Wednesday, October 10, 2007

Security assessments of Solaris systems

One of the banes of our lives whilst doing vulnerability assessments of Solaris has been finding which process owns a given listening TCP port. On Linux this is easy to establish with 'netstat -p', but Solaris has no equivalent switch and has always called for the additional lsof package to help out. You could always mess about with pfiles to find the answer (walking every PID under /proc and grepping its output for the port), but now somebody has kindly written a wrapper around it and created pcp.

Here's a quick example...

    root@web ~ # netstat -an | grep LISTEN
          *.*                  0      0 49152      0 LISTEN
          *.*                  0      0 49152      0 LISTEN
          *.*                  0      0 49152      0 LISTEN
          *.*                  0      0 49152      0 LISTEN

During our assessment we spot the open port 587, and we're a little unsure about it. So we run pcp with the '-p' switch and the port number...

    root@web ~ # pcp -p 587
    PID   Process Name and Port
    853   /usr/lib/sendmail 587
          sockname: AF_INET port: 587

Et voila! It's sendmail with a process ID of 853. So simple.

pcp is a great tool to establish what process owns a listening port, and makes assessing Solaris systems considerably easier!
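If pcp cannot be installed on the box under test, the same lookup can be done by hand with pfiles, which is what pcp wraps. The script below is an added example and is not code from the original post or from pcp; the function and variable names are ours. It assumes a Solaris host with /proc, pfiles(1) and ps(1), and it needs to be run as root so that pfiles can inspect every process. Two caveats worth knowing before running it on a live system: pfiles briefly stops the target process while it inspects it, and only "sockname:" lines are matched, because matching "peername:" too would also flag outbound connections whose remote end happens to use the port you are looking for.

```shell
#!/bin/sh
# Added example (not from the original post or from pcp): map a listening
# TCP port to its owning process on Solaris by walking /proc and parsing
# pfiles(1) output. Run as root so pfiles can inspect every process.

# has_local_port: read pfiles(1) output on stdin and succeed (exit 0) if any
# socket in it is bound locally to port $1.
# Only "sockname:" lines count. A "peername:" line carries the *remote* port
# of an outbound connection and must not be mistaken for a local listener.
# The trailing anchor stops port 58 from matching 587, 5870 and so on.
has_local_port() {
    grep -Eq "^[[:space:]]*sockname: AF_INET6? .*[[:space:]]port: $1\$"
}

# port_owner: print "PID<TAB>command line" for every process that has a
# socket bound to local port $1. Reads /proc directly, so it works on a
# base install without lsof or pcp. Processes we are not allowed to
# inspect are skipped silently (pfiles writes its error to stderr).
port_owner() {
    port="$1"
    for d in /proc/[0-9]*; do
        pid="${d##*/}"
        if pfiles "$pid" 2>/dev/null | has_local_port "$port"; then
            printf '%s\t%s\n' "$pid" "$(ps -o args= -p "$pid")"
        fi
    done
}

# Usage on a Solaris host, as root:  ./port_owner.sh 587
if [ $# -eq 1 ]; then
    port_owner "$1"
fi
```

On the host from the post this would print a line for PID 853 with /usr/lib/sendmail's command line. The function split is deliberate: has_local_port is pure text processing, so the matching rule can be checked on saved pfiles output from a non-Solaris machine, while port_owner is the only part that needs /proc and pfiles.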
