This Lab focuses on auditing the network security of Linux hosts. You will audit a Kali Linux host and an Ubuntu 8 host that is intentionally configured to be vulnerable to attacks. The techniques you learn apply to all modern distributions of Linux. By including the auditing techniques as part of routine system administration you can reduce the attack surface of your systems, potentially identify when systems have been compromised, and improve your overall security posture.
The local network for this Lab is contained within a Hyper-V virtual environment. The hosts that you will audit are virtual machines running in the Hyper-V environment.
Upon completion of this Lab you will be able to:
- Perform network security audits of Linux systems
- Understand how to construct commands specific to your auditing needs
- Generate summary reports of system-wide network socket usage
- Identify network sockets being used by specific processes and connections
You should be familiar with:
- TCP and UDP network protocol basics
Auditing Network Socket Statistics with ss
Periodically auditing the ports used by your system is part of an effective security strategy. Unexpected connections and listening ports can indicate that the system has been exploited and at the very least warrant further investigation to understand the cause. Modern Linux systems use the socket statistics command, ss, to audit network and other types of sockets. You will use ss to audit a Kali Linux system in this Lab Step. A socket is an endpoint for communication. In this context, a socket is specifically an IP address, a protocol, and a port.
Historically, another tool named netstat was used to perform the tasks in this Lab on Linux systems. netstat (from the net-tools package) is now deprecated on Linux, and ss (from iproute2) should be used as its replacement. netstat is still the standard tool on macOS.
- At the prompt type the following command and press enter to list a summary (-s) of socket statistics (ss) for the system:
ss -s
The Total refers to the total number of sockets in use on the system at that point in time. This number includes more than just network sockets, which are the focus of this Lab. It also includes Unix domain sockets, which are used for communication between processes on the same host.
The Transport table divides sockets into several common categories of internet protocol sockets, each subdivided by whether it is IPv4 (IP) or IPv6. The INET row is the total of the RAW, UDP, and TCP rows. At the moment there is only one raw socket open. The more sockets that are listening, the larger the attack surface of the host. With only one network socket open the attack surface is small.
To cause some TCP sockets to be opened, you will use a web browser.
- Open the Firefox web browser:
Wait until the browser appears:
- In the browser, navigate to http://192.168.0.101 to view a website hosted by another VM on the local network:
- In the terminal re-issue the command to list a summary of socket statistics:
After loading the website there are several changes to the summary. The exact changes you see may be different. What is important is how to interpret the data. The TCP: line at the top displays 8 connections, of which 3 are established and 5 are closed. The Transport table shows the 3 established connections appearing under the IP (IPv4) column in the TCP and INET rows. This makes sense since the website's traffic is served over HTTP, which uses TCP port 80.
- Enter the following command to view more information about TCP and UDP sockets:
ss -tuap
The output displays all TCP and UDP sockets along with the process using the socket, when ss can identify one. The options have the following meanings:
-t: Display TCP sockets
-u: Display UDP sockets
-a: Display both listening and non-listening sockets
-p: Show the process using the socket (the final column in the output). ss can only attribute sockets owned by other users when it runs as root, so if the Process column is empty re-run the command with sudo.
In the screenshot above, there are two established (ESTAB) TCP connections. Both connections are between the Kali Linux host (192.168.0.100) and the VM hosting the website (192.168.0.101). The website is served on port 80, shown as http in the Peer Address:Port column, and the port on the local machine is selected from the ephemeral port range used for short-lived connections (45226 and 45228). Both connections belong to firefox.
Note: Your output will differ from the image. If you do not see any rows beginning with tcp or udp, navigate to a different website in Firefox and re-issue the command shortly after.
- Attempt to identify the process associated with the raw socket that is listed in the socket statistics summary. To view the raw sockets the following command can be used:
ss -wap
The -w option displays raw sockets, -a displays all socket states, and -p displays the process using the socket. You can see that NetworkManager is using the raw socket:
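The listening-socket review above is easy to turn into a repeatable check: record which ports the host is expected to expose and flag anything else. The script below is an added example, not part of the lab. It parses text in the shape of ss -tulnp output (TCP and UDP listeners, numeric ports, process names); the SAMPLE text and the ALLOWLIST are constructed for illustration and are not captured from the lab VMs.

```shell
#!/bin/sh
# Added example (not part of the lab): flag listening sockets that are not on an
# allowlist. SAMPLE is constructed output in the shape of `ss -tulnp`
# (TCP+UDP listeners, numeric ports, process names); it is not captured from
# the lab VMs. On a live host replace SAMPLE with the real command's output,
# run as root so -p can attribute sockets owned by other users.

SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=512,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=820,fd=5))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=700,fd=4))
tcp   LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=1337,fd=3))'

# Hypothetical allowlist for this host: one "proto port" pair per line.
ALLOWLIST='tcp 22
tcp 5432
udp 68'

# listeners: one "proto port process" line per socket in SAMPLE.
# The port is whatever follows the last ':' of Local Address:Port, which also
# works for IPv6 forms such as [::]:22. The process name comes from users:(("name",...)).
listeners() {
    printf '%s\n' "$SAMPLE" | awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]
        proc = "-"
        if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
        print $1, port, proc
    }'
}

# unexpected_listeners: listeners whose "proto port" pair is absent from ALLOWLIST.
unexpected_listeners() {
    listeners | while read -r proto port proc; do
        if ! printf '%s\n' "$ALLOWLIST" | grep -qx "$proto $port"; then
            printf '%s %s %s\n' "$proto" "$port" "$proc"
        fi
    done
}

# audit: non-zero exit when anything unexpected is listening, so the check can
# run from cron and alert on a status change.
audit() {
    findings=$(unexpected_listeners)
    if [ -n "$findings" ]; then
        printf 'unexpected listeners:\n%s\n' "$findings"
        return 1
    fi
    echo "no unexpected listeners"
}

audit
```

With the constructed sample the only finding is the nc process on tcp/4444; the two sshd rows both map to the allowed "tcp 22" pair, so IPv4 and IPv6 listeners for the same service do not need separate entries. Numeric ports (-n) are deliberate: service names depend on /etc/services and would make the allowlist comparison fragile.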
Using ss to Audit a Highly Vulnerable System
Kali Linux is a Linux distribution with a focus on security. There was not much network socket activity because few services are running on the system. In this Lab Step, you will use ss to audit the Metasploitable 2 system, which runs Ubuntu 8.04 and is configured with many outdated, vulnerable services.
1. In the terminal, enter the following command to connect to the Metasploitable 2 host (the VM at 192.168.0.101 that served the website earlier; msfadmin is its default account):
ssh msfadmin@192.168.0.101
When prompted enter the following:
- Are you sure you want to continue connecting (yes/no)?: yes
- msfadmin@192.168.0.101's password: msfadmin
Note: Metasploitable 2 runs OpenSSH 4.7, which offers only legacy host key and key exchange algorithms. If a current OpenSSH client refuses to connect, its error message names the algorithm to re-enable with the matching -o option (for example -oHostKeyAlgorithms=+ssh-rsa).
2. Issue the following command to view all TCP and UDP sockets as well as process information:
ss -tuap
There are many more sockets listed on this host. Notice that ss replaces the port number with the service name associated with the port, for example smtp rather than 25. If this is undesirable, include the -n option (ss -tuapn) to always list port numbers; numeric output is also what you want when grepping or comparing against a baseline.
3. View the socket statistics summary to see how many sockets are active:
The output is slightly different on this host because it comes from an older release of ss, and it provides a few additional pieces of information compared with Kali Linux. The summary table shows that 54 INET sockets are active in total.
4. Use ss to identify the port that the Kali Linux host is using for its SSH connection to Metasploitable 2. The following command can be used:
ss -t | grep ssh
SSH is connection-oriented and uses TCP, so only the -t flag is required to view established TCP connections. The Kali Linux host uses an ephemeral port while the Metasploitable 2 host uses port 22 (ssh) for its end of the connection. Note that grep ssh only matches because ss resolved port 22 to its service name; with -n you would grep for :22 instead.
In the image above the port is 58130.
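Grepping for a service name is fine for a quick look, but it breaks as soon as -n is used or a line happens to contain "ssh" elsewhere. The script below is an added example, not part of the lab: it picks the SSH session out of established TCP connections by matching on the local port and reports the peer's ephemeral port. The SAMPLE text is constructed in the shape of ss -tn state established output on the Metasploitable 2 host (when ss is given a state filter it omits the State column); the addresses and ports are illustrative, not captured from the lab.

```shell
#!/bin/sh
# Added example (not part of the lab): find the SSH session's peer port from
# established TCP connections without relying on port-name resolution.
# SAMPLE is constructed in the shape of `ss -tn state established` as run on the
# Metasploitable 2 host; with a state filter ss omits the State column.
# The addresses and ports are illustrative, not captured from the lab.

SAMPLE='Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      192.168.0.101:22     192.168.0.100:58130
0      0      192.168.0.101:80     192.168.0.100:45226
0      0      192.168.0.101:80     192.168.0.100:45228'

# peers_of_local_port PORT: "peer_ip peer_port" for each established connection
# whose local port is PORT. The live equivalent, using ss's own filter syntax
# instead of grep, is:  ss -tn state established "( sport = :$PORT )"
peers_of_local_port() {
    printf '%s\n' "$SAMPLE" | awk -v want="$1" 'NR > 1 {
        ln = split($3, l, ":"); port = l[ln]
        if (port != want) next
        pn = split($4, p, ":"); pport = p[pn]
        # strip ":port" from the peer column so IPv6 peers such as [::1]:1234 stay intact
        print substr($4, 1, length($4) - length(pport) - 1), pport
    }'
}

# ssh_peer_port: the client's ephemeral port for the session to local port 22.
# Several concurrent sessions would print one line each.
ssh_peer_port() {
    peers_of_local_port 22 | awk '{ print $2 }'
}

# connections_per_local_port: "port count" summary, a quick view of which
# services on the host actually have clients right now.
connections_per_local_port() {
    printf '%s\n' "$SAMPLE" | awk 'NR > 1 {
        n = split($3, l, ":"); c[l[n]]++
    } END { for (k in c) print k, c[k] }' | sort -n
}

echo "ssh peer port: $(ssh_peer_port)"
connections_per_local_port
```

On the constructed sample the SSH peer port is 58130 and the summary shows one connection to port 22 and two to port 80. The peer address is recovered by trimming the trailing port rather than splitting on ':', since an IPv6 peer address contains colons of its own.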