My internet leverages TCP/IP and UDP for the vast majority of its communication.
All internet communication occurs through an IP address that’s assigned to your machine when it connects to the internet and a specific numeric port based on the specific type of conversation which is to occur.
All web sites, for instance, occur through HTTP conversations which are reserved for port 80, unless it’s secure, in which case it occurs over port 443.
Sometimes you might download files through something called FTP, these conversations all initialize through port 21, and the download occurs through port 20.
If you attempt to establish an HTTP conversation with another computer over say a FTP port – port 20 for instance, you will receive an error or no response.
All the different types of currently publicly documented internet conversations that can occur and all internet communication is technically written about here: https://tools.ietf.org/rfc/index, and if you search for what happens when your browser communicates with web pages communication via HTTP you will find out about how that occurs through RFC 1945 here: https://tools.ietf.org/html/rfc1945.
These RFCs are not designated by port, which makes it tough to find out which RFC applies to which port. So an easy way to find out what RFC applies to what port is to open up windows explorer (NOT Internet explorer). This can be accessed by clicking on your start menu, computer. Then browse to the folder ‘c:\windows\system32\drivers\etc. Once there, you should see the file ‘services’, open this file with notepad. Use CTRL+F to start a search, and type in ‘http’, this should result in this:
# <service name> <port number>/<protocol> [aliases…] [#<comment>]
http 80/tcp www www-http #World Wide Web
As you can see, http is the protocol for port 80, which we can then leverage the RFC 1945 to review the details of what that conversation looks like.
When you connect to a web site via your internet / web browser, say http://www.microsoft.com, a translation occurs to translate that name into a numerical address in the form of (0-255).(0-255).(0-255).(0-255).
This translation is called a Domain Name Service lookup, or DNS lookup for short, and can be done at the command line of any windows machine by going to the ‘START’ menu, selecting ‘RUN’, typing in ‘CMD’, and once that command window opens up, type ‘nslookup www.google.com’ which will result in a response which says ‘Non-Authoritative answer: followed by an address, mine is reporting 220.127.116.11. If you open up your browser, you can then take that number and plug it into your web browser’s address bar instead of www.google.com and it should go right to Google’s web site.
Here’s a text dump of the lookup using nslookup on my computer:
You can exit nslookup by typing ‘exit’.
While at the command line you can find out what your computer’s address is.
While at the ‘command line’ you can type ‘ipconfig’, and next to the line ‘IPV4 Address is a number, us technically inclined peeps refer to this as an IP, and mine is 172.31.99.229.
You can see the ‘dump’ of my network configuration, here, as I leverage the command ‘ipconfig’ to look up my local computer’s address:
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::f12b:d561:e71b:f3f%10
IPv4 Address. . . . . . . . . . . : 172.31.99.229
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 172.31.98.1
In a general sense it is not safe to share your IPs with others, but if you’re on a public WIGI as I am at Starbuck’s and my IP changes on a daily basis every time I reconnect, which I do something called ‘release’ my dynamically allocated IP on a daily basis to avoid tracking, I become very hard target to be trace or have my IP leveraged against me.
It is helpful to understand when someone is communication with your computer. Whenever a TCP conversation is started or is occurring with your computer, a list of all the active conversations that are occurring can be retrieved at the command line by typing in ‘netstat’ at the command line, to ALSO retrieve a list of what conversations CAN OCCUR you add ‘netstat –a’ (the ‘-a’ stands for all).
Hitting ‘enter’ after typing ‘netstat –a’ provides a list of ALL conversations, I will show you what I get when I type this command in…
But first: I have a LOT going on with my system right now, so I’m going to show you a complete dump of all the conversations going on with my computer right now.
There’s a lot here, it’s not necessary to understand it all, just pay attention to the column headers, I will explain what each is after this.
