How to Track Hackers

By Jerry Garner

Updated September 28, 2017

If you spend a lot of time connected to the Internet, it is only a matter of time before a hacker attempts to gain access to your computer. Proper security and firewalls are usually all that is needed to prevent them from gaining entry, but computer owners who are less focused on system security may have a hacker slipping through their open ports. If you should find yourself in the unfortunate position of dealing with a hacker, just remember that it is entirely possible to identify and track the hacker so his cyber crimes can be reported to the proper authorities.

Open the DOS prompt on your computer. The way you get to the DOS prompt depends on what version of Windows you are using. If you are using Windows 95 or Windows 98, click "Start," then click "Programs" and end by clicking "MS-DOS." If you are using Windows NT, Windows 2000 or Windows XP, you will arrive at the DOS prompt differently. In this case, you will click "Start," then click "Run," then type either "cmd" or "command." Windows Vista is the simplest of all, since you only have to click "Start," then type "cmd."

Type the following command into the DOS prompt (without quotation marks): "netstat -a". This will open a routine known as Netstat, which will quickly identify all connections into and out of your computer. Typing "netstat -a" will produce a string of information that identifies your IP address, the port your computer is using for the connection, the "foreign address" of the machine you are connected to, the port that machine is using, and also the status of the connection.

Identify what other Netstat commands are available to you. Type "netstat ?", without the quotation marks. This should show you what commands are available in your version of Netstat. Typical commands include -a, -e, -n, -p proto, -r and -s. You can also combine multiple commands at once, as you will do in the following step.

Combine two commands to refine your search. First, use the command that identifies all connections and listening ports, which is usually "-a." Second, find the command that lists the information in numerical form, which is usually "-n." Type the command into the DOS prompt as "netstat -an". Note that you may need to change the "a" or "n" to something else, if they are identified differently in your version of Netstat.

Search for additional Internet activity. You should only have one connection, using one port. If a hacker has gained access to your system, an additional port will be in use. Running the command from the previous step will allow you to see what IP address the hacker is using, the hacker's hostname and the port number he is connecting through. It is possible to shut down the port and block the IP address, but for the moment, let's trace down who is gaining access to the computer and track what they are doing.

Run a trace route on the information you have obtained about the hacker. This affords you an idea of where the individual is located and what ISP he is using to connect to the Internet. Run the trace route by returning to the DOS prompt and typing "tracert ip address/hostname." Remove the quotation marks and replace "ip address" and "hostname" with the relevant information that was gathered in the previous step. Trace route will then trace the path of the connection, including any servers the connection must pass through before reaching you.

Print out the information about the intrusion, then use your firewall to block the port and IP address used by the hacker. Send a copy of the information to your local police department, the police department in the location that trace route identified for the hacker, the ISP the hacker uses and to the US Department of Justice's cybercrime website. (Follow the link in Resources.) These organizations may want to have a technician generate a detailed computer log of the intrusion and any past intrusions, so do not delete any log files from your computer.


Do not attempt to hack back. Not only would this be illegal, but the hacker may be bouncing her connection from an innocent IP address, and would not be affected by your hack attempt.