The systat and netstat services are interesting because current system and network information can be obtained simply by connecting to them with telnet. The /etc/inetd.conf file on a system running systat and netstat typically includes the following lines:
```
systat   stream  tcp  nowait  root  /usr/bin/ps       ps -ef
netstat  stream  tcp  nowait  root  /usr/bin/netstat  netstat -a
```
The ps -ef and netstat -a commands are bound to TCP ports 11 and 15, respectively. Example 5-1 shows how to use telnet to connect to the systat service and derive system process information.
Example 5-1. Using telnet to query the systat service

```
# telnet 192.168.0.1 11
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jan03 ?        00:00:05 init [2]
root         2     1  0 Jan03 ?        00:00:00 [keventd]
root         3     1  0 Jan03 ?        00:00:00 [ksoftirqd_CPU0]
root         4     1  0 Jan03 ?        00:00:00 [kswapd]
root         5     1  0 Jan03 ?        00:00:00 [bdflush]
root         6     1  0 Jan03 ?        00:00:00 [kupdated]
root        10     1  0 Jan03 ?        00:00:00 [khubd]
root       492     1  0 Jan03 ?        00:00:00 /sbin/syslogd
root       495     1  0 Jan03 ?        00:00:00 /sbin/klogd
root       503     1  0 Jan03 ?        00:00:00 /usr/sbin/dhcpd -q
root       512     1  0 Jan03 ?        00:00:00 /usr/sbin/inetd
root       520     1  0 Jan03 ?        00:00:00 /usr/sbin/sshd
daemon     523     1  0 Jan03 ?        00:00:00 /usr/sbin/atd
root       526     1  0 Jan03 ?        00:00:00 /usr/sbin/cron
root       531     1  0 Jan03 tty1     00:00:00 -bash
root       532     1  0 Jan03 tty2     00:00:00 /sbin/getty 38400
root       533     1  0 Jan03 tty3     00:00:00 /sbin/getty 38400
root       534     1  0 Jan03 tty4     00:00:00 /sbin/getty 38400
root       535     1  0 Jan03 tty5     00:00:00 /sbin/getty 38400
root       536     1  0 Jan03 tty6     00:00:00 /sbin/getty 38400
root       887     1  0 Jan03 ?        00:00:03 /usr/sbin/named
root       913     1  0 Jan03 ?        00:00:00 [eth0]
root       918     1  0 Jan03 ?        00:00:00 [eth1]
root      1985   520  0 08:05 ?        00:00:00 /usr/sbin/sshd
root      1987  1985  0 08:05 pts/0    00:00:00 -bash
root      2066  1987  0 10:44 pts/0    00:00:00 ps -ef
```
The telnet client can connect to the netstat service, as shown in Example 5-2.
Example 5-2. Using telnet to query the netstat service

```
# telnet 192.168.0.1 15
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 *:discard               *:*                     LISTEN
tcp        0      0 *:daytime               *:*                     LISTEN
tcp        0      0 no-dns-yet.demon:domain *:*                     LISTEN
tcp        0      0 192.168.0.1:domain      *:*                     LISTEN
tcp        0      0 mail:domain             *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
udp        0      0 *:32769                 *:*
udp        0      0 *:discard               *:*
udp        0      0 no-dns-yet.demon:domain *:*
udp        0      0 192.168.0.1:domain      *:*
udp        0      0 mail:domain             *:*
udp        0      0 *:bootps                *:*
raw        0      0 *:icmp                  *:*                     7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  5      [ ]         DGRAM                    456    /dev/log
unix  2      [ ]         DGRAM                    1123
unix  2      [ ]         DGRAM                    516
unix  2      [ ]         DGRAM                    489
```
This output gives direct insight into the running processes and network connections of the host. By analyzing it carefully, you can find usernames, command-line arguments (which may include passwords or other sensitive details), and the names and addresses of internal or trusted hosts.
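As an added example, not code from the book, the following Python script applies the two points made above: it parses an inetd.conf, reports any active systat or netstat entries (which bind `ps -ef` and `netstat -a` to TCP/11 and TCP/15, as described earlier) together with the user they run as, and emits a hardened copy of the file with those entries commented out. The sample configuration is constructed to match the lines quoted above, and the function names are my own, not part of any inetd tooling.

```python
"""Audit an inetd.conf for services that hand system information to any
unauthenticated client, and emit a hardened copy with those entries disabled.

Added example for the text above; not code from the book. The sample
configuration below is constructed to match the lines quoted in the text.
"""

# Services discussed in the text: systat serves "ps -ef" on TCP/11 and
# netstat serves "netstat -a" on TCP/15 (their well-known port numbers).
INFO_LEAK_SERVICES = {"systat": 11, "netstat": 15}

# Constructed sample /etc/inetd.conf. Each active line has the form:
#   <service> <socket type> <protocol> <wait/nowait> <user> <server path> [args...]
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample, not a real host's file)
systat   stream  tcp  nowait  root    /usr/bin/ps          ps -ef
netstat  stream  tcp  nowait  root    /usr/bin/netstat     netstat -a
daytime  stream  tcp  nowait  root    internal
ssh      stream  tcp  nowait  root    /usr/sbin/sshd       sshd -i
#finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd in.fingerd
"""


def parse_inetd(text):
    """Parse inetd.conf text into a list of dicts, one per active (uncommented) entry."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and commented-out entries are not served
        fields = stripped.split()
        if len(fields) < 6:
            continue  # not a complete entry; skip rather than guess
        entries.append({
            "service": fields[0],
            "proto": fields[2],
            "user": fields[4],
            "server": fields[5],          # "internal" means inetd answers itself
            "args": " ".join(fields[6:]),
        })
    return entries


def find_leaky_services(text):
    """Return the active entries that expose process or connection listings."""
    return [e for e in parse_inetd(text) if e["service"] in INFO_LEAK_SERVICES]


def describe_findings(text):
    """One human-readable finding per leaky entry, suitable for an audit report."""
    lines = []
    for e in find_leaky_services(text):
        port = INFO_LEAK_SERVICES[e["service"]]
        lines.append(
            f"{e['service']} ({e['proto'].upper()}/{port}) runs '{e['args']}' "
            f"as {e['user']} for any client that connects"
        )
    return lines


def harden_inetd(text):
    """Return a copy of the config with each leaky entry commented out.

    Commenting the line out rather than deleting it keeps a record of what
    was disabled; inetd must be told to re-read the file afterwards.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        is_active = bool(stripped) and not stripped.startswith("#")
        if is_active and stripped.split()[0] in INFO_LEAK_SERVICES:
            out.append("#" + line + "    # disabled: leaks system information")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in describe_findings(SAMPLE_INETD_CONF):
        print("FINDING:", finding)
    print(harden_inetd(SAMPLE_INETD_CONF))
```

Run against a real host's /etc/inetd.conf, the audit reports each leaky entry and the user it runs as (root in the quoted configuration, so the listing reflects every process on the box). After writing the hardened file back, send inetd a HUP signal so it re-reads its configuration, then confirm with a fresh telnet to ports 11 and 15 that the connection is refused; where the services must stay for an internal monitoring tool, restrict the listening ports to trusted source addresses with a host firewall or TCP wrappers instead.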