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 QContinuum:0 LISTENING
TCP 0.0.0.0:445 QContinuum:0 LISTENING
TCP 0.0.0.0:1025 QContinuum:0 LISTENING
TCP 0.0.0.0:1026 QContinuum:0 LISTENING
TCP 0.0.0.0:1027 QContinuum:0 LISTENING
TCP 0.0.0.0:1028 QContinuum:0 LISTENING
TCP 0.0.0.0:1029 QContinuum:0 LISTENING
TCP 0.0.0.0:1030 QContinuum:0 LISTENING
TCP 0.0.0.0:1433 QContinuum:0 LISTENING
TCP 0.0.0.0:2383 QContinuum:0 LISTENING
TCP 0.0.0.0:64760 QContinuum:0 LISTENING
TCP 127.0.0.1:1434 QContinuum:0 LISTENING
TCP 127.0.0.1:2172 ads:2173 ESTABLISHED
TCP 127.0.0.1:2173 ads:2172 ESTABLISHED
TCP 172.31.99.229:139 QContinuum:0 LISTENING
TCP 172.31.99.229:21362 pg-in-f189:https ESTABLISHED
TCP 172.31.99.229:29362 64-121-79-185:64704 ESTABLISHED
TCP 172.31.99.229:29536 a184-28-188-114:http CLOSE_WAIT
TCP 172.31.99.229:29549 pg-in-f121:http CLOSE_WAIT
TCP 172.31.99.229:29557 vulcan:http CLOSE_WAIT
TCP 172.31.99.229:29566 li98-146:http CLOSE_WAIT
TCP 172.31.99.229:29567 nuq04s29-in-f14:http CLOSE_WAIT
TCP 172.31.99.229:29580 pg-in-f121:http CLOSE_WAIT
TCP 172.31.99.229:29587 pg-in-f121:http CLOSE_WAIT
TCP 172.31.99.229:29612 nuq04s29-in-f14:http CLOSE_WAIT
TCP 172.31.99.229:30321 pf-in-f108:imaps ESTABLISHED
TCP 172.31.99.229:32225 ip174-70-133-218:8999 ESTABLISHED
TCP 172.31.99.229:33520 co128ds:https ESTABLISHED
TCP 172.31.99.229:36167 18.104.22.168:49567 ESTABLISHED
TCP 172.31.99.229:36443 169-0-99-212:25606 LAST_ACK
TCP 172.31.99.229:36597 ns3017551:62377 ESTABLISHED
TCP 172.31.99.229:36630 22.214.171.124:56257 ESTABLISHED
TCP 172.31.99.229:36646 126.96.36.199:32022 FIN_WAIT_1
TCP 172.31.99.229:36664 dynamic-cpe-pool:56847 LAST_ACK
TCP 172.31.99.229:36728 cable-41-220-104-84:53319 ESTABLISHED
TCP 172.31.99.229:36747 dynamic-adsl-84-223-34-214:43048 LAST_ACK
TCP 172.31.99.229:36762 027b99a1:12915 LAST_ACK
TCP 172.31.99.229:36829 103-230-23-242:26089 FIN_WAIT_2
TCP 172.31.99.229:36878 188.8.131.52:52962 TIME_WAIT
TCP 172.31.99.229:36882 46-129-102-4:9346 SYN_SENT
TCP 172.31.99.229:36883 184.108.40.206:26089 SYN_SENT
TCP 172.31.99.229:36884 220.127.116.11:64321 SYN_SENT
TCP 172.31.99.229:36887 18.104.22.168:11438 SYN_SENT
TCP 172.31.99.229:36888 22.214.171.124:23684 SYN_SENT
TCP 172.31.99.229:36889 c-24-147-127-224:45563 SYN_SENT
TCP 172.31.99.229:36890 126.96.36.199:54918 SYN_SENT
TCP 172.31.99.229:36893 188.8.131.52:57626 SYN_SENT
TCP 172.31.99.229:36896 abts-north-dynamic-239:19639 SYN_SENT
TCP 172.31.99.229:36897 184.108.40.206:37984 SYN_SENT
TCP 172.31.99.229:36899 220.127.116.11:64748 SYN_SENT
TCP 172.31.99.229:36900 18.104.22.168:49814 SYN_SENT
TCP 172.31.99.229:36902 22.214.171.124:18457 SYN_SENT
TCP 172.31.99.229:36903 cpe-109-60-69-89:28512 SYN_SENT
TCP 172.31.99.229:36904 126.96.36.199:64691 TIME_WAIT
TCP 172.31.99.229:36906 ip-89-102-185-181:26562 SYN_SENT
TCP 172.31.99.229:36907 c213-89-138-108:8500 SYN_SENT
TCP 172.31.99.229:36910 host86-190-254-50:11608 SYN_SENT
TCP 172.31.99.229:36911 234:11926 SYN_SENT
TCP 172.31.99.229:36916 104-51-101-10:61992 SYN_SENT
TCP 172.31.99.229:36917 188.8.131.52:15870 SYN_SENT
TCP 172.31.99.229:36918 ip4daac87e:24874 SYN_SENT
TCP 172.31.99.229:36919 dsl:15862 SYN_SENT
TCP 172.31.99.229:36921 32:56458 SYN_SENT
TCP 172.31.99.229:36923 109:34473 SYN_SENT
TCP 172.31.99.229:36924 093105179134:51413 SYN_SENT
TCP 172.31.99.229:36927 S0106002401749804:9134 SYN_SENT
