Penetration Testing
Penetration of HP/UX Jun 08 2011 07:30AM
Philipp Lachberger (ph_lachi yahoo de) (4 replies)
Re: Penetration of HP/UX Jun 13 2011 11:05AM
Marco Ivaldi (raptor mediaservice net) (1 replies)
Philipp,

On Wed, 8 Jun 2011, Philipp Lachberger wrote:

> Hello fellow pen-testers,
>
> I've recently encountered a HP/UX Box in a penetration test. Now I've
> been searching for materials on HP/UX as it is (over here) not a common
> system to encounter.

Which version of HP-UX?

> All I've found on public search engines were links to exploits from
> 2001. Have I just not searched thoroughly enough or are there hardly any
> papers?
>
> I would greatly appreciate it if you could give me directions to look
> at.

Here you can find some exploits:

http://www.exploit-db.com/
http://www.metasploit.com/

That said, you don't necessarily need an exploit in order to compromise a
system (see a few examples below).

> There are two services listening - Sendmail and ProFTPD, both not
> obviously wrong configured.

Can you enumerate valid users via SMTP? Common things to try:

- VRFY
$ telnet target 25
220 target ESMTP Sendmail blah blah
vrfy test
550 5.1.1 test... User unknown
vrfy root
250 2.1.5 Super-User <root@target>
- EXPN
$ telnet target 25
220 target ESMTP Sendmail blah blah
expn test
550 5.1.1 test... User unknown
expn root
250 2.1.5 Super-User <root@target>
- RCPT TO (extremely common even with modern configurations)
$ telnet target 25
220 target ESMTP Sendmail blah blah
helo foo
250 target Hello blah blah, pleased to meet you
mail from:<test@test.com>
250 2.1.0 <test@test.com>... Sender ok
rcpt to:test
550 5.1.1 test... User unknown
rcpt to:root
250 2.1.5 root... Recipient ok

Once you identify some valid users, you can mount a brute force attack on
the FTP daemon. Even if you can't enumerate valid users through SMTP, you
can still try the brute force attack.

You can automate the process with a username dictionary and some
scripting or with readily-available support tools, such as:

http://www.0xdeadbeef.info/code/brutus.pl
http://www.thc.org/thc-hydra/
http://www.foofus.net/~jmk/medusa/medusa.html

Finally, be sure to report all SMTP/FTP misconfigurations (is TLS
available or are credentials transmitted in clear-text? how is TLS
configured? is SMTP relaying properly configured? etc.)

> Exploits don't work for HP/UX as they do for "normal" Linuxes/Unixes.
> This is because HP/UX (as far as I know) mainly works on SPARC CPU's,
> thus having Big Endian instructions which is different from standard x86
> - or am I wrong?

HP-UX runs on PA-RISC and Itanium, not SPARC. Sun Solaris runs on SPARC.
Take a look here for some background:

http://www.phrack.org/issues.html?issue=58&id=11

> Thank you all for your time!

Hope this helps,

--
------------------------------------------------------------------
Marco Ivaldi OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
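
Added example, not part of Marco Ivaldi's message: a Python check that reads a captured SMTP session and reports which commands return a different reply code for valid and invalid names, which is the disclosure the three sessions above show and the finding to put in the report. The "C: "/"S: " prefixes, the TRANSCRIPT sample and the name leaking_verbs are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three sessions from the message merged into one
# capture; the "C: "/"S: " direction prefixes are an assumption of this example.
TRANSCRIPT = """\
S: 220 target ESMTP Sendmail blah blah
C: vrfy test
S: 550 5.1.1 test... User unknown
C: vrfy root
S: 250 2.1.5 Super-User <root@target>
C: expn test
S: 550 5.1.1 test... User unknown
C: expn root
S: 250 2.1.5 Super-User <root@target>
C: helo foo
S: 250 target Hello blah blah, pleased to meet you
C: mail from:<test@test.com>
S: 250 2.1.0 <test@test.com>... Sender ok
C: rcpt to:test
S: 550 5.1.1 test... User unknown
C: rcpt to:root
S: 250 2.1.5 root... Recipient ok
"""

# Commands whose reply can confirm or deny a local user name.
PROBE = re.compile(r"^(vrfy|expn|rcpt to:)\s*<?([^>\s]+)>?\s*$", re.I)

def leaking_verbs(transcript):
    """Map each probing verb to {reply code: [names]} when the reply code
    differs between names, i.e. the server acts as a user-existence oracle."""
    seen = defaultdict(lambda: defaultdict(list))
    pending = None  # (verb, name) still waiting for the server's reply
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            m = PROBE.match(text)
            pending = (m.group(1).rstrip(":").upper(), m.group(2)) if m else None
        elif side == "S" and pending and text[3:4] != "-":
            # text[3:4] == "-" marks a continuation line of a multi-line reply
            seen[pending[0]][text[:3]].append(pending[1])
            pending = None
    return {verb: dict(codes) for verb, codes in seen.items() if len(codes) > 1}

if __name__ == "__main__":
    for verb, codes in leaking_verbs(TRANSCRIPT).items():
        print(f"{verb}: reply code depends on the name -> {codes}")
```

A server that gives the same reply for every name (for example 252 to each VRFY) yields an empty result, so the same check can confirm a fix after the configuration is changed.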
