Re: [NSE] Script to enumerate network interfaces

[David Fifield <david () bamsoftware com>]

On Thu, Mar 04, 2010 at 06:45:41PM -0600, Thomas Buchanan wrote:
> Hello.  Using Patrik Karlsson's excellent SNMP scripts [1] as a starting  
> point, I've put together a script that attempts to enumerate network  
> interfaces.  It's working for me now against several SNMP  
> implementations, including net-snmp, OpenBSD's new snmpd engine,  
> Microsoft Windows, and Cisco IOS.  I'd love for other folks to try it  
> and let me know if it works, and what you think of the output.  It uses  
> information from standard SNMP Management Information Bases (IF-MIB and  
> IP-MIB) which should give it a good chance of working on most network  
> devices that support the protocol.
>
> When run as a default script (without the verbose flag), it only lists  
> devices that are marked as up and ignores any software loopback  
> interfaces.  It shows only the interface description and any IP address  
> that is associated with it.  For example:
>
> 161/udp open  snmp
> | snmp-sysdescr: Powered by OpenBSD
> |_  System uptime: 0 days, 0:27:21.32 (164132 timeticks)
> | snmp-interfaces:
> |   vic0
> |_    IP address: 192.168.221.126
>
> 161/udp open  snmp
> | snmp-interfaces:
> |   eth0
> |     IP address: 192.168.221.128
> |   tun0
> |_    IP address: 192.168.129.54
>
> When the script is run with the verbose flag (or called directly) it  
> prints out information about all network interfaces, active or not, and  
> provides additional details:
>
> 161/udp open  snmp
> | snmp-interfaces:
> |   lo
> |     IP address: 127.0.0.1/255.0.0.0
> |     Type: softwareLoopback (10 Mbps)
> |     Status: up
> |     Traffic stats: 2.79 Mb sent, 2.79 Mb received
> |   eth0
> |     IP address: 192.168.221.128/255.255.255.0
> |     MAC address: 00:0c:29:01:e2:74 (VMware)
> |     Type: ethernetCsmacd (1 Gbps)
> |     Status: up
> |     Traffic stats: 883.96 Kb sent, 2.26 Mb received
> |   sit0
> |     Type: tunnel (0 Kbps)
> |     Status: down
> |     Traffic stats: 0.00 Kb sent, 0.00 Kb received
> |   tun0
> |     IP address: 192.168.129.54/255.255.255.255
> |     Type: other (0 Kbps)
> |     Status: up
> |_    Traffic stats: 114.80 Kb sent, 1.41 Mb received
>
> Obviously this can get pretty lengthy, especially when run against a  
> managed switch (or a Windows 7 system).  I'd be open to ideas as to how  
> to manage the output better, if it seems like too much.
>
> Thanks to Patrik for a great starting point, and to the developers of  
> the SNMP library that make the encoding and decoding so transparent.
>
> As always, questions and comments are encouraged.

Here's the result running against Windows XP:

PORT    STATE SERVICE
161/udp open  snmp
| snmp-interfaces:
|   MS TCP Loopback interface
|     IP address: 127.0.0.1/255.0.0.0
|     Type: softwareLoopback (10 Mbps)
|     Status: up
|     Traffic stats: 56.32 Kb sent, 56.32 Kb received
|   Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller - Packet Scheduler Miniport
|     IP address: 192.168.0.190/255.255.255.0
|     MAC address: 00:16:cb:ae:d4:ac (Apple Computer)
|     Type: ethernetCsmacd (10 Mbps)
|     Status: up
|_    Traffic stats: 14.90 Mb sent, 7.64 Mb received

My suggestion on the output: I would have non-verbose show only the up
interfaces (including loopback, to reduce confusion), and have verbose
mode show all interfaces. Non-verbose would be like "ifconfig" and
verbose would be like "ifconfig -a". I think the extra information like
MAC address and traffic stats is of interest even without verbosity. The
Status line could be omitted in non-verbose mode.

The snmp scripts are really fantastic. They make me want to add
-sU -pU:161 --script='snmp-*' even to TCP scans, there's so much
information available.

I like the script so I've already committed it.

You might make the iana_types a static table at the script level, so
that it's not reconstructed every time get_iana_type is called.

Does it work with IPv6 addresses?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/