KALI – How to use Netstat and LSOF to locate open network connections – The Visual Guide
Kali often has several commands that produce identical output.
Routing Tables – identical output
ACTIVE NETWORK CONNECTIONS
If you want to view active network connections, for example because you suspect malware or a trojan, there are three main commands: two netstat invocations and lsof.
netstat -ap = all sockets, with the PID and program name that owns each one
netstat -lp = only listening (server) sockets, with PIDs
-lp omits established client connections, which makes the output far easier to read when you are hunting for an unexpected service. Run both as root: for processes owned by other users, netstat -p shows only “-” in the PID/Program column.
A netstat dupe is “lsof”.
As everything in Unix is a file, including devices and network sockets, “list open files” (lsof) will reveal active network connections for us. lsof is a fabulous command.
List Users for a particular file
If we want to find out who is using SSH, we type lsof followed by the path to the sshd binary.
Here we see that sshd (the SSH server) has the file open: PID 1017, running as user root.
List a Users Open Files
lsof -u root or lsof -u USERNAME (a numeric UID also works)
lsof -u lists open files by user. Root of course has a lot of files open, so pipe the output through | more.
List Processes for a particular Program
lsof -c selects processes by command name: it lists every file open by processes whose command name begins with the string you give it (so “ssh” also matches sshd and ssh-agent). This is a good way to see what a given program has open, and a trojan would typically show up with some strange outbound network connections among its open files.
lsof -c sshd
Note the last entry reads TCP *:SSH (LISTEN)
This is the SSH daemon in LISTEN state, waiting for a network connection.
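The lsof -c and LISTEN checks above are easy to script. The following is an added example, not code from the original guide: it parses the output of lsof -i -n -P (-i restricts lsof to network sockets, -n -P keep addresses and ports numeric so the LISTEN column is stable), pulls out every listening TCP socket with its PID, user and command, and flags any listener whose command is not in an allowlist you supply. The sample lsof output is constructed for the example, not captured from a real host, and the allowlist of “sshd” is an assumption about what should be listening on your box.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): find listening sockets in
# `lsof -i -n -P` output and flag any program that should not be listening.
set -u

# Constructed sample of `lsof -i -n -P` output (not captured from a real host).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1017 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd     1017 root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
sshd     2211 root    5u  IPv4  22222      0t0  TCP 10.0.0.5:22->10.0.0.20:51234 (ESTABLISHED)
nc       3344 kali    3u  IPv4  33333      0t0  TCP *:4444 (LISTEN)
dhclient  801 root    6u  IPv4   8888      0t0  UDP *:68'

# Mirror `lsof -c NAME`: -c matches on the *start* of the command name,
# so a prefix of "ssh" also returns sshd and ssh-agent. Reads lsof output on stdin.
by_command() {
    awk -v p="$1" 'NR > 1 && index($1, p) == 1'
}

# Print one line per LISTENing TCP socket as "PID USER COMMAND ADDRESS".
# Reads lsof output on stdin, so on a live host: lsof -i -n -P | listeners
listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $2, $3, $1, $(NF-1) }'
}

# Read the output of listeners() on stdin and report every listener whose
# COMMAND is not in the space-separated allowlist given as $1.
# Exit status 1 means at least one unexpected listener was found.
unexpected_listeners() {
    local allow=" $1 "
    local pid user cmd addr rc=0
    while read -r pid user cmd addr; do
        case "$allow" in
            *" $cmd "*) ;;   # expected daemon, ignore
            *) printf 'UNEXPECTED: %s (pid %s, user %s) listening on %s\n' \
                   "$cmd" "$pid" "$user" "$addr"
               rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: run with --live to check the real host (needs root to see every PID);
# without it, the constructed sample is checked so the script runs offline.
if [ "${1:-}" = "--live" ]; then
    lsof -i -n -P | listeners | unexpected_listeners "sshd"
elif [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSOF" | listeners | unexpected_listeners "sshd"
fi
```

Run the script with --demo and it reports the netcat listener on port 4444 while staying quiet about sshd; on a real Kali host, run it as root with --live and extend the allowlist to whatever services you expect. Because the functions read stdin, the same filters work on saved lsof output from an incident, not just on a live box.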
Anyway, that’s some DUPES, for detecting active network connections.
For windows 7 users, go with