Besides the unique IP address used to communicate between computers on a network, the port used by a piece of software is also very important. Without an open port, it is simply impossible for the software to work. For example, when you use your web browser to access a website, by default it uses the standard port 80, which is assigned by the Internet Engineering Task Force (IETF). If the website uses an alternative port such as 81 for HTTP, you can only access it by manually specifying the port in the URL, as in example.com:81. Entering just example.com in the URL bar will display a “The connection has timed out” error.
There are times when you need to investigate which process is using a TCP port, perhaps because a piece of software is unable to initialize because the port is already in use, or because you want to check for unknown connections made by malicious software. One good example: your computer needs to have an established connection when it is connected to the hacker via a hidden remote administration tool (RAT). Here is how you can easily check which process is using a TCP port.
The easiest way is to use CurrPorts, another useful and simple tool created by Nir Sofer. CurrPorts is portable and doesn’t require installation. Just run the executable file and it will instantly display the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
Refer to the Listening state if you want to find the process that is using the TCP port. As for malicious RAT connections, you will have to refer to the Established state, because most modern RATs use a reverse connection method instead of a direct connection. A reverse connection has more advantages than a direct one because the victim doesn’t require port forwarding and only periodically tries to connect to the master instead of listening for connections all the time.
If you’re on a computer without CurrPorts, you can use the built-in NetStat tool in Windows to help you figure out what process is using what port. Run the command prompt as administrator (type cmd in the Search Programs and Files bar, right-click the result and select Run as administrator), then type the command below.
netstat -a -b
The two boxes which I’ve circled in yellow are the ports and processes. Checking on the ports being used on your computer is something you should do periodically as it is very easy and takes only a couple of minutes of your time.
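Because netstat -b prints the owning executable on the line after each connection, the output is awkward to filter by eye. The Python sketch below is an added example, not part of the original article: it pairs each row with its process and separates Listening from Established entries. The sample output (in the style of netstat -a -b -n, where -n is an addition that prints numeric addresses) and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `netstat -a -b -n` (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED
 [updater.exe]
  TCP    [::]:80                [::]:0                 LISTENING
 [httpd.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    """Pair each connection row with the [process] line that follows it."""
    entries = []
    for line in text.splitlines():
        conn = CONN.match(line)
        owner = OWNER.match(line)
        if conn:
            proto, local, remote, state = conn.groups()
            entries.append({
                "proto": proto, "remote": remote,
                "local_port": int(local.rsplit(":", 1)[1]),  # handles [::]:80 too
                "state": state or "",  # UDP rows carry no state column
                "process": None,       # stays None if ownership is unavailable
            })
        elif owner and entries and entries[-1]["process"] is None:
            entries[-1]["process"] = owner.group(1)
    return entries

def owners_of_port(entries, port):
    """Processes in the Listening state on a local TCP port."""
    return [e["process"] for e in entries if e["proto"] == "TCP"
            and e["state"] == "LISTENING" and e["local_port"] == port]

def established(entries):
    """(process, remote endpoint) pairs for Established TCP connections."""
    return [(e["process"], e["remote"]) for e in entries if e["state"] == "ESTABLISHED"]
```

To use it on a real machine, save the output of the command from an elevated prompt to a file and pass the file's text to parse_netstat_b.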