Good times with snmp

Posted on July 18, 2012 by AnarchyAngel

At the last meeting dw5304 gave a demo on snmp scanning and gaining access to things you shouldn’t have access to with a few home brew windows apps he coded up. Its been a while since I messed with snmp but his demo got me back into it, so I made a little python script to scan subnets for open snmp servers with the read/write string set to private. Here is the code:

#! /usr/bin/env python import commands from scapy.all import *

base = "10.2.1." #IP range to scan minus the last octet. f = open('/tmp/snmp_output.txt', 'w+') for i in range(1, 255): ip = base+str(i) print ip+"\n" p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",PDU=SNMPget(id=1411092799, varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))])) pkt = sr1(p, timeout=1) if pkt and pkt.sprintf("%IP.proto%") != "icmp": p1 = pkt.sprintf("%SNMP.PDU%").split("ASN1_STRING['", 1) p2 = p1[1].split("'", 1) print pkt.sprintf("%IP.src%")+" - "+p2[0] f.write(pkt.sprintf("%IP.src%")+" - "+p2[0]+"\n") f.close() print "\nDONE!!!!!!!!!!!!!!!\n"

Its a little hacked together and could use improvement but it works “feel free to send in any improvements you make”. It puts all the found servers IPs in /tmp/snmp_output.txt along with their system description enumerated via snmp. Here is a sample output:

10.1.10.87 - Ruckus Wireless Inc (C) 2006 10.1.10.156 - Ruckus Wireless Inc (C) 2006 10.1.10.190 - Ruckus Wireless Inc (C) 2006 10.1.10.193 - Ruckus Wireless Inc (C) 2006 10.1.10.203 - Ruckus Wireless Inc (C) 2006 10.1.10.221 - Ruckus Wireless Inc (C) 2006 10.1.11.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE 10.1.11.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006

Once you find a few servers you can do snmpwalks on them and scour it for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304

ip.ipForwarding.0 <-this tells you if its forwarding packets or not "useful to DoS a device" 1.3.6.1.2.1.4.24.2.1.1 <-ipforwardingdest sysName.0 <-device name 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 ... EnableTelnetServer. 1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0....telnetIpStackInterfaces. 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0....telnetUserName.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0....telnetPassword.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0....telnetServerControl. 1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0....telnetSessionIp. 1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0....telnetSessionInProgress. 1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0....telnetForceUserLogout. 1.3.6.1.2.1.1.1.0 = System Description 1.3.6.1.2.1.1.3.0 = Modem up time 1.3.6.1.2.1.4 = Some useful information (walk) 1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext) 1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext) 1.3.6.1.2.1.2.2.1.6.2= Mac 1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth 1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth 1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk) 1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem 1.3.6.1.2.1.10.1.4.4.0 = TFTP Configuration file server IP 1.3.6.1.2.1.10.1.4.5.0 = Configuration file name 1.3.6.1.2.1.10.1.3.5.0 = Current firmware 1.3.6.1.2.1.10.1.4.2.0 = DHCP Server IP 1.3.6.1.2.1.10.1.4.3.0 = Time Server IP 1.3.6.1.2.1.10.1.5.8.1.7 = View Log (walk) 1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency 1.3.6.1.2.1.10.1.4.5.0 = Image File 1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next) ---[ Read / Write OIDs 1.3.6.1.2.1.10.1.1.3.0 = Boot modem (1=boot now) 1.3.6.1.2.1.10.1.3.1.0 = TFTP Firmware server IP 1.3.6.1.2.1.10.1.3.2.0 = Firmware filename 1.3.6.1.2.1.10.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates) 1.3.6.1.2.1.10.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled) 1.3.6.1.2.1.10.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled) 1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port 1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port 1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)Other OIDs 1.3.6.1.2.1.1.5.0 = modem type 1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number 1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File 1.3.6.1.3.83.1.4.3.0 = Provisional Server 1.3.6.1.2.1.1.6.0 = Area String 1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet Example 1.3.6.1.2.4.20.1.3.10.110.53.2451.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC 1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC 1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address 1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up 1.3.6.1.2.1.2.2.1.6.5 = CPE MAC 1.3.6.1.4.1.1166.1.19.3.1.17.0Ii 1 or 0 enable or disable webif 1.3.6.1.4.1.4413.2.2.2.1.1.4.1 =”reflects the IP stack interfaces on which a ssh 1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server. 1.3.6.1.4.1.4413.2.2.2.1.1.4.7 =terminate ssh session

You can find a lot more online. Enjoy and happy hacking 🙂

July meeting sweetness

Posted on July 11, 2012 by AnarchyAngel

July’s meeting was hot in more then one way! First I would like to thank genero again for his genorous donation for the raffle, which put a solid $200 in the 3d printer fund!! Also congrats to faraday for winning both the raffle and the Photoshop and WIN contest!! I know it took forever to pick a winner but we did it damnit 😛

ngharo started the demos off with talking about how he set up dc414’s new astrisk server using google voice as the SIP trunk! Then showed us how he set it up to use NMAP to scan IPs from asterisk and speak the results to you over the phone! Klaiviel took over and made Ngharo a case for his raspberry pi and a penny launcher with his sweet 3d printer. Then I stepped in and showed everyone how to send spoofed emails from the dc414 server using the email spoofer web app, then how to send spoofed txt messages using the same app 🙂 Then Tony used a SIP provider that allowed for spoofing CID to spoof a call to Vlad. Then dw5304 wowed us all with a SNMP scanner he made, showed us some of the results like accessing a routers, modems, and windmills!!

