Hack Like a Pro: Linux Basics for the Aspiring Hacker, Part 8 (Managing Processes)

Linux Basics for the Aspiring Hacker, Part 8 (Managing Processes)

Welcome back, my novice hackers!

In my continuing effort to develop your Linux skills, I now offer you this eighth in my series for Linux Basics for the Aspiring Hacker. In this tutorial, we'll look at system processes and how to manage them.

In Linux, a process is a program running in memory. Typically, your computer is running hundreds of processes simultaneously. If they're system processes, Linux folks refer to them as daemons or demons. You will often see the process name ending with a "d" such httpd, the process or daemon responsible for the http service.

Step 1: See What Processes Are Running

We can see all the processes running on your system by typing:

  • ps aux

These switches will provide all processes (a), the user (u) ,and processes not associated with a terminal (x). This is my favorite set of switches for using ps as it enables me to see which user initiated the process and how much in resources it's using.

Note that each process listed shows us among many things.

  • user
  • PID (process identifier)
  • %CPU
  • %MEM (memory)

If we just wanted to see the all the processes with limited information, we can type:

  • ps -A

You can see all the processes running, but without such information as CPU percentage and memory percentage. Note that airbase-ng is listed with PID 5143 and the last process is the ps command.

Process numbers, or PIDs, are critical for working in Linux, as you often need the PID to manage a process. As you might have seen in some of my Metasploit tutorials, the PID often becomes critical in hacking the victim systems.

Step 2: The Top Command

Similar to the ps command is the top command, except that top shows us only the top processes. In other words, it only shows us the processes using the most resources and it's dynamic, meaning that it is gives us a real-time look at our processes. Simply type:

  • top

As you can see, the processes are listed in the order by how much system resources they are using, and the list is constantly changing as the processes use more or less resources.

Step 3: Killing Processes

Sometimes we will need to stop processes in Linux. The command we use is kill. Don't worry, it sounds more violent than it actually is. This command is particularly important if we have a process that continues to run and use system resources, even after we have tried to stop it. These processes are often referred to as "zombie" processes.

We can kill a process by simply typing kill and the process ID or PID. So to kill my airbase-ng process, I can simply type:

  • kill 5143

We can see in the screenshot above that my airbase-ng process is no longer running.

There are many types of "kills". The default kill (when we use the kill command without any switches) is kill 15 or the termination signal. It allows the process to cleanup and gently terminate its process.

Sometimes, processes still refuse to terminate even when sent the default kill command. In that case, we have to get more serious and use the absolute terminator to do the job. This is kill -9, which takes no prisoners and ends the job without allowing it to say its goodbyes and forces the kernel to terminate it immediately.

Step 4: Change Process Priority

Every process in Linux is given a priority number. As you probably guessed, this priority number determines how important the process is and where it stands in line in terms of using system resources. These priority numbers range from 0 to 127 with 0 being the highest priority and 127 being the lowest.

As the root user or system admin, we can't directly determine the priority of a process—that is the job of the kernel—but we can hint to the kernel that we would like a process to run with a higher priority. We can do this through the nice command. Nice values range from -20 to +19 with the lower values indicating a higher priority.

We can set a processes' nice value by using the nice command, the -n switch, the value of the nice, and then the command we want to run. So, if if we wanted to start our airbase-ng process from our Evil Twin tutorial with the highest priority, we could type:

  • nice -n -20 airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0

Later on, if we felt that we wanted to reduce the priority of the airbase-ng command, we could renice it. The renice command requires simply the renice command, the priority level, and unlike the nice command, it only takes the process PID, such as:

  • renice 15 5143

We can see that by renice-ing the airbase-ng command, we have reduced its priority from -20 (highest) to 15 (relatively low).

Step 5: Push a Process into the Background

You probably noticed in running some of my hack tutorials that when we run a command from the shell terminal, the process will take control of that shell until it is complete. If it's an ongoing process, similar to airbase-ng, it will maintain control of that terminal until we stop it. Until that time, we can't use that shell.

If we want to still use that shell, we can send that process into the background and then get control of the shell again. To start a command in the background, we simply need to end the command with the & or ampersand. So, to get airbase-ng to run in the background, we simply type:

  • airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0 &

If we want to bring a background job to the foreground, we simply type fg. To send a foreground processes to the background, we can type Control Z to stop it and then and using the bg command with the PID to send it to the background.

That's It for Now...

Stay tuned for more Linux basics for the aspiring hacker. If you haven't checked out the other guides yet, make sure to give them a look. If you have any questions, make sure to comment below or start a thread in the Null Byte forum for help.

Penguins walking and penguin trio photos via Shutterstock

18 Comments

Useful. I learned a good few things on daemon management. :) Quite helpful!

