Netstat Active Connections

by Dave Breslin
April 29, 2012

[Image: Connections trend graph]

This template uses the results from Nessus plugin 58651, Netstat Active Connections, to report all hosts that have network connections to or from the same public or private IP address. The sample above was cut from the report example provided and shows the growth in the number of hosts with connections to or from the private IPv4 address “192.168.1.4”. To see a full report, use the download example link.

The template consists of a single chapter which reports:

  1. Daily trend of hosts with one or more connections to/from an IP address over the last 5 days
  2. Current counts for hosts with one or more connections to/from an IP address divided across /24 subnets
  3. The last netstat information report for each host with one or more connections to/from an IP address

To change the template to report on an IP other than 192.168.1.4, edit the filters: each report element within the single chapter uses the same filters to focus the report on one particular IP of interest:

[Image: Filters]


You can modify the trend graph to report a larger timeframe:

[Image: Timeframe]

You can also change the network reporting to /16 or /8 subnets. The template is currently set to divide the reported IP address space into /24 subnets:

[Image: Subnet table]


You may wish to replace or complement the subnet reporting table element with a table element reporting asset lists if you are using more complex VLSM and have leveraged SecurityCenter 4’s static asset list functionality to give subnets meaningful labels such as their physical locations, for example:

[Image: Asset lists]


Trend data for a SecurityCenter repository is automatically generated daily. Building a recurring scan to support the trending graph in the template could fold into the light credentialed scanning described in the blog post Enhanced Botnet Detection with Nessus, by also enabling plugin 58651.

When filtering on the plugin output of 58651, be aware of the subtle differences in netstat output across operating systems:

Mac OS X Lion:

Plugin Output: Netstat output :
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 10.100.15.5.22 10.0.0.61.50001 ESTABLISHED
tcp4 0 0 10.100.15.5.49438 192.168.1.4.445 ESTABLISHED
tcp4 0 0 10.100.15.5.49428 17.149.36.178.5223 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN
...

Windows XP:

Plugin Output: Netstat output :
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 764
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1059 0.0.0.0:0 LISTENING 832
TCP 0.0.0.0:1241 0.0.0.0:0 LISTENING 944
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 720
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING 1384
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING 1384
TCP 0.0.0.0:8834 0.0.0.0:0 LISTENING 944
TCP 10.100.20.3:135 10.0.0.61:37546 ESTABLISHED 764
TCP 10.100.20.3:139 0.0.0.0:0 LISTENING 4
TCP 10.100.20.3:445 10.0.0.61:60142 ESTABLISHED 4
TCP 10.100.20.3:1059 10.0.0.61:60846 ESTABLISHED 832
TCP 10.100.20.3:3396 192.168.1.4:445 ESTABLISHED 4
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 1644
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 544
UDP 0.0.0.0:1063 *:* 900
...

Ubuntu 11:

Plugin Output: Netstat output :
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 44 10.100.30.23:22 10.0.0.61:45287 ESTABLISHED
tcp 0 0 10.100.30.23:37771 192.168.1.4:445 ESTABLISHED
tcp 0 0 10.100.30.23:57265 192.168.1.4:139 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
udp 0 0 0.0.0.0:57291 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
...

Examined in detail, the example report shows the connections to 192.168.1.4 on destination ports 139 and/or 445. To generate the example report, hosts running multiple operating systems (RHEL, Mac OS X, Ubuntu and Windows) were used to connect to a Samba network share.
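The three netstat layouts above differ in how endpoints and columns are written: Mac OS X separates address and port with a dot and labels the last column "(state)", Windows has no Recv-Q/Send-Q columns and adds a trailing PID (so UDP rows carry no state at all), and Ubuntu uses the Linux "addr:port" form including IPv6 entries such as ":::22". The following is an added example, not Tenable code or part of the original post: a small parser that takes the column positions from each header row so one routine handles all three formats, then reproduces what the template reports, namely the hosts with one or more connections to or from a chosen IP (optionally restricted to the target's ports, as with the 139/445 traffic to the Samba share) and the count of those hosts per /24 or /16 subnet. The plugin outputs it reads are constructed samples modelled on the excerpts above, keyed by the scanned host's IP; in SecurityCenter that mapping comes from the scan result.

```python
"""Parse Nessus plugin 58651 (Netstat Active Connections) output from several
operating systems and list the hosts that have connections to/from one IP.

Added example, not Tenable code. The sample outputs are constructed, modelled
on the Mac OS X, Windows XP and Ubuntu excerpts in the post."""
import ipaddress
from collections import Counter, namedtuple

Connection = namedtuple(
    "Connection", "proto local_ip local_port foreign_ip foreign_port state")

# Constructed samples keyed by the scanned host's IP (the host Nessus would
# attach the plugin result to). Only a few representative rows are included.
SAMPLES = {
    "10.100.15.5": """Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 10.100.15.5.22 10.0.0.61.50001 ESTABLISHED
tcp4 0 0 10.100.15.5.49438 192.168.1.4.445 ESTABLISHED
tcp4 0 0 *.22 *.* LISTEN
""",
    "10.100.20.3": """Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 764
TCP 10.100.20.3:3396 192.168.1.4:445 ESTABLISHED 4
UDP 0.0.0.0:445 *:* 4
""",
    "10.100.30.23": """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.100.30.23:37771 192.168.1.4:445 ESTABLISHED
tcp 0 0 10.100.30.23:57265 192.168.1.4:139 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
""",
    "10.100.40.7": """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
""",
}


def split_endpoint(token):
    """Split 'addr:port' (Linux/Windows) or 'addr.port' (BSD/Mac OS X) into
    (addr, port). The port is an int, or None for wildcards such as '*.*'."""
    sep = ":" if ":" in token else "."
    addr, _, port = token.rpartition(sep)
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(output):
    """Yield Connection tuples from one host's plugin output.

    Column positions are read from the header row, so the BSD layout (three
    leading columns, '(state)' header), the Windows layout (trailing PID,
    UDP rows without a state) and the Linux layout share one code path."""
    local_idx = None
    for line in output.splitlines():
        tokens = line.split()
        if "Local" in tokens and "Foreign" in tokens:
            local_idx = tokens.index("Local")  # header row: locate columns
            continue
        if local_idx is None or len(tokens) <= local_idx + 1:
            continue  # banner text, '...' continuation marker, blank lines
        local = split_endpoint(tokens[local_idx])
        foreign = split_endpoint(tokens[local_idx + 1])
        state = ""
        if len(tokens) > local_idx + 2 and not tokens[local_idx + 2].isdigit():
            state = tokens[local_idx + 2]  # on Windows UDP rows this slot is the PID
        yield Connection(tokens[0].lower(), *local, *foreign, state)


def involves(conn, target_ip, ports=None):
    """True if target_ip is at either end of the connection, optionally
    restricted to a set of ports on the target's side."""
    if conn.foreign_ip == target_ip:
        return ports is None or conn.foreign_port in ports
    if conn.local_ip == target_ip:
        return ports is None or conn.local_port in ports
    return False


def hosts_connected_to(target_ip, plugin_outputs, ports=None):
    """Map host -> its matching connections, for hosts with at least one."""
    found = {}
    for host, output in plugin_outputs.items():
        matches = [c for c in parse_netstat(output) if involves(c, target_ip, ports)]
        if matches:
            found[host] = matches
    return found


def count_by_subnet(hosts, prefix=24):
    """Count hosts per /prefix network, like the template's subnet table."""
    return dict(Counter(
        str(ipaddress.ip_network(f"{h}/{prefix}", strict=False)) for h in hosts))


if __name__ == "__main__":
    hits = hosts_connected_to("192.168.1.4", SAMPLES, ports={139, 445})
    for host, conns in sorted(hits.items()):
        print(host, [(c.proto, c.foreign_ip, c.foreign_port, c.state) for c in conns])
    print(count_by_subnet(hits, 24))
```

Matching on either end of the connection matters: a scan of 192.168.1.4 itself shows the same sessions with the share's address in the Local column, whereas every other host shows it in the Foreign column. Reading column offsets from the header rather than hard-coding them is what keeps a single filter valid across the three operating systems shown above.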