> <i>Since I wasn’t root and couldn’t install any tools (guess I could have copied a netstat binary across)</i><p>If you have the ability to write anywhere to disk (e.g., even /tmp, /run), dropping a copy of BusyBox (a statically linked, minimal clone of many of the base tools like ifconfig, netstat) has helped me more than once.<p>(I didn't have a working scp on a machine, and it was the ssh "gateway" to another machine that I needed access to. To jump to the next machine, I needed to run either ssh or nc, both of which were defunct (the HDD was dying). Copied busybox over for nc, and it worked like a charm. I had to write a small Python script to transform the binary into a printf command to write it out to disk, as essentially nothing but bash builtins worked due to the condition of the disk. Had a minor panic attack when I realized I needed to chmod +x it, but chmod still worked. In hindsight, I think I could have set the umask prior to the printf to avoid that step.)
AWK-less version. Assumes only sed and printf builtin.<p>Bonus: aligned columns[1]<p>(tested on 80x25 and only with text from blog, not actual /proc/net/tcp)<p>[1] Hack. Probably there is a better way to do alignment using only printf; alas I only know a subset of printf features.<p><pre><code>#!/bin/sh
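# Header row: three tabs bring "Remote" to column 24.
printf '%s\t\t\t%s\n' Local Remote
sed '
# Drop the column-header line (it has no "N: " socket index).
/: /!d;
# Strip the index, keeping "LOCAL:PORT REMOTE:PORT ...".
s/.*: //;
# Join local and remote with "-" and discard the remaining columns.
s/ /-/;
s/ .*//;
# Prefix every hex byte with 0x so printf %d can convert it.
s/[0-9A-F][0-9A-F]/0x& /g;
# Rejoin the two bytes of each port (4th, then 7th " 0x").
s/ 0x//4;
s/ 0x//7;
s/://g;
s/-//;
' /proc/net/tcp \
|while read a b c d e g h i j k;do
# Address bytes are stored reversed (little-endian), so print d c b a.
s=$(printf '%d.%d.%d.%d:%d %d.%d.%d.%d:%d\n' \
$d $c $b $a $e $j $i $h $g $k);
l=${s%% *};r=${s#* };
# Local addresses of 16+ characters already pass one tab stop.
if test ${#l} -lt 16;then
printf '%s\t\t%s\n' $l $r;else
printf '%s\t%s\n' $l $r;fi;
done</code></pre>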
The 'modern' iputils alternative to netstat is 'ss'. May or may not exist on some systems where netstat does not.<p>Good info, though. Lots of info to be had in /proc but needs parsing.
Pro-tip: if you pop a shell, only use it to run your own dropper. Use locally available tools as little as possible. Automate your entire post-exploitation payload and cleanup and get out as soon as possible.<p>Reading this article is like reading about elite Navy SEALs who storm an enemy outpost, get inside, and then get distracted trying to refashion a stapler they find lying around into a lock-picking device to open the safe.
netstat and ifconfig tend to be deprecated on Linux in favor of ss and ip. I do have to wonder if ss was tried, but still, the learning experience is quite valuable. :)
I wonder if ss was available? I'd recommend looking over "Deprecated Linux Networking Commands and their Replacements"[1]. In the case of netstat, `ss -a` is a good place to start.<p>1. <a href="https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/" rel="nofollow">https://dougvitale.wordpress.com/2011/12/21/deprecated-linux...</a>
I can't speak to ss and ip, but apparently netstat actually operates by opening these exact files [1].<p>[1] <a href="https://github.com/ecki/net-tools/blob/master/lib/pathnames.h" rel="nofollow">https://github.com/ecki/net-tools/blob/master/lib/pathnames....</a>
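Added example, not part of the thread: reading the same /proc/net/tcp table with shell builtins only (no sed, awk or netstat), and also decoding the state column, which the sed version above drops. It assumes IPv4 rows on a little-endian host; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode /proc/net/tcp rows using shell builtins only.

# Map the hex "st" column to the kernel's TCP state name.
tcp_state() {
  case $1 in
    01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
    04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
    07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
    0A) echo LISTEN ;;      0B) echo CLOSING ;;    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Turn "0100007F:0277" into "127.0.0.1:631". Assumes IPv4 and a
# little-endian host, where the address octets appear reversed.
hex_endpoint() {
  addr=${1%:*} port=${1#*:}
  case $addr$port in *[!0-9A-Fa-f]*) return 1 ;; esac
  [ ${#addr} -eq 8 ] && [ ${#port} -eq 4 ] || return 1
  p1=${addr%??????}; rest=${addr#??}     # split into four 2-digit octets
  p2=${rest%????};   rest=${rest#??}
  p3=${rest%??};     p4=${rest#??}
  printf '%d.%d.%d.%d:%d' "0x$p4" "0x$p3" "0x$p2" "0x$p1" "0x$port"
}

# Read /proc/net/tcp-format text on stdin; print local, remote, state.
list_tcp() {
  while read -r sl laddr raddr st _; do
    case $sl in *:) ;; *) continue ;; esac        # header has no "N:" index
    l=$(hex_endpoint "$laddr") && r=$(hex_endpoint "$raddr") || continue
    printf '%-22s %-22s %s\n' "$l" "$r" "$(tcp_state "$st")"
  done
}

# Constructed sample rows (trailing columns trimmed), not from a real host.
# The last row has tcp6-length addresses and is skipped by the length check.
demo() {
  list_tcp <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000
   1: 0A01A8C0:0016 6401A8C0:D431 01 00000000:00000000
   2: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
EOF
}

demo
```

On a live host, feed it the real table with `list_tcp < /proc/net/tcp`.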
Reminds me of an article shared a while ago on HN where someone deleted / and ended up with all binaries gone but still had a working bash session and the /proc fs. Can't find the link, sadly.