Nmap Development mailing list archives
RE: [NSE] snmp-ios-config - Config grabber
From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Thu, 13 Jan 2011 12:59:23 -0600
-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of David Fifield
Sent: Wednesday, January 12, 2011 10:21 PM
To: Vikas Singhal
Cc: nmap-dev () insecure org
Subject: Re: [NSE] snmp-ios-config - Config grabber

On Mon, Jan 10, 2011 at 08:21:23PM -0600, Vikas Singhal wrote:
> Code cleaned up! Here you go!

Is anyone able to test out this script? Vikas, can you post simple instructions for starting a TFTP server and running the script to use it? I'm attaching the script again.

David Fifield
I spent a little time this morning testing this, and here are the end results:

    Nmap scan report for 192.168.1.1
    Host is up, received arp-response (0.00045s latency).
    Scanned at 2011-01-13 11:26:41 CST for 5s
    PORT    STATE SERVICE REASON       VERSION
    161/udp open  snmp    udp-response SNMPv1 server (public)
    |_snmp-ios-config: IOS configuration downloaded with filename 192.168.1.1-config to TFTP server 192.168.1.2

As you can see, the script was ultimately successful, so here are the steps I took to get there, and a couple of comments along the way. Hopefully someone will find them useful.

To start off, here are the systems that were in play. The router (192.168.1.1) is a Cisco 1800 ISR series device, running IOS 12.4. The TFTP server (192.168.1.2) is a CentOS 5.5 server, which is also where I ran the nmap commands shown.

The Cisco box has an existing default Read-Only SNMP community string of 'public', so the first thing I did was run the script against it to see what results came up. That resulted in the following script error:

    NSE: snmp-ios-config against 192.168.1.1:161 threw an error!
    ./scripts/snmp-ios-config.nse:150: variable 'status' is not declared
    stack traceback:
            [C]: in function 'error'
            ./nselib/strict.lua:69: in function <./nselib/strict.lua:60>
            ./scripts/snmp-ios-config.nse:150: in function <./scripts/snmp-ios-config.nse:52>
            (tail call): ?

After this, I enabled a Read-Write SNMP community string on the Cisco router, by adding the following configuration line:

    snmp-server community SomeString RW

I then enabled the TFTP server on the CentOS box by editing the /etc/xinetd.d/tftp file. These two lines are the ones of interest, the first specifying the location to store TFTP Files, the second enabling the service:

    server_args = -s /tftpboot
    disable = no

A restart of the xinetd service followed, and I verified that the port was open and the tftp service was listening. At this point, I ran the script again with these results:

    # NMAPDIR=. ./nmap -sUV -p 161 -v -d --script-trace --script=snmp-ios-config --script-args=snmpcommunity=SomeString,tftpserver=192.168.1.2 192.168.1.1
    <snip>
    Nmap scan report for 192.168.1.1
    Host is up, received arp-response (0.00045s latency).
    Scanned at 2011-01-13 11:25:45 CST for 5s
    PORT    STATE SERVICE REASON       VERSION
    161/udp open  snmp    udp-response SNMPv1 server (public)
    |_snmp-ios-config: Not successful! error code: 4 (1:waiting, 2:running, 3:successful, 4:failed)

At this point I had to resort to Wireshark to see what was going on. I determined that the TFTP server was returning a file not found error to the Cisco router when it tried to push the config file over. A little research [1] showed that on most Linux TFTP systems, by default the server will not create files. They must already exist, and have filesystem permissions appropriately set. After checking the network capture to determine the filename the script was attempting to use, I created it on the TFTP server and ran the script again. It was at this point that I got the final results shown above.

The script definitely works as advertised when everything is set up correctly, but for me, some additional error reporting to help track down what has gone wrong would be helpful. However, it appears that there is not a lot of detail in the messages that IOS sends back, so that might not be possible.

Let me know if you have further questions.

Thanks,
Thomas

[1] http://goo.gl/oSz1I (Linux Home Networking wiki)

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
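The "file not found" failure described in the message above can be diagnosed on the TFTP server itself, without a packet capture. The following is an added example, not part of the original message or of Nmap: `tftp_upload_check` is a hypothetical helper, and it assumes tftp-hpa's in.tftpd (`-s DIR` to serve a directory, `-c` to allow file creation, existing upload targets must be world-writable).

```sh
#!/bin/sh
# Added example: explain, from the xinetd service file alone, whether a TFTP
# upload of NAME would be accepted. Assumes tftp-hpa's in.tftpd option names.

tftp_upload_check() {   # usage: tftp_upload_check XINETD_FILE NAME
    conf=$1 name=$2 root='' create=no
    if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "FAIL: service disabled in $conf"; return 1
    fi
    args=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$conf")
    set -- $args                      # split server_args into words
    while [ $# -gt 0 ]; do
        case $1 in
            -c) create=yes ;;         # new files may be created
            -u|-U|-a|-m|-t|-T|-B|-R|-r) [ $# -gt 1 ] && shift ;;  # skip the option's value
            -*) ;;                    # -s and other flags without a value
            *)  root=$1 ;;            # directory served (chroot with -s)
        esac
        shift
    done
    [ -n "$root" ] || { echo "FAIL: no directory in server_args"; return 1; }
    path=$root/$name
    if [ ! -e "$path" ]; then
        [ "$create" = yes ] && { echo "OK: $path will be created (-c)"; return 0; }
        echo "FAIL: $path does not exist and -c is not set (file not found)"
        return 1
    fi
    # Existing files must be writable by "other": 9th character of the mode.
    case $(ls -ld "$path") in
        ????????w*) echo "OK: $path exists and is world-writable"; return 0 ;;
        *) echo "FAIL: $path exists but is not world-writable"; return 1 ;;
    esac
}

# Constructed demo mirroring the thread: -s DIR, no -c, target file missing.
demo=$(mktemp -d)
printf 'service tftp\n{\n\tserver_args = -s %s\n\tdisable = no\n}\n' "$demo" > "$demo/tftp"
tftp_upload_check "$demo/tftp" 192.168.1.1-config || true
touch "$demo/192.168.1.1-config" && chmod 666 "$demo/192.168.1.1-config"
tftp_upload_check "$demo/tftp" 192.168.1.1-config
rm -rf "$demo"
```

On a real server the first argument would be /etc/xinetd.d/tftp and the second the filename seen in the capture.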