TCP 172.31.99.229:36929 mtl93-3-82-225-166-117:55897 SYN_SENT
TCP 172.31.99.229:36930 135-23-41-162:37560 SYN_SENT
TCP 172.31.99.229:36931 pool-184-17-229-251:40583 SYN_SENT
TCP 172.31.99.229:36932 184.108.40.206:21137 SYN_SENT
TCP 172.31.99.229:36933 220.127.116.11:13101 SYN_SENT
TCP 172.31.99.229:36935 18.104.22.168:9750 SYN_SENT
TCP 172.31.99.229:36936 cable-94-189-146-37:59696 LAST_ACK
TCP 172.31.99.229:36937 modemcable028:55799 SYN_SENT
TCP 172.31.99.229:36938 cpe-98-25-11-104:61000 SYN_SENT
TCP 172.31.99.229:36939 athedsl-262720:15322 SYN_SENT
TCP 172.31.99.229:36941 ip-31-205-35-150:45058 SYN_SENT
TCP 172.31.99.229:36945 22.214.171.124:27501 SYN_SENT
TCP 172.31.99.229:36946 bl21-236-248:61466 SYN_SENT
TCP 172.31.99.229:36947 126.96.36.199:2085 SYN_SENT
TCP 172.31.99.229:36949 ip-80-209:54373 SYN_SENT
TCP 172.31.99.229:36950 89-180-181-40:1186 SYN_SENT
TCP 172.31.99.229:36951 triband-mum-120:27718 SYN_SENT
TCP 172.31.99.229:36952 188.8.131.52:46571 SYN_SENT
TCP 172.31.99.229:36956 184.108.40.206:3187 SYN_SENT
TCP 172.31.99.229:36960 5:60240 SYN_SENT
TCP 172.31.99.229:36963 220.127.116.11:41162 SYN_SENT
TCP 172.31.99.229:36964 18.104.22.168:19362 SYN_SENT
TCP 172.31.99.229:36966 ppp046176011016:61951 SYN_SENT
TCP 172.31.99.229:36967 27-32-67-173:40638 SYN_SENT
TCP 172.31.99.229:36969 TSB-BR01-41-182-196-225:10309 SYN_SENT
TCP 172.31.99.229:36972 178-220-245-94:10735 ESTABLISHED
TCP 172.31.99.229:36974 89-66-104-249:13643 SYN_SENT
TCP 172.31.99.229:36977 c-2f9ce555:57952 SYN_SENT
TCP 172.31.99.229:36978 156-32-18-190:15825 SYN_SENT
TCP 172.31.99.229:36979 c-24-127-251-112:12825 SYN_SENT
TCP 172.31.99.229:36981 22.214.171.124:62365 SYN_SENT
TCP 172.31.99.229:36982 14-201-164-106:42657 ESTABLISHED
TCP 172.31.99.229:36985 99-85-97-57:6881 SYN_SENT
TCP 172.31.99.229:36986 144:11610 SYN_SENT
TCP 172.31.99.229:36987 AReims-652-1-236-70:45682 ESTABLISHED
TCP 172.31.99.229:36988 109-93-101-208:25963 ESTABLISHED
TCP 172.31.99.229:36990 host-41:17040 ESTABLISHED
TCP 172.31.99.229:36991 126.96.36.199:10952 SYN_SENT
TCP 172.31.99.229:36992 host721680017145:57595 SYN_SENT
TCP 172.31.99.229:36994 ip-193-24-244-2:38659 SYN_SENT
TCP [::]:135 QContinuum:0 LISTENING
TCP [::]:445 QContinuum:0 LISTENING
TCP [::]:1025 QContinuum:0 LISTENING
TCP [::]:1026 QContinuum:0 LISTENING
TCP [::]:1027 QContinuum:0 LISTENING
TCP [::]:1028 QContinuum:0 LISTENING
TCP [::]:1030 QContinuum:0 LISTENING
TCP [::]:1433 QContinuum:0 LISTENING
TCP [::]:2383 QContinuum:0 LISTENING
TCP [::]:64760 QContinuum:0 LISTENING
TCP [::1]:1434 QContinuum:0 LISTENING
UDP 0.0.0.0:64760 *:*
UDP 172.31.99.229:137 *:*
UDP 172.31.99.229:138 *:*
UDP [::]:64760 *:*
To review the information, Proto means “protocol”, which is the port in operation – where I can determine the conversation/
“local address” should generally be one of four things, 127.0.0.1 or 0.0.0.0 which is a reference to the local system – this is called a loopback, we also see 172.31.99.229 which is what I looked up before and learned was the current address assigned to make this computer accessible to the internet and finally there’s [::] which means ‘all network interfaces’ – meaning ANY network adapter on this computer can be referenced on this port. With the ‘any’ option, this is particularly valuable for computers which have multiple network adapters, which is not uncommon for servers but not common for home machines.
