Nmap Development mailing list archives

RE: [NSE] snmp-ios-config - Config grabber


From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Thu, 13 Jan 2011 12:59:23 -0600

-----Original Message-----
From: nmap-dev-bounces () insecure org 
[mailto:nmap-dev-bounces () insecure org] On Behalf Of David Fifield
Sent: Wednesday, January 12, 2011 10:21 PM
To: Vikas Singhal
Cc: nmap-dev () insecure org
Subject: Re: [NSE] snmp-ios-config - Config grabber

On Mon, Jan 10, 2011 at 08:21:23PM -0600, Vikas Singhal wrote:
Code cleaned up! Here you go!

Is anyone able to test out this script? Vikas, can you post simple
instructions for starting a TFTP server and running the script to use
it? I'm attaching the script again.

David Fifield


I spent a little time this morning testing this, and here are the end
results:

Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.00045s latency).
Scanned at 2011-01-13 11:26:41 CST for 5s
PORT    STATE SERVICE REASON       VERSION
161/udp open  snmp    udp-response SNMPv1 server (public)
|_snmp-ios-config: IOS configuration downloaded with filename 192.168.1.1-config to TFTP server 192.168.1.2

As you can see, the script was ultimately successful, so here are the
steps I took to get there, and a couple of comments along the way.
Hopefully someone will find them useful.

To start off, here are the systems that were in play.  The router
(192.168.1.1) is a Cisco 1800 ISR series device, running IOS 12.4.  The
TFTP server (192.168.1.2) is a CentOS 5.5 server, which is also where I
ran the nmap commands shown.  

The Cisco box has an existing default Read-Only SNMP community string
of 'public', so the first thing I did was run the script against it to
see what results came up.  That resulted in the following script error:

NSE: snmp-ios-config against 192.168.1.1:161 threw an error!
./scripts/snmp-ios-config.nse:150: variable 'status' is not declared
stack traceback:
        [C]: in function 'error'
        ./nselib/strict.lua:69: in function <./nselib/strict.lua:60>
        ./scripts/snmp-ios-config.nse:150: in function <./scripts/snmp-ios-config.nse:52>
        (tail call): ?

After this, I enabled a Read-Write SNMP community string on the Cisco
router, by adding the following configuration line:
snmp-server community SomeString RW

I then enabled the TFTP server on the CentOS box by editing the
/etc/xinetd.d/tftp file.  These two lines are the ones of interest, the
first specifying the location to store TFTP Files, the second enabling
the service:
        server_args             = -s /tftpboot
        disable                 = no

A restart of the xinetd service followed, and I verified that the port
was open and the tftp service was listening.  At this point, I ran the
script again with these results:

# NMAPDIR=. ./nmap -sUV -p 161 -v -d --script-trace --script=snmp-ios-config --script-args=snmpcommunity=SomeString,tftpserver=192.168.1.2 192.168.1.1
<snip>
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.00045s latency).
Scanned at 2011-01-13 11:25:45 CST for 5s
PORT    STATE SERVICE REASON       VERSION
161/udp open  snmp    udp-response SNMPv1 server (public)
|_snmp-ios-config: Not successful! error code: 4 (1:waiting, 2:running, 3:successful, 4:failed)

At this point I had to resort to Wireshark to see what was going on.  I
determined that the TFTP server was returning a file not found error to
the Cisco router when it tried to push the config file over.  A little
research [1] showed that on most Linux TFTP systems, by default the
server will not create files.  They must already exist, and have
filesystem permissions appropriately set.  After checking the network
capture to determine the filename the script was attempting to use, I
created it on the TFTP server and ran the script again.  It was at this
point that I got the final results shown above.

The script definitely works as advertised when everything is set up
correctly, but for me, some additional error reporting to help track
down what has gone wrong would be helpful.  However, it appears that
there is not a lot of detail in the messages that IOS sends back, so
that might not be possible.

Let me know if you have further questions.

Thanks,

Thomas

[1] http://goo.gl/oSz1I  (Linux Home Networking wiki)
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
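
The test above only succeeded once a Read-Write community string was present on the router. The following is an added example, not part of the original message or of the Nmap project, that audits an IOS configuration for community definitions exposing that write access. The sample config, the WELL_KNOWN list and the function names are assumptions made for illustration.

```python
import re

# IOS syntax: snmp-server community <string> [view <name>] [ro|rw] [ipv6 <nacl>] [<acl>]
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.I)
WELL_KNOWN = {"public", "private"}  # assumed list of guessable defaults

def parse_community(line):
    """Parse one 'snmp-server community' line; return None for any other line."""
    m = COMMUNITY_RE.match(line)
    if not m:
        return None
    access, acl = "ro", None          # read-only when neither ro nor rw is given
    tokens = iter(m.group(2).split())
    for tok in tokens:
        if tok.lower() in ("ro", "rw"):
            access = tok.lower()
        elif tok.lower() in ("view", "ipv6"):
            next(tokens, None)        # skip the view name / IPv6 ACL name
        else:
            acl = tok                 # standard ACL number or name (IPv4 sources)
    return {"name": m.group(1), "access": access, "acl": acl}

def audit(config_text):
    """Return (line_no, community, issues) for each risky community definition."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        entry = parse_community(line)
        if entry is None:
            continue
        issues = []
        if entry["name"].lower() in WELL_KNOWN:
            issues.append("well-known string")
        if entry["access"] == "rw" and entry["acl"] is None:
            issues.append("read-write without ACL")
        if issues:
            findings.append((no, entry["name"], issues))
    return findings

# Constructed sample config, not taken from a real device.
SAMPLE = """\
hostname lab-rtr
snmp-server community public RO
snmp-server community SomeString RW
snmp-server community OpsWrite RW 10
snmp-server community monitor view ROVIEW RO 20
"""

if __name__ == "__main__":
    for no, name, issues in audit(SAMPLE):
        print(f"line {no}: community {name!r}: {', '.join(issues)}")
```
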