Wednesday, October 10, 2007

Security assessments of Solaris systems

One of the banes of our lives whilst doing vulnerability assessments of Solaris has been finding what process owns a given TCP port that may be listening. On Linux this is easy to establish with a 'netstat -p', but Solaris has always called for the additional lsof package to help out. You could always mess about with pfiles to find the answer, but now somebody has kindly written a wrapper around it and created pcp.

Here's a quick example...


root@web ~ # netstat -an | grep LISTEN
88.111.12.111.80           *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
127.0.0.1.587              *.*                0      0 49152      0 LISTEN
88.111.12.111.22           *.*                0      0 49152      0 LISTEN


During our assessment we spot the open port 587, and we're a little unsure about it. So we run pcp with the '-p' switch and the port number...


root@web ~ # pcp -p 587
PID     Process Name and Port
_________________________________________________________
853     /usr/lib/sendmail       587
        sockname: AF_INET 127.0.0.1  port: 587
_________________________________________________________



Et voila! It's sendmail with a process ID of 853. So simple.

pcp is a great tool to establish what process owns a listening port, and makes assessing Solaris systems considerably easier!
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)