
NetStat

Published 2024-10-11 20:49:15

Mathematical statistics is the collection, organization, and presentation of data to be used in solving problems. When you analyze statistics, you use probability to solve those problems. For example, in a room of 23 people, there is a 50 percent probability that two of those people share the same birthday. In cybersecurity, a birthday attack is a type of cryptographic attack that exploits the math behind the birthday statistic. This attack can be used to find collisions in a hash function. In our world of networking, learning your network statistics can be quite valuable.

NetStat is a network utility tool that displays networking connections (incoming and outgoing), routing tables, and some other details such as protocol statistics. It will help you gauge the amount of network traffic and diagnose slow network speeds. Sounds simple, yes? From a cybersecurity standpoint, how quickly can you tell which ports are open for incoming connections? What ports are currently in use? What is the current state of connections that already exist?

The output from the netstat command is used to display the current state of all the connections on the device. This is an important part of configuration and troubleshooting. NetStat also has many parameters to choose from to answer the questions presented in the previous paragraph. One thing to remember about the parameters discussed next is that when you type them into your cmd shell, you can literally squish them together. For example, when I am teaching my Metasploit Pro class, we launch a proxy pivot via a Meterpreter shell and scan another network segment. (That might sound like gibberish now, but just finish the book.) How do you know what is actually transpiring on the compromised system? Using the netstat command and the options -a for all and -n for addresses and ports, you will have a list of all active network conversations this machine is having, as shown in Figure 1.8.

Screenshot for using the netstat command displaying a list of all active network conversations for addresses and ports.

Figure 1.8 : NetStat finding active connections

To translate the figure, when running netstat on your host, you may see both 0.0.0.0 and 127.0.0.1 in this list. You already know what a loopback address is. A loopback address is accessible only from the machine you're running netstat on. The 0.0.0.0 is basically a “no particular address” placeholder. What you see after the 0.0.0.0 is called a port.

One of my favorite explanations of ports is that you have 65,536 windows and doors in your network ranging from 0 to 65,535. Computers start counting at 0. Network admins are constantly yelling, “Shut the windows and close the doors—you're letting the data out!” Ports can be TCP or UDP. Simply put, TCP means there is a connection made between the host and the destination. UDP doesn't worry about whether there is a connection made. Both TCP and UDP have 65,535 ports available to them. This was the highest number that could be represented by a 16-bit, or 2-byte, number. You may see this represented mathematically as $2^{16} - 1$.

The Internet Assigned Numbers Authority (IANA) maintains an official assignment of port numbers for specific uses. Sometimes this list becomes antiquated at the same time new technologies are becoming available. Some of the most common ones you might see are the “well-known” ports, which are 0–1023. Looking at the list in the previous figure, you see this machine is listening on port 135. Port 135 is traditionally used for a service called epmap/loc-srv. That should tell you, among other things in Figure 1.8, that this is a Windows host. When a Windows host wants to connect to an RPC service on a remote machine, it checks for port 135.

The next port that is listening is 443. Most IT professionals memorize this port early in their career. Port 443 is Hypertext Transfer Protocol over TLS/SSL—better known as HTTPS. HTTPS authenticates the website being accessed and protects the confidentiality of the data being exchanged. Ports from 1023 all the way up to 49151 are “registered” ports. Above that, you have dynamic or private ports.
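As an added example (not from the book), the Python sketch below parses `netstat -an` text, separates loopback-only listeners from those bound to every interface, and tags each port with its IANA range. The sample output and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not taken from Figure 1.8).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def port_class(port):
    """IANA ranges: well-known 0-1023, registered 1024-49151, dynamic above."""
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "dynamic"

def bind_scope(host):
    """Loopback is local-only; 0.0.0.0 or :: means every interface."""
    ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
    if ip.is_loopback:
        return "loopback-only"
    return "all-interfaces" if ip.is_unspecified else "single-interface"

def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -an` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # skip banner, column header and blank lines
        host, _, port = f[1].rpartition(":")  # rpartition copes with [::]:135
        state = f[3] if len(f) > 3 else ""    # UDP rows have no state column
        rows.append({"proto": f[0], "host": host, "port": int(port),
                     "state": state, "scope": bind_scope(host),
                     "class": port_class(int(port))})
    return rows

def exposed_listeners(rows):
    """TCP listeners reachable from other machines (not bound to loopback)."""
    return sorted({(r["port"], r["class"]) for r in rows
                   if r["state"] == "LISTENING" and r["scope"] != "loopback-only"})

if __name__ == "__main__":
    for port, cls in exposed_listeners(parse_netstat(SAMPLE)):
        print(f"TCP {port:<5} {cls}")
```

Listeners in the "exposed" list are the ones to compare against the services the host is supposed to offer; a loopback-only listener cannot be reached from another machine.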

NetStat is an abbreviation for “network statistics.” If a host is not listening on the correct port for a specific service, then no communication can occur. Take another step in your network path, and these ports may be listening, but this does not mean that a firewall is allowing the traffic to get to the device. To test that hypothesis, you can temporarily disable the host-based firewall that may be causing the networking issue.

Among my favorite netstat commands are the statistics options shown in Figure 1.9. In Lab 1.5, you'll use the netstat command.

“Screenshot displaying the options in the netstat statistics, to temporarily disable a host-based firewall causing a networking issue.”

Figure 1.9 : NetStat statistics