I'd recommend htop as well - its available in most recent distributions of Linux (or at least in common repositories for them such as EPEL for RedHat/CentOS/Scientific Linux) and gives you a more human-readable interface on your running processes. :-)

OTW,

This is just trivial, therefore only read further if you want your article to be immaculate, and again, I could be wrong here, but in the third paragraph of step 4, at the end of line 2 and the beginning of line 3, the word 'if' appears to have been unnecessarily duplicated, it may just be there for dramatisation after all.

Thanks Nemesis. I think I was stuttering when I wrote that.

OTW,

I apologise, but I do not understand how, in step 4, the top priority is listed as 0, but then airbase-ng (PID 5143) later, still in step 4, has a priority of -20.

I would greatly appreciate further explanation,
Thank you,

Nemesis1512

Nemesis:

Great question.

The confusion lies in the difference in terminology. One is the priority and the other is the nice value. Nice values "suggest" to the operating system what priority the command should be run as. The nice values range from -20 to +19. This is different than the priorities which only can be set by the OS. So, I as the sysadmin can suggest to the OS to raise a processes priority, but it doesn't have to. To strongly suggest raising its priority, we re-nice it to -20. To suggest to the OS that this process doesn't require priority, we can re-nice it to +19.

Hope this helps.

OTW

OTW,

I might not have read your article correctly but i still have a confusion, in step 3 you killed airbase-ng process. Then in step 4 you used the nice command not only to change the "nice priority" value, but also to restart the previously killed process. So my question is do we always have to use the nice value on a non-executing process, or can we use the nice command on an already executing deamon?

Soulei1990:

You can set the nice value when you start a daemon and then renice it after it is running.

OTW

In command:nice -n -20 airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0,what's "-a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0" means? And i wonder how the nice value hint to the kernel and why we don't use nice value when we use renice command...

I would also recommend pgrep and pkill commands. They are useful to quickly find out pid or kill a process that is started from a particular bin file (and you know the name of that bin). For example, assuming there is 'telegram' running in the background, you can 'pgrep telegram' to get it's pid or 'pkill telegram' to kill this process. And these commands also work with shell regex.

My 2 cents.

In addition to pkill you can also use killall to use the process name instead of the PID (this has less options than pkill). pkill and pgrep may not be available, specially on embedded systems like router, IoT devices, or Android phones.

Another interesting tool is pstree that produces a tree like output indicating who process created what.

kill actually sends a signal to the process. kill -l will show all the available signals. You will see that signal 9 is also called SIGKILL. Therefore, these two commands are equivalent:

kill -9 PID

kill -SIGKILL PID

Other useful signals are SIGUSR1 and SIGUSR2. There are reserved for application use. It is kindof standard that daemons uses these signals to re-read configuration files (usually with SIGUSR1) without stopping and starting the process, and therefore, stopping the service for a brief time.

Great post!

Thanks for those suggestions. They are both excellent tools.

nice -n -20 airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0
explain this command ...plz
all below its

From the tutorial, I write;

Every process in Linux is given a priority number. As you probably guessed, this priority number determines how important the process is and where it stands in line in terms of using system resources. These priority numbers range from 0 to 127 with 0 being the highest priority and 127 being the lowest.

As the root user or system admin, we can't directly determine the priority of a process—that is the job of the kernel—but we can hint to the kernel that we would like a process to run with a higher priority. We can do this through the nice command. Nice values range from -20 to +19 with the lower values indicating a higher priority.

We can set a processes' nice value by using the nice command, the -n switch, the value of the nice, and then the command we want to run. So, if if we wanted to start our airbase-ng process from our Evil Twin tutorial with the highest priority, we could type:

Does that explain it?

nice -n -20 airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0
me olso cant understand
i understand this ( nice -n -20 airbase-ng )
but not this ( -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0 )
please help

now i understand the -20 +19

nice priority numbers only matter in relation to other processes. It's up to you to determine the structure you want and how much granularity you need. You can think of it as 3 for very low granularity or 5 groups for better granularity instead of the full range, e.g., High, Medium, Normal, Low, Really Low, and give those an arbitrary number value, say -19, -10, 0, 10, 19.

The numbers in between can be used as needed when you have the one process that's a little more important than Medium Process X, but not as important as High Process Y. Chances are you won't need them, though.

When using the nice command, in the tutorial above, how would you find out the rest of the information on the process you want to prioritize? For example, the line

nice -n -20 airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0
How do I find the rest of this line for the intended process?

Hi, what if there are two same processes running and I had to kill one of them?

And also, thanks for all these tutorials. They're helping me a lot.

Share Your Thoughts

  • Hot
  • Latest