
need help getting into old server bought at yard sale


RadarG


I picked up an Origin 200 at a yard sale for 15 bucks. I took it home and powered it up. It powered up just fine. The box is headless and the only way that I can log into it is via telnet. I am unable to get in because I don't know the root password. I have run a few nmap scans and a Nessus scan and here is the info below. Any help getting into this box would be most welcome. Thanks

C:\nmap>nmap -A -v 10.28.216.194

Starting Nmap 3.95 ( http://www.insecure.org/nmap ) at 2006-10-21 22:59 Central Standard Time
Initiating ARP Ping Scan against 10.28.216.194 [1 port] at 22:59
The ARP Ping Scan took 0.08s to scan 1 total hosts.
Initiating SYN Stealth Scan against 10.28.216.194 [1670 ports] at 23:00
Discovered open port 21/tcp on 10.28.216.194
Discovered open port 23/tcp on 10.28.216.194
Discovered open port 513/tcp on 10.28.216.194
Discovered open port 37/tcp on 10.28.216.194
Discovered open port 19/tcp on 10.28.216.194
Discovered open port 512/tcp on 10.28.216.194
Discovered open port 514/tcp on 10.28.216.194
Discovered open port 7/tcp on 10.28.216.194
Discovered open port 1/tcp on 10.28.216.194
Discovered open port 1025/tcp on 10.28.216.194
Discovered open port 79/tcp on 10.28.216.194
Discovered open port 13/tcp on 10.28.216.194
Discovered open port 111/tcp on 10.28.216.194
Discovered open port 1024/tcp on 10.28.216.194
Discovered open port 9/tcp on 10.28.216.194
The SYN Stealth Scan took 0.83s to scan 1670 total ports.
Initiating service scan against 15 services on 10.28.216.194 at 23:00
The service scan took 106.97s to scan 15 services on 1 host.
Initiating RPCGrind Scan against 10.28.216.194 at 23:01
The RPCGrind Scan took 0.03s to scan 1 ports on 10.28.216.194.
For OSScan assuming port 1 is open, 2 is closed, and neither are firewalled
For OSScan assuming port 1 is open, 2 is closed, and neither are firewalled
For OSScan assuming port 1 is open, 2 is closed, and neither are firewalled
Host 10.28.216.194 appears to be up ... good.
Interesting ports on 10.28.216.194:
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE     VERSION
1/tcp    open  tcpmux
7/tcp    open  echo
9/tcp    open  discard?
13/tcp   open  daytime
19/tcp   open  chargen
21/tcp   open  ftp         SGI IRIX ftpd
23/tcp   open  telnet      IRIX telnetd 6.X
37/tcp   open  time?
79/tcp   open  finger      SGI IRIX or NeXTSTEP fingerd
111/tcp  open  rpcbind     2 (rpc #100000)
512/tcp  open  exec
513/tcp  open  rlogin
514/tcp  open  tcpwrapped
1024/tcp open  kdm?
1025/tcp open  NFS-or-IIS?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port37-TCP:V=3.95%I=7%D=10/21%Time=453AECC7%P=i686-pc-windows-windows%r
SF:(NULL,4,"\xc8\xe5k`")%r(GenericLines,4,"\xc8\xe5k`")%r(GetRequest,4,"\x
SF:c8\xe5k`")%r(HTTPOptions,4,"\xc8\xe5k`")%r(RTSPRequest,4,"\xc8\xe5k`")%
SF:r(RPCCheck,4,"\xc8\xe5k`")%r(DNSVersionBindReq,4,"\xc8\xe5k`")%r(DNSSta
SF:tusRequest,4,"\xc8\xe5k`")%r(Help,4,"\xc8\xe5k`")%r(SSLSessionReq,4,"\x
SF:c8\xe5k`")%r(SMBProgNeg,4,"\xc8\xe5k`")%r(X11Probe,4,"\xc8\xe5k`")%r(LP
SF:DString,4,"\xc8\xe5k`")%r(LDAPBindReq,4,"\xc8\xe5k`")%r(LANDesk-RC,4,"
SF:\xc8\xe5k`")%r(TerminalServer,4,"\xc8\xe5k`")%r(NCP,4,"\xc8\xe5k`")%r(No
SF:tesRPC,4,"\xc8\xe5k`")%r(WMSRequest,4,"\xc8\xe5k`")%r(oracle-tns,4,"\xc
SF:8\xe5k`");
MAC Address: 08:00:69:0D:98:78 (Silicon Graphics)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.95%P=i686-pc-windows-windows%D=10/21%Tm=453AED36%O=1%C=2%M=080069)
TSeq(Class=RI%gcd=20%SI=2E1%IPID=I%TS=2HZ)
TSeq(Class=RI%gcd=20%SI=5E5%IPID=I%TS=2HZ)
TSeq(Class=RI%gcd=20%SI=4C0%IPID=I%TS=2HZ)
T1(Resp=Y%DF=N%W=C000%ACK=S++%Flags=AS%Ops=MNWNNT)
T1(Resp=Y%DF=N%W=C000%ACK=O%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.007 days (since Sat Oct 21 22:51:26 2006)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=1216 (Medium)
IPID Sequence Generation: Incremental
Service Info: Host: erasv01; OS: IRIX

Nmap finished: 1 IP address (1 host up) scanned in 130.531 seconds
               Raw packets sent: 1713 (70.2KB) | Rcvd: 1712 (79.1KB)

Tenable Nessus Security Report
Start Time: Sun Oct 22 17:26:19 2006    Finish Time: Sun Oct 22 17:30:13 2006

10.28.216.194: 30 Open Ports, 57 Notes, 11 Warnings, 2 Holes.

sunrpc (111/tcp)
Port is open
Plugin ID : 11219

The RPC portmapper is running on this port.
An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.
Risk Factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205
Plugin ID : 10223

RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Plugin ID : 11111

echo (7/udp)
Port is open
Plugin ID : 11219

Synopsis :
An echo service is running on the remote host.
Description :
The remote host is running the 'echo' service. This service echoes any data which is sent to it.
This service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers to set up denial of service attacks against this host.
Solution:
- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103, CVE-1999-0635
Plugin ID : 10061

discard (9/udp)
Port is open
Plugin ID : 11219

daytime (13/udp)
Port is open
Plugin ID : 11219

Synopsis :
A daytime service is running on the remote host
Description :
The remote host is running a 'daytime' service. This service is designed to give the local time of the day of this host to whoever connects to this port.
The date format issued by this service may sometimes help an attacker to guess the operating system type of this host, or to set up timed authentication attacks against the remote host.
In addition to that, since the UDP version of daytime is running, an attacker may link it to the echo port of a third party host using spoofing, thus creating a possible denial of service condition between this host and a third party.
Solution:
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103
Plugin ID : 10052

chargen (19/udp)
Port is open
Plugin ID : 11219

time (37/udp)
Port is open
Plugin ID : 11219

bootps (67/udp)
Port is open
Plugin ID : 11219

tftp (69/udp)
Port is open
Plugin ID : 11219

Synopsis :
A TFTPD server is listening on the remote port.
Description :
The remote host is running a TFTPD (Trivial File Transfer Protocol).
TFTPD is often used by routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Solution:
If you do not use this service, you should disable it.
Risk Factor : None
CVE : CVE-1999-0616
Plugin ID : 11819

sunrpc (111/udp)
Port is open
Plugin ID : 11219

RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Plugin ID : 11111

snmp (161/udp)
Synopsis :
The community name of the remote SNMP server can be guessed.
Description :
It is possible to obtain the default community names of the remote SNMP server.
An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications).
Solution:
Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.
Risk Factor : High
Plugin output :
The remote SNMP server replies to the following default community strings :
public
CVE : CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Plugin ID : 10264

Port is open
Plugin ID : 11219

Synopsis :
The System Information of the remote host can be obtained via SNMP.
Description :
It is possible to obtain the system information about the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.1.1.
An attacker may use this information to gain more knowledge about the target host.
Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.
Risk Factor : Low
Plugin output :
System information :
sysDescr : Silicon Graphics Challenge/1 running IRIX64 6.4
sysObjectID : 1.3.6.1.4.1.59.1.1
sysUptime : 0d 4h 30m 20s
sysContact : Contact Entry
sysName : erasv01
sysLocation : Location Entry
sysServices : 72
Plugin ID : 10800

Synopsis :
The list of network interface cards of the remote host can be obtained via SNMP.
Description :
It is possible to obtain the list of the network interfaces installed on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0
An attacker may use this information to gain more knowledge about the target host.
Solution:
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.
Risk Factor : Low
Plugin output :
Interface 1 information :
ifIndex : 1
ifDescr : Silicon Graphics lo Loopback interface
ifPhysAddress :

Interface 2 information :
ifIndex : 2
ifDescr : ef0
ifPhysAddress : 000000000000
Plugin ID : 10551

shell (514/udp)
Port is open
Plugin ID : 11219

ntalk (518/udp)
Port is open
Plugin ID : 11219

kdm (1024/udp)
The rstatd RPC service is running. It provides an attacker interesting information such as :
- the CPU usage
- the system uptime
- its network usage
- and more
Letting this service run is not recommended.
Risk Factor : Low
CVE : CVE-1999-0624
Plugin ID : 10227

Port is open
Plugin ID : 11219

RPC program #100001 version 1 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
RPC program #100001 version 2 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
RPC program #100001 version 3 'rstatd' (rstat rup perfmeter rstat_svc) is running on this port
Plugin ID : 11111

ms-lsa (1029/udp)
Port is open
Plugin ID : 11219

general/tcp
Nessus snmp scanner was able to retrieve the open port list with the community name public
Plugin ID : 14274

Nessus was not able to reliably identify the remote operating system. It might be:
Enterasys XP 2004 10.0 Switch
F5 Networks Appliance
Juniper M7i
Lexmark Printer
The fingerprint differs from these known signatures on 2 points.
If you know what operating system this host is running, please send this signature to os-signatures@nessus.org :
:1:1:1:255:1:255:1:0:255:1:0:255:1:8:255:1:1:1:2:1:1:1:1:1:64:49152:MNWNNT:0:1:1
($Revision: 1.138 $)
Plugin ID : 11936

Information about this scan :
Nessus version : 3.0.3
Plugin feed version : 200610201215
Type of plugin feed : Registered (7 days delay)
Scanner IP : 10.28.216.192
Port scanner(s) : snmp_scanner synscan
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan Start Date : 2006/10/22 17:26
Scan duration : 209 sec
Plugin ID : 19506

shell (514/tcp)
Synopsis :
The rsh service is running.
Description :
The remote host is running the 'rsh' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords.
Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication.
Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files.
You should disable this service and use ssh instead.
Solution:
Comment out the 'rsh' line in /etc/inetd.conf
Risk Factor : Low / CVSS Base Score : 2 (AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C)
CVE : CVE-1999-0651
Plugin ID : 10245

Port is open
Plugin ID : 11219

login (513/tcp)
Synopsis :
The rlogin service is listening on the remote port.
Description :
The remote host is running the 'rlogin' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords.
Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication.
Finally, rlogin is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files.
You should disable this service and use ssh instead.
Solution:
Comment out the 'login' line in /etc/inetd.conf
Risk Factor : Low / CVSS Base Score : 2 (AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C)
CVE : CVE-1999-0651
Plugin ID : 10205

Port is open
Plugin ID : 11219

exec (512/tcp)
The rexecd service is open. This service is designed to allow users of a network to execute commands remotely.
However, rexecd does not provide any good means of authentication, so it may be abused by an attacker to scan a third party host.
Solution: comment out the 'exec' line in /etc/inetd.conf and restart the inetd process
Risk Factor : Medium
CVE : CVE-1999-0618
Plugin ID : 10203

Port is open
Plugin ID : 11219

finger (79/tcp)
The remote finger service accepts redirect requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use this computer as a relay to gather information on a third party network.
Solution: Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or upgrade it to a more secure one.
Risk Factor : Low
CVE : CVE-1999-0105, CVE-1999-0106
Plugin ID : 10073

There is a bug in the remote finger service which, when triggered, allows a user to force the remote finger daemon to display the list of the accounts that have never been used, by issuing the request :
finger .@target
This list will help an attacker to guess the operating system type. It will also tell him which accounts have never been used, which will often make him focus his attacks on these accounts.
Here is the list of accounts we could obtain :
Login name: operator
Directory: /us2/convt01 Shell: /us2/obj/convt.o/shell/sd.menu
Never logged in.
No Plan.

Login name: convert
Directory: /us2/convt01 Shell: /us2/obj/convt.o/shell/menu
Never logged in.
No Plan.

Login name: susi
Directory: /
Never logged in.
No Plan.

Login name: sebd
Directory: /
Never logged in.
No Plan.
Solution: disable the finger service in /etc/inetd.conf and restart the inetd process, or upgrade your finger service.
Risk Factor : Medium
CVE : CVE-1999-0198
Plugin ID : 10072

The 'finger' service provides useful information to attackers, since it allows them to gain usernames, check if a machine is being used, and so on...
Here is the output we obtained for 'root' :
Login name: root In real life: Super-User
Directory: /
Last login at Wed Oct 6, 2004 on ttyb
No Plan.
Solution: comment out the 'finger' line in /etc/inetd.conf
Risk Factor : Low
CVE : CVE-1999-0612
Plugin ID : 10068

Port is open
Plugin ID : 11219

A finger server seems to be running on this port
Plugin ID : 10330

time (37/tcp)
Port is open
Plugin ID : 11219

A time server seems to be running on this port
Plugin ID : 10330

daytime (13/tcp)
Port is open
Plugin ID : 11219

Synopsis :
A daytime service is running on the remote host
Description :
The remote host is running a 'daytime' service. This service is designed to give the local time of the day of this host to whoever connects to this port.
The date format issued by this service may sometimes help an attacker to guess the operating system type of this host, or to set up timed authentication attacks against the remote host.
In addition to that, since the UDP version of daytime is running, an attacker may link it to the echo port of a third party host using spoofing, thus creating a possible denial of service condition between this host and a third party.
Solution:
- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103
Plugin ID : 10052

discard (9/tcp)
Port is open
Plugin ID : 11219

The remote host is running a 'discard' service. This service typically sets up a listening socket and will ignore all the data which it receives.
This service is unused these days, so it is advised that you disable it.
Solution:
- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf and restart the inetd process
- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk Factor : Low
CVE : CVE-1999-0636
Plugin ID : 11367

echo (7/tcp)
Port is open
Plugin ID : 11219

An echo server is running on this port
Plugin ID : 10330

Synopsis :
An echo service is running on the remote host.
Description :
The remote host is running the 'echo' service. This service echoes any data which is sent to it.
This service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers to set up denial of service attacks against this host.
Solution:
- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103, CVE-1999-0635
Plugin ID : 10061

tcpmux (1/tcp)
Port is open
Plugin ID : 11219

A tcpmux server seems to be running on this port
Plugin ID : 10330

blackjack (1025/tcp)
Port is open
Plugin ID : 11219

kdm (1024/tcp)
Port is open
Plugin ID : 11219

RPC program #391002 version 1 'sgi_fam' (fam) is running on this port
Plugin ID : 11111

telnet (23/tcp)
Synopsis :
A telnet server is listening on the remote port
Description :
The remote host is running a telnet server.
Using telnet is not recommended as logins, passwords and commands are transferred in clear text.
An attacker may eavesdrop on a telnet session and obtain the credentials of other users.
Solution:
Disable this service and use SSH instead
Risk Factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)
Plugin output:
Remote telnet banner:
IRIX (erasv01)
login:
Plugin ID : 10281

Port is open
Plugin ID : 11219

A telnet server seems to be running on this port
Plugin ID : 10330

ftp (21/tcp)
It is possible to gather the real path of the public area of the ftp server (like /home/ftp) by issuing the following command :
CWD
We determined that the root of the remote FTP server is located under '/us1/obj/anftp.o'.
This problem may help an attacker to find where to put a .rhost file using other security flaws.
Risk Factor : Low
CVE : CVE-1999-0201
Plugin ID : 10087

It is possible to force the FTP server to connect to third-party hosts by using the PORT command.
This problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network, or it can even allow them to go through your firewall.
Solution: Upgrade to the latest version of your FTP server, or use another FTP server.
Risk Factor : Medium
CVE : CVE-1999-0017
BID : 126
Plugin ID : 10081

Port is open
Plugin ID : 11219

An FTP server is running on this port.
Here is its banner :
220 erasv01 FTP server ready.
Plugin ID : 10330

Synopsis :
An FTP server is listening on this port
Description :
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Risk Factor : None
Plugin output :
The remote FTP banner is :
220 erasv01 FTP server ready.
Plugin ID : 10092

Synopsis :
Anonymous logins are allowed on the remote FTP server.
Description :
This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause trouble.
Risk Factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-1999-0497
Plugin ID : 10079

chargen (19/tcp)
Port is open
Plugin ID : 11219

Chargen is running on this port
Plugin ID : 10330

general/icmp
Synopsis :
It is possible to determine the exact time set on the remote host.
Description :
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution: filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
The difference between the local and remote clocks is -25 seconds
CVE : CVE-1999-0524
Plugin ID : 10114

unknown (844/tcp)
RPC program #100083 version 1 is running on this port
Plugin ID : 11111

unknown (842/udp)
The tooltalk RPC service is running.
A possible implementation fault in the ToolTalk object database server may allow an attacker to execute arbitrary commands as root.
This warning may be a false positive since the presence of this vulnerability is only accurately identified with local access.
Solution: Disable this service.
See Also : CERT Advisory CA-98.11
Risk Factor : High
CVE : CVE-1999-0003, CVE-1999-0693
BID : 122, 641
Other references : CERT:CA-98.11
Plugin ID : 10239

The tooltalk RPC service is running.
There is a format string bug in many versions of this service, which allows an attacker to gain root remotely.
In addition to this, several versions of this service allow remote attackers to overwrite arbitrary memory locations with a zero and possibly gain privileges via a file descriptor argument in an AUTH_UNIX procedure call which is used as a table index by the _TT_ISCLOSE procedure.
This warning may be a false positive since the presence of the bug was not verified locally.
Solution: Disable this service or patch it
See Also : CERT Advisories CA-2001-27 and CA-2002-20
Risk Factor : High
CVE : CVE-2002-0677, CVE-2001-0717, CVE-2002-0679
BID : 3382, 5082
Other references : IAVA:2001-a-0011, IAVA:2002-b-0005, IAVA:2002-t-0012
Plugin ID : 10787

RPC program #100083 version 1 is running on this port
Plugin ID : 11111

general/udp
For your information, here is the traceroute from 10.28.216.192 to 10.28.216.194 :
10.28.216.192
10.28.216.194
Plugin ID : 10287

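Nearly every "Solution" line in the Nessus report above says the same thing: comment the service out of /etc/inetd.conf and restart inetd. The script below is an added example, not the poster's, nmap's or Nessus's code. It reads the rows of the nmap port table, maps each open legacy port to the inetd service name that Nessus says to disable, and writes a hardened copy of a constructed sample inetd.conf. The port-to-service table and the sample file are assumptions in classic inetd.conf layout (the daemon paths are invented, not taken from an IRIX host); open ports the table does not cover, such as rpcbind and the RPC services on dynamic ports, are reported separately so they get looked at by hand.

```python
"""Turn an nmap port table into an inetd.conf hardening plan.

Added example for this thread, not the poster's, nmap's or Nessus's code.
The nmap rows are copied from the scan in the post; the inetd.conf is a
constructed sample in classic inetd.conf layout with invented paths.
"""
import re

# TCP port -> (inetd service name, reason). The names are what the Nessus
# "Solution" entries say to comment out of /etc/inetd.conf; the reasons
# summarise those entries. Assumption: the box uses a classic inetd.conf
# where these names appear in column 1.
LEGACY_TCP_SERVICES = {
    7:   ("echo",    "small-service, denial of service amplification target"),
    9:   ("discard", "small-service, unused"),
    13:  ("daytime", "small-service, leaks local time and OS hints"),
    19:  ("chargen", "small-service, denial of service amplification target"),
    37:  ("time",    "small-service, leaks local time"),
    21:  ("ftp",     "cleartext credentials, anonymous login, PORT bounce"),
    23:  ("telnet",  "cleartext credentials; use ssh instead"),
    79:  ("finger",  "account enumeration and request relaying"),
    512: ("exec",    "rexecd: no good means of authentication"),
    513: ("login",   "rlogin: cleartext, .rhosts trust"),
    514: ("shell",   "rsh: cleartext, .rhosts trust"),
}

# Rows of nmap's "PORT STATE SERVICE VERSION" table.
NMAP_OPEN_RE = re.compile(r"^(\d+)/tcp\s+open\b")
# Columns 1-3 of a classic inetd.conf entry: name, socket type, protocol.
INETD_RE = re.compile(r"^\s*([^\s#]+)\s+(stream|dgram)\s+(tcp|udp)\b")


def open_tcp_ports(nmap_output):
    """Return the set of TCP ports nmap reported as open."""
    ports = set()
    for line in nmap_output.splitlines():
        m = NMAP_OPEN_RE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def harden_inetd_conf(conf_text, services):
    """Comment out every tcp and udp inetd.conf entry for the given service names.

    The original line is kept behind '#' so the change is reviewable and
    reversible; inetd still has to be signalled or restarted afterwards.
    """
    out, disabled = [], []
    for line in conf_text.splitlines():
        m = INETD_RE.match(line)
        if m and m.group(1) in services:
            out.append("#" + line)
            disabled.append((m.group(1), m.group(3)))
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def hardening_plan(nmap_output, conf_text):
    """Map open ports to inetd entries and list the ports the table does not cover."""
    ports = open_tcp_ports(nmap_output)
    findings = {p: LEGACY_TCP_SERVICES[p] for p in sorted(ports) if p in LEGACY_TCP_SERVICES}
    services = {name for name, _ in findings.values()}
    new_conf, disabled = harden_inetd_conf(conf_text, services)
    # rpcbind, RPC services on dynamic ports, snmpd and the like are either
    # standalone daemons or rpc/* inetd entries this table does not model.
    not_covered = sorted(p for p in ports if p not in LEGACY_TCP_SERVICES)
    return {"findings": findings, "disabled": disabled,
            "conf": new_conf, "not_covered": not_covered}


# Rows copied from the nmap table in the post.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
7/tcp open echo
21/tcp open ftp SGI IRIX ftpd
23/tcp open telnet IRIX telnetd 6.X
79/tcp open finger SGI IRIX or NeXTSTEP fingerd
111/tcp open rpcbind 2 (rpc #100000)
513/tcp open rlogin
514/tcp open tcpwrapped
1024/tcp open kdm?
"""

# Constructed sample inetd.conf; the daemon paths are placeholders.
SAMPLE_INETD_CONF = """\
# constructed sample, not copied from a real host
ftp stream tcp nowait root /usr/etc/ftpd ftpd -l
telnet stream tcp nowait root /usr/etc/telnetd telnetd
shell stream tcp nowait root /usr/etc/rshd rshd -L
login stream tcp nowait root /usr/etc/rlogind rlogind
exec stream tcp nowait root /usr/etc/rexecd rexecd
finger stream tcp nowait guest /usr/etc/fingerd fingerd -L
echo stream tcp nowait root internal
echo dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
"""

if __name__ == "__main__":
    plan = hardening_plan(SAMPLE_NMAP, SAMPLE_INETD_CONF)
    for port, (name, why) in plan["findings"].items():
        print("%d/tcp -> comment out '%s': %s" % (port, name, why))
    print("not covered by the table, check by hand:", plan["not_covered"])
    print(plan["conf"])
```

The plan only disables what the scan shows exposed, so chargen stays enabled in the sample because 19/tcp is not in the sample rows; exec is left alone for the same reason. A scan that covers UDP as well (as the Nessus run did) would justify disabling both socket types of every small service regardless, and the `harden_inetd_conf` call can be handed the full set of names to do that.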

Forgive me for being cynical, but no one will tell you how to get the password for it, particularly if it has to be done remotely for whatever reason, simply for the reason that you could actually be targeting someone else's box. If you were to target someone's actual box and you got caught, whoever told you how to break in effectively becomes an accessory to your crime.


I understand your point, but this is my own box. If I had an ISO that worked I would have already nuked it. Seeing how it's a MIPS system and headless, it makes it a bit difficult. Using your analogy I could use the Hacksaw USB and blame Hak5. Looks like this is a poor hacking forum.


The Hak.5 crew do it as a demonstration: they demonstrate attacks and then suggest ways in which you can prevent such attacks.

Using the same argument you could say that most of the presenters at DEFCON should be imprisoned for knowing and showing others how to do potentially illegal stuff. The key word there being potentially.

Surely there must be something physically on the device that allows you to reset it.


IRIX 6.4 uses the XFS filesystem by default.

Open up the machine, and place its hard disk(s) in your own box, mount it and then edit the passwd file and/or shadow file to suit your preferences.


IRIX 6.4 uses the XFS filesystem by default.

Open up the machine, and place its hard disk(s) in your own box, mount it and then edit the passwd file and/or shadow file to suit your preferences.

Good call Cooper! I would have just put Debian on it!


That's a great idea. I never thought of that. The bummer about that way is that I don't have a SCSI controller card. Are you sure this can be done, because the system has three hard drives? Could the drives be using RAID?

It could be using RAID. You'll know when you hook up the drives. If it is using RAID, chances are it'll be hardware RAID, so you'll know _really_ fast when you hook the drive up to a different machine if it is. Don't worry about it. Just be careful not to write anything to the drive.


I understand your point, but this is my own box. If I had an ISO that worked I would have already nuked it. Seeing how it's a MIPS system and headless, it makes it a bit difficult. Using your analogy I could use the Hacksaw USB and blame Hak5. Looks like this is a poor hacking forum.

This isn't a hacking forum. This is the Everything Else section on the Hak5 fan forums.
