administrator’s best friends—is the ps command. Run it in your command line to see what processes are active:
kali >ps
PID TTY TIME CMD 39659 pts/0 00:00:01 bash 39665 pts/0 00:00:00 ps
The Linux kernel, the inner core of the operating system that controls nearly everything, assigns a unique process ID (PID) to each process sequentially, as the processes are created. When working with these processes in Linux, you often need to specify their PIDs, so it is far more important to note the PID of the process than the name of the process.
Alone, the ps command doesn’t really provide you with much information. Running the
ps command without any options lists the processes started (said to be invoked) by the currently loggedin user (in our case, root) and what processes are running on that terminal. Here, it simply says that the bash shell is open and running and that we ran the ps command. We want and need far more information than that, particularly on those processes run by other users and by the system in the background. Without this information, we know very little of what is actually taking place on our system.
Running the ps command with the options aux will show all processes running on the system for all users, as shown in Listing 61. Note that you don’t prefix these options with a dash (-) and that everything is in lowercase; because Linux is casesensitive, using uppercase options woud give you significantly different results.
kali >ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND Root 1 0.0 0.4 202540 6396 ? Ss Apr24 0:46 /sbin/init
Root 2 0.0 0.0 0 0 ? S Apr24 0:00 [kthreadd]
Root 3 0.0 0.0 0 0 ? S Apr24 0:26 [ksoftirqd/0]
snip
root 39706 0.0 0.2 36096 3204 pts/0 R+ 15:05 0:00 ps aux
Listing 61: Using the aux options to see processes for all users
As you can see, this command now lists so many processes, they likely run off the bottom of your screen. The first process is init, listed in the final column, and the last
WOW! eBook
process is the command we ran to display, ps aux. Many of the details (PID, %CPU, TIME,
COMMAND, and so on) may be different on your system but should have the same format.
For our purposes, here are the most important columns in this output:
USER The user who invoked the process
PID The process ID
%CPU The percent of CPU this process is using
%MEM The percent of memory this process is using
COMMAND The name of the command that started the process
In general, to perform any action on a process, we must specify its PID. Let’s see how to use this identifier to our advantage.
Filtering by Process Name
When we inquire about or perform an action on processes, we usually don’t want all of the processes displayed on the screen. It’s simply a problem of too much information.
Most often, we want to find information on a single process. To do so, we can use the filtering command grep, which I introduced in Chapter 1.
To demonstrate, we’ll use the Metasploit exploitation framework, the most widely used exploitation framework and nearly every hacker’s good friend. This comes installed on your Kali system, so start Metasploit with the following:
kali >msfconsole
Once the exploitation framework has been started, let’s see whether we can find it in the list of processes. To do so, use the ps aux command and then pipe it (|) to grep
looking for the string msfconsole, as in Listing 62.
kali >ps aux|grepmsfconsole
root 39756 0.0 0.0 4304 716 pts/2 Ss+ 15:13 0:00 sh c service postgresql start && msfdb init & msfconsole
root 39759 35.1 15.2 4304 227888 pts/2 Sl+ 15:13 1:36 ruby /usr/bin/
msfconsole
root 39892 0.0 0.0 4304 940 pts/2 S+ 15:18 0:00 grep msfconsole
WOW! eBook
Listing 62: Filtering a ps search to find a particular process
From the filtered output in this listing, you should see all the processes that match the term msfconsole. The PostgreSQL database, which is the database Metasploit uses, is shown first, then the msfconsole program itself from /usr/bin/msfconsole. Finally, you should see the grep command you used to look for msfconsole. Notice that the output did not include the column header list from ps. Since the keyword, msfconsole, is not in the header, it is not displayed. Even so, the results are displayed in the same format.
From this, you can learn some important information. If, for example, you need to know how many resources Metasploit is using, you can consult the third column (the CPU column), to see that it’s using 35.1 percent of your CPU, and consult the fourth column to see that it’s using 15.2 percent of your system memory. That’s quite a bit. It’s a demanding beast!
Finding the Greediest Processes with top
When you enter the ps command, the processes are displayed in the order they were started, and since the kernel assigns PIDs in the order they have started, what you see are processes ordered by PID number.
In many cases, we want to know which processes are using the most resources. This is where the top command comes in handy because it displays the processes ordered by resources used, starting with the largest. Unlike the ps command, which gives us a one
time snapshot of the processes, top refreshes the list dynamically—by default, every 10 seconds. You can watch and monitor those resourcehungry processes, as shown in Listing 63.
kali >top
top 15:31:17 up 2 days, ^;50, 4 users, load average: 0.00, 0.04, 0.09 Tasks: 176 total, 1 running, 175 sleeping, 0 stopped, 0 zombie
%Cpu(s): 1.3 us, 0.7 sy, ).) ni, 97.4 id, 0.0 wa, 0.0 hi 0.0 si 0.0
KiB Mem : 1491220 total, 64848 free, 488272 used, 938100 buff/cache KiB Swap : 1046524 total, 1044356 free, 2168 used. 784476 avail MEM
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 39759 root 20 0 893180 247232 11488 S 0.7 16.6 1:47.88 ruby
39859 root 20 0 27308 16796 14272 S 0.3 1.2 1:47.88 postgres 39933 root 20 0 293936 61500 29108 S 0.7 4.1 1:47.88 Xorg
snip
WOW! eBook
Listing 63: Finding the greediest processes with top
System administrators often keep top running in a terminal to monitor use of process resources. As a hacker, you may want to do the same, especially if you have multiple tasks running on your system. While you have top running, pressing the H or ? key will bring up a list of interactive commands, and pressing Q will quit top. You’ll use top again soon to manage your processes in “Changing Process Priority with nice” on page 65 and
“Killing Processes” on page 66.