The systat and netstat services are interesting because current network and system information can be found easily by connecting to the services using telnet. The /etc/inetd.conf file on a system running systat and netstat typically includes the following lines (note that both run as root):

systat stream tcp nowait root /usr/bin/ps ps -ef
netstat stream tcp nowait root /usr/bin/netstat netstat -a

The ps -ef and netstat -a commands are bound to TCP ports 11 and 15, respectively. Example 5-1 shows how to use telnet to connect to the systat service and derive system process information.
Example 5-1. Using telnet to connect to the systat service
# telnet 192.168.0.1 11
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan03 ? 00:00:05 init [2]
root 2 1 0 Jan03 ? 00:00:00 [keventd]
root 3 1 0 Jan03 ? 00:00:00 [ksoftirqd_CPU0]
root 4 1 0 Jan03 ? 00:00:00 [kswapd]
root 5 1 0 Jan03 ? 00:00:00 [bdflush]
root 6 1 0 Jan03 ? 00:00:00 [kupdated]
root 10 1 0 Jan03 ? 00:00:00 [khubd]
root 492 1 0 Jan03 ? 00:00:00 /sbin/syslogd
root 495 1 0 Jan03 ? 00:00:00 /sbin/klogd
root 503 1 0 Jan03 ? 00:00:00 /usr/sbin/dhcpd -q
root 512 1 0 Jan03 ? 00:00:00 /usr/sbin/inetd
root 520 1 0 Jan03 ? 00:00:00 /usr/sbin/sshd
daemon 523 1 0 Jan03 ? 00:00:00 /usr/sbin/atd
root 526 1 0 Jan03 ? 00:00:00 /usr/sbin/cron
root 531 1 0 Jan03 tty1 00:00:00 -bash
root 532 1 0 Jan03 tty2 00:00:00 /sbin/getty 38400
root 533 1 0 Jan03 tty3 00:00:00 /sbin/getty 38400
root 534 1 0 Jan03 tty4 00:00:00 /sbin/getty 38400
root 535 1 0 Jan03 tty5 00:00:00 /sbin/getty 38400
root 536 1 0 Jan03 tty6 00:00:00 /sbin/getty 38400
root 887 1 0 Jan03 ? 00:00:03 /usr/sbin/named
root 913 1 0 Jan03 ? 00:00:00 [eth0]
root 918 1 0 Jan03 ? 00:00:00 [eth1]
root 1985 520 0 08:05 ? 00:00:00 /usr/sbin/sshd
root 1987 1985 0 08:05 pts/0 00:00:00 -bash
root 2066 1987 0 10:44 pts/0 00:00:00 ps -ef
The telnet client can connect to the netstat service, as shown in Example 5-2.
Example 5-2. Using telnet to connect to the netstat service
# telnet 192.168.0.1 15
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 no-dns-yet.demon:domain *:* LISTEN
tcp 0 0 192.168.0.1:domain *:* LISTEN
tcp 0 0 mail:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
udp 0 0 *:32769 *:*
udp 0 0 *:discard *:*
udp 0 0 no-dns-yet.demon:domain *:*
udp 0 0 192.168.0.1:domain *:*
udp 0 0 mail:domain *:*
udp 0 0 *:bootps *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 456 /dev/log
unix 2 [ ] DGRAM 1123
unix 2 [ ] DGRAM 516
unix 2 [ ] DGRAM 489
This system information gives insight into the running processes and network connections. By analyzing this data carefully, you can find usernames, command-line arguments (which may include passwords or other sensitive details), and details of internal or trusted hosts.
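On the defensive side, the fix is to disable these inetd entries. The following is an added example, not part of the original text: a small Python audit that parses an inetd.conf in the format quoted above, reports enabled systat/netstat entries (with the port numbers given in this section and whether they run as root), and emits a hardened copy with those lines commented out. The sample inetd.conf is constructed for the example.

```python
"""Audit /etc/inetd.conf for the systat and netstat information-leak
services and produce a hardened copy with those entries disabled."""

# Port assignments from this section: systat = TCP 11, netstat = TCP 15.
LEAKY_SERVICES = {"systat": 11, "netstat": 15}

# Constructed sample inetd.conf, modelled on the lines quoted in the text.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ssh stream tcp nowait root /usr/sbin/sshd sshd -i
systat stream tcp nowait root /usr/bin/ps ps -ef
netstat stream tcp nowait root /usr/bin/netstat netstat -a
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
"""

def parse_inetd(text):
    """Yield (service, socket_type, proto, wait, user, program, args) for
    every active entry. Fields are whitespace-separated; the server
    arguments are the 7th field and may themselves contain spaces."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        fields = line.split(None, 6)       # keep the argument string whole
        if len(fields) < 6:
            continue                       # malformed entry; inetd skips it too
        fields += [""] * (7 - len(fields)) # e.g. "internal" services have no args
        yield tuple(fields)

def find_leaks(text):
    """Return one finding per enabled systat/netstat entry."""
    findings = []
    for service, _stype, proto, _wait, user, program, args in parse_inetd(text):
        if service in LEAKY_SERVICES:
            findings.append({
                "service": service,
                "port": LEAKY_SERVICES[service],
                "proto": proto,
                "runs_as": user,
                "as_root": user == "root",
                "command": (program + " " + args).strip(),
            })
    return findings

def harden(text):
    """Return the inetd.conf text with systat/netstat entries commented out."""
    out = []
    for line in text.splitlines():
        name = line.split(None, 1)[0] if line.strip() else ""
        if name in LEAKY_SERVICES:
            line = "#" + line + "  # disabled: exposes ps/netstat output to the network"
        out.append(line)
    return "\n".join(out) + "\n"
```

After writing the hardened file back, inetd must be told to reread its configuration (a SIGHUP) before the change takes effect.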