Re: Determining UDP 161 port (SNMP) status using SNMPv3

[Fyodor <fyodor () insecure org>]

On Tue, Jun 17, 2008 at 06:07:42PM -0500, Tom Sellers wrote:
> If I understand correctly when it comes to UDP ports everything
> is pretty much considered open|filtered unless an ICMP response
> flags it as closed or a service response indicates that it is
> open.

Yeah, that is basically how it works.

> I believe that we can augment this port status detection by
> adding a SNMPv3 probe.  In my experience SNMPv3, when provided

That would be great!  Maybe it will help provide useful version
detection information as well.

> 1.  This is essentially a login attempt.  I know that the SNMPv1
>      probe tries to use"public" but I don't know if people will
>      consider this the same.

I think that is OK.  I've never heard any complaints about the current
SNMP query which, as you noted, tries the public community string.

> 2.  Would this be more appropriate as a NSE script as it could be
>      flagged as "auth" and only run when that is ok?

I think it would be better as version detection.  That is more
efficient (to write/maintain as well as to execute).  And this is a
version detection purpose.

> 3.  If using this probe is ok, what username should be used?  I
>      have been considering using either "public" or null.

Whichever one is most likely to work the best.  Unfortunately I'm not
sure what that would be.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org