“Foreign Address” is the remote machine I am connected to on the internet. Since I am active in the torrent community, I have numerous ‘high port’ connections being made (21000+) which aren’t generally going to be listed in services. I will outline the value in this in a moment.
And finally, there’s the “State” – which outlines the current connection state of the machine. If my computer is ‘awaiting a connection’, which means I have an application running in windows which is waiting for a connection to establish to it, then I will see ‘listening’ on the state and a ‘*.*’ for the foreign address. If the connection is ongoing and data is being transferred between my computer and a remote computer, then I will see ‘ESTABLISHED’. If the connection is in the process of closing, I will generally see ‘CLOSE_WAIT’, and if it’s been a long time since a response has been received, the connection between my machine and another will naturally drop off and I will see ‘TIME_WAIT’ .
So let’s say I suspect someone is messing with my machine remotely.
I will then leverage the ‘remote address’ to track down hackers targeting my machine.
But the above ‘netstat’ command does not provide the right information, how can I track someone down with something named ‘vulcan’? Additionally, it would be nice to know which processes on my system are accepting remote connections or have them established.
So what I do is run this command at the command line ‘netstat –a –b –n -o’
As stated before, the ‘-a’ option will retrieve every connection open OR currently available on this computer. The ‘-b’ option will show the process/application that is leveraging this line’s communication ‘channel’. And the ‘-n’ puts the names of the foreign connections in the easier to use numeric formats. Finally, the ‘-o’ option shows a process id. The process ID is invaluable for tracing down ‘hidden’ applications that might leverage methods to hide the name of the application from you.
Here’s what I have running on this computer.
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 704
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 428
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 808
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 888
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING 1184
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING 516
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 1576
TCP 0.0.0.0:2383 0.0.0.0:0 LISTENING 1712
TCP 0.0.0.0:64760 0.0.0.0:0 LISTENING 2744
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 1576
TCP 127.0.0.1:2172 127.0.0.1:2173 ESTABLISHED 1108
TCP 127.0.0.1:2173 127.0.0.1:2172 ESTABLISHED 1108
TCP 172.31.99.229:139 0.0.0.0:0 LISTENING 4
Can not obtain ownership information
TCP 172.31.99.229:37418 188.8.131.52:993 ESTABLISHED 2740
TCP 172.31.99.229:41685 184.108.40.206:443 ESTABLISHED 1108
TCP 172.31.99.229:47121 220.127.116.11:64704 ESTABLISHED 2744
TCP 172.31.99.229:49697 18.104.22.168:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49704 22.214.171.124:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49757 126.96.36.199:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49802 188.8.131.52:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49803 184.108.40.206:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49804 220.127.116.11:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49819 18.104.22.168:80 CLOSE_WAIT 2740
