5.2 systat and netstat

The systat and netstat services are interesting because current network and system information can be found easily by connecting to the services using telnet. The /etc/inetd.conf file on a system running systat and netstat typically includes the following lines:

systats stream  tcp  nowait  root /usr/bin/ps      ps -ef

netstat stream  tcp  nowait  root /usr/bin/netstat netstat -a

The ps -ef and netstat -a commands are bound to TCP ports 11 and 15, respectively. Example 5-1 shows how to use telnet to connect to the systat service and derive system process information.

Example 5-1. Using telnet to connect to the systat service
# telnet 192.168.0.1 11

Trying 192.168.0.1...

Connected to 192.168.0.1.

Escape character is '^]'.

UID        PID  PPID  C STIME TTY          TIME CMD

root         1     0  0 Jan03 ?        00:00:05 init [2]

root         2     1  0 Jan03 ?        00:00:00 [keventd]

root         3     1  0 Jan03 ?        00:00:00 [ksoftirqd_CPU0]

root         4     1  0 Jan03 ?        00:00:00 [kswapd]

root         5     1  0 Jan03 ?        00:00:00 [bdflush]

root         6     1  0 Jan03 ?        00:00:00 [kupdated]

root        10     1  0 Jan03 ?        00:00:00 [khubd]

root       492     1  0 Jan03 ?        00:00:00 /sbin/syslogd

root       495     1  0 Jan03 ?        00:00:00 /sbin/klogd

root       503     1  0 Jan03 ?        00:00:00 /usr/sbin/dhcpd -q

root       512     1  0 Jan03 ?        00:00:00 /usr/sbin/inetd

root       520     1  0 Jan03 ?        00:00:00 /usr/sbin/sshd

daemon     523     1  0 Jan03 ?        00:00:00 /usr/sbin/atd

root       526     1  0 Jan03 ?        00:00:00 /usr/sbin/cron

root       531     1  0 Jan03 tty1     00:00:00 -bash

root       532     1  0 Jan03 tty2     00:00:00 /sbin/getty 38400

root       533     1  0 Jan03 tty3     00:00:00 /sbin/getty 38400

root       534     1  0 Jan03 tty4     00:00:00 /sbin/getty 38400

root       535     1  0 Jan03 tty5     00:00:00 /sbin/getty 38400

root       536     1  0 Jan03 tty6     00:00:00 /sbin/getty 38400

root       887     1  0 Jan03 ?        00:00:03 /usr/sbin/named

root       913     1  0 Jan03 ?        00:00:00 [eth0]

root       918     1  0 Jan03 ?        00:00:00 [eth1]

root      1985   520  0 08:05 ?        00:00:00 /usr/sbin/sshd

root      1987  1985  0 08:05 pts/0    00:00:00 -bash

root      2066  1987  0 10:44 pts/0    00:00:00 ps -ef

The telnet client can connect to the netstat service, as shown in Example 5-2.

Example 5-2. Using telnet to connect to the netstat service
# telnet 192.168.0.1 15

Trying 192.168.0.1...

Connected to 192.168.0.1.

Escape character is '^]'.

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address  State

tcp        0      0 *:time                  *:*              LISTEN

tcp        0      0 *:discard               *:*              LISTEN

tcp        0      0 *:daytime               *:*              LISTEN

tcp        0      0 no-dns-yet.demon:domain *:*              LISTEN

tcp        0      0 192.168.0.1:domain      *:*              LISTEN

tcp        0      0 mail:domain             *:*              LISTEN

tcp        0      0 *:ssh                   *:*              LISTEN

tcp        0      0 *:smtp                  *:*              LISTEN

udp        0      0 *:32769                 *:*

udp        0      0 *:discard               *:*

udp        0      0 no-dns-yet.demon:domain *:*

udp        0      0 192.168.0.1:domain      *:*

udp        0      0 mail:domain             *:*

udp        0      0 *:bootps                *:*

raw        0      0 *:icmp                  *:*              7

Active UNIX domain sockets (servers and established)

Proto RefCnt Flags       Type       State         I-Node Path

unix  5      [ ]         DGRAM                    456    /dev/log

unix  2      [ ]         DGRAM                    1123

unix  2      [ ]         DGRAM                    516

unix  2      [ ]         DGRAM                    489

This system information gives insight into the running processes and network connections. By analyzing this data carefully, you can find usernames, command-line arguments (which may include passwords or other sensitive details), and details of internal or trusted hosts.



     
    ASPTreeView.com
     
    Evaluation has ·¶БµЩЪЙexpired.
    Info...