Setup netcat to listen (the machine receiving the data)

• Command: nc -v -l -p 10000 > command.txt
• Notes: -p is the port that you are opening up to receive the data. You can name the text file anything you want (usually wise to name it something descriptive).

Run a command on the sending machine

• Command: command | nc receiving_machine_ip_address 10000
• When the transfer is complete, kill the command using Ctrl-c

• The System Date and Time
• Current Network Connects
• Open TCP or UDP Ports
• Which Executables Are Opening TCP or UDP Ports
• Cached NetBIOS Name Table
• Users Currently Logged On
• The Internal Routing Table
• Running Processes
• Running Services
• Scheduled Jobs
• Open Files
• Process Memory Dumps

The System Date and Time

Check this to keep the machine time in sync with logs and trusted NTP server.

Windows Commands:

• date
• time

Linux/Unix Command:

• date

Current Network Configuration

Check this to see if an attacker is currently connected or running a brute force attack against the internet. Note that port assignments can be checked at www.portsdb.org.

Windows/Linux/Unix Command:

• netstat -an (Note that the -an flag specifies to check all network connections)

Open TCP or UDP Ports

Check for rogue ports that were not opened by the system. A suspiciously open port can be the sign of a back door created by an attacker. Note that port assignments can be checked at www.portsdb.org.

Windows Command:

• netstat -an

Linux/Unix Command;

• netstat -anp (the p shows the process number that opened the port)

Executables Opening TCP or UDP Ports

Using a tool called FPort distributed from www.foundstone.com, scan which executables are using ports. Compare the list to the list of questionable ports you gathered while running netcat. Research which process are system processes and which are suspicious.

Windows Command:

• FPort

Linux/Unix Command:

• lsof (adding -n command lengthens the output)

Cached NetBIOS Name Tables (Windows only)

Checking the NetBIOS Name Table cache will show the NetBIOS name or IP address of recently connected machines.

Windows Command:

• nbtstat -c (the -c switch instructs nbtstat to dump the cache)

Users Currently Logged On (Windows only)

Using the PSLoggedOn tool in the PSTools suite distributed at www.sysinternals.com you can see who is currently logged into your system. This would catch anybody that is connected remotely.

Windows Command:

• psloggedon

The Internal Routing Table

Checking the Routing Table will identify instances where an attacker is routing his connection to avoid a firewall or gain access from a machine with greater access.

Windows/Linux/Unix Command:

• netstat -rn

Running Processes

Using the pslist tool to check which processes are running will show which processes have been run by an attacker. The elapsed time will help indicate which processes were launched by the system and which were launched by an attacker.

Windows Command:

• pslist

Linux/Unix Command:

• ps -aux

Running Services (Windows only)

Using the PSService tool you can examine the services running on the target machine. Finding a rogue service can be valuable since attackers can run executables from them.

Windows Command:

• psservice

Scheduled Jobs

Attackers can schedule jobs to do things while they are not even there.

Windows Command:

• at

Linux/Unix Command:

• cron

Open Files

The PSfile tool will check for any files opened remotely on the machine. This will help determine more information about the attack.

Windows Command:

• psfile

Linux/Unix Command:

• lsof

Process Memory Dumps (Windows only)

Running process memory dumps and using tools to inspect the data will help gain additional information about the attacker and their intent. This is extensive and requires a large knowledge base to know what to look for.

Windows Command/Tool:

• userdump.exe (provided by Microsoft)

Full System Memory Dumps (Windows only)

Using the dd tool you can dump the entire memory of the target computer. It is wise to map a drive to a remote machine so that you do not overwrite valuable data.

Windows Command/Tools:

• dd

Loaded Kernel Modules (Linux/Unix only)

This command unloads the kernel modules so that you can inspect for items that are not system related.

Linux/Unix Command:

• lsmod

Mounted File Systems (Linux/Unix only)

These commands check for mounted file systems that are unexpected.

Linux/Unix Command:

• mount
• df