Exploring the Powershell Alternative to netstat

This post is going to be a very quick rundown of Get-NetTCPConnection, the Powershell cmdlet that serves as a powerful alternative to netstat.

Note: In any comparisons I make between netstat and Get-NetTCPConnection, I am referring to the Windows implementation of netstat.

Why you might want to use Get-NetTCPConnection

  • Easier to get targeted information by filtering on any property
  • You never have to google how to use it (just use Get-Help and Get-Member)
  • Tab completion
  • Easier to present specific data in a specific format (select, sort, etc.)
  • Easier to generate things like reports (use pipe and select to output specifics to HTML or CSV)
  • Everything is actionable (pipe your results to another cmdlet; example down below)

Why you might want to use netstat

  • It’s cross-platform (Get-NetTCPConnection does not work yet on Powershell for Linux as it’s part of .Net Core)
  • You are looking for UDP traffic (you have to use an entirely separate cmdlet for UDP)

Using Get-NetTCPConnection

The first thing I do when discovering a cmdlet is look at the methods and properties available. Do this by running

Get-NetTCPConnection | gm


As with most cmdlets, the properties make it pretty clear how to access the information you want. To get anything that’s listening you can run

Get-NetTCPConnection | ? {$_.State -eq "Listen"}

Let’s make it more specific and check for anything that’s listening from any remote address

Get-NetTCPConnection | ? {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")}

Now let’s look at what’s listening on port 443, and just display the process responsible, the local port, the state, and the remote address


Just like most other Get cmdlets, this information can easily be output to a file in a nice format. In this case I'm going to get the TCP connections that are listening for connections from any remote address and export all properties of those connections to a CSV

Get-NetTCPConnection | ? {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")} | select * | Export-Csv net-connect.csv -NoTypeInformation

And because of Powershell's object-oriented nature, it's very easy to relate and act on the results of your queries. For example, let's say I want to take this same query (everything listening for requests from any IP) and correlate each connection with the name of its owning process

$processes = (Get-NetTCPConnection | ? {($_.State -eq "Listen") -and ($_.RemoteAddress -eq "0.0.0.0")}).OwningProcess

foreach ($process in $processes) {Get-Process -PID $process | select ID,ProcessName}


Or as a last example, maybe I want to take it a step further and kill all of the processes responsible (don't do this).

foreach ($process in $processes) {Get-Process -PID $process | Stop-Process -Force}
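Pulling the port-443 view, the CSV export and the process correlation above together in one script, as an added example that is not from the original post. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the NetTCPIP module, and also matches the IPv6 wildcard "::", which a filter on "0.0.0.0" alone misses.

```powershell
# Added example (not from the original post): inventory listening TCP sockets,
# resolve the owning process, and export the result for review.

$listeners = Get-NetTCPConnection -State Listen |
    # "0.0.0.0" is the IPv4 wildcard, "::" the IPv6 wildcard; listening sockets
    # show the wildcard in both LocalAddress and RemoteAddress
    Where-Object { $_.RemoteAddress -in @('0.0.0.0', '::') } |
    ForEach-Object {
        $conn = $_
        # The owner may have exited between the two queries, so do not fail on a missing PID
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            State        = $conn.State
            PID          = $conn.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            # Path is $null for System (PID 4) and other protected processes
            Path         = if ($proc) { $proc.Path } else { $null }
        }
    }

# The port-443 view from the post, with the process name resolved
$listeners | Where-Object LocalPort -eq 443 |
    Format-Table ProcessName, PID, LocalPort, State, LocalAddress -AutoSize

# Full inventory, sorted by port, for the CSV report (file name is a constructed placeholder)
$listeners | Sort-Object LocalPort | Export-Csv listeners.csv -NoTypeInformation

# UDP listeners need the separate cmdlet mentioned above
Get-NetUDPEndpoint | Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Compare listeners.csv against a known-good baseline from the same host to spot ports and executables that were not there before.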
