lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 17 Feb 2007 20:11:39 +0000
From: pagvac <unknown.pentester@...il.com>
To: endrazine <endrazine@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Solaris telnet vulnberability - how many on
	yournetwork?

Hello Endrazine!

That's more complete but more slow at the same time due to service
fingerprinting being launched against 1665 ports rather than just one.
However, increasing the chance of finding a vulnerable target it's a
good idea. Thanks! :-)

Here is version 0.03 of "solaris-telnetd-audit.sh", which avoids
sending an empty email when NO Solaris telnet servers have been found
(only last lines have been changed).

I guess the next feature we could add to the script is actually
exploiting the bug in order to narrow down which systems are
vulnerable. Perhaps we could use curl to automate the telnet -l
"-fusername" login process using all common Solaris usernames?

#!/bin/bash

# solaris-telnetd-audit.sh

IPSFILE="./ips.lst"; # file containing IPs to scan
MESSAGE="possible-Solaris-telnet-server-found";
EMAIL="youremail@...ain.tld";

for IP in `cat $IPSFILE`
do

        echo "Trying $IP ...";
        if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
        then
                if nmap -P0 -n -sV $IP | grep -ie 'SunOS' -ie
'Solaris' > /dev/null
                then
                        echo "$MESSAGE: $IP"; echo $IP >> $0.results;
                fi
        fi
done

if test -e $0.results
then
        cat $0.results | mail -s $MESSAGE $EMAIL
else
        echo "No Solaris telnet servers were found" | mail -s "Solaris
telnet servers" $EMAIL;
fi

On 2/17/07, endrazine <endrazine@...il.com> wrote:
> Hi,
>
> you dont want to ask nmap to determine the OS based on port 23 scan only.
> so, s/p23// in the second nmap call.
> hence:
>
> #!/bin/bash
>
> # solaris-telnetd-audit.sh
>
> IPSFILE="./ips.lst"; # file containing IPs to scan
> MESSAGE="possible-Solaris-telnet-server-found";
> EMAIL="youremail@...ain.tld";
>
> for IP in `cat $IPSFILE`
> do
>         echo "Trying $IP ...";
>         if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
>         then
>                 if nmap -P0 -n -sV $IP | grep -ie 'SunOS' -ie
> 'Solaris' > /dev/null
>                 then
>                         echo "$MESSAGE -> $IP"; echo $IP >> $0.results;
>                 fi
>         fi
> done
>
> cat $0.results | mail -s $MESSAGE $EMAIL
>
>
>
> my 0.02$
>
> Cheers,
>
> endrazine-
>
>
>
>
> pagvac a Ã(c)crit :
> > On 2/17/07, Marcin Antkiewicz <fd@...tek.org> wrote:
> >
> >> On Sat, 17 Feb 2007, pagvac wrote:
> >>
> >>> The following script might also help find Solaris telnet servers on
> >>> your network.
> >>>
> >> [...]
> >>
> >>
> >>> for IP in `cat $IPSFILE`
> >>> do
> >>>        echo "Trying $IP ...";
> >>>        if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
> >>>        then
> >>>                if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris'
> >>>                then
> >>>                        echo "$MESSAGE on $IP"; echo $IP >>
> >>> $0.results; echo $IP | mail -s $MESSAGE $EMAIL
> >>>                fi
> >>>        fi
> >>> done
> >>>
> >> The output would be too noisy on a large network. Few weeks ago I ran
> >>
> >
> > Noisy only on the screen/email output. However, notice that *only* the
> > IP addresses found running Solaris telnet servers are written to the
> > results file ($0.results).
> >
> > Perhaps we should change it to the following so that only one email is
> > sent with all the IP addresses found:
> >
> > #!/bin/bash
> >
> > # solaris-telnetd-audit.sh
> >
> > IPSFILE="./ips.lst"; # file containing IPs to scan
> > MESSAGE="possible-Solaris-telnet-server-found";
> > EMAIL="youremail@...ain.tld";
> >
> > for IP in `cat $IPSFILE`
> > do
> >         echo "Trying $IP ...";
> >         if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
> >         then
> >                 if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie
> > 'Solaris' > /dev/null
> >                 then
> >                         echo "$MESSAGE -> $IP"; echo $IP >> $0.results;
> >                 fi
> >         fi
> > done
> >
> > cat $0.results | mail -s $MESSAGE $EMAIL
> >
> >
> > P.S.: I personally like using genip
> > [http://www.bindshell.net/tools/genip] for generating lists of IP
> > addresses.
> >
> >
> >> something that would go like this:
> >>
> >>
> >>    ( echo "Sun bxes with telnet";                 \
> >>      nmap -n -P0 -iL list -p 23 -O -oG - |        \
> >>      grep -Ei 'Host.+open.+(Solaris|SunOS)' |     \
> >>      cut -d ' ' -f 2                              \
> >>    ) | mail -s "Check those" unixadmins@...mple.com
> >>
> >>
> >> --
> >> Marcin Antkiewicz
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>
> >>
> >
> >
> >
>
>


-- 
pagvac
[http://ikwt.com/]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