TCP 172.31.99.229:49853 22.214.171.124:80 CLOSE_WAIT 2740
TCP 172.31.99.229:50612 126.96.36.199:6881 ESTABLISHED 2744
TCP 172.31.99.229:51571 188.8.131.52:60075 TIME_WAIT 0
TCP 172.31.99.229:51732 184.108.40.206:55284 ESTABLISHED 2744
TCP 172.31.99.229:51735 220.127.116.11:8999 ESTABLISHED 2744
TCP 172.31.99.229:52526 18.104.22.168:17186 ESTABLISHED 2744
TCP 172.31.99.229:52625 22.214.171.124:31165 FIN_WAIT_1 2744
TCP 172.31.99.229:52907 126.96.36.199:8999 ESTABLISHED 2744
TCP 172.31.99.229:52909 188.8.131.52:443 ESTABLISHED 2740
TCP 172.31.99.229:53035 184.108.40.206:49538 ESTABLISHED 2744
TCP 172.31.99.229:53067 220.127.116.11:53362 FIN_WAIT_2 2744
TCP 172.31.99.229:53147 18.104.22.168:8999 ESTABLISHED 2744
TCP 172.31.99.229:53179 22.214.171.124:8999 FIN_WAIT_1 2744
TCP 172.31.99.229:53200 126.96.36.199:20271 FIN_WAIT_2 2744
TCP 172.31.99.229:53271 188.8.131.52:16541 ESTABLISHED 2744
TCP 172.31.99.229:53297 184.108.40.206:63005 FIN_WAIT_2 2744
TCP 172.31.99.229:53320 220.127.116.11:30005 LAST_ACK 2744
TCP 172.31.99.229:53327 18.104.22.168:53319 ESTABLISHED 2744
TCP 172.31.99.229:53343 22.214.171.124:6881 TIME_WAIT 0
TCP 172.31.99.229:53353 126.96.36.199:21559 SYN_SENT 2744
TCP 172.31.99.229:53356 188.8.131.52:48506 SYN_SENT 2744
TCP 172.31.99.229:53357 184.108.40.206:48349 SYN_SENT 2744
TCP 172.31.99.229:53362 220.127.116.11:20793 SYN_SENT 2744
TCP 172.31.99.229:53363 18.104.22.168:60020 ESTABLISHED 2744
TCP 172.31.99.229:53365 22.214.171.124:15021 SYN_SENT 2744
TCP 172.31.99.229:53367 126.96.36.199:26792 TIME_WAIT 0
TCP 172.31.99.229:53368 188.8.131.52:24200 SYN_SENT 2744
TCP 172.31.99.229:53372 184.108.40.206:1 SYN_SENT 2744
TCP 172.31.99.229:53373 220.127.116.11:45070 SYN_SENT 2744
TCP 172.31.99.229:53376 18.104.22.168:10273 SYN_SENT 2744
TCP 172.31.99.229:53379 22.214.171.124:13936 SYN_SENT 2744
TCP 172.31.99.229:53381 126.96.36.199:58422 SYN_SENT 2744
TCP 172.31.99.229:53383 188.8.131.52:13156 SYN_SENT 2744
TCP 172.31.99.229:53385 184.108.40.206:42012 SYN_SENT 2744
TCP 172.31.99.229:53390 220.127.116.11:38470 SYN_SENT 2744
TCP 172.31.99.229:53391 18.104.22.168:58564 SYN_SENT 2744
TCP 172.31.99.229:53394 22.214.171.124:20990 SYN_SENT 2744
TCP 172.31.99.229:53395 126.96.36.199:19976 SYN_SENT 2744
TCP 172.31.99.229:53398 188.8.131.52:29281 SYN_SENT 2744
TCP 172.31.99.229:53403 184.108.40.206:44028 SYN_SENT 2744
TCP 172.31.99.229:53405 220.127.116.11:49961 SYN_SENT 2744
TCP 172.31.99.229:53407 18.104.22.168:9551 SYN_SENT 2744
TCP 172.31.99.229:53408 22.214.171.124:12680 SYN_SENT 2744
TCP 172.31.99.229:53411 126.96.36.199:23346 SYN_SENT 2744
TCP 172.31.99.229:53416 188.8.131.52:35436 SYN_SENT 2744
TCP 172.31.99.229:53417 184.108.40.206:30966 SYN_SENT 2744
TCP 172.31.99.229:53418 220.127.116.11:45793 SYN_SENT 2744
TCP 172.31.99.229:53425 18.104.22.168:61293 SYN_SENT 2744
TCP 172.31.99.229:53426 22.214.171.124:33282 SYN_SENT 2744
TCP 172.31.99.229:53431 126.96.36.199:54751 SYN_SENT 2744
TCP 172.31.99.229:53432 188.8.131.52:4966 SYN_SENT 2744
TCP 172.31.99.229:53433 184.108.40.206:1024 SYN_SENT 2744
TCP 172.31.99.229:53435 220.127.116.11:21339 SYN_SENT 2744
TCP 172.31.99.229:53436 18.104.22.168:49293 SYN_SENT 2744
TCP 172.31.99.229:53439 22.214.171.124:59051 SYN_SENT 2744
TCP 172.31.99.229:53443 126.96.36.199:27855 SYN_SENT 2744
TCP 172.31.99.229:53444 188.8.131.52:42357 SYN_SENT 2744
TCP 172.31.99.229:53445 184.108.40.206:1024 SYN_SENT 2744
