Art of War - Know yourself You might need to learn how to know what is normal on your system before you can think about if something is wrong. Lets see if you can find out what ports are open and if a new port opened on your system. We can use netstat to do that, but how can we automate the process? PowerShell to the rescue: Ope an administrative command prompt: cmd Start power shell: powershell Take a baseline of current ports: netstat -na >before.txt Open another terminal and start the ftp process, but you do not need to login: ftp ftp.microsoft In the first terminal, take a snapshot again of the current ports: netstat -na >after.txt Compare the two files to see if we have captured our activity of opening a new port for the FTP session: Compare-Object -ReferenceObject(Get-Content .\before.txt) -DifferenceObject (Get-Content .\after.txt)|select inputobject You should see something like: InputObject ----------- TCP 192.168.1.30:58650 134.170.188.232:21 ESTABLISHED Now, we should do all this with a script to see the same results without typing all these commands by hand. Type the following into a text file using notepad and save it as ports.ps1. netstat -na >before.txt start ftp ftp.microsoft start-sleep -s 10 netstat -na >after.txt Compare-Object -ReferenceObject(Get-Content .\before.txt) -DifferenceObject (Get-Content .\after.txt)|select inputobject Write down your current policy settings: get-ExecutionPolicy Modify your systems policy to allow running of scripts: Set-ExecutionPolicy Unrestricted After youre done, make sure to set your execution policy back to the original settings by Set-ExecutionPolicy ..... Questions? What did the above script do? How would you modify the above script to compare the current ports to a baseline file that you might have created weeks ago? What are the execution policy settings options and what do each mean?
Posted on: Sat, 11 Oct 2014 00:23:35 +0000