I would like to present a script which gathers information generated by NETSTAT.
It is designed to help in a situation where you have a Windows server with many clients connecting from different networks and over different protocols. Auditing all of them is a hard task. If you are going to perform some activity on the server, such as shutting it down for maintenance or decommissioning, a list of the clients that will be affected by the shutdown is extremely useful.
There are several ways to collect information about connected clients:
- Take statistics from firewalls or similar network devices. This is usually problematic because you need to know the firewall topology, and usually you have to send a request to the networking team to perform this operation.
- Run a sniffer on the server. This is often not allowed because of restrictions on installing additional software (especially on security-critical computers like domain controllers). Even if it is installed, getting the right data is not easy: you need to run a capture, which adds the risk of filling the disk, play with filters and then try to extract statistics from the result. Even in the most popular sniffer, Wireshark, I didn’t find any good per-protocol statistics (like “show me all distinct LDAP clients”).
- Configure per-protocol logging in the OS and extract data from the log sources (Event Viewer logs or text log files). Again, this is not easy: you need to configure it for each protocol and use special parsers to extract the data.
As you can see, all of these methods are pretty difficult to implement.
There is a tool for capturing connection statistics, NETSTAT, which is included with every Windows system. The only problem is that it runs once and prints your current connections, whereas we need not just the current connections but all connections over a period of time. This is exactly what my script is designed to do. It runs NETSTAT in a loop, constantly extracts the current connection info and puts it into a nested hashtable data structure. After you stop it (usually by pressing Ctrl+C) it shows you statistics on the IPs that connected to the server.
It took me several hours to program it and hop! hop! tirlihop! now I can collect all the data without much trouble.
You can find the script here
Instructions:
The script accepts the following parameters:
param_LocalIP – if specified, the script uses this as the server IP to collect data for; if it is not specified, the script enumerates the local IPs and asks you to choose one to gather statistics on. On Windows Server 2008 the enumeration routine does not work (because of the older PowerShell version), so there you have to specify this parameter.
param_numberOfNetstats2run – the number of netstat runs to perform; the script stops automatically after reaching this number. It usually runs 2-3 netstats per second.
param_resolveIPs2FQDNs – perform reverse resolution of the collected IPs to hostnames. The default value is “true”. This can take several minutes (maybe tens of minutes) after the netstat loop finishes.
param_collectOnlyEstablished – show only connections in the “ESTABLISHED” state. The default value is “true”.
param_CreateCSV – generate a CSV file with the collected connection statistics. The default value is “true”.
$pathToSaveFiles – path to the folder where both the .txt and .csv files are saved. By default they are saved to the folder the script is run from.
Example Usage:
Simplest way: save the code to a file with a .ps1 extension, let’s say collectingNetstat.ps1. Open your PowerShell console and run “cd <path to your file>“. Then type “.\collectingNetstat.ps1“. It will ask you which IP to gather statistics for. After it has run for a while, press Ctrl+C. As we are running it without any parameters it will try to perform reverse DNS queries on all the IPs, so you have to wait until that process finishes. When it is done it shows you the paths to the .txt and .csv files with the statistics.
.\collectingNetstat.ps1 -param_numberOfNetstats2run 10 -param_resolveIPs2FQDNs $false – performs 10 netstat runs and does not try to resolve IPs to FQDNs.
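To show the mechanism the script and its parameters rely on, here is a reduced version written as an added example (it is not the author’s script): it runs netstat a fixed number of times, keeps distinct remote IPs per local port in nested hashtables, optionally reverse-resolves them and exports a CSV. The parameter names, the default server IP and the output file name are assumptions.

```powershell
# Added example, not the author's script: loop netstat, aggregate distinct remote IPs
# per local port in nested hashtables, optionally resolve them, and write a CSV.
# Parameter names, the default server IP and the output file name are assumptions.
param(
    [string]$LocalIP = '10.0.0.5',              # assumed server IP to watch
    [int]$NumberOfNetstats = 10,                # stop after this many netstat runs
    [bool]$OnlyEstablished = $true,             # ignore TIME_WAIT, SYN_RECEIVED etc.
    [bool]$ResolveIPs = $false,                 # reverse DNS is slow; off by default here
    [string]$OutCsv = (Join-Path (Get-Location) 'netstat_clients.csv')
)

$stats = @{}   # $stats[localPort][remoteIP] = number of snapshots the pair was seen in

for ($i = 0; $i -lt $NumberOfNetstats; $i++) {
    # -n numeric addresses, -o owning PID. UDP rows have no state column and are
    # skipped, which is why UDP-based DNS clients are never captured this way.
    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -ne 'TCP') { continue }
        # split on the last colon so [::1]:389 style IPv6 addresses survive
        $localAddr, $localPort = $f[1] -split ':(?=\d+$)'
        $remoteIP = ($f[2] -split ':(?=\d+$)')[0]
        if ($localAddr -ne $LocalIP) { continue }
        if ($OnlyEstablished -and $f[3] -ne 'ESTABLISHED') { continue }
        if (-not $stats.ContainsKey($localPort)) { $stats[$localPort] = @{} }
        $stats[$localPort][$remoteIP] = 1 + [int]$stats[$localPort][$remoteIP]
    }
    Start-Sleep -Milliseconds 300   # roughly 2-3 snapshots per second
}

# Flatten the nested hashtables into rows, resolving names only if asked to.
$rows = foreach ($port in $stats.Keys) {
    foreach ($ip in $stats[$port].Keys) {
        $name = ''
        if ($ResolveIPs) {
            try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $name = 'unresolved' }
        }
        [pscustomobject]@{ LocalPort = [int]$port; RemoteIP = $ip; Hostname = $name; Seen = $stats[$port][$ip] }
    }
}
$rows | Sort-Object LocalPort, RemoteIP | Export-Csv -Path $OutCsv -NoTypeInformation
$rows | Sort-Object LocalPort, RemoteIP | Format-Table -AutoSize
"Saved connection statistics to $OutCsv"
```

Because the counts live in memory for the whole loop, the $NumberOfNetstats limit is what keeps a forgotten session from growing without bound.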
N.B.
Use it at your own risk. In my view the risks are minimal. The worst case is that you run it in a remote session on a server and forget to switch it off. It collects all connection stats into in-memory hashtables, so memory shortage problems could theoretically occur if you forget to switch it off.
Unfortunately this script collects TCP/IP connections only, so it is very useful for protocols like LDAP, LDAPS, HTTP, HTTPS etc., but it doesn’t work with DNS, as DNS mostly uses UDP. For DNS statistics we have to analyze the DNS log file; I have a parser for it and plan to publish it soon.
This is incredibly useful! We were trying to audit LDAP SSL connections and there is not even a good way to do this, even with logs, since the only LDAPS-specific event is 1220, which logs a failed LDAPS attempt.
Thanks so much for taking the time.