In my InfoSec course assignment, we were given the task to analyze the different communications that were displayed when we run the command netstat -an. While analyzing I saw the following communication: TCP [::]:135 [::]:0 LISTENING, which I have not really encountered before and do not know how to interpret.

I searched for the answer on the web and couldn't find much information related to my specific question.

  • Compare this to some other netstat -an line you know how to analyze. Can you identify any recognizable parts on the mystery line at all?
    – telcoM
    Commented Nov 21, 2024 at 11:38
  • [::] is the IPv6 short form address of the all-zeros host, the IPv4 equivalent of localhost IP Address 127.*.*.*. :135 is a port number.
    – waltinator
    Commented Nov 21, 2024 at 20:47

1 Answer

I'm going to show a few examples of running netstat -an | grep '\<22\>':

Linux:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:22            127.0.0.1:34498         TIME_WAIT  
tcp        0      0 127.0.0.1:22            127.0.0.1:34500         TIME_WAIT  
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 fd39:27f6:6e56:1::60140 fd39:27f6:6e56:3:216:22 TIME_WAIT  
tcp6       0      0 ::1:22                  ::1:40272               TIME_WAIT  
tcp6       0      0 ::1:22                  ::1:40274               TIME_WAIT  

NetBSD:

tcp        0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN

In both cases, I tried running telnet 0.0.0.0 22 and telnet :: 22 a couple times beforehand. NetBSD didn't allow the second, requiring ::1 instead. NetBSD also did not show any of the localhost TIME_WAIT connections, and Linux doesn't show the client side ones.

What this shows:

  • localhost is 127.0.0.1 and ::1.
  • The unspecified address is 0.0.0.0 and ::. A LISTEN may use the unspecified address, but actual connections must use specified addresses. NetBSD displays the unspecified address as "*".
  • Your netstat includes the brackets used for distinguishing the IPv6 address from the port when parsing. (This isn't actually needed unless a port number is optional.)
  • Your netstat modifies the state names from RFC 793. (Is it Windows?)
  • The 22 port number is the one used for ssh.
  • A port number of * or 0 is an unspecified port number.

In your case, the port is 135, and I won't identify that for you.

If you want to look up the assigned service of a port, search /etc/services, or just omit the -n option when running netstat. If you want to know what it means, that can be tougher. If the port is being used for its assigned function, the name and the comments in /etc/services will tell you what it is, and something about it. If the port is being used otherwise... then you have to track down the process. If you are using Linux, you might try adding -p (and maybe running as root) to find the process. Or the lsof command might help. Alternatively, you can start shutting things down until the LISTEN disappears.
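An added example, not part of the answer above: a small Python parser that applies the reading rules listed in the answer (unspecified address, loopback, brackets around IPv6, port of * or 0) to TCP lines from netstat -an. The function names are hypothetical, and it only handles the address forms that appear on this page.

```python
import ipaddress

# Some netstat builds rename the RFC 793 states (LISTENING instead of LISTEN).
STATE_ALIASES = {"LISTENING": "LISTEN"}

def split_endpoint(text):
    """Split one address column into (host, port) strings."""
    if text.startswith("["):               # [::]:135  bracketed IPv6
        host, _, port = text[1:].partition("]:")
        return host, port
    if text.startswith("*."):              # *.22  NetBSD wildcard
        return "*", text[2:]
    host, _, port = text.rpartition(":")   # 0.0.0.0:22, :::22, ::1:22
    return host, port

def classify(host):
    if host == "*":
        return "unspecified"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                     # e.g. an address netstat truncated
        return "unparsed"
    if ip.is_unspecified:
        return "unspecified"
    return "loopback" if ip.is_loopback else "specific"

def parse_line(line):
    """Parse one TCP line; a remote port of * or 0 means there is no peer."""
    fields = line.split()
    local, remote, state = fields[-3:]     # last three columns on every variant
    host, port = split_endpoint(local)
    _, rport = split_endpoint(remote)
    return {
        "proto": fields[0].lower(),
        "local": classify(host),
        "port": port,
        "remote_port": None if rport in ("*", "0") else rport,
        "state": STATE_ALIASES.get(state, state),
    }

# Lines copied from the question and the answer on this page.
SAMPLE = [
    "TCP [::]:135 [::]:0 LISTENING",
    "tcp6       0      0 :::22                   :::*                    LISTEN",
    "tcp6       0      0 ::1:22                  ::1:40272               TIME_WAIT",
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```

A listener whose local address is classified as unspecified accepts connections on every interface, while one classified as loopback is reachable only from the host itself.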
