ss : Backtrack 5: Non Menu Items: CLI Commands: ss

The ss command is not specific to Backtrack; it is typically included in most Linux or UNIX distributions. It is a core utility that should be in any pen tester's arsenal, as it provides detailed information about any type of socket, including DCCP, RAW, TCP, UDP and UNIX sockets. There are various switches that are useful depending on the task, and below I go through multiple examples of using switches for different scenarios.

ss: Socket Investigation Utility Help Output

root@bt:~/offsec# ss -h
Usage: ss [ OPTIONS ]
ss [ OPTIONS ] [ FILTER ]
-h, --help this message
-V, --version output version information
-n, --numeric don't resolve service names
-r, --resolve resolve host names
-a, --all display all sockets
-l, --listening display listening sockets
-o, --options show timer information
-e, --extended show detailed socket information
-m, --memory show socket memory usage
-p, --processes show process using socket
-i, --info show internal TCP information
-s, --summary show socket usage summary

-4, --ipv4 display only IP version 4 sockets
-6, --ipv6 display only IP version 6 sockets
-0, --packet display PACKET sockets
-t, --tcp display only TCP sockets
-u, --udp display only UDP sockets
-d, --dccp display only DCCP sockets
-w, --raw display only RAW sockets
-x, --unix display only Unix domain sockets
-f, --family=FAMILY display sockets of type FAMILY

-A, --query=QUERY
QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]

-F, --filter=FILE read filter information from FILE
FILTER := [ state TCP-STATE ] [ EXPRESSION ]

All of the switches are listed with a brief description when issuing the “ss -h” command from the CLI within Backtrack Linux. As noted above, the ss command is used to investigate the various types of sockets; a socket is a communication endpoint on the local computer or on a remote computer that is used to exchange data. On Backtrack Linux the ss command is located in the /sbin directory, so the full path to ss is /sbin/ss. Below are various examples of how the ss command can provide information about specific sockets.

Default ss Socket Info Output:

[root@dev ~]# ss
State       Recv-Q Send-Q                                             Local Address:Port                                                 Peer Address:Port
FIN-WAIT-2  0      0                                           ::ffff:70.70.44.44:http                                        ::ffff:67.67.120.120:63058
FIN-WAIT-2  0      0                                           ::ffff:70.70.44.44:http                                        ::ffff:67.67.120.120:63035
ESTAB       0      424                                         ::ffff:70.70.44.44:ssh                                           ::ffff:1.1.30.30:61407
[root@dev ~]#

In the above output we see TCP socket connection information, including the local address and port, the peer address and port, and the socket connection state. The default ss output would be the same as issuing the ss command with the -t switch. This is similar to the information netstat provides; however, the various switches can give detailed information about a specific socket type or a set of socket types.

Using ss To Display UNIX Socket Connection Details:

root@bt:~# ss -x
Netid State      Recv-Q Send-Q                                           Local Address:Port                                               Peer Address:Port
u_str ESTAB      0      0                                                            * 7214                                                          * 0
u_str ESTAB      0      0                                         @/com/ubuntu/upstart 7217                                                          * 0
u_str ESTAB      0      0                                                            * 8233                                                          * 0
u_str ESTAB      0      0                                                            * 8234                                                          * 0
u_str ESTAB      0      0                                                            * 8235                                                          * 0
u_str ESTAB      0      0                              /var/run/dbus/system_bus_socket 8236                                                          * 0
u_str ESTAB      0      0                                                            * 8633                                                          * 0
u_str ESTAB      0      0                              /var/run/dbus/system_bus_socket 8634                                                          * 0
u_str ESTAB      0      0                                                            * 8658                                                          * 0
u_str ESTAB      0      0                              /var/run/dbus/system_bus_socket 8659                                                          * 0

Above, the -x switch makes ss display information for UNIX sockets only. Switches can be combined, and it will take some experimentation with ss to find the exact switch combinations that provide the information you are looking for.

Use ss To Display All Socket Connection Details:

[root@dev ~]# ss -a
State       Recv-Q Send-Q                                             Local Address:Port                                                 Peer Address:Port
LISTEN      0      0                                                      127.0.0.1:smux                                                            *:*
LISTEN      0      0                                                              *:905                                                             *:*
LISTEN      0      0                                                              *:sunrpc                                                          *:*
LISTEN      0      0                                                              *:netarx                                                          *:*
LISTEN      0      0                                                              *:ftp                                                             *:*
LISTEN      0      0                                                      127.0.0.1:ipp                                                             *:*
LISTEN      0      0                                                      127.0.0.1:pdb                                                             *:*
LISTEN      0      0                                                      127.0.0.1:smtp                                                            *:*
TIME-WAIT   0      0                                                      127.0.0.1:quotad                                                  127.0.0.1:sunrpc
TIME-WAIT   0      0                                                  10.18.199.240:36177                                               10.21.195.202:https
TIME-WAIT   0      0                                                  10.18.199.240:36174                                               10.21.195.202:https
TIME-WAIT   0      0                                                  10.18.199.240:36175                                               10.21.195.202:https

I cut the output of the “ss -a” command off above because there were over a hundred sockets in total on the dev server I was using to test the ss output. Notice that the output contains not only local listening sockets but also connections to remote hosts, since the -a switch tells ss to display all sockets on that specific computer.

Use ss To Display All Socket Connection Details While Resolving Hostnames:

[root@dev ~]# ss -ar
State       Recv-Q Send-Q                                             Local Address:Port                                                 Peer Address:Port
LISTEN      0      0                                          localhost.localdomain:smux                                                            *:*
LISTEN      0      0                                                              *:rpc.status                                                         *:*
LISTEN      0      0                                                              *:rpc.portmapper                                                         *:*
LISTEN      0      0                                                              *:netarx                                                          *:*
LISTEN      0      0                                                              *:ftp                                                             *:*
LISTEN      0      0                                          localhost.localdomain:ipp                                                             *:*
LISTEN      0      0                                          localhost.localdomain:pdb                                                             *:*
LISTEN      0      0                                          localhost.localdomain:smtp                                                            *:*
TIME-WAIT   0      0                                          localhost.localdomain:quotad                                      localhost.localdomain:rpc.portmapper
TIME-WAIT   0      0                                               server.example.com:43729                                      webservices.amazon.com:https
TIME-WAIT   0      0                                               server.example.com:43730                                      webservices.amazon.com:https
TIME-WAIT   0      0                                               server.example.com:43731                                      webservices.amazon.com:https
TIME-WAIT   0      0                                               server.example.com:43732                                      webservices.amazon.com:https

Again we use the -a switch to display all socket connections, but this time we also include the -r switch, which attempts to resolve hostnames for the local IP address and the peer IP addresses. Only the first dozen or so lines are shown above; in reality there were over a hundred socket connections on server.example.com. There are many other useful switches depending on the information you are investigating, such as the -u switch to display UDP socket connections only. You can also dump the raw socket information to a file using the -D switch. For more information about ss, see the ss man page below.
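A practitioner looking at “ss -a” output on a host usually wants two things from it: a quick count of sockets per state, and the list of listening sockets that are actually reachable from the network (not bound to loopback), which can then be compared against a known-good baseline to spot newly opened ports. The following POSIX shell script is an added example and is not part of the original post or of the iproute package; it parses ss-style TCP output with awk, assumes the default TCP table layout shown in the post (no Netid column), and uses a constructed sample instead of running ss so it can be tested offline. The function names (ss_state_summary, ss_exposed_listeners, ss_listener_drift) are my own.

```shell
#!/bin/sh
# Added example: triage "ss -a"-style TCP output with POSIX sh + awk.
# Not from the original post; the sample below is constructed, not captured.

# Constructed sample of "ss -a" output (TCP table: State Recv-Q Send-Q Local Peer).
SAMPLE_SS_A='State       Recv-Q Send-Q      Local Address:Port        Peer Address:Port
LISTEN      0      0           127.0.0.1:smux            *:*
LISTEN      0      0           *:905                     *:*
LISTEN      0      0           *:sunrpc                  *:*
LISTEN      0      0           *:ftp                     *:*
LISTEN      0      0           127.0.0.1:ipp             *:*
TIME-WAIT   0      0           10.18.199.240:36177       10.21.195.202:https
ESTAB       0      424         10.18.199.240:ssh         1.1.30.30:61407'

# Count sockets per state (column 1), skipping the header line. Reads stdin.
ss_state_summary() {
    awk 'NR > 1 && NF >= 5 { n[$1]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Print "Local Address:Port" of LISTEN sockets that are reachable from the
# network, i.e. not bound to a loopback address (127.x, ::1 or ::ffff:127.x).
# Reads stdin; to use on a live host: ss -a | ss_exposed_listeners
ss_exposed_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" && $4 !~ /^(127\.|::1:|\[::1\]|::ffff:127\.)/ { print $4 }'
}

# Compare the current exposed listeners (from stdin) against a baseline file
# holding one addr:port per line (an earlier ss_exposed_listeners run).
# Prints "+ addr:port" for new listeners and "- addr:port" for ones that vanished.
ss_listener_drift() {
    baseline=$1
    tmpdir=$(mktemp -d)
    ss_exposed_listeners | LC_ALL=C sort > "$tmpdir/current"
    LC_ALL=C sort "$baseline" > "$tmpdir/base"
    # comm -13: only in current (new); comm -23: only in baseline (gone)
    comm -13 "$tmpdir/base" "$tmpdir/current" | sed 's/^/+ /'
    comm -23 "$tmpdir/base" "$tmpdir/current" | sed 's/^/- /'
    rm -rf "$tmpdir"
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_SS_A" | ss_state_summary
printf '%s\n' "$SAMPLE_SS_A" | ss_exposed_listeners
```

On a real host you would replace the sample with `ss -a` (or `ss -tan`, so names are not resolved and the port columns stay stable); save the output of ss_exposed_listeners once as the baseline, and re-run ss_listener_drift against it whenever you want to know whether something new has started listening on a non-loopback address.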

SS Socket Investigation Utility Man Page:

SS(8) SS(8)

NAME
ss – another utility to investigate sockets

SYNOPSIS
ss [options] [ FILTER ]

DESCRIPTION
ss is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and
state informations than other tools.

OPTIONS
These programs follow the usual GNU command line syntax, with long options starting with two dashes (`--'). A summary of
options is included below.

-h, --help
Show summary of options.

-V, --version
Output version information.

-n, --numeric
Do not try to resolve service names.

-r, --resolve
Try to resolve numeric address/ports.

-a, --all
Display all sockets.

-l, --listening
Display listening sockets.

-o, --options
Show timer information.

-e, --extended
Show detailed socket information.

-m, --memory
Show socket memory usage.

-p, --processes
Show process using socket.

-i, --info
Show internal TCP information.

-s, --summary
Print summary statistics. This option does not parse socket lists obtaining summary from various sources. It is
useful when amount of sockets is so huge that parsing /proc/net/tcp is painful.

-4, --ipv4
Display only IP version 4 sockets (alias for -f inet).

-6, --ipv6
Display only IP version 6 sockets (alias for -f inet6).

-0, --packet
Display PACKET sockets.

-t, --tcp
Display only TCP sockets.

-u, --udp
Display only UDP sockets.

-d, --dccp
Display only DCCP sockets.

-w, --raw
Display only RAW sockets.

-x, --unix
Display only Unix domain sockets.

-f FAMILY, --family=FAMILY
Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink.

-A QUERY, --query=QUERY
List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp,
raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.

-D FILE
Do not display anything, just dump raw information about TCP sockets to FILE after applying filters. If FILE is -
stdout is used.

-F FILE, --filter=FILE
Read filter information from FILE. Each line of FILE is interpreted like single command line option. If FILE is -
stdin is used.

FILTER := [ state TCP-STATE ] [ EXPRESSION ]
Please take a look at the official documentation (Debian package iproute-doc) for details regarding filters.

USAGE EXAMPLES
ss -t -a
Display all TCP sockets.

ss -u -a
Display all UDP sockets.

ss -o state established '( dport = :ssh or sport = :ssh )'
Display all established ssh connections.

ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.

ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
List all the TCP sockets in state FIN-WAIT-1 for our Apache to network 193.233.7/24 and look at their timers.

SEE ALSO
ip(8), /usr/share/doc/iproute-doc/ss.html (package iproutedoc)

AUTHOR
ss was written by Alexey Kuznetsov.

This manual page was written by Michael Prokop for the Debian project (but may be used by others).

SS(8)

Again, the ss command is definitely worth becoming familiar with, and understanding sockets is key to being successful in the technology industry, whether you are a pen tester, network admin, sys admin, or programmer.