TCP 172.31.99.229:53455 220.127.116.11:56017 TIME_WAIT 0
TCP 172.31.99.229:53456 18.104.22.168:38346 SYN_SENT 2744
TCP 172.31.99.229:53457 22.214.171.124:12800 SYN_SENT 2744
TCP 172.31.99.229:53460 126.96.36.199:16005 SYN_SENT 2744
TCP 172.31.99.229:53461 188.8.131.52:21015 SYN_SENT 2744
TCP 172.31.99.229:53462 184.108.40.206:34258 SYN_SENT 2744
TCP 172.31.99.229:53463 220.127.116.11:10705 SYN_SENT 2744
TCP 172.31.99.229:53464 18.104.22.168:26396 SYN_SENT 2744
TCP 172.31.99.229:53465 22.214.171.124:12706 SYN_SENT 2744
TCP 172.31.99.229:53466 126.96.36.199:25323 SYN_SENT 2744
TCP [::]:135 [::]:0 LISTENING 704
TCP [::]:445 [::]:0 LISTENING 4
Can not obtain ownership information
TCP [::]:1025 [::]:0 LISTENING 428
TCP [::]:1026 [::]:0 LISTENING 808
TCP [::]:1027 [::]:0 LISTENING 532
TCP [::]:1028 [::]:0 LISTENING 888
TCP [::]:1030 [::]:0 LISTENING 516
TCP [::]:1433 [::]:0 LISTENING 1576
TCP [::]:2383 [::]:0 LISTENING 1712
TCP [::]:64760 [::]:0 LISTENING 2744
TCP [::1]:1434 [::]:0 LISTENING 1576
TCP [fe80::f12b:d561:e71b:f3f%10]:53450 [fe80::dabb:2cff:feb9:bb26%10]:10507 SYN_SENT 2744
UDP 0.0.0.0:64760 *:* 2744
UDP 172.31.99.229:137 *:* 4
Can not obtain ownership information
UDP 172.31.99.229:138 *:* 4
Can not obtain ownership information
UDP [::]:64760 *:* 2744
As you can see, there are a LOT of applications which say ‘Can not obtain ownership information’. Normally, these should be of concern.
For me, I don’t run virus protection, and am fine with hackers getting on my machines, I learned through hacking, and if you don’t screw with me by slowing my machine down or making my life difficult, then I am fine with you hacking me and pulling things from my computer.
However. IF you screw with me and cause me or my property harm. That means pegging my CPU with a process you run. That means causing any harm to my computer or data. Then I’ll hunt you down and send you a message in my own way to deter any further attempts on my part in my own unique ways. This can include dramatic action such as taking your computer system and potentially even your network down entirely and permanently, It can also include the use of your identity in ways that will fit the crime. It can also include loading a custom virus on your machine I create just for you. It can also mean I simply play a practical joke on you if your offense is deemed respectfully intrusive. It depends on my mood.
One method I leverage to locate computers connected to mine is through the foreign address.
Take a look at the first utorrent line returned, let’s say I just want to locate peers who I am connected to.
Here’s the line I am looking at:
TCP 172.31.99.229:47121 188.8.131.52:64704 ESTABLISHED 2744 [uTorrent.exe]
With this line, we have a remote address my computer is currently connected to at 184.108.40.206. There’s an awesome web site utility called iplocator on the internet which might give me general locational information of the remote location at geobytes, here: http://geobytes.com/iplocator/
With this, I learn the IP of this computer sharing movies, video games, or tv shows with me is located in Boston, Massachusetts and the latitude of this connection is at 42.353500 and longitude of this connection on the globe is at -71.062698.
But this isn’t enough information, is it? If I wanted to drop a nuclear bomb on the person connected to me, Boston’s a big city and has a lot of suburbs to it.
