I love learning new things, so this seemed like a gap worth filling, especially as I am looking to take the Check CRT certification (in which Solaris/Oracle are a small part of the syllabus).
I had a bit of a play with OpenSolaris a while back, which gave me a flavor of some of the differences between Linux and Solaris (incidentally the OpenSolaris project seems to be stalled/ending?).
Anyway, I thought I would download the Solaris/Oracle VMs from the following location and have a play (starting with some basic scanning):
http://www.oracle.com/technetwork/server-storage/solaris/solaris-vm-405695.html
(You need to register with Oracle to download these images)
Setting up a Solaris box
Once the Solaris10_9-10_VM.zip image is downloaded, unpack it with:
unzip Solaris10_9-10_VM.zip
Start VirtualBox, and import the appliance with:
File > Import > select the *.ovf file (and follow the rest of the menu)
Once this is imported you can start the VM and you will get to the following Solaris setup menu.
(Use F2 and F4 to continue through the menus)
Work through these menus, and in around 20 minutes you will be able to login, and will have a working Solaris system:
(Mmmm... lovely; dull grey and purple)
Managing services
Solaris services are managed differently from services in Linux, using the "svcadm" tool.
So let's go ahead and set up some extra services, then scan the system.
To set up an Apache webserver:
cd /etc/apache2
cp httpd.conf-example httpd.conf
svcadm -v enable /network/http:apache2
... and check it's running:
svcs -p /network/http:apache2
STATE STIME FMRI
online 10:51:52 svc:/network/http:apache2
10:51:52 1991 httpd
10:51:53 1992 httpd
10:51:53 1993 httpd
10:51:53 1994 httpd
10:51:53 1995 httpd
10:51:53 1996 httpd
Let's also start some other (unnecessary and potentially insecure) services, to expand our target a bit:
svcadm enable network/telnet
svcadm enable network/ftp
svcadm enable network/finger
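The reverse of the three "svcadm enable" lines above is what a hardening pass needs: a check of which of these plaintext services are still online, and the commands to turn them off. This is an added example, not code from the original post; it works on the text output of "svcs -a" (the same STATE STIME FMRI columns shown above) and the listing inside it is constructed, not captured from the VM.

```shell
#!/bin/sh
# Added example (not from the original post): audit SMF state for the legacy
# plaintext services the post enables, from the text output of `svcs -a`
# (STATE STIME FMRI columns). The sample listing below is constructed to that
# format, not captured from the VM.

# FMRIs that should not be online on a hardened Solaris host; ssh already
# covers remote login and file transfer.
RISKY='svc:/network/telnet|svc:/network/ftp|svc:/network/finger'

# Constructed `svcs -a` sample: two of the risky services online, one not.
SAMPLE_SVCS='STATE          STIME    FMRI
online         10:51:52 svc:/network/http:apache2
online         10:52:10 svc:/network/telnet:default
online         10:52:11 svc:/network/ftp:default
disabled       10:52:12 svc:/network/finger:default
online         07:55:01 svc:/network/ssh:default
online         07:55:00 svc:/network/rpc/bind:default'

# risky_online: read `svcs -a` text on stdin; print the FMRI of every risky
# service whose STATE is "online", sorted, one per line (nothing if none).
risky_online() {
    awk 'NR > 1 && $1 == "online" { print $3 }' \
      | grep -E "^(${RISKY})(:|$)" \
      | sort
}

# disable_cmds: turn that list into the svcadm commands that reverse the
# "svcadm enable" lines from the walkthrough; printed for review, not run.
disable_cmds() {
    risky_online | sed 's/^/svcadm disable /'
}

# On a real host run `svcs -a | disable_cmds`; here use the constructed sample.
printf '%s\n' "$SAMPLE_SVCS" | disable_cmds
```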
Scanning with nmap
First let's try a basic scan:
nmap 192.168.1.69
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-08-29 19:28 BST
Nmap scan report for 192.168.1.69
Host is up (0.00052s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
79/tcp open finger
80/tcp open http
111/tcp open rpcbind
MAC Address: 08:00:27:33:49:19 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 27.71 seconds
So we can see the services I added, and it also looks like ssh (and rpcbind) were enabled by default.
Now for a more thorough scan using the NSE scripts:
nmap --script all 192.168.1.69
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-08-29 19:23 BST
Nmap scan report for 192.168.1.69
Host is up (0.0010s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_ftp-bounce: no banner
22/tcp open ssh
|_banner: SSH-2.0-Sun_SSH_1.1.3
| ssh-hostkey: 1024 78:af:4e:c7:67:0e:18:9b:da:77:c4:6d:c0:a7:1b:7d (DSA)
|_1024 a5:92:ed:16:f5:fc:26:8b:18:d4:5e:b5:9d:0c:21:3b (RSA)
23/tcp open telnet
79/tcp open finger
80/tcp open http
| http-brute:
|_ ERROR: No path was specified (see http-brute.path)
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-trace: TRACE is enabled
|_http-date: Mon, 29 Aug 2011 18:24:32 GMT; +1s from local time.
| http-headers:
| Date: Mon, 29 Aug 2011 18:24:34 GMT
| Server: Apache/2.0.63 (Unix) DAV/2
| Content-Location: index.html.en
| Vary: negotiate,accept-language,accept-charset
| TCN: choice
| Last-Modified: Sun, 21 Nov 2004 14:35:21 GMT
| ETag: "4614-5b0-a64a7c40;462a-961-a64a7c40"
| Accept-Ranges: bytes
| Content-Length: 1456
| Connection: close
| Content-Type: text/html
| Content-Language: en
|
|_ (Request type: HEAD)
| http-form-brute:
|_ ERROR: No passvar was specified (see http-form-brute.passvar)
|_http-title: Test Page for Apache Installation
|_http-wp-plugins: nothing found amongst the 100 most popular plugins, use --script-arg http-wp-plugins.search=
| http-domino-enum-passwords:
|_ ERROR: No valid credentials were found (see domino-enum-passwords.username and domino-enum-passwords.password)
111/tcp open rpcbind
MAC Address: 08:00:27:33:49:19 (Cadmus Computer Systems)
Host script results:
|_dns-brute: Can't guess domain of "192.168.1.69"; use dns-brute.domain script argument.
|_path-mtu: PMTU == 1500
|_ipidseq: Unknown
| qscan:
| PORT FAMILY MEAN (us) STDDEV LOSS (%)
| 1 0 732.20 508.23 0.0%
| 21 0 1143.80 853.92 0.0%
| 22 1 1236.80 734.74 0.0%
| 23 1 1248.10 782.83 0.0%
| 79 0 1065.30 794.20 0.0%
| 80 1 1297.50 742.94 0.0%
|_111 1 1577.30 1092.91 0.0%
Nmap done: 1 IP address (1 host up) scanned in 118.38 seconds
That didn't find a great deal extra, except that the TRACE method is also enabled, which means that XST (cross-site tracing, a client-side attack) is potentially possible against old browser versions (though this attack no longer works against the majority of modern browsers).
The SSH banner also reveals that we have a Solaris system.
Scanning with Nikto
We can scan the webserver with Nikto using the following command:
./nikto.pl -host 192.168.1.69
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.69
+ Target Hostname: 192.168.1.69
+ Target Port: 80
+ Start Time: 2011-08-30 19:59:48
---------------------------------------------------------------------------
+ Server: Apache/2.0.63 (Unix) DAV/2
+ Apache/2.0.63 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-2117: /: Appears to be a default Apache install.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3233: /index.html.ca: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information.
... etc ...
+ OSVDB-3233: /index.html.var: Apache default foreign language file found. All default files should be removed from the web server as they may give an attacker additional system information.
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environment variables. All default scripts should be removed. It may also allow XSS types of attacks. http://www.securityfocus.com/bid/4431.
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system information. All default scripts should be removed.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 2 error(s) and 36 item(s) reported on remote host
+ End Time: 2011-08-30 20:01:05 (77 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
As you can see, there is various default content there from my Apache install (this should all be removed on a production website, to prevent attackers from gaining extra information). Additionally we can see that we have an old version of Apache.
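The Apache findings from the nmap and Nikto runs above (TRACE enabled, directory indexing under /icons/ and /manual/, the default printenv and test-cgi scripts, version disclosure in the Server header) can be fixed in place on the VM. The script below is an added example, not from the original post; it assumes httpd.conf is /etc/apache2/httpd.conf (the directory used earlier) and that the default CGI directory is /var/apache2/cgi-bin, neither of which the post states.

```shell
#!/bin/sh
# Added example (not from the original post): fix the Apache findings from the
# nmap and Nikto scans on the Solaris 10 VM. Assumptions not stated on the
# page: httpd.conf is /etc/apache2/httpd.conf (the directory the post uses)
# and the default CGI directory is /var/apache2/cgi-bin.

CONF=${CONF:-/etc/apache2/httpd.conf}
CGI_DIR=${CGI_DIR:-/var/apache2/cgi-bin}

# Directives for the findings: TRACE enabled (OSVDB-877), version disclosure
# in the Server header, and directory indexing under /icons/ and /manual/.
# TraceEnable exists from Apache 2.0.55, so the VM's 2.0.63 accepts it.
HARDENING='# --- scan findings hardening ---
TraceEnable off
ServerTokens Prod
ServerSignature Off
<Location /icons>
    Options -Indexes
</Location>
<Location /manual>
    Options -Indexes
</Location>'

# harden_httpd_conf FILE: save a backup and append the block once
# (idempotent); returns 0 when it changed the file, 1 if already hardened.
harden_httpd_conf() {
    conf=$1
    if grep -q '^TraceEnable off' "$conf"; then
        return 1
    fi
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    printf '\n%s\n' "$HARDENING" >> "$conf"
}

# remove_default_cgi DIR: move the two default scripts Nikto flagged out of
# the CGI path instead of deleting them, so the change can be reverted.
remove_default_cgi() {
    dir=$1
    for script in printenv test-cgi; do
        [ -f "$dir/$script" ] && mv "$dir/$script" "$dir/$script.disabled"
    done
    return 0
}

# Apply only on the Solaris VM as root, then restart the SMF service.
if [ "$(id -u)" -eq 0 ] && command -v svcadm >/dev/null 2>&1 && [ -f "$CONF" ]; then
    harden_httpd_conf "$CONF" && remove_default_cgi "$CGI_DIR" \
        && svcadm restart network/http:apache2
fi
```

Removing the /manual/ content and the foreign-language index files Nikto listed is still a separate step; the config change only stops them being indexed.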
Scanning with Nessus
Now for a scan with Nessus, to see what it finds:
In the Nessus report, there is a "High Severity" Denial of Service vulnerability for Apache.
This is a fairly recent exploit that many sites and services are currently vulnerable to. More information on this vulnerability is available at the following location:
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
Also, there are various information disclosure issues from the other running services (FTP, Telnet, Finger, SSH) which give us OS and service versions, and username information.
Finger and fingerd enumeration with a basic "for" loop
Nobody installs fingerd these days if they want to be secure (but hey, I'm trying to make the target bigger and practice some enumeration).
Nessus found the user root using finger, but it is also possible to find other accounts. This version of the finger daemon searches the user description in addition to the username, so you can also find users via words in the description.
Here is how to install the finger client on Backtrack and run a couple of different queries:
apt-get install finger
finger root@192.168.1.69
[192.168.1.69]
Login Name TTY Idle When Where
root Super-User console 2 Mon 07:55 :0
root Super-User pts/3 2 Mon 08:29 :0.0
finger user@192.168.1.69
[192.168.1.69]
Login Name TTY Idle When Where
nobody NFS Anonymous Access < . . . . >
noaccess No Access User < . . . . >
nobody4 SunOS 4.x NFS Anonym < . . . . >
So, if there were other users on the system, we could try a dictionary attack to find them using finger in a "for" loop.
Given a list of names in "usernames.txt", we can use the following command-line for loop to iterate through them, strip out anything found, and dump it to a file (the "???" pattern has to be quoted, otherwise the shell treats it as a filename glob):
for name in $(cat usernames.txt); do finger $name@192.168.1.69 | awk 'NR!=1 && NR!=2' | grep -v '???' | cut -d " " -f1 | sort -u >> foundnames.txt; done
cat foundnames.txt | sort -u
adm
gdm
listen
lp
noaccess
nobody
nobody4
nuucp
postgres
root
smmsp
svctag
uucp
webservd
This could be a useful enumeration, which might make a dictionary attack against SSH (for example) a lot quicker.
Thanks for this info Ben, I'm also a recent OSCP and just making a start on CREST ICE.
I have heard also that a large portion of the exam is based around Solaris issues. Good luck