Re: Penetration of HP/UX

[Philipp Lachberger <ph_lachi () yahoo de>]

Hi all,

first off - sorry for the late reply.

Thanks for all the quick and helpful replies. I just thought I'd answer
in summary, thus summing up the threads.

The vulnerable system is HP/UX 11.0 (can't say anything about the
architecture though).

To all of those who pointed me to Exploit-DB and other Exploitation
Sites or Frameworks - Thanks!
I have looked most of them up before and haven't found anything (yet)
with a ported return address for HP/UX. The Sendmail version seems to be
vulnerable, so my next step concerning system exploitation would be
porting one of the Sendmail Exploits to HP/UX.

To all who found my deadly mistake of saying SPARC architecture instead
of PA-RISC - Thank you very much (at least I got the Endianess right ;-) )

Everyone who pointed me to Hydra or some other password guessing tool -
Thank you, I did that in parallel and have found a valid
username/password combination.
For all who don't know which word-lists to use and haven't had the money
to buy one, there's a site I can link you to (containing loads of free
password-files):
http://www.skullsecurity.org/wiki/index.php/Passwords

@Marco: Thank you very much for the hint to phrack - didn't know there
was an issue on HP/UX exploits. But I'll definitely look into it right away

@Javatard: Thank you also for the hint on production systems - haven't
encountered any issues up to now, but I'll watch the system closely

Best Regards,
-Philipp

On 12.06.2011 21:11, Gilles LAMI wrote:
> k logins and passwords may be a chance to enter and go forward (ProFTPD.)
> Did you give it a try ?

On 13.06.2011 02:01, Paul Melson wrote:
> HP-UX runs on either PA-RISC or Itanium CPUs, not SPARC.  And it's more an just the issue of endianness, the 
> registers are different, etc.  But your general statement that x86 shellcode won't work on this system is correct.  
>
> That said, you (or someone that knows IA64 ASM anyway) can write shellcode that will work in exploiting 
> vulnerabilities on this box.  GIYF.
>
> Otherwise, it's time for you to fire up hydra and guess some passwords. Or social.
>
> PaulM

On 13.06.2011 00:23, Nur Agus wrote:
> Hi Phillip,
>
> I have never done UX specific security audiy before, but yes I have been using my favorite port scanner and tools. 
>
> UX is based on PA-RISC and IA64 Itanium, though PA-RISC has reached its end of sales last year I think. 
>
> UX have different endian from Linux. It's endian is same with other UNIXes such as AIX and SOLARIS. 
>
> Thanks


On 12.06.2011 21:26, javatard wrote:
> Careful, we run one in production and it is so old it doesn't do
> TCP/IP natively. We have an adapter on it to do that. A lot of the old
> systems do not know how to close empty connections (think nMap scan)
> and if scanned too often they can crash.
>
> Just my experience and thoughts.



On 13.06.2011 13:05, Marco Ivaldi wrote:
> Philipp,
>
> On Wed, 8 Jun 2011, Philipp Lachberger wrote:
>
> > Hello fellow pen-testers,
> >
> > I've recently encountered a HP/UX Box in a penetration test. Now I've
> > been searching for materials on HP/UX as it is (over here) not a
> > common system to encounter.
>
> Which version of HP-UX?
>
> > All I've found on public search engines were links to exploits from
> > 2001. Have I just not searched thoroughly enough or are there hardly
> > any papers?
> >
> > I would greatly appreciate it if you could give me directions to look
> > at.
>
> Here you can find some exploits:
>
> http://www.exploit-db.com/
> http://www.metasploit.com/
>
> That said, you don't necessarily need an exploit in order to
> compromise a system (see a few examples below).
>
> > There are two services listening - Sendmail and ProFTPD, both not
> > obviously wrong configured.
>
> Can you enumerate valid users via SMTP? Common things to try:
>
> - VRFY
>     $ telnet target 25
>     220 target ESMTP Sendmail blah blah
>     vrfy test
>     550 5.1.1 test... User unknown
>     vrfy root
>     250 2.1.5 Super-User <root@target>
> - EXPN
>     $ telnet target 25
>     220 target ESMTP Sendmail blah blah
>     expn test
>     550 5.1.1 test... User unknown
>     expn root
>     250 2.1.5 Super-User <root@target>
> - RCPT TO (extremely common even with modern configurations)
>     $ telnet target 25
>     220 target ESMTP Sendmail blah blah
>     helo foo
>     250 target Hello blah blah, pleased to meet you
>     mail from:<test () test com>
>     250 2.1.0 <test () test com>... Sender ok
>     rcpt to:test
>     550 5.1.1 test... User unknown
>     rcpt to:root
>     250 2.1.5 root... Recipient ok
>
> Once you identify some valid users, you can mount a brute force attack
> on the FTP daemon. Even if you can't enumerate valid users through
> SMTP, you can still try the brute force attack.
>
> You can automate the process with an username dictionary and some
> scripting or with readily-available support tools, such as:
>
> http://www.0xdeadbeef.info/code/brutus.pl
> http://www.thc.org/thc-hydra/
> http://www.foofus.net/~jmk/medusa/medusa.html
>
> Finally, be sure to report all SMTP/FTP misconfigurations (is TLS
> available or credentials are transmitted in clear-text? how is TLS
> configured? is SMTP relaying properly configured? etc.)
>
> > Exploits don't work for HP/UX as they do for "normal" Linuxes/Unixes.
> > This is because HP/UX (as far as I know) mainly works on SPARC CPU's,
> > thus having Big Endian instructions which is different from standard
> > x86 - or am I wrong?
>
> HP-UX runs on PA-RISC and Itanium, not SPARC. Sun Solaris runs on
> SPARC. Take a look here for some background:
>
> http://www.phrack.org/issues.html?issue=58&id=11
>
> > Thank you all for your time!
>
> Hope this helps,


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------