With this, I drop to the command line, again and run this command ‘tracert 220.127.116.11’ – which will show me a precise route on how to get to the location of the connected computer.
The results of running this command is:
Tracing route to 64-121-79-185.c3-0.tlg-ubr2.atw-tlg.pa.cable.rcn.com [18.104.22.168] over a maximum of 30 hops:
1 * * * Request timed out.
2 41 ms 2 ms 1 ms 192.168.0.1
3 13 ms 22 ms 52 ms 10.42.0.1
4 35 ms 254 ms 68 ms tge0-9-0-25.vnnzca2402h.socal.rr.com [22.214.171.124]
5 56 ms 14 ms 11 ms agg11.vnnycajz02r.socal.rr.com [126.96.36.199]
6 30 ms 33 ms 23 ms agg29.tustcaft01r.socal.rr.com [188.8.131.52]
7 15 ms 23 ms 31 ms bu-ether16.tustca4200w-bcr00.tbone.rr.com [184.108.40.206]
8 14 ms 21 ms 16 ms bu-ether14.lsancarc0yw-bcr00.tbone.rr.com [220.127.116.11]
9 17 ms 75 ms 15 ms 0.ae4.pr0.lax00.tbone.rr.com [18.104.22.168]
10 54 ms 26 ms 18 ms 22.214.171.124
11 116 ms 84 ms 239 ms ae-11-11.bar2.Philadelphia1.Level3.net [126.96.36.199]
12 88 ms 92 ms 84 ms RCN-CORPORA.bar2.Philadelphia1.Level3.net [188.8.131.52]
13 84 ms 101 ms 95 ms port-chan2.tlg-ubr2.atw-tlg.pa.cable.rcn.net [184.108.40.206]
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
So with this command being run, I have just seen that the remote user may NOT be in Boston after all, and may actually be in Philadelphia. So now we need two nuclear bombs to nail him, her or it, but that has no guarantee still.
This is where a little social engineering comes in. I have absolutely no doubt that this remote user’s IP is given to them through RCN.NET. So I go to the web site for RCN.Net, an luck out and see it forwards to RCN.COM where I click on the ‘contact us’ link. I see the phone number – 1-800-746-4726, so I need ammunition.
My cover story when I call this number is that I am a lawyer in the state of California representing MGM Studios and an IP on RCN’s network is sharing intellectual property which belongs to MGM. We’re going to pursue legal action against the individual in question, so if RCN does not want to be held liable, they are obligated under the DMCA (full text available here: https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act ) to release this client’s private information – including their home number and address, or face legal action themselves in federal court.
19 times out of 20, this will result in the divulgence of the client’s information.
From there, I now have both the current address on the internet of this remote system connected to me, as well as a physical address. Typically, the internet address is somewhat static, so I can then leverage social engineering to find out information about the users located at this billing address to find out likes, dislikes, and determine likely candidates for their passwords. I can do a name search to find out where they’ve lived and aliases. I can look up property they have on public records. I can pretend to be them and order records to my address, which in one of those records is sure to be an obscured version of their social security number. And from there, I can order credit cards and whatnot using their name and identity.
But that’s not me. I prefer leveraging tools like nMap (available here: https://nmap.org/download.html), to obtain vulnerabilities in their computer.
But leveraging their name, I can then obtain emails, and then leverage email and their social network pretending I am one of their friends and send them something like a cute powerpoint slideshow of kittens to open a program written in something called VBA or leveraging a zero day overflow exploit to execute a programmed back door for me to gain access to their system which then lets me directly connect to their system and do what I want wherever I am in the world.
But that’s all way beyond this basic lesson in network communications.
The internet’s not a scary place.
But no matter who you are. No matter where you are in the world.
I consider the information in this article the very very basic in network communications that each and every one of you SHOULD know to keep yourself and your identity safe on the internet, and how to help official investigation into corporations, agencies, and individuals who may be leveraging your computer and computer resources against your will.
Whether you’re in Marketing. Or a musician leveraging the internet to sell your music. Whether you’re leading a company. Or you are the President.
Knowing THIS basic communication and diagnostic information on your system is crucial to safeguarding you and your identity and not having to pay extortive fees to mafia like ‘protection services’ such as McAfee’s and Norton’s to keep you safe when they are largely the ones creating the very same exploits they claim to be protecting you from.