
Netstat without netstat - wolframio
https://staaldraad.github.io/2017/12/20/netstat-without-netstat/
======
deathanatos
> _Since I wasn’t root and couldn’t install any tools (guess I could have
> copied a netstat binary across)_

If you have the ability to write anywhere to disk (e.g., even /tmp, /run),
dropping a copy of Busybox (a statically linked, minimal clone of many of the
base tools like ifconfig, netstat) has helped me more than once.

(I didn't have a working scp on a machine, and it was the ssh "gateway" to
another machine that I needed access to. To jump to the next machine, I needed
to run either ssh or nc, both of which were defunct (the HDD was dying).
Copied busybox over for nc, and it worked like a charm. I had to write a small
python script to transform the binary into a printf command to write it out to
disk, as essentially nothing but bash builtins worked due to the condition of
the disk. Had a minor panic attack when I realized I needed to chmod +x it,
but chmod still worked. In hindsight, I think I could have set the umask prior
to the printf to avoid that step.)

~~~
laumars
I know you've already solved this problem, but a few tips I've learned along
the way in case you - or anyone else - runs into this problem again:

If only Bash worked then you can use Bash's builtin TCP/IP stack to
transfer data (including files)[1][2]

[1] [http://www.linuxjournal.com/content/tech-tip-tcpip-access-using-bash](http://www.linuxjournal.com/content/tech-tip-tcpip-access-using-bash)

[2] [http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip)

This is how I got around a similar problem as yourself regarding needing to
get a file on a system which was severely locked down.

Also you can get around the `chmod +x` problem by calling ld directly[3]

[3] [https://superuser.com/a/341471](https://superuser.com/a/341471)

~~~
rdtsc
I like Bash's TCP thing. First time I saw it thought a coworker was pulling my
leg. Since then I've used it in a few places like talking to a metrics daemon
on localhost, or just debugging various issues. The most fun thing is to show
it to others as almost everyone is surprised about it.
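
The following is an added example, not code posted by deathanatos, laumars or anyone else in the thread. It puts the two tricks from this subthread into one script: the sending side turns a binary into a series of `printf` commands (deathanatos' approach, here with octal escapes so that `%`, backslashes and NUL bytes survive), and the receiving side pulls that text over bash's `/dev/tcp` redirection (laumars' tip) and replays it with nothing but shell builtins. Assumptions: `od` exists on the sending machine, the target shell is bash built with network redirections, and some listener such as `nc -l` is available on the sending side to serve the generated text. One caveat worth knowing: a shell redirection creates files with mode 0666 before the umask is applied, and umask can only clear bits, so it can never yield an executable; the generated script therefore keeps the `chmod +x`, and for a dynamically linked binary the loader trick from [3] is the fallback when chmod is unavailable.

```sh
#!/bin/sh
# Added example (not from the thread). Encoder is POSIX sh; receive_and_run
# needs bash because /dev/tcp is a bash redirection feature.

# encode_as_printf SRC DEST: print a shell script that recreates SRC at DEST
# using only the printf builtin. Each byte becomes a 3-digit octal escape
# (\NNN), which POSIX printf understands and which cannot be confused with a
# '%' conversion or a stray backslash in the data. od -v keeps repeated
# lines instead of collapsing them into '*'.
encode_as_printf() {
    src=$1; dest=$2
    printf ": > '%s'\n" "$dest"                 # create/truncate the target
    od -An -v -to1 "$src" | while read -r line; do
        [ -n "$line" ] || continue
        esc=
        for byte in $line; do esc="$esc\\$byte"; done
        printf "printf '%s' >> '%s'\n" "$esc" "$dest"
    done
    # chmod is an external binary; it still worked for deathanatos. If it does
    # not, a dynamically linked file can be run through the loader instead.
    printf "chmod +x '%s'\n" "$dest"
}

# receive_and_run HOST PORT: on the target, from bash, fetch the generated
# script from a listener and execute it line by line. bash opens
# /dev/tcp/HOST/PORT as a TCP socket when it appears in a redirection; no
# such file exists on disk. On the sending machine (assumed nc):
#   encode_as_printf busybox /tmp/busybox | nc -l -p 4444
# Caveat: this evals whatever arrives. It is a recovery trick, not a secure
# channel, so only use it over a network path you control.
receive_and_run() {
    while IFS= read -r line; do
        eval "$line"
    done < "/dev/tcp/$1/$2"
}

# Constructed fixture for the self-check (not a real binary): ELF magic, a
# NUL byte, 0xff, a literal '%' and a backslash, the bytes most likely to
# break a naive quoting approach.
make_sample() {
    printf '\177ELF\000\001\377%%\\\n' > "$1"
}

# same_bytes A B: byte-for-byte comparison using od (no cmp needed).
same_bytes() {
    [ "$(od -An -v -tx1 "$1")" = "$(od -An -v -tx1 "$2")" ]
}

# roundtrip_check: encode the fixture, replay the generated script with sh,
# and confirm the copy is byte-identical. Returns 0 on success.
roundtrip_check() {
    d=$(mktemp -d) || return 1
    make_sample "$d/orig"
    encode_as_printf "$d/orig" "$d/copy" > "$d/drop.sh"
    sh "$d/drop.sh"
    same_bytes "$d/orig" "$d/copy"; rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: ./drop.sh busybox /tmp/busybox > drop.txt, then paste drop.txt into
# the target shell or serve it with a listener for receive_and_run.
if [ $# -eq 2 ]; then
    encode_as_printf "$1" "$2"
fi
```

The receiver deliberately processes one line at a time rather than `source`-ing the socket: `source` opens its argument with a plain open(2), which does not go through the redirection code that gives `/dev/tcp` its meaning.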

------
feelin_googley
AWK-less version. Assumes only sed and the printf builtin.

Bonus: aligned columns[1]

(tested on 80x25 and only with text from blog, not actual /proc/net/tcp)

[1] Hack. Probably there is a better way to do alignment using only printf;
alas I only know a subset of printf features.

    #! /bin/sh
    # Decode /proc/net/tcp into "local remote" pairs using only sed and the
    # shell's printf builtin (no awk). Addresses are printed in host byte
    # order by the kernel, so on little-endian hosts the four address bytes
    # come out reversed; that is why they are passed as $d $c $b $a below.
    printf '%s\t\t\t%s\n' Local Remote
    # sed, per line: keep only socket lines ("   0: ..."), drop the index,
    # join local and remote with "-", drop the rest of the line, split every
    # hex byte pair into a "0x.. " word, then delete the 4th and 7th " 0x" so
    # the two port halves are glued back into 16-bit values before the ':'
    # and '-' separators are removed.
    sed '
      /: /!d;
      s/.*: //;
      s/ /-/;
      s/ .*//;
      s/[0-9A-F][0-9A-F]/0x& /g;
      s/ 0x//4;
      s/ 0x//7;
      s/://g;
      s/-//;
    ' /proc/net/tcp \
    | while read a b c d e g h i j k; do
      # a-d: local address bytes, e: local port; g-j: remote bytes, k: remote port
      s=$(printf '%d.%d.%d.%d:%d %d.%d.%d.%d:%-22d\n' \
                 $d $c $b $a $e $j $i $h $g $k)
      l=${s%% *}; r=${s#* }
      # crude column alignment: two tabs when the local address is short
      if test ${#s} -lt 45; then
        printf '%s\t\t%s\n' $l $r
      else
        printf '%s\t%s\n' $l $r
      fi
    done
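
As an added example that is not feelin_googley's script or the article's code: the same decoding carried one step further towards `netstat -anp`. It names the state column, handles `/proc/net/tcp6` as well as `/proc/net/tcp`, and maps a socket inode back to its owning PID by walking `/proc/*/fd`, which is what `netstat -p` does. It assumes a little-endian host (the kernel prints each 32-bit address word in host byte order) and, for the PID lookup only, that `readlink` from coreutils is present; the sample `/proc/net/tcp` content is constructed for the self-check, not captured from a real machine.

```sh
#!/bin/sh
# Added example, not from the article or the thread. POSIX sh only.

le_bytes() {   # le_bytes 0100007F -> "7F 00 00 01" (undo little-endian word order)
    w=$1
    b1=${w%??????}; w=${w#??}
    b2=${w%????};   w=${w#??}
    b3=${w%??};     b4=${w#??}
    echo "$b4 $b3 $b2 $b1"
}

hex_to_ipv4() {   # hex_to_ipv4 0100007F -> 127.0.0.1
    set -- $(le_bytes "$1")
    echo "$((0x$1)).$((0x$2)).$((0x$3)).$((0x$4))"
}

hex_to_ipv6() {   # 32 hex digits (four LE words) -> eight hextets, no :: compression
    h=$1; out=
    while [ -n "$h" ]; do
        set -- $(le_bytes "${h%"${h#????????}"}")
        out="$out${out:+:}$1$2:$3$4"
        h=${h#????????}
    done
    echo "$out"
}

tcp_state_name() {   # st column -> name, per include/net/tcp_states.h
    case $1 in
        01) echo ESTABLISHED ;;  02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;    05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;        08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;       0B) echo CLOSING ;;    0C) echo NEW_SYN_RECV ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# parse_proc_net_tcp FILE: FILE is /proc/net/tcp, /proc/net/tcp6 or a saved
# copy. Prints "local remote STATE inode", one socket per line. Ports are
# already in network order in the file, so only the address needs swapping.
parse_proc_net_tcp() {
    while read -r sl lsock rsock st queues timer retrans uid timeout inode rest; do
        [ "$sl" = sl ] && continue                 # skip the header line
        laddr=${lsock%:*}; lport=$((0x${lsock#*:}))
        raddr=${rsock%:*}; rport=$((0x${rsock#*:}))
        if [ ${#laddr} -eq 32 ]; then
            lip=$(hex_to_ipv6 "$laddr"); rip=$(hex_to_ipv6 "$raddr")
        else
            lip=$(hex_to_ipv4 "$laddr"); rip=$(hex_to_ipv4 "$raddr")
        fi
        printf '%s:%s %s:%s %s %s\n' "$lip" "$lport" "$rip" "$rport" \
            "$(tcp_state_name "$st")" "$inode"
    done < "$1"
}

# pid_for_inode INODE: the netstat -p step. Every /proc/PID/fd/N symlink for
# a socket reads "socket:[INODE]". Without root you can only read your own
# processes' fd directories, so other users' sockets come back unresolved.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; echo "${pid%%/*}"; return 0
    done
    return 1
}

# Constructed sample in the /proc/net/tcp layout (not from a real machine):
# a listener on 127.0.0.1:631, an established 10.0.0.10 -> 10.0.0.5:22
# session, and a listener on 0.0.0.0:8080.
write_sample_proc_net_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:D431 0500000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
EOF
}

# Usage on a live box: ./nonetstat.sh /proc/net/tcp; ./nonetstat.sh /proc/net/tcp6
# and pid_for_inode <inode> for any line of interest.
if [ $# -eq 1 ]; then
    parse_proc_net_tcp "$1"
fi
```

On a big-endian kernel the `le_bytes` swap must be dropped, since the address bytes then already appear in reading order; the port field is unaffected either way.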

------
lathiat
The 'modern' iputils alternative to netstat is 'ss'. May or may not exist on
some systems where netstat does not.

Good info, though. Lots of info to be had in /proc but needs parsing.

~~~
Annatar
ss is also one of the biggest travesties: every other UNIX-like and UNIX OS
has netstat, just GNU/Linux won’t because someone thinks they know better.

~~~
vbernat
Unlike other Unix, Linux doesn't control its userland. net-tools (ifconfig,
netstat, arp, route, etc.) was maintained by a separate person, was mostly a
dead project (it has been revived very recently) and many scripts heavily
relied on their interface (both input and output). To be able to push new
features, kernel devs had to develop a set of tools to expose those features
to users in a coherent way.

So, yes, maybe they know better.

~~~
Annatar
Only in GNU/Linux can it happen that core networking utilities like netstat,
arp and ifconfig fall into neglect. Because no, they don't know any better.

------
zx2c4
Pro-tip: if you pop a shell, only use it to run your own dropper. Use locally
available tools as little as possible. Automate your entire post-exploitation
payload and cleanup and get out as soon as possible.

Reading this article is like reading about elite navy seals who storm an enemy
outpost, get inside, and then get distracted trying to refashion a stapler
they find laying around into a lock-picking device to open the safe.

~~~
tudelo
"only use it to run your own dropper"

Can you clarify this? I'm not really sure what it means.

~~~
zx2c4
[https://en.wikipedia.org/wiki/Dropper_(malware)](https://en.wikipedia.org/wiki/Dropper_\(malware\))

------
chungy
netstat and ifconfig tend to be deprecated on Linux in favor of ss and ip. I
do have to wonder if ss was tried, but still, the learning experience is quite
valuable. :)

~~~
emmelaich
Exactly what I thought.

I've also had to deal with a lot of this 'security'. It really inhibits normal
work so much that security is probably _reduced_.

Any machine should have tcpdump, netcat, lsof, strace as well. If you want to
make it more secure - well set permissions appropriately and/or use
selinux/apparmor.

Hell, may as well put osquery on it as well. Why make life difficult for
people to do their jobs?

At an interview I was asked how to diagnose a running program. I mentioned
strace of course, but they were also looking for gdb use. I've not had gdb on
any prod machine for 'security reasons'. :-(

------
discreditable
I wonder if ss was available? I'd recommend looking over "Deprecated Linux
Networking Commands and their Replacements"[1]. In the case of netstat, `ss
-a` is a good place to start.

1. [https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/](https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/)

------
niftich
I can't speak to ss and ip, but apparently netstat actually operates by
opening these exact files [1].

[1] [https://github.com/ecki/net-tools/blob/master/lib/pathnames.h](https://github.com/ecki/net-tools/blob/master/lib/pathnames.h)

~~~
txutxu
ss too uses the same files as the article, see:

    strace -e open ss -s

~~~
vbernat
This is more an exception than a rule. ss mostly uses the netlink interface,
except when using "-s".

------
_jomo
Reminds me of an article shared a while ago on HN where someone deleted / and
ended up with all binaries gone but still had a working bash session and the
/proc fs. Can't find the link, sadly.

------
devericx
Super helpful article for a budding penetration tester such as myself! Thanks
for sharing.

------
trobotham
pretty interesting.

