Full Disclosure mailing list archives
Re: Solaris telnet vulnberability - how many on yournetwork?
From: pagvac <unknown.pentester () gmail com>
Date: Sat, 17 Feb 2007 20:11:39 +0000
Hello Endrazine! That's more complete but more slow at the same time due to service fingerprinting being launched against 1665 ports rather than just one. However, increasing the chance of finding a vulnerable target it's a good idea. Thanks! :-) Here is version 0.03 of "solaris-telnetd-audit.sh", which avoids sending an empty email when NO Solaris telnet servers have been found (only last lines have been changed). I guess the next feature we could add to the script is actually exploiting the bug in order to narrow down which systems are vulnerable. Perhaps we could use curl to automate the telnet -l "-fusername" login process using all common Solaris usernames? #!/bin/bash # solaris-telnetd-audit.sh IPSFILE="./ips.lst"; # file containing IPs to scan MESSAGE="possible-Solaris-telnet-server-found"; EMAIL="youremail () domain tld"; for IP in `cat $IPSFILE` do echo "Trying $IP ..."; if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null then if nmap -P0 -n -sV $IP | grep -ie 'SunOS' -ie 'Solaris' > /dev/null then echo "$MESSAGE: $IP"; echo $IP >> $0.results; fi fi done if test -e $0.results then cat $0.results | mail -s $MESSAGE $EMAIL else echo "No Solaris telnet servers were found" | mail -s "Solaris telnet servers" $EMAIL; fi On 2/17/07, endrazine <endrazine () gmail com> wrote:
Hi, you dont want to ask nmap to determine the OS based on port 23 scan only. so, s/p23// in the second nmap call. hence: #!/bin/bash # solaris-telnetd-audit.sh IPSFILE="./ips.lst"; # file containing IPs to scan MESSAGE="possible-Solaris-telnet-server-found"; EMAIL="youremail () domain tld"; for IP in `cat $IPSFILE` do echo "Trying $IP ..."; if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null then if nmap -P0 -n -sV $IP | grep -ie 'SunOS' -ie 'Solaris' > /dev/null then echo "$MESSAGE -> $IP"; echo $IP >> $0.results; fi fi done cat $0.results | mail -s $MESSAGE $EMAIL my 0.02$ Cheers, endrazine- pagvac a Ã(c)crit :On 2/17/07, Marcin Antkiewicz <fd () kajtek org> wrote:On Sat, 17 Feb 2007, pagvac wrote:The following script might also help find Solaris telnet servers on your network.[...]for IP in `cat $IPSFILE` do echo "Trying $IP ..."; if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null then if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris' then echo "$MESSAGE on $IP"; echo $IP >> $0.results; echo $IP | mail -s $MESSAGE $EMAIL fi fi doneThe output would be too noisy on a large network. Few weeks ago I ranNoisy only on the screen/email output. However, notice that *only* the IP addresses found running Solaris telnet servers are written to the results file ($0.results). Perhaps we should change it to the following so that only one email is sent with all the IP addresses found: #!/bin/bash # solaris-telnetd-audit.sh IPSFILE="./ips.lst"; # file containing IPs to scan MESSAGE="possible-Solaris-telnet-server-found"; EMAIL="youremail () domain tld"; for IP in `cat $IPSFILE` do echo "Trying $IP ..."; if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null then if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris' > /dev/null then echo "$MESSAGE -> $IP"; echo $IP >> $0.results; fi fi done cat $0.results | mail -s $MESSAGE $EMAIL P.S.: I personally like using genip [http://www.bindshell.net/tools/genip] for generating lists of IP addresses.something that would go like this: ( echo "Sun bxes with telnet"; \ nmap -n -P0 -iL list -p 23 -O -oG - | \ grep -Ei 'Host.+open.+(Solaris|SunOS)' | \ cut -d ' ' -f 2 \ ) | mail -s "Check those" unixadmins () example com -- Marcin Antkiewicz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- pagvac [http://ikwt.com/] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Solaris telnet vulnberability - how many on yournetwork? Oscar Fajardo Sanchez (Feb 12)
- Re: Solaris telnet vulnberability - how many on yournetwork? Michael Holstein (Feb 12)
- Re: Solaris telnet vulnberability - how many on yournetwork? K K (Feb 12)
- Re: Solaris telnet vulnberability - how many on yournetwork? pagvac (Feb 16)
- Re: Solaris telnet vulnberability - how many on yournetwork? Marcin Antkiewicz (Feb 16)
- Re: Solaris telnet vulnberability - how many on yournetwork? pagvac (Feb 16)
- Re: Solaris telnet vulnberability - how many on yournetwork? endrazine (Feb 17)
- Re: Solaris telnet vulnberability - how many on yournetwork? pagvac (Feb 17)
- Re: Solaris telnet vulnberability - how many on yournetwork? Marcin Antkiewicz (Feb 17)
- Re: Solaris telnet vulnberability - how many on yournetwork? Michael Holstein (Feb 12)