LPI Linux Certification in a Nutshell

Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger
Name

netstat

Description

The command /bin/netstat is a generic, all-purpose network information
tool. It will give you information about network connections, routing
tables, interface statistics, and many other low-level details of your
current network configuration. From a security standpoint, one of the
most useful options of netstat is its ability to tell you what network
ports are currently “open” on your system, what network connections
exist, and what state those connections are in. netstat was defined,
with examples, in Chapter 21. Here are a few more examples, focusing on
the security-related information provided by netstat.

Examples

Show protocol statistics. This is an example from a moderately
busy public web server that has been up for 41 days:

# netstat -s
Ip:
996714394 total packets received
0 forwarded
0 incoming packets discarded
996354233 incoming packets delivered
743668424 requests sent out
Icmp:
308127 ICMP messages received
488 input ICMP message failed.
ICMP input histogram:
destination unreachable: 669
timeout in transit: 2
redirects: 277573
echo requests: 29877
echo replies: 6
48625 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 18748
echo replies: 29877
Tcp:
4092366 active connection openings
6613024 passive connection openings
28785 failed connection attempts
479914 connection resets received
46 connections established
995776060 segments received
742269993 segments send out
1026415 segments retransmitted
7056 bad segments received.
135994 resets sent
Udp:
30804 packets received
18657 packets to unknown port received.
0 packet receive errors
323385 packets sent
TcpExt:
77483 invalid SYN cookies received
22981 resets received for embryonic SYN_RECV sockets
ArpFilter: 0
6555736 TCP sockets finished time wait in fast timer
2463 time wait sockets recycled by time stamp
1004 packets rejects in established connections because of timestamp
17501900 delayed acks sent
24177 delayed acks further delayed because of locked socket
Quick ack mode was activated 92779 times
16609 times the listen queue of a socket overflowed
16609 SYNs to LISTEN sockets ignored
465508199 packets directly queued to recvmsg prequeue.
2188914674 packets directly received from backlog
1015042059 packets directly received from prequeue
414843326 packets header predicted
421778135 packets header predicted and directly queued to user
TCPPureAcks: 52593173
TCPHPAcks: 313477583
TCPRenoRecovery: 3251
TCPSackRecovery: 109485
TCPSACKReneging: 219
TCPFACKReorder: 409
TCPSACKReorder: 61
TCPRenoReorder: 287
TCPTSReorder: 1367
TCPFullUndo: 1433
TCPPartialUndo: 5607
TCPDSACKUndo: 75787
TCPLossUndo: 60128
TCPLoss: 93645
TCPLostRetransmit: 31
TCPRenoFailures: 1693
TCPSackFailures: 44900
TCPLossFailures: 10718
TCPFastRetrans: 182057
TCPForwardRetrans: 21100
TCPSlowStartRetrans: 167274
TCPTimeouts: 428080
TCPRenoRecoveryFail: 2148
TCPSackRecoveryFail: 19641
TCPSchedulerFailed: 107692
TCPRcvCollapsed: 0
TCPDSACKOldSent: 89093
TCPDSACKOfoSent: 1003
TCPDSACKRecv: 165272
TCPDSACKOfoRecv: 521
TCPAbortOnSyn: 0
TCPAbortOnData: 11898
TCPAbortOnClose: 2165
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 11617
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0

Display all the active TCP connections:

# netstat --tcp -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.23.11:80        209.34.195.194:4898     SYN_RECV
tcp        0      0 192.168.23.11:80        71.126.90.107:50254     SYN_RECV
tcp        0      0 192.168.23.11:769       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:992       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:80        66.199.0.164:32211      TIME_WAIT
tcp        0      0 192.168.23.11:80        68.13.184.187:3249      ESTABLISHED
tcp        0      0 192.168.23.11:80        68.13.85.103:2972       TIME_WAIT
tcp        0      0 192.168.23.11:80        70.165.111.157:14068    TIME_WAIT
tcp        0      0 192.168.23.11:80        68.110.27.241:32808     TIME_WAIT
tcp        0      0 192.168.23.11:80        71.199.119.34:49469     TIME_WAIT

This output shows us that there are a number of connections to TCP port
80 on our server (192.168.23.11). These connections are from many
different hosts, as is typical with a busy web server. One of the
interesting things about a report like this is the “State” column. A
TCP connection goes through a number of different states as the
connection is requested and created, data is transmitted, and the
connection is completed and closed. From a security standpoint, it’s a
good idea to be familiar with the different states a TCP connection can
be in. Some high-profile denial of service attacks in the past have
taken advantage of the relatively long timeout values in TCP
connections to completely exhaust the kernel memory of a system: the
attacker opens thousands of TCP connections but never completes them,
so the system under attack holds those thousands of connections open
until they finally time out. If you see a lot of connections in the
“TIME_WAIT” state for long periods, you may be the victim of such an
attack. To modify the default timeout value, edit the file
/proc/sys/net/ipv4/tcp_fin_timeout. For more information on the /proc
filesystem and how to use it to tune your running system, refer to the
text file Documentation/filesystems/proc.txt in your Linux kernel
source.
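One way to turn that State column into a routine check, as an added shell example that is not from the book: it summarises netstat --tcp -n output by state and warns when half-open (SYN_RECV) connections on one local port reach a threshold. The sample output, the threshold and the function names are constructed for this example.

```shell
# Added example, not from the book: summarise "netstat --tcp -n" output (stdin)
# by TCP state and warn when half-open (SYN_RECV) connections on one local port
# reach a threshold. SAMPLE_NETSTAT is constructed for offline use.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.23.11:80        209.34.195.194:4898     SYN_RECV
tcp        0      0 192.168.23.11:80        71.126.90.107:50254     SYN_RECV
tcp        0      0 192.168.23.11:769       192.168.23.10:2049      ESTABLISHED
tcp        0      0 192.168.23.11:80        66.199.0.164:32211      TIME_WAIT
tcp        0      0 192.168.23.11:80        68.13.184.187:3249      ESTABLISHED
tcp        0      0 192.168.23.11:80        68.13.85.103:2972       TIME_WAIT'

# state_summary: print "count state" for each state present, most common first.
state_summary() {
    awk '$1 == "tcp" { n[$6]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# count_state STATE: number of TCP connections in STATE, on any local port.
count_state() {
    awk -v st="$1" '$1 == "tcp" && $6 == st { n++ } END { print n + 0 }'
}

# port_state_count PORT STATE: connections in STATE whose local port is PORT.
port_state_count() {
    awk -v port="$1" -v st="$2" '
        $1 == "tcp" && $6 == st {
            lp = $4; sub(/.*:/, "", lp)   # keep only the port after the last colon
            if (lp == port) n++
        }
        END { print n + 0 }'
}

# check_halfopen PORT THRESHOLD: exit 0 while SYN_RECV connections on PORT stay
# below THRESHOLD, 1 once they reach it (half-open connections piling up on a
# service port is the pattern the text above describes).
check_halfopen() {
    n=$(port_state_count "$1" SYN_RECV)
    if [ "$n" -ge "$2" ]; then
        echo "WARNING: $n half-open connections on port $1 (threshold $2)" >&2
        return 1
    fi
    return 0
}

# Offline demonstration; on a live host pipe "netstat --tcp -n" in instead.
printf '%s\n' "$SAMPLE_NETSTAT" | state_summary
printf '%s\n' "$SAMPLE_NETSTAT" | check_halfopen 80 100 && echo "port 80 looks normal"
```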

Table 22-4 displays the different states a TCP connection goes through.

Table 22-4. States of a TCP connection

State name    Description
------------  -----------------------------------------------------------
CLOSED        The connection is closed.
LISTEN        Listening for an incoming connection.
SYN_RCVD      SYN stands for SYNCHRONIZE, used to initiate and establish
              a connection. Named for the synchronization of sequence
              numbers that takes place throughout a TCP connection. This
              state indicates the connection is receiving packets.
SYN_SENT      This state indicates the connection is sending packets.
ESTABLISHED   In this state, the TCP three-way handshake has been
              completed, and a TCP connection is now established.
FIN_WAIT_1    FIN stands for FINISH, meaning that one of the devices wants
              to terminate the connection.
FIN_WAIT_2    After one end receives an acknowledgement (ACK) of a FIN, it
              goes into state FIN_WAIT_2.
CLOSING       The connection is in the process of closing.
CLOSE_WAIT    The state a connection is in after sending an ACK in
              response to an initial FIN.
LAST_ACK      One end of the connection is in the process of sending a
              FIN.
TIME_WAIT     After a TCP connection is closed, the kernel will keep the
              connection around in TIME_WAIT state, waiting for any
              delayed duplicate packets. This prevents another socket
              from using this same port and receiving data meant for an
              old connection.

On the Exam

netstat is an important tool that you will encounter often in your
Linux career. Become familiar with the more common command-line
options, and understand when it is appropriate to use the netstat
command, because you will see a number of references to it on the LPI
exams.

Name

nmap

Syntax

nmap [scan type] [options] (target specifications)

Description

nmap (the network mapper) is a very powerful port-scanning tool. Its
primary purpose is to scan a remote host (or entire subnet) and report
back what TCP or UDP ports are open on each system. However, this
powerful tool can do much more, including OS fingerprinting and
vulnerability scanning.

Frequently used options

-sP
    Don’t port scan; just report what hosts respond to a ping request.
    This is commonly called a ping sweep. See the later examples.

-n
    Don’t do DNS resolution.

-sS
    Perform a TCP SYN scan (the default).

-sU
    Perform a UDP scan.

-p port_range
    Scan only the specified ports.

-sV
    Perform a service or version scan on open ports. This is useful when
    attempting to determine what software is running on the remote
    machine.

-O
    Attempt to determine the operating system of the system being
    scanned.

Example 1

Perform a “standard” TCP scan on a remote system:

# nmap 192.168.1.220
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:11 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 979 closed ports
PORT STATE SERVICE
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1029/tcp open ms-lsa
1084/tcp open ansoft-lm-2
1090/tcp open unknown
1094/tcp open unknown
1121/tcp open unknown
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
10000/tcp open snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

nmap performs its work relatively quickly, and lets us know that of the
1,700 or so common ports that were scanned, 21 ports were found open
that nmap considers “interesting.” If you want to scan every possible
TCP port (from 1 to 65535), give the -p option:

# nmap -p 1-65535 192.168.1.220
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:15 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 65512 closed ports
PORT STATE SERVICE
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1029/tcp open ms-lsa
1084/tcp open ansoft-lm-2
1090/tcp open unknown
1094/tcp open unknown
1121/tcp open unknown
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv
4601/tcp open unknown
9675/tcp open unknown
10000/tcp open snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)
Nmap done: 1 IP address (1 host up) scanned in 17.80 seconds

This scan took a little bit longer, but it showed us an
additional three open TCP ports that the default scan did not
show.
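A defender’s follow-up to the two scans above, as an added shell example that is not from the book: it extracts the open TCP ports from saved nmap output and reports any that are missing from the list of services the host is expected to run, so that a full-port scan of your own server surfaces exactly the kind of extra ports the second scan found. The nmap text, the baseline list and the function names are constructed for this example.

```shell
# Added example, not from the book: pull the open TCP ports out of saved nmap
# output (stdin) and report any that are not on the expected-services baseline.
# SAMPLE_NMAP is constructed from the "PORT STATE SERVICE" lines nmap prints.
SAMPLE_NMAP='Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:15 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 65529 closed ports
PORT      STATE  SERVICE
53/tcp    open   domain
80/tcp    open   http
443/tcp   closed https
3389/tcp  open   ms-term-serv
4601/tcp  open   unknown
9675/tcp  open   unknown
MAC Address: 00:07:E9:82:6B:D8 (Intel)
Nmap done: 1 IP address (1 host up) scanned in 17.80 seconds'

# open_tcp_ports: print the open TCP port numbers, one per line, ascending.
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' |
        sort -n
}

# unexpected_ports "P1 P2 ...": open ports that are not in the space-separated
# baseline of ports this host is supposed to serve.
unexpected_ports() {
    open_tcp_ports | awk -v bl="$1" '
        BEGIN { n = split(bl, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# audit_host "P1 P2 ...": exit 0 when only baseline ports are open, 1 otherwise.
audit_host() {
    extra=$(unexpected_ports "$1")
    if [ -n "$extra" ]; then
        echo "Unexpected open TCP ports: $(printf '%s ' $extra)" >&2
        return 1
    fi
    return 0
}

# Offline demonstration; on a real host feed it a saved full-port scan of that
# host (nmap -p 1-65535 <host> > scan.txt; audit_host "..." < scan.txt).
printf '%s\n' "$SAMPLE_NMAP" | audit_host "53 80 3389" ||
    echo "host deviates from its baseline; investigate the listed ports"
```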

Example 2

Attempt to perform an “OS fingerprint” on a remote system:

# nmap -O 192.168.1.220
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-14 21:18 CST
Interesting ports on server.domain.com (192.168.1.220):
Not shown: 979 closed ports
PORT STATE SERVICE
42/tcp open nameserver
<...output truncated...>
10000/tcp open snet-sensor-mgmt
MAC Address: 00:07:E9:82:6B:D8 (Intel)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/.

nmap performs some interesting manipulations of the standard TCP
connection states in an attempt to guess what operating system the
scanned host is running. For more information, visit the nmap site
(http://nmap.org).

Example 3

Discover what hosts are “up” on a subnet (or at least which ones are
responding to ping). This example was run on a different machine, so
the version of nmap and the IP subnet are different from the previous
example:

# nmap -sP 10.0.0.0/24
Starting Nmap 4.52 ( http://insecure.org ) at 2010-01-14 21:21 CST
Host 10.0.0.1 appears to be up.
Host 10.0.0.100 appears to be up.
MAC Address: 00:1B:EA:F2:C4:70 (Nintendo Co.)
Host 10.0.0.101 appears to be up.
MAC Address: 00:21:00:9E:45:15 (Unknown)
Host 10.0.0.102 appears to be up.
MAC Address: 00:21:00:72:54:4A (Unknown)
Host 10.0.0.103 appears to be up.
MAC Address: 00:21:85:C2:2D:A5 (Unknown)
Host 10.0.0.104 appears to be up.
MAC Address: 00:19:21:27:8E:83 (Elitegroup Computer System Co.)
Host 10.0.0.106 appears to be up.
MAC Address: 00:14:22:61:E3:D9 (Dell)
Host router (10.0.0.210) appears to be up.
MAC Address: 00:12:17:30:B4:9C (Cisco-Linksys)
Nmap done: 256 IP addresses (8 hosts up) scanned in 4.928 seconds
