
How to List /etc/hosts Entries Across All Mac, Windows, and Linux Devices

Using Kolide, you can easily view and query /etc/hosts Entries across your fleet.

Introduction

The /etc/hosts file is a local hostname-to-address mapping that a device consults when resolving a given host, so it determines where network traffic for that host is sent. Entries can be added to redirect traffic for a hostname to a different address; for example, to prevent communication with a given domain you could add a rule like:

127.0.0.1 annoying-advertiser-domain.com

This mechanism is sometimes used by malware authors to do things like hijack a search provider. For example, malware might add an entry like:

117.23.087.21 google.com

This would send the browser, when navigating to google.com, to the attacker's fake Google search page instead, which they could then use for phishing or obnoxious adware.

By default the /etc/hosts file has the following contents:

Debian Linux:

127.0.0.1 localhost
127.0.1.1 hostname.fqdn.example.com
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

macOS:

127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

Windows: empty (no entries)

What /etc/hosts Entry Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect /etc/hosts Entries from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

/etc/hosts Entries Schema

Column        Type         Description
id            Primary Key  Unique identifier for the object
device_id     Foreign Key  Device associated with the entry
device_name   Text         Display name of the device associated with the entry
address       Text         IP address mapping
hostnames     Text         Raw hosts mapping
collected_at  Timestamp    Time the row of data was first collected in the database
updated_at    Timestamp    Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find /etc/hosts entries which would prevent access to critical services

Kolide SQL

SELECT
  device_name,
  hostnames,
  address
FROM device_etc_hosts
WHERE hostnames ILIKE '%hangouts.google.com%'
   OR hostnames ILIKE '%zoom.us%'
   OR hostnames ILIKE '%slack.com%'

Example Results

address    hostnames             device_name
127.0.0.1  hangouts.google.com   Jasons-MacBook-Pro
127.0.0.1  slack.com             Jasons-MacBook-Pro
127.0.0.1  application.zoom.us   Daves-MacBook-Pro

Find devices where software license validation checks have been blocked (e.g. practivate.adobe.com)

Kolide SQL

SELECT
  device_name,
  CASE WHEN LENGTH(hostnames) > 63
       THEN CONCAT(SUBSTRING(hostnames,1,64),'...')
       ELSE hostnames
  END AS hostnames_truncated,
  address
FROM device_etc_hosts
WHERE hostnames ILIKE '%adobe%'

Example Results

address    hostnames               device_name
127.0.0.1  practivate.adobe.*      Mac-mini
127.0.0.1  activate.wip.adobe.com  Mac-mini
127.0.0.1  adobe-dns-1.adobe.com   Mac-mini
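The two queries above match on hostname substrings in the raw "hostnames" column. The following is an added example, not Kolide's or osquery's own code, of the same triage done locally: it parses a hosts file the way the agent would (comments stripped, one address followed by one or more names per line, IPv6 zone indexes tolerated), ignores the stock entries shown in the Introduction, and classifies what remains into the cases this page describes: a known service or license-validation host pointed at loopback or 0.0.0.0 (blocked), a high-value domain pointed somewhere else (possible hijack), or an otherwise unexplained mapping. The watchlists and the sample hosts file are constructed for the example; the hijack address uses the 203.0.113.0/24 documentation range rather than a real one.

```python
"""Parse /etc/hosts content and flag entries a defender would want to review.

Added example; the watchlists below are hypothetical and not Kolide's.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Stock hostnames from the Debian and macOS defaults listed on this page.
DEFAULT_HOSTNAMES = {
    "localhost", "broadcasthost", "ip6-localhost", "ip6-loopback",
    "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}

# Constructed watchlists (hypothetical); a domain matches itself or any subdomain.
CRITICAL_SERVICES = ("hangouts.google.com", "zoom.us", "slack.com")
LICENSE_HOSTS = ("practivate.adobe.com", "activate.wip.adobe.com", "adobe-dns-1.adobe.com")
HIGH_VALUE = ("google.com",)


@dataclass
class HostsEntry:
    address: str
    hostnames: list[str]  # every name on the line, like the raw "hostnames" column


@dataclass
class Finding:
    address: str
    hostname: str
    category: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """Split hosts-file text into entries, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        if not names:  # address with no hostname maps nothing; skip it
            continue
        entries.append(HostsEntry(address, names))
    return entries


def is_loopback_or_null(address: str) -> bool:
    """True when the address sinks traffic: loopback (127.x, ::1) or unspecified (0.0.0.0, ::)."""
    base = address.split("%", 1)[0]  # drop an IPv6 zone index such as fe80::1%lo0
    try:
        ip = ipaddress.ip_address(base)
    except ValueError:
        return False  # unparsable address: treat as a real (non-blocking) target
    return ip.is_loopback or ip.is_unspecified


def _matches(name: str, domains: tuple[str, ...]) -> bool:
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(entry: HostsEntry) -> list[Finding]:
    """Classify each non-default hostname on one entry."""
    findings = []
    blocked = is_loopback_or_null(entry.address)
    for name in entry.hostnames:
        lower = name.lower()
        if lower in DEFAULT_HOSTNAMES:
            continue
        if blocked:
            if _matches(lower, LICENSE_HOSTS):
                category = "license-check-blocked"
            elif _matches(lower, CRITICAL_SERVICES):
                category = "critical-service-blocked"
            else:
                category = "custom-block"  # e.g. a user-added ad blocker entry
        else:
            category = "possible-hijack" if _matches(lower, HIGH_VALUE) else "non-default-mapping"
        findings.append(Finding(entry.address, name, category))
    return findings


def audit(text: str) -> list[Finding]:
    return [f for entry in parse_hosts(text) for f in classify(entry)]


def by_category(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


# Constructed sample: the macOS defaults plus additions of each kind discussed above.
SAMPLE_HOSTS = """\
# constructed sample, not a real device
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
127.0.0.1 annoying-advertiser-domain.com   # user-added ad block
203.0.113.21 google.com www.google.com     # hijack to a documentation-range address
127.0.0.1 application.zoom.us
0.0.0.0 practivate.adobe.com
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS):
        print(f"{finding.category:26} {finding.address:14} {finding.hostname}")
```

Run against the sample, the audit yields one custom block, two possible hijacks (google.com and www.google.com), one blocked critical service and one blocked license host; the four stock macOS lines produce nothing. The subdomain match is what catches application.zoom.us under the zoom.us watchlist, mirroring the `ILIKE '%zoom.us%'` pattern in the query above, while exact-or-suffix matching avoids the substring query's false positives on names that merely contain the string.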

Why Should I Collect /etc/hosts Entries?

Because the /etc/hosts file can be used by malware to reroute intended web traffic to a malicious website, it is important for security teams to be able to review and audit modifications to the /etc/hosts file on devices.

The /etc/hosts file can also reveal situations where software license activation is being bypassed, which is cause for concern because of the increased likelihood of fines from the software publisher and the risk of malware infection from the license-cracking utility.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Pirated software is sometimes packaged with utilities which modify the /etc/hosts file to prevent communication with license validation tools and update services. The presence of certain entries in your /etc/hosts file could indicate to an administrator that you are running pirated software.

For example, if an entry like the following existed:

127.0.0.1 practivate.adobe.com

it would be a likely indicator that at some point your device had a pirated installation of an Adobe product, and Adobe's activation service was prevented from communicating with your device.

When you use Kolide to list /etc/hosts Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
