Re: [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?

endrazine Sat, 17 Feb 2007 09:44:17 -0800

Hi,

you dont want to ask nmap to determine the OS based on port 23 scan only.
so, s/p23// in the second nmap call.
hence:


#!/bin/bash

# solaris-telnetd-audit.sh

IPSFILE="./ips.lst"; # file containing IPs to scan
MESSAGE="possible-Solaris-telnet-server-found";
EMAIL="[EMAIL PROTECTED]";

for IP in `cat $IPSFILE`
do
        echo "Trying $IP ...";
        if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
        then
                if nmap -P0 -n -sV $IP | grep -ie 'SunOS' -ie
'Solaris' > /dev/null
                then
                        echo "$MESSAGE -> $IP"; echo $IP >> $0.results;
                fi
        fi
done

cat $0.results | mail -s $MESSAGE $EMAIL



my 0.02$

Cheers,

endrazine-




pagvac a Ã©crit :
> On 2/17/07, Marcin Antkiewicz <[EMAIL PROTECTED]> wrote:
>   
>> On Sat, 17 Feb 2007, pagvac wrote:
>>     
>>> The following script might also help find Solaris telnet servers on
>>> your network.
>>>       
>> [...]
>>
>>     
>>> for IP in `cat $IPSFILE`
>>> do
>>>        echo "Trying $IP ...";
>>>        if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
>>>        then
>>>                if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie 'Solaris'
>>>                then
>>>                        echo "$MESSAGE on $IP"; echo $IP >>
>>> $0.results; echo $IP | mail -s $MESSAGE $EMAIL
>>>                fi
>>>        fi
>>> done
>>>       
>> The output would be too noisy on a large network. Few weeks ago I ran
>>     
>
> Noisy only on the screen/email output. However, notice that *only* the
> IP addresses found running Solaris telnet servers are written to the
> results file ($0.results).
>
> Perhaps we should change it to the following so that only one email is
> sent with all the IP addresses found:
>
> #!/bin/bash
>
> # solaris-telnetd-audit.sh
>
> IPSFILE="./ips.lst"; # file containing IPs to scan
> MESSAGE="possible-Solaris-telnet-server-found";
> EMAIL="[EMAIL PROTECTED]";
>
> for IP in `cat $IPSFILE`
> do
>         echo "Trying $IP ...";
>         if nmap -P0 -n -p23 -sS $IP | grep -i open > /dev/null
>         then
>                 if nmap -P0 -n -p23 -sV $IP | grep -ie 'SunOS' -ie
> 'Solaris' > /dev/null
>                 then
>                         echo "$MESSAGE -> $IP"; echo $IP >> $0.results;
>                 fi
>         fi
> done
>
> cat $0.results | mail -s $MESSAGE $EMAIL
>
>
> P.S.: I personally like using genip
> [http://www.bindshell.net/tools/genip] for generating lists of IP
> addresses.
>
>   
>> something that would go like this:
>>
>>
>>    ( echo "Sun bxes with telnet";                 \
>>      nmap -n -P0 -iL list -p 23 -O -oG - |        \
>>      grep -Ei 'Host.+open.+(Solaris|SunOS)' |     \
>>      cut -d ' ' -f 2                              \
>>    ) | mail -s "Check those" [EMAIL PROTECTED]
>>
>>
>> --
>> Marcin Antkiewicz
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>     
>
>
>   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?

Reply via email to