Penetration Testing mailing list archives
Re: Penetration of HP/UX
From: Philipp Lachberger <ph_lachi () yahoo de>
Date: Tue, 14 Jun 2011 21:26:31 +0200
Hi all, first off - sorry for the late reply. Thanks for all the quick and helpful replies. I just thought I'd answer in summary, thus summing up the threads. The vulnerable system is HP/UX 11.0 (can't say anything about the architecture though). To all of those who pointed me to Exploit-DB and other Exploitation Sites or Frameworks - Thanks! I have looked most of them up before and haven't found anything (yet) with a ported return address for HP/UX. The Sendmail version seems to be vulnerable, so my next step concerning system exploitation would be porting one of the Sendmail Exploits to HP/UX. To all who found my deadly mistake of saying SPARC architecture instead of PA-RISC - Thank you very much (at least I got the Endianess right ;-) ) Everyone who pointed me to Hydra or some other password guessing tool - Thank you, I did that in parallel and have found a valid username/password combination. For all who don't know which word-lists to use and haven't had the money to buy one, there's a site I can link you to (containing loads of free password-files): http://www.skullsecurity.org/wiki/index.php/Passwords @Marco: Thank you very much for the hint to phrack - didn't know there was an issue on HP/UX exploits. But I'll definitely look into it right away @Javatard: Thank you also for the hint on production systems - haven't encountered any issues up to now, but I'll watch the system closely Best Regards, -Philipp On 12.06.2011 21:11, Gilles LAMI wrote:
k logins and passwords may be a chance to enter and go forward (ProFTPD.) Did you give it a try ?
On 13.06.2011 02:01, Paul Melson wrote:
HP-UX runs on either PA-RISC or Itanium CPUs, not SPARC. And it's more an just the issue of endianness, the registers are different, etc. But your general statement that x86 shellcode won't work on this system is correct. That said, you (or someone that knows IA64 ASM anyway) can write shellcode that will work in exploiting vulnerabilities on this box. GIYF. Otherwise, it's time for you to fire up hydra and guess some passwords. Or social. PaulM
On 13.06.2011 00:23, Nur Agus wrote:
Hi Phillip, I have never done UX specific security audiy before, but yes I have been using my favorite port scanner and tools. UX is based on PA-RISC and IA64 Itanium, though PA-RISC has reached its end of sales last year I think. UX have different endian from Linux. It's endian is same with other UNIXes such as AIX and SOLARIS. Thanks
On 12.06.2011 21:26, javatard wrote:
Careful, we run one in production and it is so old it doesn't do TCP/IP natively. We have an adapter on it to do that. A lot of the old systems do not know how to close empty connections (think nMap scan) and if scanned too often they can crash. Just my experience and thoughts.
On 13.06.2011 13:05, Marco Ivaldi wrote:
Philipp, On Wed, 8 Jun 2011, Philipp Lachberger wrote:Hello fellow pen-testers, I've recently encountered a HP/UX Box in a penetration test. Now I've been searching for materials on HP/UX as it is (over here) not a common system to encounter.Which version of HP-UX?All I've found on public search engines were links to exploits from 2001. Have I just not searched thoroughly enough or are there hardly any papers? I would greatly appreciate it if you could give me directions to look at.Here you can find some exploits: http://www.exploit-db.com/ http://www.metasploit.com/ That said, you don't necessarily need an exploit in order to compromise a system (see a few examples below).There are two services listening - Sendmail and ProFTPD, both not obviously wrong configured.Can you enumerate valid users via SMTP? Common things to try: - VRFY $ telnet target 25 220 target ESMTP Sendmail blah blah vrfy test 550 5.1.1 test... User unknown vrfy root 250 2.1.5 Super-User <root@target> - EXPN $ telnet target 25 220 target ESMTP Sendmail blah blah expn test 550 5.1.1 test... User unknown expn root 250 2.1.5 Super-User <root@target> - RCPT TO (extremely common even with modern configurations) $ telnet target 25 220 target ESMTP Sendmail blah blah helo foo 250 target Hello blah blah, pleased to meet you mail from:<test () test com> 250 2.1.0 <test () test com>... Sender ok rcpt to:test 550 5.1.1 test... User unknown rcpt to:root 250 2.1.5 root... Recipient ok Once you identify some valid users, you can mount a brute force attack on the FTP daemon. Even if you can't enumerate valid users through SMTP, you can still try the brute force attack. You can automate the process with an username dictionary and some scripting or with readily-available support tools, such as: http://www.0xdeadbeef.info/code/brutus.pl http://www.thc.org/thc-hydra/ http://www.foofus.net/~jmk/medusa/medusa.html Finally, be sure to report all SMTP/FTP misconfigurations (is TLS available or credentials are transmitted in clear-text? how is TLS configured? is SMTP relaying properly configured? etc.)Exploits don't work for HP/UX as they do for "normal" Linuxes/Unixes. This is because HP/UX (as far as I know) mainly works on SPARC CPU's, thus having Big Endian instructions which is different from standard x86 - or am I wrong?HP-UX runs on PA-RISC and Itanium, not SPARC. Sun Solaris runs on SPARC. Take a look here for some background: http://www.phrack.org/issues.html?issue=58&id=11Thank you all for your time!Hope this helps,
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: Penetration of HP/UX, (continued)
- Re: Penetration of HP/UX Abuse 007 (Jun 18)
- Re: Penetration of HP/UX michael getachew (Jun 19)
- Re: Penetration of HP/UX Roland Kessler (Jun 19)
- Re: Penetration of HP/UX michael getachew (Jun 19)
- Re: Penetration of HP/UX Paul Melson (Jun 19)
- Re: Penetration of HP/UX AK (Jun 19)
- Re: Penetration of HP/UX Paul Melson (Jun 19)
- Re: Penetration of HP/UX Abuse 007 (Jun 18)
- Re: Penetration of HP/UX Jan Muenther (Jun 23)
- Re: Penetration of HP/UX Philipp Lachberger (Jun 18)
- Re: Penetration of HP/UX Paul Melson (Jun 18)