Here are some pics from the meeting thanx to cmoney and congrats to Castor for winning the dc414 free junk giveaway!

Here is Faraday with his raffle winnings!

Here is Castor and his free junk from dc414

LAN Party This Weekend

Posted on July 9, 2012 by ngharo

Come party, video game style, at Bucketworks this Saturday, July 14th at 2PM.

BasementLAN only asks you bring $5 to donate to Bucketworks for electricity.

You can register at BasementLAN.org, or just show up 🙂

Get Your Raffle Tickets!

Posted on June 20, 2012 by AnarchyAngel

The super awesome genero donated a box of goodies to dc414 and we decided to raffle the entire box off at the next meeting. Tickets are $20 each, or three for $50. The more you buy the better your chances of winning are! You can secure your tickets now by clicking the donate link on the right (make sure to include your contact information) or get them at the next meeting.

We will be raffling the goodies off next meeting.

Here is a list of what’s inside:
RadioShack scanner radio, needs 12v power supply – img
Fiber to Ethernet converter – img
Finger print reader – img
PC fan still in the box – img
Bluetooth Mouse – img
Cisco Wifi antenna – img
Cable box – img
belkin video switch – img
LAN cable tester – img
IP Camera with two way audio – img
cell jammer, broken power button – img
PS3 camera – img
Linksys switch, needs power supply – img
InFocus projector, MIGHT need bulb – img
Slingbox, needs to be reset – img
Intel Core 2 Duo 2.33Ghz 4M Cache 1333Mhz FSB – img
Veo PTZ IP Camera x2 – img
Ethernet card for desktop – img
Parallax Basic module – img
Wireless Ethernet Bridge, needs reset – img
Linksys WAP, needs power supply – img
VX-5 ham radio, needs new batteries, charger, and antenna – img
Dlink ip cam x2 – img

That is a lot of stuff for just 20 bucks, but you can’t win with out a ticket so be sure to get yours and have a chance to walk away with that treasure trove of electronics!

Arduino Windows Attack Tool

Posted on June 11, 2012 by AnarchyAngel

A few meetings back I demoed my Arduino Windows attack tool. The Arduino and shield emulate a keyboard when plugged into a PC. Once triggered it opens the DOS edit program, writes some vbscript to a file called go.vbs, then runs it using wscript. The script downloads a payload from a web server. In the case of the demo it was a reverse shell that connects back to a nc listener from msf. I got the idea from the Social-Engineering Toolkit Teensy USB HID Attack but I dont have/want a teensy so I looked and looked for an Arduino version but all I could find was a USB keyboard lib, so my value add was porting it to the Arduino.

Here is the USB lib I used.

Here is the schematic for the shield: *I added a button on pin 12

Here is the code for the Arduino:

And there you have it, my Arduino Windows attack tool. Its a little messy and hacked together, but it works. Enjoy 🙂

Many thanx to SilkyPantsDan, Rancid Bacon, and Practical Arduino

3D Printer Fund

Posted on June 6, 2012 by ngharo

There has been a lot of buzz about 3D printers over the last year. Prices are coming down and resolution has been increasing. Klaiviel, our resident lockpicking guru, is attempting to start a business around it. We feel that DC414 as a whole needs their hands on this technology. We’re starting a 3D printer fund starting now.

There are many options to go with but we want to get the ball rolling while research is happening in parallel. Price range we’re looking at is between $500 and $1,000 for quality printers.

This won’t happen without help from people like you. Once purchases / assembled / hacked, our goal is to make the printer accept jobs from online. We’d queue up jobs and have a webcam feed to view progress when printing remotely. Notifications would be sent out to the author upon start, completion, and possibly other metrics we can get out of the printer.

Donate $25+ gets you free stickers
Donate $50+ gets you a free shirt
Donate $100+ gets you free prints for 6 months
Donate $150+ gets you free prints and priority for 6 months

Any size donation gets you on the thank you list.

As of now we have $233 in the fund. Make your donation now (look to the right) and lets get this ball rolling.

June meeting recap

Posted on June 4, 2012 by AnarchyAngel

June’s meeting was great! More new faces, lots of beer, and plenty of pizza 🙂 Ngharo got things started by making a few announcements like our new VPN that is available for donating members, and asking everyone what they are hacking ATM and what they wanna hack next. I was up next and talked about the new server and some of the sections of the site. Then Ulic gave us all the 411 on the Flamer virus sweeping the middle east and some of its unique features. dw5304 took over and gave a sweet demo on how to hack/mod the xbox360, complete with code and points of solder. We got some great pictures this time thanx to cmoney which you can view here. Congrats to nikto, Tony, and Ulic for winning the dc414 free junk giveaway.

Here is nikto and his dc414 junk 🙂

Computer Hacker skillz badge is here!

Posted on June 2, 2012 by AnarchyAngel

The computer Hacker skillz badge is done! Get yours and start working on the achievements now!!

Meeting tonight

Posted on June 1, 2012 by Dw

we will be meeting in the boardroom of bucketwork.

The big move

Posted on May 30, 2012 by AnarchyAngel

We just moved to a new server over seas to a place that should be a little more friendly then the US to keep the fuzz off our backs 🙂 Now we can get wild and crazy!