netstat / ss

Native socket and connection inspection commands.

Categories: Network Recon & Monitoring, Built-in OS CLI, Learning. Platforms: Windows, Linux, macOS.


Description

Tools to list active connections, listening ports, and the owning processes:

  • netstat — available almost everywhere but deprecated on modern Linux (it ships with the legacy net-tools package). Still standard on Windows, where netstat -anob shows the owning PID and executable name for each socket (the -b switch needs an elevated prompt).
  • ss (modern Linux) — the faster successor to netstat; it queries the kernel over netlink directly instead of parsing /proc. ss -tulpan (TCP, UDP, listening, process, all, numeric) is the canonical "show me everything listening, with PIDs".

During IR these reveal suspicious listeners (backdoors, reverse-shell sockets) and outbound connections to known-bad IPs. Pair with lsof -i for richer per-socket detail.

Use cases

  • Finding a backdoor listener on a compromised host
  • Mapping a process to its outbound C2 connection
  • Auditing exposed services on a hardened server

Example

sudo ss -tulpan             # Linux: all TCP/UDP sockets, numeric, with owning process (root needed for other users' PIDs)
netstat -anob               # Windows: run from an elevated (Administrator) prompt; -o = PID, -b = executable
sudo lsof -i :4444          # which process owns a socket on port 4444?
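Triage of ss output as described above, as an added example that is not part of the original page: parse the columns of `ss -tulpan`, then flag non-loopback listeners whose port is not in an expected-port allowlist and established connections whose peer is on a known-bad IP list. The sample output, the allowlist and the bad-IP set are constructed for the example.

```python
import re
from typing import NamedTuple

# Constructed sample of `ss -tulpan` output (documentation IP ranges, not a real capture).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=610,fd=5))
tcp   LISTEN 0      128    [::]:4444           [::]:*            users:(("nc",pid=3310,fd=3))
tcp   ESTAB  0      0      10.0.0.5:49812      203.0.113.7:4444  users:(("bash",pid=2231,fd=1))
tcp   ESTAB  0      0      10.0.0.5:51002      198.51.100.9:443  users:(("curl",pid=2290,fd=4))
"""

class Sock(NamedTuple):
    proto: str
    state: str
    laddr: str
    lport: str
    paddr: str
    pport: str
    proc: str
    pid: int

# Matches the first ("name",pid=N entry of the ss Process column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "::1"}

def split_addr(field):
    """Split 'host:port' or '[v6]:port' into (host, port); port may be '*'."""
    host, port = field.rsplit(":", 1)
    return host.strip("[]"), port

def parse_ss(text):
    socks = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 6)             # Process column may contain spaces
        if len(parts) < 6:
            continue
        proto, state, _rq, _sq, local, peer = parts[:6]
        m = PROC_RE.search(parts[6]) if len(parts) > 6 else None
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        socks.append(Sock(proto, state, *split_addr(local), *split_addr(peer), name, pid))
    return socks

def triage(socks, expected_ports, bad_ips):
    """Return human-readable findings for unexpected listeners and known-bad peers."""
    findings = []
    for s in socks:
        if s.state in ("LISTEN", "UNCONN") and s.laddr not in LOOPBACK and s.lport not in expected_ports:
            findings.append(f"unexpected listener {s.proto}/{s.lport} by {s.proc} (pid {s.pid})")
        if s.state == "ESTAB" and s.paddr in bad_ips:
            findings.append(f"connection to known-bad {s.paddr}:{s.pport} from {s.proc} (pid {s.pid})")
    return findings

if __name__ == "__main__":
    for f in triage(parse_ss(SAMPLE_SS), expected_ports={"22"}, bad_ips={"203.0.113.7"}):
        print(f)
```

On a live host, replace SAMPLE_SS with the captured output of `sudo ss -tulpan` and feed the expected-port list from the server's build documentation.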