Friday, August 5, 2022

TryHackMe Write-Up | Sysinternals Task 5  Networking Utilities

 TCPView

"TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality." (official definition)

This is a good time to mention that Windows has a built-in utility that provides similar functionality: Resource Monitor. There are many ways to open this tool. From the command line, run resmon.

https://assets.tryhackme.com/additional/sysinternals/resource-monitor0.png

Expand TCP Connections to view the Remote Address for each Process with an outbound connection.

https://assets.tryhackme.com/additional/sysinternals/resource-monitor.png

This tool can also be called from the Performance tab within Task Manager. Look at the bottom left for the link to open Resource Monitor.

https://assets.tryhackme.com/additional/sysinternals/resource-monitor2.png

Now back to TCPView.

https://assets.tryhackme.com/additional/sysinternals/tcpview.png

The below image shows the default view for TCPView.

https://assets.tryhackme.com/additional/sysinternals/tcpview0.png

In the below image, I unselected Show Unconnected Endpoints in the Options menu.

https://assets.tryhackme.com/additional/sysinternals/tcpview1.png

Now the output only displays endpoints that have an established connection; listening TCP sockets and UDP endpoints, which have no remote peer, are hidden.
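The same filtered view can be produced from PowerShell without installing anything. The script below is an added example written for this write-up, not code from the TryHackMe room or from Sysinternals; the function name Get-ConnectedEndpoint is my own. It assumes the built-in NetTCPIP module (Windows 8 / Server 2012 and later), joins each TCP and UDP endpoint to its owning process the way TCPView does, and by default drops listening and bound endpoints, which is what unchecking Show Unconnected Endpoints does in the GUI.

```powershell
# Added example: a PowerShell stand-in for TCPView. Not from the original post or
# the Sysinternals suite. Requires the NetTCPIP module that ships with Windows.

function Get-ConnectedEndpoint {
    [CmdletBinding()]
    param(
        # Include listening TCP sockets and UDP endpoints, mirroring TCPView's
        # default view with "Show Unconnected Endpoints" still checked.
        [switch]$IncludeUnconnected
    )

    # Build a PID -> process name table once instead of calling Get-Process per row.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

    # Resolve an owning PID to a name; PIDs that vanished between calls show as <exited>.
    $nameOf = {
        param([uint32]$ProcessId)
        if ($procs.ContainsKey([int]$ProcessId)) { $procs[[int]$ProcessId] } else { '<exited>' }
    }

    $tcp = @(Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{
            Protocol      = 'TCP'
            Process       = & $nameOf $_.OwningProcess
            PID           = $_.OwningProcess
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
        }
    })

    # UDP is connectionless, so every UDP endpoint is "unconnected" in TCPView's sense.
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Protocol      = 'UDP'
            Process       = & $nameOf $_.OwningProcess
            PID           = $_.OwningProcess
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = '*'
            RemotePort    = '*'
            State         = ''
        }
    })

    if ($IncludeUnconnected) {
        return $tcp + $udp
    }

    # Unchecking "Show Unconnected Endpoints": hide Listen/Bound sockets and all UDP.
    $tcp | Where-Object { $_.State -ne 'Listen' -and $_.State -ne 'Bound' }
}

# Usage: show live connections grouped by process, like the filtered TCPView screenshot.
# Remote addresses that are not private ranges are the ones worth a WHOIS lookup.
Get-ConnectedEndpoint |
    Sort-Object Process, RemoteAddress |
    Format-Table Process, PID, Protocol, LocalAddress, LocalPort, RemoteAddress, RemotePort, State -AutoSize
```

Running it as administrator is not required to see your own processes, but without elevation the owning PID of some system services is still reported while their names resolve fine through Get-Process. TIME_WAIT entries are kept on purpose: they still carry the remote address, which is often the interesting part during triage.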

Other tools fall under the Networking Utilities category. I encourage you to explore these tools at your own leisure.

Link: https://docs.microsoft.com/en-us/sysinternals/downloads/networking-utilities

Answer the questions below

Using WHOIS tools, what is the ISP/Organization for the remote address in the screenshots above?

How to: I tried using the WHOIS tools on the Windows system, but it kept returning the output "The requested name is valid, but no data of the requested type was found." So, to start off, go to https://whois.domaintools.com and type the IP of the remote machine shown above (52.242.211.89) into the search bar, then click Search. Now look for Organization, copy the name and paste it into the answer box.

Answer: Microsoft Corporation
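When a local WHOIS client misbehaves, the protocol itself is simple enough to drive by hand: RFC 3912 is a TCP connection to port 43, the query followed by CRLF, and the server's reply until it closes the socket. The script below is an added example for this write-up, not code from the TryHackMe room, Sysinternals, or domaintools.com; the function names Invoke-WhoisQuery and Get-IpOrganization are my own. It asks whois.iana.org which regional registry holds the address, follows the "refer:" line to that registry, and pulls the organization label from the reply. It needs outbound TCP/43, so it will not work on a lab box with no internet egress.

```powershell
# Added example: raw WHOIS lookup over TCP 43 from PowerShell. Not from the original post.
# Needs network access to whois.iana.org and the regional registry it refers to.

function Invoke-WhoisQuery {
    param(
        [Parameter(Mandatory)] [string]$Query,
        [string]$Server = 'whois.iana.org',
        [int]$Port = 43
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $stream = $client.GetStream()
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.NewLine = "`r`n"          # RFC 3912: the request is the query terminated by CRLF
        $writer.WriteLine($Query)
        $writer.Flush()
        $reader = [System.IO.StreamReader]::new($stream)
        $reader.ReadToEnd()               # server sends its answer and closes the connection
    }
    finally {
        $client.Dispose()
    }
}

function Get-IpOrganization {
    param([Parameter(Mandatory)] [string]$IPAddress)

    # Step 1: IANA's server answers with a "refer:" line naming the RIR for this block.
    $iana  = Invoke-WhoisQuery -Query $IPAddress
    $refer = [regex]::Match($iana, '(?m)^refer:\s*(\S+)')
    if (-not $refer.Success) {
        throw "No 'refer:' line in IANA response for $IPAddress"
    }
    $rir = $refer.Groups[1].Value

    # Step 2: query the referred registry (whois.arin.net for the address in the screenshot).
    $answer = Invoke-WhoisQuery -Query $IPAddress -Server $rir

    # Registries label the holder differently: ARIN uses "OrgName:", RIPE/APNIC use
    # "org-name:" or "descr:". Take the first matching label; fall back to the raw text.
    $org = [regex]::Match($answer, '(?mi)^(OrgName|org-name|organisation|descr):\s*(.+?)\s*$')
    [pscustomobject]@{
        IPAddress    = $IPAddress
        Registry     = $rir
        Organization = if ($org.Success) { $org.Groups[2].Value } else { $null }
        RawResponse  = $answer
    }
}

# Usage: the remote address from the TCPView screenshot.
(Get-IpOrganization -IPAddress '52.242.211.89').Organization
```

If the Organization field comes back empty, print RawResponse; ARIN sometimes returns a list of nested network records rather than a single one, and the more specific allocation is the one that matters.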
