14.3 Investigation of Known Vulnerabilities
After performing full TCP and UDP port scanning, along with initial investigation of accessible network services to qualify nmap results and obtain further useful information, you usually know enough to properly investigate known vulnerabilities.
Sites such as MITRE CVE, SecurityFocus, ISS X-Force, and Packet
14.3.1 Cisco IOS Accessible Service Vulnerabilities
Telnet, NTP, and SNMP services are accessible on the Cisco IOS 12.2.8 router at 192.168.10.1. Through checking MITRE CVE, SecurityFocus, and ISS X-Force, no remotely exploitable issues were identified that affect this version of IOS.
Therefore, the two particular threats to this Cisco IOS router are from:
14.3.2 Solaris 8 Accessible Service Vulnerabilities
OpenSSH 3.1p1 and Sendmail 8.11.6 were found running on the Solaris 8 mail server at 192.168.10.10. Table 14-3 shows the remotely exploitable issues identified through checking the MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to OpenSSH 3.1p1.
Table 14-3. Relevant OpenSSH vulnerabilities identified
From investigating CVE-2002-0639 in more detail, I find that OpenSSH is only exploitable if SKEY or BSD_AUTH authentication
Example 14-16 shows how to use the gobblessh patched OpenSSH client (from sshutup-theo.tar.gz, as discussed in Chapter 4) to check whether the remote host supports the SKEY or BSD_AUTH authentication mechanisms.
Example 14-16. Checking for authentication support using gobblessh
# ./gobblessh -l root 192.168.10.10 -M skey
[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).
# ./gobblessh -l root 192.168.10.10 -M bsdauth -S invalid
[*] remote host supports ssh2
[*] server_user: root:invalid
[*] keyboard-interactive method available
[x] bsdauth (invalid) not available
Permission denied (publickey,password,keyboard-interactive).
In this case, neither the SKEY nor the BSD_AUTH authentication mechanism is supported, so the CVE-2002-0639 challenge-response exploit won't be effective.
CVE-2003-0190, on the other hand, relies on a timing bug in OpenSSH
The recent memory bugs and buffer management issues identified in OpenSSH (CVE-2003-0682, CVE-2003-0693, and CVE-2003-0695) have no publicly available remote exploit scripts. Due to the way that these bugs are nested and rely on a number of
Table 14-4 shows the remotely exploitable issues identified through checking MITRE CVE, SecurityFocus, and ISS X-Force databases for issues relating to Sendmail 8.11.6.
Table 14-4. Relevant Sendmail vulnerabilities identified
The LSD security research team (http://www.lsd-pl.net) posted an
LSD found that on most Unix platforms, the static buffer isn't followed by such useful data. Their post to the BugTraq mailing list in March 2003 contained the low-level technical details, archived at http://www.securityfocus.com/archive/1/313757. In particular, they found that Solaris 8 running Sendmail 8.11.6 doesn't crash when provided with the
At the time of writing, there are also no public tools or scripts to exploit the recent Sendmail 8.12.9 prescan( ) bugs (CVE-2003-0161 and CVE-2003-0694).
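The workflow in this section, in code: take the service versions identified during scanning, look each one up against a list of known issues, and apply the preconditions the text describes (CVE-2002-0639 only matters when SKEY or BSD_AUTH is offered). The following Python script is an added example, not from the book or the gobblessh tool. The advisory table is sample data constructed for illustration: the CVE ids are the ones discussed above, but the `fixed_in` boundaries, the banners, and the "[*] bsdauth (...) available" output form are assumptions to be confirmed against MITRE CVE and vendor advisories before being relied on.

```python
"""Triage discovered service versions against a (constructed) advisory list."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_in: str                          # first version no longer affected (sample data)
    needs_any_of: frozenset = frozenset()  # auth methods the host must offer for this to matter


# Sample advisory data constructed for this example; the fixed_in values are
# illustrative and must be verified against the CVE database before use.
ADVISORIES = (
    Advisory("CVE-2002-0639", "OpenSSH", "3.4", frozenset({"skey", "bsdauth"})),
    Advisory("CVE-2003-0190", "OpenSSH", "3.6.1p2"),
    Advisory("CVE-2003-0682", "OpenSSH", "3.7.1"),
    Advisory("CVE-2003-0693", "OpenSSH", "3.7.1"),
    Advisory("CVE-2003-0695", "OpenSSH", "3.7.1"),
    Advisory("CVE-2003-0161", "Sendmail", "8.12.9"),
    Advisory("CVE-2003-0694", "Sendmail", "8.12.10"),
)

BANNER_PATTERNS = (
    ("OpenSSH", re.compile(r"OpenSSH[_ ](\d[\w.]*)")),
    ("Sendmail", re.compile(r"Sendmail (\d[\w.]*?)(?:/|\s|$)")),
)


def parse_version(text):
    """'3.6.1p2' -> (3, 6, 1, 0, 2): up to four numeric fields, zero padded,
    then the portable patch level, so tuples compare correctly."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums + (int(m.group(2) or 0),)


def parse_banner(banner):
    """Return (product, version tuple) from an SSH or SMTP banner."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    raise ValueError(f"no known product in banner: {banner!r}")


def offered_auth_methods(client_output):
    """Collect the auth methods a server offers, from the 'Permission denied (...)'
    list and from gobblessh-style probe lines ('[x] bsdauth (skey) not available';
    the '[*] ... available' form is an assumption of this example)."""
    methods = set()
    m = re.search(r"Permission denied \(([^)]*)\)", client_output)
    if m:
        methods.update(x.strip() for x in m.group(1).split(","))
    for _mark, submethod, missing in re.findall(
            r"\[([*x])\] bsdauth \((\w+)\) (not )?available", client_output):
        if not missing:
            methods.add(submethod)
    return methods


def triage(banner, auth_methods=frozenset()):
    """Map each recorded CVE for the banner's product to its status on this host."""
    product, version = parse_banner(banner)
    findings = {}
    for adv in ADVISORIES:
        if adv.product != product:
            continue
        if version >= parse_version(adv.fixed_in):
            findings[adv.cve] = "not affected (fixed version)"
        elif adv.needs_any_of and not (adv.needs_any_of & auth_methods):
            findings[adv.cve] = "version affected, but required auth method not offered"
        else:
            findings[adv.cve] = "applies"
    return findings


# Constructed sample input: the gobblessh output reproduces Example 14-16.
SAMPLE_GOBBLESSH = """[*] remote host supports ssh2
[*] server_user: root:skey
[*] keyboard-interactive method available
[x] bsdauth (skey) not available
Permission denied (publickey,password,keyboard-interactive).
"""
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_3.1p1"
SAMPLE_SMTP_BANNER = "220 mail.example.test ESMTP Sendmail 8.11.6/8.11.6; Mon, 1 Dec 2003 10:00:00 GMT"

if __name__ == "__main__":
    methods = offered_auth_methods(SAMPLE_GOBBLESSH)
    for cve, status in triage(SAMPLE_SSH_BANNER, methods).items():
        print(f"192.168.10.10 OpenSSH  {cve}: {status}")
    for cve, status in triage(SAMPLE_SMTP_BANNER).items():
        print(f"192.168.10.10 Sendmail {cve}: {status}")
```

The version comparison pads every version to the same shape before comparing, which is what makes `3.1p1 < 3.4` and `3.6.1p1 < 3.6.1p2` come out right; a plain string comparison would get cases like `3.10` versus `3.4` wrong. The precondition check is the part that turns a database hit into an actual finding: on the sample host CVE-2002-0639 is reported as not applicable because the server offers neither `skey` nor `bsdauth`, exactly the conclusion drawn from Example 14-16.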
14.3.3 Windows 2000 Accessible Service Vulnerabilities
The two accessible ports on the Windows 2000 server at
are both IIS 5.0 web service instances. By enumerating the enabled IIS subsystems and
Table 14-5. Relevant IIS vulnerabilities identified
After assembling a list of serious remotely exploitable vulnerabilities, visit Packet Storm, SecurityFocus, and