honeypot that mirrors or closely resembles the real network without the attacker knowing. The attacker needs to be skilled enough to identify the detour or detect that they're in a honeypot when they're redirected.

These are just a few of the honeypot types that you can implement. As a security analyst, you should know which type of honeypot you've implemented and how an attacker might detect it.

Summary 04:05-04:25 That's it for this lesson. In this lesson, we covered a few of the common honeypots, such as tarpits, virtual honeypots, Honeyd, UML, and bait and switch honeypots. We also looked at how an attacker might detect each type and attempt to avoid them.

3.4.4 Evade Honeypots Facts

Honeypots are useful only if an attacker does not know the attack is on a honeypot. If the target system is suspected to be a honeypot, an attacker will avoid it.

This lesson covers the topic of honeypot detection.

Honeypot Detection

Honeypots can be created using a variety of tools and methods. The method to detect a honeypot depends on how the honeypot was created.

The following table describes several honeypots and detection methods:

Layer 7 tarpit: Tarpits are an older honeypot technique that can operate at different levels of the OSI model, depending on their function.

Layer 7 tarpits act as security entities. They are designed to respond to incoming packet requests slowly. Layer 7 tarpits:
  • Are commonly implemented to slow down spam emails.
  • Can be configured to delay authentication on the server or increase the transfer time of emails.
  • Make sending spam emails an unattractive attack.

Layer 7 tarpits can be quickly detected by measuring the latency in response times.

Layer 4 tarpit: Layer 4 tarpits use the TCP/IP stack and are effectively employed to slow the spread of worms, backdoors, and similar malware. A Layer 4 tarpit:
  • Accepts the incoming request.
  • Spontaneously switches the TCP window size to 0.
  • Effectively traps the attacker, who is unable to terminate the connection because no disconnect request can be sent.

Layer 4 tarpits can be quickly detected by analyzing the TCP window size. If the tarpit acknowledges incoming packets, but the window size is 0, that is indicative of a Layer 4 tarpit.

Layer 2 tarpit: Layer 2 tarpits are used to block attacks that occur from inside the network. Layer 2 tarpits:
  • Use a special MAC address (0:0:f:ff:ff:ff).
  • Act as a black hole to trap the attacker.

Layer 2 tarpits can be quickly detected by the MAC address.

VMware: Honeypots are often run inside virtual machines to save resources. One of the more popular virtualization programs is VMware. VMware can launch multiple instances of operating systems simultaneously on the same physical machine.

Two methods to identify a honeypot running on VMware are:
  • Look for the specific display adapter and network card known to be used by VMware. These devices have specific MAC addresses and hardware names. They are not configurable.
  • Send an illegal instruction. VMware's exception handler determines whether the instruction must be handled by VMware or another handler. A host OS system usually responds in 776mms. That time increases to 2530mms when running on VMware.

Honeyd: Honeyd is used to create thousands of honeypots. Honeyd can act as a distraction to potential attackers. It works as follows:
  • Honeyd is installed on one network server. The network appears to the attacker to be running hundreds of servers when it actually has far fewer servers.
  • To avoid getting caught in the honeypot, the attacker has to research which servers are real.
  • The attacker is slowed down or discovered.

Pentbox: Pentbox is a security suite package that provides (among other things) various network tools, such as Net DoS Tester, TCP port scanner, Honeypot, Fuzzer, DNS and host gathering, and MAC address geolocation. It was written primarily for Linux-based systems but is compatible with macOS and Windows. You can configure Pentbox using the Fast Auto Configuration option or manually. The manual method lets you configure which port to listen on and a false message that can be shown when an attack happens. To set up a honeypot with Pentbox:
  1. Download and install Pentbox.
  2. Change to the Pentbox directory and type ./Pentbox.rb
  3. Choose option 2- Network tools and then option 3- Honeypot
  4. Select the applicable configuration option:
    • 1- Fast Auto Configuration
    • 2- Manual Configuration

Pentbox is now listening and recording any attempt to access the server on which Pentbox was installed.

User-Mode Linux (UML): UML is an open-source tool that is efficient at creating virtual machines to deploy honeypots.

UML uses a fake IDE device named /dev/ubd*. An attacker can detect UML by the following system files:
  • /proc/mounts
  • /proc/interrupts
  • /proc/cmdline

Another sign of UML is the usage of the TUN/TAP backend for the network device 0, which is not common on a real system.

Sebek: Sebek is a server/client-based honeypot application that captures rootkits and other malware that hijack read() system calls.

An attacker can detect Sebek by measuring the execution time of the read() system call. On a system without Sebek, minimal time is around 8225, and the physical is 0.776282

Snort inline: Snort inline is a modified version of Snort IDS that is capable of packet manipulation. Snort rules must be on a single line; the parser does not handle rules on multiple lines.

An attacker might notice the packet manipulation if the rule logic appears altered. The attacker must be highly knowledgeable of Snort inline and have the ability to sniff the IDS traffic.

Fake access point (AP): Security analysts can use fake APs to create fake 802.11 beacon frames with randomly generated ESSID and BSSID (MAC address) assignments.

Attackers can use many ESSID and BSSID validation tools to detect fake APs.

Bait and switch: Bait and switch technology works with IDS software, typically Snort. The technology detours suspected malicious traffic into a honeypot that mirrors or closely resembles the real network. The attacker carries out the attack against the honeypot.

The attacker must be skilled enough to detect the detour or honeypot.
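The Pentbox manual configuration above boils down to two settings, a port to listen on and a false message to show, plus a log of every connection attempt (the packet-level logging that section 3.4.2 describes as a honeypot's main value). The following is an added example, not code from the page or from Pentbox: a minimal low-interaction honeypot of that kind, written here with a constructed `probe()` client and a constructed log format so it can be exercised against itself on the loopback interface.

```python
import socket
import threading
import time
from datetime import datetime, timezone


class Honeypot:
    """Low-interaction honeypot modelled on Pentbox's manual configuration:
    listen on one port, answer every connection with a false banner, and log
    the attempt (time, source address, first bytes the client sent)."""

    def __init__(self, port=0, false_message="220 FTP Server ready.\r\n", host="127.0.0.1"):
        self.false_message = false_message
        self.records = []                      # one dict per connection attempt
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            seen = datetime.now(timezone.utc)
            try:
                conn.sendall(self.false_message.encode())
                conn.settimeout(0.5)           # briefly capture what the client says next
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    data = b""
            except OSError:
                data = b""                     # client reset the connection
            finally:
                conn.close()
            self.records.append({"time": seen.isoformat(), "src_ip": ip,
                                 "src_port": src_port, "data": data})


def log_line(record):
    """Render one record as a log line (constructed format, not Pentbox's)."""
    return "%s INTRUSION ATTEMPT from %s:%d data=%r" % (
        record["time"], record["src_ip"], record["src_port"], record["data"])


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed client standing in for a port scanner: connect, read the
    banner, optionally send a payload, and return the banner received."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        if payload:
            s.sendall(payload)
    return banner


def demo():
    """Run the honeypot on a free local port and hit it with two constructed probes."""
    hp = Honeypot(false_message="SSH-2.0-OpenSSH_8.9\r\n").start()   # false banner
    try:
        banner = probe(hp.port, b"SSH-2.0-probe\r\n")   # a scanner that talks back
        probe(hp.port)                                     # a bare connect-and-close
        deadline = time.time() + 2
        while len(hp.records) < 2 and time.time() < deadline:
            time.sleep(0.05)                               # let the server thread log
    finally:
        hp.stop()
    return banner, hp.records


if __name__ == "__main__":
    banner, records = demo()
    print("banner shown to clients:", banner)
    for r in records:
        print(log_line(r))
```

Because a honeypot has no legitimate users, every record is a true positive worth alerting on; a real deployment would ship these lines to the SIEM rather than keep them in memory.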

3.4.5 Anti-Malware Software

Anti-Malware Software 00:00-00:13 In this lesson, I'm going to talk about how utilizing anti-malware software is part of an active defense strategy to protect your organization's infrastructure.

Active Defense 00:13-01:06 Organizations are often on the defensive in protecting their systems, data, and resources.

Attackers have the advantages of time, resources, and an ever-evolving landscape. The idea behind taking an active defense approach is to change the odds to be asymmetrically in your organization's favor. Hopefully, these strategies end up helping a security analyst take up less time and resources to do their job, and make an attacker have to use more time and resources on their end. The expectation is that attackers will just move on to easier targets. Anti-malware software is an important part of this.

Before we discuss anti-malware, remember that the first line of defense is always user intervention. Train users in your organization to be savvy about their online interactions, like not opening attachments from unfamiliar senders or clicking on links from phishing emails.

Antivirus Software 01:06-01:58 Now, let's look at antivirus software. Often, the terms antivirus and anti-malware are used interchangeably, but they're not the same thing. Antivirus software protects against more established threats, such as viruses, worms, Trojan horses, rootkits, keyloggers, backdoors, and botnets. Anti-malware typically focuses on more recent threats.

Cybersecurity researchers write rules, such as YARA rules, to discover malware signatures. When discovered, the signatures are added to antivirus databases or lists.

Antivirus software scans incoming files in the background and compares their signatures with its own database. Keeping your antivirus software updated is crucial, as new threats are constantly being added to the list. When it detects malware, antivirus software blocks it from infecting the system.

Anti-Malware Software 01:58-02:46 Even though there's a lot of crossover between antivirus and anti-malware, anti-malware software generally uses heuristic-based malware detection for zero-day attacks and second-generation malware. The software can also remove malware that's already infected a system.

In heuristic analysis, artificial intelligence and machine learning use algorithms based on risk determined by if/then statements or decision rules. The analysis also looks for code that's similar to known malware code and flags it for testing. Many anti-malware software options analyze suspicious programs by running them in a virtual machine or sandbox to keep the environment controlled. This scanning method helps anti-malware software identify signs of a compromised system.

Anti-Malware Tools 02:46-03:47 Besides antivirus and anti-malware software, there are other tools that security analysts use to protect their networks. These include integrity checkers, interceptors, and code emulation. Integrity checkers establish a baseline and keep an eye on system changes that shouldn't be taking place. These programs also alert users to the possibility that there's malware on the system. The biggest drawback to this method is that not all integrity checkers can analyze the changes and determine whether they're due to a system failure or to malware.

Interceptors are mainly used against logic bombs and Trojans. For example, if a request for network access is made, the interceptor notifies the user and asks to continue. Code emulation is when anti-malware software opens a virtual environment to mimic CPU and RAM activity. Malware code is executed in this environment instead of on the physical processor. This method works well against polymorphic and metamorphic viruses.

Summary 03:47-04:09 That's it for this lesson. In this lesson, we discussed using an active defense approach to security. Then we looked at the difference between antivirus and anti-malware software. We finished by discussing additional anti-malware tools that can help you defend against malware.

3.4.6 Anti-Malware Software Facts

Malware programs are a common way attackers gain access to systems. Using anti-malware software is one of the more important steps you can take to protect a system.

This lesson covers the following topics:

  • Active defense
  • Antivirus and anti-malware software
  • Malware detection methods
  • Penetration testing method

Active Defense

Organizations typically dedicate a great deal of resources to defending their systems and data. If an organization uses a basic defensive approach, the system analyst will spend more time and resources defending against attacks, because the defense is simply a reaction to malware infections that have already been discovered. This lets attackers spend less time and resources creating or instigating attacks: they know there is no defense until the intrusion occurs, and the organization is most likely vulnerable to new malware attacks.

An active defense approach seeks to put the odds asymmetrically in the security analyst's favor. Active defense includes offensive strategies such as adding maneuverability around sensitive data, using honeypots to learn attackers' capabilities, and implementing anti-malware defenses. It also includes actively hardening assets against new malware attacks with up-to-date software and patches. With an active defense approach, the system analyst actually spends less time and resources defending against attacks, and less time recovering from them, because attacks are stopped or prevented from spreading. As a result, the attacker must spend more time and resources creating or instigating attacks.

Antivirus and Anti-Malware Software

Understanding the difference between antivirus and anti-malware software is an important concept in implementing an active defense. There is a commonality between the two; however, the following table describes the general differences.

Software: Antivirus

Description: Protects against:
  • Known viruses
  • Worms
  • Trojan horses
  • Rootkits
  • Keyloggers
  • Backdoors
  • Botnets

How viruses are added to databases:

  1. Cybersecurity researchers write rules (such as YARA rules) to discover signatures of malware.
  2. Detected malicious code is flagged and sent to antivirus databases.
  3. Antivirus databases are updated and made available to subscribers.

Software: Anti-malware

Description: Anti-malware:
  • Can remove malware that has already infected a system.
  • Uses a heuristic-based analysis to detect:
    • Zero-day attacks.
    • Second-generation malware.
  • Tests suspicious software in a sandbox or virtual machine to reduce the risk of infection.

In heuristic analysis, artificial intelligence and machine learning apply algorithms whose risk scores come from if/then rules or decision rules to detect malware. Heuristic analysis also looks for code that is similar to known malware code, flags that code, and tests it.

Always keep antivirus and anti-malware software updated. Some of the more popular anti-malware programs include:

  • Bitdefender
  • McAfee
  • Webroot
  • Symantec Norton 360
  • Kaspersky
  • AVG
  • Avira
  • ClamAV (Open Source Program)

Malware Detection Methods

Anti-malware software uses a variety of methods to detect malware. Some of the best methods for detecting malware are described in the following table:

Method: Integrity checking
Description: Integrity checking establishes a baseline of the system and will alert the user if any suspicious system changes occur. Integrity checkers cannot determine if the change is from malware, a system failure, or some other cause.

Method: Interception
Description: Interception is mainly used against logic bombs and Trojans. If a request for network access or any request that could damage the system is made, the interceptor notifies the user and asks for permission to approve the request.

Method: Code emulation
Description: The anti-malware software opens a virtual environment to mimic CPU and RAM activity. Malware code is executed in this environment instead of the physical processor. This method works well against polymorphic and metamorphic viruses.
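As an added example (not part of the course material), a small Python integrity checker in the spirit of the Integrity checking method above and the integrity checkers described in the video: it records a SHA-256 baseline of a directory and reports added, removed and modified files. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Report what changed since the baseline. The checker only sees that a file
    changed; it cannot tell whether malware, a system failure or an update did it."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def check(root, baseline_path):
    """Re-hash root, compare with the stored JSON baseline and print one alert per change."""
    report = compare(json.loads(Path(baseline_path).read_text()), build_baseline(root))
    for kind, paths in report.items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
    return report

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root, baseline_path = Path(tmp) / "www", Path(tmp) / "baseline.json"
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<h1>hello</h1>")
        (root / "cgi-bin" / "login.sh").write_text("#!/bin/sh\necho ok\n")
        # Keep the baseline where the monitored host cannot silently rewrite it.
        baseline_path.write_text(json.dumps(build_baseline(root), indent=2, sort_keys=True))
        (root / "cgi-bin" / "login.sh").write_text("#!/bin/sh\necho tampered\n")  # modified
        (root / "extra.cgi").write_text("")                                         # added
        (root / "index.html").unlink()                                              # removed
        return check(root, baseline_path)
```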

Penetration Testing Method

Part of a penetration test is checking for malware vulnerabilities. When performing a penetration test, the penetration tester follows a set of steps:

  1. Scan for open ports.
  2. Scan for running processes.
  3. Check for suspicious or unknown registry entries.
  4. Verify all running Windows services.
  5. Check startup programs.
  6. Look through event log for suspicious events.
  7. Verify all installed programs.
  8. Scan files and folders for manipulation.
  9. Verify that device drivers are legitimate.
  10. Check all network and DNS settings and activity.
  11. Scan for suspicious API calls.
  12. Run anti-malware scans.
  13. Document results and findings.

3.4.7 Detect Malicious Network Traffic with a Honeypot

Detect Malicious Network Traffic with a Honeypot 00:00-00:47 Reconnaissance tools like nmap can find vulnerable systems on the internet. These tools scan ranges of IP addresses for systems with interesting ports open, such as Telnet, Remote Desktop, SSH, and FTP. Many security analysts like to know who's gathering this kind of information, and there's a simple way to record reconnaissance attempts. In order to record these network scans, we need a computer whose sole purpose is to listen for connection attempts on interesting ports, then log the data about each attempt. This kind of system is called a honeypot. It looks appealing and hackable from the outside, but it's actually recording data about every remote user that attempts to connect. Today, we'll look at how to set up an extremely basic honeypot using a tool called Pentbox.

Pentbox 00:47-03:02 Pentbox is available online, but many people upload copies of the original program. When downloading tools, especially penetration tools, you have to be certain of the tool's integrity so you don't download malicious software. I've already downloaded the tool and put it in a folder named pentbox, so let's open that now. From my Kali Linux machine, I'll open a terminal and navigate to 'cd pentbox/'. I'll list the folder's contents to make sure everything is there.

Pentbox is a Ruby script. Since Ruby is already installed on Kali, we just need to run the script. To do that, I'll type './pentbox.rb' and press Enter.

When it opens, we can see a variety of options. Pentbox does a lot of things. But right now, we're only interested in the honeypot utility, which is located under Network Tools. First, I'll select number 2, and then we'll select Honeypot, number 3.

After we've selected the Honeypot utility, we're presented with the option to use either fast or manual configuration. I'm going to select number 1, the Fast Autoconfiguration option, since the manual configuration only lets us change which port the tool listens on. It also lets us set the message to return to the requesting machine.

As soon as we press Enter, we're told that the honeypot has started running on port 80. Let's try connecting to it with Firefox to see what happens. I'll open Firefox and type 'localhost' in the address bar. We can see that the honeypot returns a webpage that tells us access has been denied. Interestingly, the autoconfiguration option returns a line with a date and time. This doesn't change; actually, it represents the time the tool was started. Now that we've connected to the page, let's see what Pentbox says.

Okay, I'm back on my Kali Linux system. It looks like the honeypot utility is telling us quite a bit of information. The first line of each entry shows that there was a connection attempt and tells us what the IP address of the connecting machine was, as well as the connection time. After that, the honeypot utility tells us the header information that was received when the connection was made. This information includes both the web browser that was used and information about the type of operating system that connected.

Summary 03:02-03:24 So, there's a really simple overview of a honeypot's function. This is just a taste of what you can accomplish. There are many more robust tools available that can log information about connections on many different ports and protocols simultaneously, which is a goldmine of data that will help you keep your network safe.
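As an added example (this is not Pentbox's code and not part of the course), a minimal Python HTTP honeypot that does what the demo shows: it logs the connecting IP, the time, the request line and the User-Agent header for every connection, and answers with a static "access denied" page carrying the start time. The port 8080 default is an assumption so it runs without root.

```python
import datetime
import socket

# Like Pentbox's fast autoconfiguration, the returned page carries the time the
# honeypot started, not the time of each request.
STARTED_AT = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def build_response(started_at=STARTED_AT):
    """Static 'access denied' page returned to every client."""
    body = f"<html><body><h1>Access denied</h1><p>{started_at}</p></body></html>"
    head = (f"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return (head + body).encode()

def parse_request(raw):
    """Split raw request bytes into the request line and a lower-cased header dict."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def log_entry(peer_ip, raw, when=None):
    """One record per connection attempt: who, when, what was requested, which client."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    request_line, headers = parse_request(raw)
    return {"ip": peer_ip, "time": when.isoformat(timespec="seconds"),
            "request": request_line, "user_agent": headers.get("user-agent", "")}

def handle(conn, addr):
    """Read one request, log it, answer with the static page and close."""
    with conn:
        conn.settimeout(5)
        try:
            raw = conn.recv(4096)
        except OSError:  # slow or silent scanner: log the attempt anyway
            raw = b""
        entry = log_entry(addr[0], raw)
        print(f"INTRUSION ATTEMPT from {entry['ip']} at {entry['time']}: "
              f"{entry['request']!r} user-agent={entry['user_agent']!r}")
        conn.sendall(build_response())

def serve(host="0.0.0.0", port=8080):
    """Listen on an unprivileged port (Pentbox used 80, which needs root) and log every client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            handle(*srv.accept())
```

Call `serve()` and browse to http://localhost:8080 to reproduce the demo; each visit prints one log line.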

3.4.8 Scan for Open Ports with Netstat

Scan for Open Ports with Netstat 00:00-00:31 Netstat is a tool you can run on Windows or Linux to show active network connections on the local machine. Netstat is capable of showing the port, protocol, and state of each connection as well as the local and foreign IP addresses involved in the connection. If flags are specified, additional information can be shown. Since netstat is a command line application, let's open a prompt. I have a shortcut to PowerShell on the Desktop, so I'll start PowerShell and click Run as Administrator.

Use Netstat to View Connections and Open Ports 00:31-02:07 Alright. Aside from simply viewing active connections, we can see which ports the machine is listening on. This can be incredibly useful for discovering which protocols can be exploited on a machine. You do need to be familiar with what each port is commonly used for, but there are plenty of lists on the web that you can use for reference.

First, let's see what netstat tells us when we don't provide any flags. I'll just type in 'netstat'.

Here we can see that we're only shown connections that are currently active or were recently active. In this case, they're mostly connections to the internet over port 443. When netstat knows the service that typically runs on a port, rather than providing the port number in the foreign address field, it shows the service name instead, such as https for port 443.

Let's clear the screen.

There's a good chance we may want to view some more information than just the basics. We're going to type 'netstat -a' to see all connections and listening ports. Regardless of whether it's UDP or TCP, we'll see all connections on the system regardless of state.

Next, 'netstat -n' displays all connections in numerical form, and 'netstat -o' displays the process id associated with the connection. Now, it's possible to combine several flags together, such as 'netstat -ano' to achieve the correct information you may be looking for.

If by chance we were troubleshooting and wanted to see an output every five seconds, we could do something like 'netstat -o 5'. You can see here that every five seconds, it's giving us a new netstat output.

We're going to cancel this and clear our screen.

Netstat Statistics 02:07-02:49 Not only can netstat provide you with port information, it can also give you more statistics than the GUI can provide. To display both Ethernet statistics and the statistics of all protocols, type 'netstat -e -s'. Let's scroll back up and take a look. We're not going to explain everything in this output. However, it shows what you received or sent over IPv4, IPv6, ICMPv4, ICMPv6, TCP, and UDP.

We've decided that we only want to see the TCP statistics instead. So to do that, let's type 'netstat -s -p TCP'. Now, we have only the statistics we've requested.

Summary 02:49-03:04 That's it for this demo. In this demo, we discussed how to use netstat to view active and listening ports. We also showed how we can gather statistics on all network connections.
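As an added example (not from the course), a Python parser over `netstat -ano` output that does by code what the demo does by eye, and covers step 1 of the penetration testing checklist in 3.4.6: list listening TCP ports with their PIDs, flag any that are not on an allowlist for the host, and group established connections by process. The sample output, the PIDs, the addresses and the allowlist are all constructed.

```python
# Constructed sample of `netstat -ano` output on Windows; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1180
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5320
  TCP    192.168.1.20:49713     203.0.113.10:443       TIME_WAIT       0
  TCP    192.168.1.20:49720     198.51.100.7:4444      ESTABLISHED     7788
  UDP    0.0.0.0:5355           *:*                                    1456
"""

def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        # UDP rows have no State column, so the PID is one field earlier.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lhost, lport = local.rsplit(":", 1)    # rsplit keeps IPv6 like [::]:135 intact
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "local_host": lhost, "local_port": int(lport),
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows

def listening_ports(rows):
    """Map each TCP port in LISTENING state to the PID bound to it."""
    return {r["local_port"]: r["pid"] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"}

def unexpected_listeners(rows, expected_ports):
    """Listening ports that are not on the allowlist for this host (review these first)."""
    return {port: pid for port, pid in listening_ports(rows).items() if port not in expected_ports}

def established_peers(rows):
    """Remote endpoints with an ESTABLISHED connection, keyed by the local PID."""
    peers = {}
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            peers.setdefault(r["pid"], []).append(f"{r['foreign_host']}:{r['foreign_port']}")
    return peers
```

On a live Windows host, feed `parse_netstat` the text of `netstat -ano` and compare the result with the process list and the host's documented services.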

3.4.9 Track Port Usage with TCPView

TCPView 00:00-00:29 TCPView is a tool you can run on Windows to quickly and easily discover which network ports are in use on the local machine. In addition to showing which ports are in use, TCPView also tracks the local and remote addresses the computer is talking on, as well as how much data is traveling to and from each process. This can be incredibly useful for troubleshooting a machine's network usage, or even for discovering hidden services talking to the internet in the background.

Set up the Scenario 00:29-00:48 Consider this scenario: you get onto your computer and notice that your downloads are running slowly. You don't think you should be having a lot of network traffic, but to find out for sure, you open up TCPView to diagnose the traffic. I have an icon here, on the desktop, so I'll double-click it to open up the program. I'll say Yes to the user account control.

Use TCPView to Diagnose a Problem 00:48-02:13 In TCPView, there are quite a few columns that contain a lot of information, so let's go through them quickly.

The Process column tells us the name of the program making a network connection, and the PID column tells us the process ID that Windows uses to track it.

The Protocol column is useful for troubleshooting, but it primarily exists to make sure we have the complete data set.

The Local Address and Local Port columns tell us the address and port number of the machine communicating with the server detailed in the Remote Address and Remote Port columns. TCPView will attempt to tell us the name of the protocol running on a port if it knows what typically runs on it.

For instance, we can see that the Local Port column has both port numbers and the names of protocols, such as Netbios.

The State column is useful for troubleshooting network connections that seem to have trouble connecting or staying connected.

The columns that will help us troubleshoot why our download speed is slow are the Sent and Received Packets and Bytes columns. These show us how much data is communicated for each connection listed.

Let's sort by most data received to see if our problem is related to a large download hidden somewhere.

Look at that! qbittorrent is sending and receiving a lot of data. That reminds me that I think I left a download running yesterday. Maybe I forgot to stop it from uploading to others. Let's check. I'll come down here to the system tray and check the qbittorrent program. It looks like I was right. I forgot to stop it from seeding the Kali Linux installer download. So, I'll pause uploading, and that should take care of the issue.

Summary 02:13-02:31 And that's it for this demo. We explored the TCPView interface to diagnose network traffic problems. We discussed the different columns in the program, sorted by the Sent and Received column, and discovered a program using a large amount of bandwidth.
