
TCP/IP, Network basics, and Internet Essentials


The internet leverages TCP/IP and UDP for the vast majority of its communication.

All internet communication occurs through an IP address, which is assigned to your machine when it connects to the internet, and a numeric port chosen according to the specific type of conversation that is to occur.

All web sites, for instance, are served through HTTP conversations, which are reserved for port 80, unless the conversation is secure (HTTPS), in which case it occurs over port 443.

Sometimes you might download files through something called FTP; these conversations all initialize through port 21 (the control connection), and the download itself occurs through port 20 (the data connection).

If you attempt to establish an HTTP conversation with another computer over an FTP port, say port 20, you will receive an error or no response.

All the currently documented types of internet conversation, and internet communication in general, are technically specified in the RFCs indexed here: https://tools.ietf.org/rfc/index. If you search for what happens when your browser communicates with a web page via HTTP, you will find that described in RFC 1945, here: https://tools.ietf.org/html/rfc1945.

These RFCs are not indexed by port, which makes it tough to find out which RFC applies to which port. An easy way to find out which service (and therefore which RFC) applies to which port is to open Windows Explorer (NOT Internet Explorer), which can be accessed by clicking on your Start menu, then Computer. Browse to the folder ‘c:\windows\system32\drivers\etc’. Once there, you should see the file ‘services’; open this file with Notepad. Use CTRL+F to start a search and type in ‘http’, which should find this:

# <service name> <port number>/<protocol> [aliases…]   [#<comment>]
http                            80/tcp                                          www www-http           #World Wide Web

As you can see, http is the service on port 80/tcp, so we can then leverage RFC 1945 to review the details of what that conversation looks like.
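As an added example (my code, not code from the original post), here is a small Python parser for the layout of that services file. SAMPLE_SERVICES is a constructed excerpt in the same format as the real file, and parse_services, service_for_port, ports_for_service and resolve_port_token are names I chose for this example. Aliases such as www are searchable too, so the lookup works in both directions: a numeric port from netstat output to a service name, or a service name (which netstat prints when run without -n, e.g. pg-in-f189:https) back to its port.

```python
r"""Look up services by port in the layout of the Windows services file
(drivers\etc\services). Added example, not from the original post."""

# Constructed excerpt in the layout of the real file:
#   <service name>  <port>/<protocol>  [aliases...]  [#<comment>]
SAMPLE_SERVICES = """\
# Constructed excerpt in the layout of the Windows services file.
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
ftp-data           20/tcp                           #FTP, data
ftp                21/tcp                           #FTP. control
http               80/tcp    www www-http           #World Wide Web
https             443/tcp    MCom                   #HTTP over TLS/SSL
https             443/udp    MCom
netbios-ns        137/udp    nbname                 #NETBIOS Name Service
microsoft-ds      445/tcp                           #SMB over TCP
"""


def parse_services(text):
    """Map (port, protocol) -> {'name', 'aliases', 'comment'}.
    Comment-only lines and blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")      # everything after '#' is a comment
        fields = body.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, proto = fields[1].partition("/")
        if not port.isdigit():
            continue
        table[(int(port), proto.lower())] = {
            "name": fields[0],
            "aliases": fields[2:],
            "comment": comment.strip(),
        }
    return table


def service_for_port(table, port, proto="tcp"):
    """The name netstat prints for this port without -n, e.g. 80/tcp -> 'http'."""
    entry = table.get((port, proto.lower()))
    return entry["name"] if entry else None


def ports_for_service(table, name):
    """All (port, proto) pairs whose service name or alias matches, case-insensitively."""
    wanted = name.lower()
    return sorted(
        key for key, entry in table.items()
        if entry["name"].lower() == wanted
        or wanted in [alias.lower() for alias in entry["aliases"]]
    )


def resolve_port_token(table, token, proto="tcp"):
    """netstat without -n prints service names ('https'); with -n it prints numbers ('443').
    Return (port, service name or None) for either form."""
    if token.isdigit():
        port = int(token)
        return port, service_for_port(table, port, proto)
    matches = [p for p, pr in ports_for_service(table, token) if pr == proto.lower()]
    return (matches[0] if matches else None), token


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for token in ("80", "443", "https", "www", "64760"):
        print(token, "->", resolve_port_token(table, token))
```

Unlisted ports (such as the 64760 that uTorrent opens in the dump further down) come back with no service name, which is exactly the signal the post is after: a listening port with no entry in services is one you have to attribute to a process yourself.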

When you connect to a web site via your web browser, say http://www.microsoft.com, a translation occurs that turns that name into a numerical address of the form (0-255).(0-255).(0-255).(0-255).

This translation is called a Domain Name Service lookup, or DNS lookup for short, and can be done at the command line of any Windows machine by going to the ‘START’ menu, selecting ‘RUN’, typing in ‘CMD’, and, once that command window opens, typing ‘nslookup www.google.com’. This returns a response that says ‘Non-authoritative answer:’ followed by an address; mine is reporting 216.58.216.36. If you open your browser, you can take that number and plug it into the address bar instead of www.google.com and it should go right to Google’s web site.

Here’s a text dump of the lookup using nslookup on my computer:

C:\Users\Q>nslookup www.google.com

Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name:   www.google.com
Addresses: 2607:f8b0:4007:80a::2004
216.58.216.36

You can exit nslookup by typing ‘exit’.

While at the command line you can also find out what your computer’s address is.

Type ‘ipconfig’, and next to the line ‘IPv4 Address’ is a number; technically inclined peeps like me refer to this as an IP, and mine is 172.31.99.229.

You can see the ‘dump’ of my network configuration here, as I leverage the command ‘ipconfig’ to look up my local computer’s address:

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::f12b:d561:e71b:f3f%10
IPv4 Address. . . . . . . . . . . : 172.31.99.229
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 172.31.98.1

In a general sense it is not safe to share your IPs with others, but if you’re on public WiFi, as I am at Starbucks, and my IP changes every time I reconnect, which I do on a daily basis by ‘releasing’ my dynamically allocated IP to avoid tracking, I become a very hard target to trace or to have my IP leveraged against me.

It is helpful to understand when someone is communicating with your computer. Whenever a TCP conversation is started or is occurring with your computer, a list of all the active conversations can be retrieved at the command line by typing ‘netstat’. To ALSO retrieve a list of what conversations CAN occur, you type ‘netstat -a’ (the ‘-a’ stands for all).

Hitting ‘enter’ after typing ‘netstat -a’ provides a list of ALL conversations. I will show you what I get when I type this command in…

But first: I have a LOT going on with my system right now, so I’m going to show you a complete dump of all the conversations going on with my computer right now.

There’s a lot here, and it’s not necessary to understand it all; just pay attention to the column headers, which I will explain after this.

Active Connections
Proto Local Address         Foreign Address       State
TCP   0.0.0.0:135           QContinuum:0           LISTENING
TCP   0.0.0.0:445           QContinuum:0          LISTENING
TCP   0.0.0.0:1025           QContinuum:0           LISTENING
TCP   0.0.0.0:1026           QContinuum:0           LISTENING
TCP   0.0.0.0:1027           QContinuum:0           LISTENING
TCP   0.0.0.0:1028           QContinuum:0           LISTENING
TCP   0.0.0.0:1029           QContinuum:0           LISTENING
TCP   0.0.0.0:1030           QContinuum:0           LISTENING
TCP   0.0.0.0:1433           QContinuum:0           LISTENING
TCP   0.0.0.0:2383           QContinuum:0           LISTENING
TCP   0.0.0.0:64760         QContinuum:0           LISTENING
TCP   127.0.0.1:1434         QContinuum:0           LISTENING
TCP   127.0.0.1:2172         ads:2173               ESTABLISHED
TCP   127.0.0.1:2173         ads:2172               ESTABLISHED
TCP   172.31.99.229:139     QContinuum:0           LISTENING
TCP   172.31.99.229:21362   pg-in-f189:https       ESTABLISHED
TCP   172.31.99.229:29362   64-121-79-185:64704   ESTABLISHED
TCP   172.31.99.229:29536   a184-28-188-114:http   CLOSE_WAIT
TCP   172.31.99.229:29549   pg-in-f121:http       CLOSE_WAIT
TCP   172.31.99.229:29557   vulcan:http           CLOSE_WAIT
TCP   172.31.99.229:29566   li98-146:http         CLOSE_WAIT
TCP   172.31.99.229:29567   nuq04s29-in-f14:http   CLOSE_WAIT
TCP   172.31.99.229:29580   pg-in-f121:http       CLOSE_WAIT
TCP   172.31.99.229:29587   pg-in-f121:http       CLOSE_WAIT
TCP   172.31.99.229:29612  nuq04s29-in-f14:http   CLOSE_WAIT
TCP   172.31.99.229:30321   pf-in-f108:imaps       ESTABLISHED
TCP   172.31.99.229:32225   ip174-70-133-218:8999 ESTABLISHED
TCP   172.31.99.229:33520   co128ds:https         ESTABLISHED
TCP   172.31.99.229:36167   149.200.229.4:49567   ESTABLISHED
TCP   172.31.99.229:36443   169-0-99-212:25606     LAST_ACK
TCP   172.31.99.229:36597   ns3017551:62377       ESTABLISHED
TCP   172.31.99.229:36630   117.254.211.171:56257 ESTABLISHED
TCP   172.31.99.229:36646   95.45.126.62:32022     FIN_WAIT_1
TCP   172.31.99.229:36664   dynamic-cpe-pool:56847 LAST_ACK
TCP   172.31.99.229:36728   cable-41-220-104-84:53319 ESTABLISHED
TCP   172.31.99.229:36747   dynamic-adsl-84-223-34-214:43048 LAST_ACK
TCP   172.31.99.229:36762   027b99a1:12915         LAST_ACK
TCP   172.31.99.229:36829   103-230-23-242:26089   FIN_WAIT_2
TCP   172.31.99.229:36878   2.24.20.241:52962     TIME_WAIT
TCP   172.31.99.229:36882   46-129-102-4:9346     SYN_SENT
TCP   172.31.99.229:36883   197.157.105.72:26089   SYN_SENT
TCP   172.31.99.229:36884   176.32.23.200:64321   SYN_SENT
TCP   172.31.99.229:36887   187.8.203.13:11438     SYN_SENT
TCP   172.31.99.229:36888   190.213.79.49:23684   SYN_SENT
TCP   172.31.99.229:36889   c-24-147-127-224:45563 SYN_SENT
TCP   172.31.99.229:36890   109.255.61.62:54918   SYN_SENT
TCP   172.31.99.229:36893   114.4.56.206:57626     SYN_SENT
TCP   172.31.99.229:36896   abts-north-dynamic-239:19639 SYN_SENT
TCP   172.31.99.229:36897   112.198.118.197:37984 SYN_SENT
TCP   172.31.99.229:36899   178.17.118.79:64748   SYN_SENT
TCP   172.31.99.229:36900   151.67.8.91:49814     SYN_SENT
TCP   172.31.99.229:36902   78.101.40.76:18457     SYN_SENT
TCP   172.31.99.229:36903   cpe-109-60-69-89:28512 SYN_SENT
TCP   172.31.99.229:36904   109.92.0.89:64691     TIME_WAIT
TCP   172.31.99.229:36906   ip-89-102-185-181:26562 SYN_SENT
TCP   172.31.99.229:36907   c213-89-138-108:8500   SYN_SENT
TCP   172.31.99.229:36910   host86-190-254-50:11608 SYN_SENT
TCP   172.31.99.229:36911   234:11926             SYN_SENT
TCP   172.31.99.229:36916   104-51-101-10:61992   SYN_SENT
TCP   172.31.99.229:36917   92.98.190.128:15870   SYN_SENT
TCP   172.31.99.229:36918   ip4daac87e:24874       SYN_SENT
TCP   172.31.99.229:36919   dsl:15862             SYN_SENT
TCP   172.31.99.229:36921   32:56458               SYN_SENT
TCP   172.31.99.229:36923   109:34473             SYN_SENT
TCP   172.31.99.229:36924   093105179134:51413     SYN_SENT
TCP   172.31.99.229:36927   S0106002401749804:9134 SYN_SENT
TCP   172.31.99.229:36929   mtl93-3-82-225-166-117:55897 SYN_SENT
TCP   172.31.99.229:36930   135-23-41-162:37560   SYN_SENT
TCP   172.31.99.229:36931   pool-184-17-229-251:40583 SYN_SENT
TCP   172.31.99.229:36932   109.79.28.12:21137     SYN_SENT
TCP   172.31.99.229:36933   2.190.148.203:13101    SYN_SENT
TCP   172.31.99.229:36935   103.19.253.238:9750   SYN_SENT
TCP   172.31.99.229:36936   cable-94-189-146-37:59696 LAST_ACK
TCP   172.31.99.229:36937   modemcable028:55799   SYN_SENT
TCP   172.31.99.229:36938   cpe-98-25-11-104:61000 SYN_SENT
TCP   172.31.99.229:36939   athedsl-262720:15322   SYN_SENT
TCP   172.31.99.229:36941   ip-31-205-35-150:45058 SYN_SENT
TCP   172.31.99.229:36945   60.51.68.69:27501     SYN_SENT
TCP   172.31.99.229:36946   bl21-236-248:61466     SYN_SENT
TCP   172.31.99.229:36947   125.212.121.26:2085   SYN_SENT
TCP   172.31.99.229:36949   ip-80-209:54373       SYN_SENT
TCP   172.31.99.229:36950   89-180-181-40:1186     SYN_SENT
TCP   172.31.99.229:36951   triband-mum-120:27718 SYN_SENT
TCP   172.31.99.229:36952   190.213.57.148:46571   SYN_SENT
TCP   172.31.99.229:36956   116.68.121.49:3187     SYN_SENT
TCP   172.31.99.229:36960   5:60240               SYN_SENT
TCP   172.31.99.229:36963   109.98.164.168:41162   SYN_SENT
TCP   172.31.99.229:36964   69.80.43.94:19362     SYN_SENT
TCP   172.31.99.229:36966   ppp046176011016:61951 SYN_SENT
TCP   172.31.99.229:36967   27-32-67-173:40638     SYN_SENT
TCP   172.31.99.229:36969   TSB-BR01-41-182-196-225:10309 SYN_SENT
TCP   172.31.99.229:36972   178-220-245-94:10735   ESTABLISHED
TCP   172.31.99.229:36974   89-66-104-249:13643   SYN_SENT
TCP   172.31.99.229:36977   c-2f9ce555:57952      SYN_SENT
TCP   172.31.99.229:36978   156-32-18-190:15825   SYN_SENT
TCP   172.31.99.229:36979   c-24-127-251-112:12825 SYN_SENT
TCP   172.31.99.229:36981   77.127.198.36:62365   SYN_SENT
TCP   172.31.99.229:36982   14-201-164-106:42657   ESTABLISHED
TCP   172.31.99.229:36985   99-85-97-57:6881       SYN_SENT
TCP   172.31.99.229:36986   144:11610             SYN_SENT
TCP   172.31.99.229:36987   AReims-652-1-236-70:45682 ESTABLISHED
TCP   172.31.99.229:36988   109-93-101-208:25963   ESTABLISHED
TCP   172.31.99.229:36990   host-41:17040         ESTABLISHED
TCP   172.31.99.229:36991   150.129.174.43:10952   SYN_SENT
TCP   172.31.99.229:36992   host721680017145:57595 SYN_SENT
TCP   172.31.99.229:36994   ip-193-24-244-2:38659 SYN_SENT
TCP   [::]:135               QContinuum:0           LISTENING
TCP   [::]:445               QContinuum:0           LISTENING
TCP   [::]:1025             QContinuum:0           LISTENING
TCP   [::]:1026             QContinuum:0           LISTENING
TCP   [::]:1027             QContinuum:0           LISTENING
TCP   [::]:1028             QContinuum:0           LISTENING
TCP   [::]:1030             QContinuum:0           LISTENING
TCP   [::]:1433            QContinuum:0           LISTENING
TCP   [::]:2383             QContinuum:0           LISTENING
TCP   [::]:64760             QContinuum:0           LISTENING
TCP   [::1]:1434             QContinuum:0           LISTENING
UDP   0.0.0.0:64760        *:*
UDP   172.31.99.229:137     *:*
UDP   172.31.99.229:138     *:*
UDP   [::]:64760             *:*

To review the information: Proto means “protocol”, the transport protocol (TCP or UDP) in use on that line, from which I can determine the kind of conversation.

“Local address” should generally be one of four things: 127.0.0.1, which is the loopback address and refers to the local system itself; 0.0.0.0, which also refers to the local system but means any IPv4 address it has; 172.31.99.229, which is what I looked up before and learned was the current address assigned to make this computer reachable from the network; and finally [::], which means ‘all network interfaces’ for IPv6, meaning ANY network adapter on this computer can be reached on this port. The ‘any’ form is particularly relevant for computers with multiple network adapters, which is common for servers but not for home machines.

“Foreign Address” is the remote machine I am connected to on the internet. Since I am active in the torrent community, I have numerous ‘high port’ connections (21000+) which aren’t generally going to be listed in services. I will outline the value of this in a moment.

And finally there’s the “State”, which shows the current state of each connection. If my computer is ‘awaiting a connection’, meaning I have an application running in Windows that is waiting for a connection to be established to it, I will see ‘LISTENING’ in the state column and a foreign address of ‘*:*’ (for UDP) or one ending in ‘:0’ (for TCP). If the connection is ongoing and data is being transferred between my computer and a remote computer, I will see ‘ESTABLISHED’. If the connection is in the process of closing, I will generally see ‘CLOSE_WAIT’, and if it’s been a long time since a response was received, the connection between my machine and the other will naturally drop off and I will see ‘TIME_WAIT’.

So let’s say I suspect someone is messing with my machine remotely.

I will then leverage the ‘remote address’ to track down hackers targeting my machine.

But the above ‘netstat’ output does not provide the right information; how can I track someone down with something named ‘vulcan’? Additionally, it would be nice to know which processes on my system are accepting remote connections or have them established.

So what I do is run this command at the command line: ‘netstat -a -b -n -o’

As stated before, the ‘-a’ option retrieves every connection that is open OR currently available on this computer. The ‘-b’ option shows the process/application that is using this line’s communication ‘channel’ (on current versions of Windows it requires a command prompt run as administrator). The ‘-n’ option shows foreign addresses in numeric form instead of names, which is easier to work with. Finally, the ‘-o’ option shows the process ID. The process ID is invaluable for tracking down ‘hidden’ applications that might use methods to hide the name of the application from you.

Here’s what I have running on this computer.

Active Connections

Proto Local Address         Foreign Address       State           PID
TCP   0.0.0.0:135           0.0.0.0:0             LISTENING       704
RpcSs
[svchost.exe]
TCP   0.0.0.0:445           0.0.0.0:0             LISTENING       4
Can not obtain ownership information
TCP   0.0.0.0:1025           0.0.0.0:0             LISTENING       428
[wininit.exe]
TCP   0.0.0.0:1026           0.0.0.0:0             LISTENING       808
eventlog
[svchost.exe]
TCP   0.0.0.0:1027           0.0.0.0:0             LISTENING       532
[lsass.exe]
TCP   0.0.0.0:1028           0.0.0.0:0             LISTENING       888
Schedule
[svchost.exe]
TCP   0.0.0.0:1029           0.0.0.0:0             LISTENING       1184
[msmdsrv.exe]
TCP   0.0.0.0:1030           0.0.0.0:0             LISTENING       516
[services.exe]
TCP   0.0.0.0:1433           0.0.0.0:0             LISTENING       1576
[sqlservr.exe]
TCP   0.0.0.0:2383           0.0.0.0:0             LISTENING       1712
[msmdsrv.exe]
TCP   0.0.0.0:64760         0.0.0.0:0             LISTENING       2744
[uTorrent.exe]
TCP   127.0.0.1:1434         0.0.0.0:0             LISTENING       1576
[sqlservr.exe]
TCP   127.0.0.1:2172         127.0.0.1:2173         ESTABLISHED     1108
[firefox.exe]
TCP   127.0.0.1:2173         127.0.0.1:2172         ESTABLISHED     1108
[firefox.exe]
TCP   172.31.99.229:139     0.0.0.0:0             LISTENING       4
Can not obtain ownership information
TCP   172.31.99.229:37418   173.194.202.108:993   ESTABLISHED     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:41685   173.194.203.189:443   ESTABLISHED     1108
[firefox.exe]
TCP   172.31.99.229:47121   64.121.79.185:64704   ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:49697   184.28.188.114:80     CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49704   173.194.203.121:80     CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49757   212.113.132.182:80     CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49802   97.107.137.146:80     CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49803   216.58.192.14:80       CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49804   173.194.203.121:80     CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49819   173.194.203.121:80     CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:49853   216.58.192.14:80       CLOSE_WAIT     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:50612   197.88.109.71:6881     ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:51571   105.226.153.243:60075 TIME_WAIT       0
TCP   172.31.99.229:51732   77.54.135.22:55284     ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:51735   177.188.13.211:8999   ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:52526   2.121.137.66:17186     ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:52625   122.50.128.110:31165   FIN_WAIT_1     2744
[uTorrent.exe]
TCP   172.31.99.229:52907   46.186.72.76:8999     ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:52909   157.56.19.87:443      ESTABLISHED     2740
[OUTLOOK.EXE]
TCP   172.31.99.229:53035   93.28.93.133:49538     ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:53067   94.3.234.2:53362       FIN_WAIT_2     2744
[uTorrent.exe]
TCP   172.31.99.229:53147   174.70.133.218:8999   ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:53179   89.210.132.222:8999   FIN_WAIT_1     2744
[uTorrent.exe]
TCP   172.31.99.229:53200   125.99.183.118:20271   FIN_WAIT_2     2744
[uTorrent.exe]
TCP   172.31.99.229:53271   117.216.193.138:16541 ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:53297   103.252.5.206:63005   FIN_WAIT_2     2744
[uTorrent.exe]
TCP   172.31.99.229:53320   118.176.149.91:30005   LAST_ACK       2744
[uTorrent.exe]
TCP   172.31.99.229:53327   41.220.104.84:53319   ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:53343   84.109.13.149:6881     TIME_WAIT       0
TCP   172.31.99.229:53353   59.101.181.114:21559   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53356   2.51.177.223:48506     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53357   197.237.122.241:48349 SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53362   77.174.144.108:20793   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53363   178.48.206.76:60020   ESTABLISHED     2744
[uTorrent.exe]
TCP   172.31.99.229:53365   2.224.13.10:15021     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53367   85.4.81.75:26792       TIME_WAIT       0
TCP   172.31.99.229:53368   64.237.226.220:24200   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53372   51.39.134.142:1       SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53373   188.71.193.33:45070   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53376   212.251.112.111:10273 SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53379   165.255.115.61:13936   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53381   58.250.176.55:58422   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53383   104.245.204.177:13156 SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53385   41.182.14.103:42012    SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53390   93.169.118.52:38470   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53391   174.98.160.151:58564   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53394   5.55.24.228:20990     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53395   86.59.161.63:19976     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53398   41.57.109.62:29281     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53403   217.96.3.179:44028     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53405   121.222.237.108:49961 SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53407   87.112.239.182:9551   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53408   105.105.34.140:12680   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53411   37.107.176.100:23346   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53416   31.11.102.100:35436   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53417   124.107.32.174:30966   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53418   86.52.9.186:45793     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53425   191.184.206.138:61293 SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53426   67.169.204.200:33282   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53431   85.150.116.183:54751   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53432   23.112.252.193:4966   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53433   39.47.163.49:1024     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53435   71.59.180.156:21339   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53436   80.111.218.111:49293   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53439   94.173.33.245:59051   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53443   108.19.220.184:27855   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53444   97.96.107.246:42357   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53445   41.130.80.74:1024     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53455   76.120.194.124:56017   TIME_WAIT       0
TCP   172.31.99.229:53456   24.133.60.162:38346   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53457   50.153.157.67:12800   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53460   121.32.133.197:16005   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53461   197.41.135.183:21015   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53462   41.224.148.76:34258   SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53463   79.13.43.238:10705     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53464   89.2.147.196:26396     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53465   70.83.202.63:12706     SYN_SENT       2744
[uTorrent.exe]
TCP   172.31.99.229:53466   220.156.161.22:25323   SYN_SENT       2744
[uTorrent.exe]
TCP   [::]:135               [::]:0                 LISTENING       704
RpcSs
[svchost.exe]
TCP   [::]:445               [::]:0                 LISTENING       4
Can not obtain ownership information
TCP   [::]:1025             [::]:0                 LISTENING       428
[wininit.exe]
TCP   [::]:1026             [::]:0                 LISTENING       808
eventlog
[svchost.exe]
TCP   [::]:1027             [::]:0                 LISTENING       532
[lsass.exe]
TCP   [::]:1028             [::]:0                 LISTENING       888
Schedule
[svchost.exe]
TCP   [::]:1030             [::]:0                 LISTENING       516
[services.exe]
TCP   [::]:1433             [::]:0                 LISTENING       1576
[sqlservr.exe]
TCP   [::]:2383             [::]:0                 LISTENING       1712
[msmdsrv.exe]
TCP   [::]:64760             [::]:0                 LISTENING       2744
[uTorrent.exe]
TCP   [::1]:1434             [::]:0                 LISTENING       1576
[sqlservr.exe]
TCP   [fe80::f12b:d561:e71b:f3f%10]:53450 [fe80::dabb:2cff:feb9:bb26%10]:10507 SYN_SENT       2744
[uTorrent.exe]
UDP   0.0.0.0:64760         *:*                                   2744
[uTorrent.exe]
UDP   172.31.99.229:137     *:*                                   4
Can not obtain ownership information
UDP   172.31.99.229:138     *:*                                   4
Can not obtain ownership information
UDP   [::]:64760             *:*                                   2744
[uTorrent.exe]

As you can see, there are a LOT of entries which say ‘Can not obtain ownership information’. Normally, these should be of concern. The ones shown here all carry PID 4, the Windows System process, which is what the SMB and NetBIOS ports (445, 139, 137 and 138) normally report, so the way to check an entry like this is to match its PID against the process list rather than rely on the missing name.
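As an added example, not part of the original post, the following Python script parses output in this ‘netstat -a -b -n -o’ layout, attaches each ‘[process.exe]’ (or ‘Can not obtain ownership information’) line to the record above it, and classifies local addresses with the standard ipaddress module, so the loopback / all-interfaces / link-local distinction described above is computed rather than eyeballed. SAMPLE_NETSTAT is an excerpt assembled from lines of the dump above; the function names are my own. exposed_listeners() is the check a defender usually wants first (which ports are listening on something other than 127.0.0.1, and which process owns them), and states_by_process() gives per-process state counts, such as the pile of SYN_SENT attempts a torrent client generates.

```python
"""Parse 'netstat -a -b -n -o' output. Added example, not code from the post.
SAMPLE_NETSTAT is an excerpt assembled from lines of the dump shown above."""
import ipaddress
import re
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       1576
 [sqlservr.exe]
  TCP    172.31.99.229:47121    64.121.79.185:64704    ESTABLISHED     2744
 [uTorrent.exe]
  TCP    172.31.99.229:53353    59.101.181.114:21559   SYN_SENT        2744
 [uTorrent.exe]
  TCP    172.31.99.229:53356    2.51.177.223:48506     SYN_SENT        2744
 [uTorrent.exe]
  TCP    172.31.99.229:51571    105.226.153.243:60075  TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       704
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:64760          *:*                                    2744
 [uTorrent.exe]
"""

# A connection record: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
                     r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?(?P<pid>\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")          # e.g. [svchost.exe]
NO_OWNER = "Can not obtain ownership information"


def split_endpoint(endpoint):
    """'[::]:135' -> ('::', 135); '172.31.99.229:139' -> ('172.31.99.229', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def classify_host(host):
    """Name the kind of address a socket is bound to, using the standard ipaddress module."""
    if host == "*":
        return "any"
    try:
        addr = ipaddress.ip_address(host.split("%")[0])   # drop an IPv6 zone id such as %10
    except ValueError:
        return "name"                                     # netstat without -n prints hostnames
    if addr.is_unspecified:
        return "all-interfaces"   # 0.0.0.0 or :: means every adapter on the machine
    if addr.is_loopback:
        return "loopback"         # 127.0.0.1 or ::1 means this machine only
    if addr.is_link_local:
        return "link-local"       # fe80::/10 means the local LAN segment only
    return "private" if addr.is_private else "public"


def parse_netstat(text):
    """Return one dict per connection, with the owning process/service lines folded in."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            lhost, lport = split_endpoint(m["local"])
            fhost, fport = split_endpoint(m["foreign"])
            conns.append({"proto": m["proto"], "local_host": lhost, "local_port": lport,
                          "foreign_host": fhost, "foreign_port": fport,
                          "state": m["state"] or "", "pid": int(m["pid"]),
                          "process": None, "service": None})
            continue
        stripped = line.strip()
        if not conns or not stripped or stripped.startswith(("Proto", "Active")):
            continue                                     # headers and blank lines
        owner = OWNER_RE.match(line)
        if owner:
            conns[-1]["process"] = owner["exe"]          # [uTorrent.exe]
        elif stripped == NO_OWNER:
            conns[-1]["process"] = NO_OWNER              # typically PID 4, the System process
        else:
            conns[-1]["service"] = stripped              # service hosted in svchost, e.g. RpcSs
    return conns


def exposed_listeners(conns):
    """Listening sockets other hosts can reach, i.e. not bound to a loopback address."""
    found = set()
    for c in conns:
        listening = c["state"] == "LISTENING" or (c["proto"] == "UDP" and c["foreign_host"] == "*")
        if listening and classify_host(c["local_host"]) != "loopback":
            found.add((c["proto"], c["local_port"], c["pid"], c["process"] or ""))
    return sorted(found)


def states_by_process(conns):
    """Per-process count of TCP states, e.g. how many half-open SYN_SENT attempts a client has."""
    summary = defaultdict(Counter)
    for c in conns:
        if c["state"]:
            summary[c["process"] or f"pid {c['pid']}"][c["state"]] += 1
    return {proc: dict(counts) for proc, counts in summary.items()}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, pid, proc in exposed_listeners(conns):
        print(f"exposed: {proto} port {port} pid {pid} {proc}")
    for proc, counts in states_by_process(conns).items():
        print(f"{proc}: {counts}")
```

The IPv4 and IPv6 listeners for the same service (0.0.0.0:135 and [::]:135, both PID 704) collapse into one entry, and the TIME_WAIT row with PID 0 is reported under ‘pid 0’ because Windows no longer attributes a closing socket to a process.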

For me, I don’t run virus protection, and am fine with hackers getting on my machines, I learned through hacking, and if you don’t screw with me by slowing my machine down or making my life difficult, then I am fine with you hacking me and pulling things from my computer.

However, IF you screw with me and cause me or my property harm, that means pegging my CPU with a process you run, that means causing any harm to my computer or data, then I’ll hunt you down and send you a message in my own way to deter any further attempts on my part in my own unique ways. This can include dramatic action such as taking your computer system and potentially even your network down entirely and permanently. It can also include the use of your identity in ways that will fit the crime. It can also include loading a custom virus on your machine I create just for you. It can also mean I simply play a practical joke on you if your offense is deemed respectfully intrusive. It depends on my mood.

One method I leverage to locate computers connected to mine is through the foreign address.

Take a look at the first uTorrent line returned; let’s say I just want to locate peers I am connected to.

Here’s the line I am looking at:

TCP   172.31.99.229:47121   64.121.79.185:64704   ESTABLISHED     2744 [uTorrent.exe]

With this line, we have a remote address my computer is currently connected to: 64.121.79.185. There’s an awesome web site utility called iplocator, at geobytes, which might give me general location information for the remote address, here: http://geobytes.com/iplocator/

With this, I learn that the IP of this computer sharing movies, video games, or TV shows with me is located in Boston, Massachusetts, at latitude 42.353500 and longitude -71.062698.

But this isn’t enough information, is it? If I wanted to drop a nuclear bomb on the person connected to me, Boston’s a big city and has a lot of suburbs to it.

With this, I drop to the command line again and run the command ‘tracert 64.121.79.185’, which will show me the precise route to the connected computer.

The results of running this command are:

C:\Users\Q>tracert 64.121.79.185

Tracing route to 64-121-79-185.c3-0.tlg-ubr2.atw-tlg.pa.cable.rcn.com [64.121.79.185] over a maximum of 30 hops:

1     *       *       *     Request timed out.
2   41 ms     2 ms     1 ms 192.168.0.1
3   13 ms   22 ms   52 ms 10.42.0.1
4   35 ms   254 ms   68 ms tge0-9-0-25.vnnzca2402h.socal.rr.com [76.167.27.125]
5   56 ms   14 ms   11 ms agg11.vnnycajz02r.socal.rr.com [72.129.14.98]
6   30 ms   33 ms   23 ms agg29.tustcaft01r.socal.rr.com [72.129.13.2]
7   15 ms   23 ms   31 ms bu-ether16.tustca4200w-bcr00.tbone.rr.com [66.109.6.64]
8   14 ms   21 ms   16 ms bu-ether14.lsancarc0yw-bcr00.tbone.rr.com [66.109.6.4]
9   17 ms   75 ms   15 ms 0.ae4.pr0.lax00.tbone.rr.com [107.14.19.86]
10   54 ms   26 ms   18 ms 66.109.9.122
11   116 ms   84 ms   239 ms ae-11-11.bar2.Philadelphia1.Level3.net [4.69.153.90]
12   88 ms   92 ms   84 ms RCN-CORPORA.bar2.Philadelphia1.Level3.net [4.30.46.34]
13   84 ms   101 ms   95 ms port-chan2.tlg-ubr2.atw-tlg.pa.cable.rcn.net [208.59.252.43]
14     *       *       *     Request timed out.
15     *       *       *     Request timed out.
16     *       *       *     Request timed out.
17     *       *       *     Request timed out.
18     *       *       *     Request timed out.
19     *       *       *     Request timed out.
20     *       *       *     Request timed out.
21     *       *       *     Request timed out.
22     *       *       *     Request timed out.
23     *       *       *     Request timed out.
24     *       *       *     Request timed out.
25     *       *       *     Request timed out.
26     *       *       *     Request timed out.
27     *       *       *     Request timed out.
28     *       *       *     Request timed out.
29     *       *       *     Request timed out.
30     *       *       *     Request timed out.

Trace complete.

So with this command run, I have just seen that the remote user may NOT be in Boston after all, and may actually be in Philadelphia. So now we need two nuclear bombs to nail him, her or it, and even that has no guarantee.
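As an added example (my code, not the author’s), here is a Python parser for tracert output in the layout shown above. SAMPLE_TRACERT is an abridged copy of that trace (hops 5-10 and 16-30 omitted, hop numbers unchanged); the function names are mine. last_responding_hop() and domains_along_path() make the point of the paragraph explicit: the last router that answered belongs to rcn.net, so what the trace identifies is the network operator at the far end (whose abuse desk is the proper place to send a complaint, with the IP, port, and timestamp from netstat), not the subscriber’s street address, and the trailing run of ‘Request timed out.’ hops is simply where that operator’s network stops answering.

```python
"""Parse Windows tracert output. Added example, not from the original post.
SAMPLE_TRACERT is abridged from the trace shown in the post (hop numbers kept)."""
import re

SAMPLE_TRACERT = """\
Tracing route to 64-121-79-185.c3-0.tlg-ubr2.atw-tlg.pa.cable.rcn.com [64.121.79.185]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2    41 ms     2 ms     1 ms  192.168.0.1
  3    13 ms    22 ms    52 ms  10.42.0.1
  4    35 ms   254 ms    68 ms  tge0-9-0-25.vnnzca2402h.socal.rr.com [76.167.27.125]
 11   116 ms    84 ms   239 ms  ae-11-11.bar2.Philadelphia1.Level3.net [4.69.153.90]
 12    88 ms    92 ms    84 ms  RCN-CORPORA.bar2.Philadelphia1.Level3.net [4.30.46.34]
 13    84 ms   101 ms    95 ms  port-chan2.tlg-ubr2.atw-tlg.pa.cable.rcn.net [208.59.252.43]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.

Trace complete.
"""

TARGET_RE = re.compile(r"^Tracing route to (?P<name>\S+) \[(?P<ip>[^\]]+)\]", re.MULTILINE)
RTT = r"(\*|<?\d+ ms)"                     # a probe result: '41 ms', '<1 ms' or '*'
HOP_RE = re.compile(rf"^\s*(?P<hop>\d+)\s+(?P<r1>{RTT})\s+(?P<r2>{RTT})\s+(?P<r3>{RTT})\s+(?P<target>.+?)\s*$")
NAME_IP_RE = re.compile(r"^(?P<name>\S+)\s+\[(?P<ip>[^\]]+)\]$")   # 'host [ip]' form
TIMEOUT = "Request timed out."


def _rtt(token):
    """'41 ms' -> 41, '<1 ms' -> 1, '*' -> None (no reply to that probe)."""
    return None if token == "*" else int(token.strip("< ms"))


def trace_target(text):
    """(name, ip) from the 'Tracing route to ...' header, or None."""
    m = TARGET_RE.search(text)
    return (m["name"], m["ip"]) if m else None


def parse_tracert(text):
    """One dict per hop: number, the three RTTs, reverse-DNS name (if any) and IP (if any)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        host = ip = None
        if m["target"] != TIMEOUT:
            named = NAME_IP_RE.match(m["target"])
            host, ip = (named["name"], named["ip"]) if named else (None, m["target"])
        hops.append({"hop": int(m["hop"]),
                     "rtts": [_rtt(m[k]) for k in ("r1", "r2", "r3")],
                     "host": host, "ip": ip})
    return hops


def last_responding_hop(hops):
    """The final router that replied: the closest point to the target the trace can see."""
    answered = [h for h in hops if h["ip"] is not None]
    return answered[-1] if answered else None


def trailing_timeouts(hops):
    """How many hops at the end of the trace gave no reply at all."""
    count = 0
    for h in reversed(hops):
        if h["ip"] is not None:
            break
        count += 1
    return count


def domains_along_path(hops):
    """The last two labels of each named hop, in order of first appearance:
    a rough list of the network operators the packets crossed."""
    seen = []
    for h in hops:
        if h["host"]:
            domain = ".".join(h["host"].split(".")[-2:])
            if domain not in seen:
                seen.append(domain)
    return seen


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    last = last_responding_hop(hops)
    print("target:", trace_target(SAMPLE_TRACERT))
    print(f"last responder: hop {last['hop']} {last['host']} [{last['ip']}]")
    print("operators on path:", domains_along_path(hops))
    print("unanswered hops at the end:", trailing_timeouts(hops))
```

Hops with a private address and no name (192.168.0.1, 10.42.0.1) are the local router and the coffee-shop network; the named hops are the ISP and transit backbone, which is why reading city names out of router hostnames (‘Philadelphia1’) says where the packets were handed off, not where the far-end subscriber lives.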

This is where a little social engineering comes in. I have absolutely no doubt that this remote user’s IP is given to them through RCN.NET. So I go to the web site for RCN.Net, and luck out and see it forwards to RCN.COM, where I click on the ‘contact us’ link. I see the phone number – 1-800-746-4726, so I need ammunition.

My cover story when I call this number is that I am a lawyer in the state of California representing MGM Studios and an IP on RCN’s network is sharing intellectual property which belongs to MGM. We’re going to pursue legal action against the individual in question, so if RCN does not want to be held liable, they are obligated under the DMCA (full text available here: https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act ) to release this client’s private information – including their home number and address, or face legal action themselves in federal court.

19 times out of 20, this will result in the divulgence of the client’s information.

From there, I now have both the current address on the internet of this remote system connected to me, as well as a physical address. Typically, the internet address is somewhat static, so I can then leverage social engineering to find out information about the users located at this billing address to find out likes, dislikes, and determine likely candidates for their passwords. I can do a name search to find out where they’ve lived and aliases. I can look up property they have on public records. I can pretend to be them and order records to my address, which in one of those records is sure to be an obscured version of their social security number. And from there, I can order credit cards and whatnot using their name and identity.

But that’s not me. I prefer leveraging tools like nMap (available here: https://nmap.org/download.html), to obtain vulnerabilities in their computer.

But leveraging their name, I can then obtain emails, and then leverage email and their social network pretending I am one of their friends and send them something like a cute powerpoint slideshow of kittens to open a program written in something called VBA or leveraging a zero day overflow exploit to execute a programmed back door for me to gain access to their system which then lets me directly connect to their system and do what I want wherever I am in the world.

But that’s all way beyond this basic lesson in network communications.

The internet’s not a scary place.

But no matter who you are. No matter where you are in the world.

I consider the information in this article the very basics of network communications that each and every one of you SHOULD know to keep yourself and your identity safe on the internet, and to help official investigations into corporations, agencies, and individuals who may be leveraging your computer and computer resources against your will.

Whether you’re in Marketing. Or a musician leveraging the internet to sell your music. Whether you’re leading a company. Or you are the President.

Knowing THIS basic communication and diagnostic information about your system is crucial to safeguarding you and your identity, and to not having to pay extortive fees to mafia-like ‘protection services’ such as McAfee and Norton to keep you safe, when they are largely the ones creating the very same exploits they claim to be protecting you from.