Full Disclosure mailing list archives
Re: Solaris telnet vulnberability - how many on yournetwork?
From: endrazine <endrazine () gmail com>
Date: Sat, 17 Feb 2007 18:43:45 +0100
Hi,
you dont want to ask nmap to determine the OS based on port 23 scan only.
so, s/p23// in the second nmap call.
hence:
#!/bin/bash
# solaris-telnetd-audit.sh
IPSFILE="./ips.lst"; # file containing IPs to scan
MESSAGE="possible-Solaris-telnet-server-found";
EMAIL="youremail () domain tld";
for IP in `cat $IPSFILE`
do
echo "Trying $IP ...";
if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
then
if nmap -P0 -n -sV $IP | grep -ie 'SunOS' -ie
'Solaris' > /dev/null
then
echo "$MESSAGE -> $IP"; echo $IP >> $0.results;
fi
fi
done
cat $0.results | mail -s $MESSAGE $EMAIL
my 0.02$
Cheers,
endrazine-
pagvac a écrit :
On 2/17/07, Marcin Antkiewicz <fd () kajtek org> wrote:On Sat, 17 Feb 2007, pagvac wrote:The following script might also help find Solaris telnet servers on your network.[...]for IP in `cat $IPSFILE` do echo "Trying $IP ..."; if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null then if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris' then echo "$MESSAGE on $IP"; echo $IP >> $0.results; echo $IP | mail -s $MESSAGE $EMAIL fi fi doneThe output would be too noisy on a large network. Few weeks ago I ranNoisy only on the screen/email output. However, notice that *only* the IP addresses found running Solaris telnet servers are written to the results file ($0.results). Perhaps we should change it to the following so that only one email is sent with all the IP addresses found: #!/bin/bash # solaris-telnetd-audit.sh IPSFILE="./ips.lst"; # file containing IPs to scan MESSAGE="possible-Solaris-telnet-server-found"; EMAIL="youremail () domain tld"; for IP in `cat $IPSFILE` do echo "Trying $IP ..."; if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null then if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris' > /dev/null then echo "$MESSAGE -> $IP"; echo $IP >> $0.results; fi fi done cat $0.results | mail -s $MESSAGE $EMAIL P.S.: I personally like using genip [http://www.bindshell.net/tools/genip] for generating lists of IP addresses.something that would go like this: ( echo "Sun bxes with telnet"; \ nmap -n -P0 -iL list -p 23 -O -oG - | \ grep -Ei 'Host.+open.+(Solaris|SunOS)' | \ cut -d ' ' -f 2 \ ) | mail -s "Check those" unixadmins () example com -- Marcin Antkiewicz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Solaris telnet vulnberability - how many on yournetwork? Oscar Fajardo Sanchez (Feb 12)
- Re: Solaris telnet vulnberability - how many on yournetwork? Michael Holstein (Feb 12)
- Re: Solaris telnet vulnberability - how many on yournetwork? K K (Feb 12)
- Re: Solaris telnet vulnberability - how many on yournetwork? pagvac (Feb 16)
- Re: Solaris telnet vulnberability - how many on yournetwork? Marcin Antkiewicz (Feb 16)
- Re: Solaris telnet vulnberability - how many on yournetwork? pagvac (Feb 16)
- Re: Solaris telnet vulnberability - how many on yournetwork? endrazine (Feb 17)
- Re: Solaris telnet vulnberability - how many on yournetwork? pagvac (Feb 17)
- Re: Solaris telnet vulnberability - how many on yournetwork? Marcin Antkiewicz (Feb 17)
- Re: Solaris telnet vulnberability - how many on yournetwork? Michael Holstein (Feb 12)