Nmap Development mailing list archives
Re: [NSE] snmp-ios-config - Config grabber
From: Vikas Singhal <vikas.programmer () gmail com>
Date: Tue, 18 Jan 2011 01:57:36 +0530
Thanks Patrik. Sorry for the late reply..

I have incorporated the patch you mentioned. You are right.. some IOS (maybe old ones) require the 1.3.6.1.4.1.9.9.96.1.1.1.1.*5* for Copy operation but the newer ones can work with IP address as "string" for tftpserver on mib .1.3.6.1.4.1.9.9.96.1.1.1.1.*16* .

I have also done some verbose error throwing, e.g. if the community string is incorrect etc.

As Fred mentioned.. we need 2 more things..
1) Spoofing your ip to bypass the SNMP access list and
2) TFTP Server in-built (asked by David as well).

1) I tried using the nmap Spoof function using -S option, it sends the first packet spoofed but subsequent packets are sent from the real address, any thoughts?
2) Will leave it for future enhancement as of now!

Nonetheless, the patched and tested script is attached for more testing! :)

Regards,
Vikas Singhal

On Sat, Jan 15, 2011 at 2:46 AM, Patrik Karlsson <patrik () cqure net> wrote:

> Hi again,
>
> I followed the instructions at this page[1] and got it working using snmpset.
> When I analyzed the differences in packets it turned out that the ip-address was incorrectly specified as a string.
> According to the documentation from Cisco [2] it should be of the type IpAddress. Once I changed that I got it working.
> While the supplied patch is not very elegant it makes the changes needed.
>
> //Patrik
>
> [1] http://ccie20728.wordpress.com/2008/05/20/get-the-cisco-configuration-over-snmp/
> [2] http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.96.1.1.1.1.5&translate=Translate&submitValue=SUBMIT&submitClicked=true
>
> On 14 jan 2011, at 16.25, Vikas Singhal wrote:
>
>> What's the output you are getting from the nmap? Did you create a file with name IP-config in the tftp directory?
>>
>> On Fri, Jan 14, 2011 at 4:56 AM, Patrik Karlsson <patrik () cqure net> wrote:
>>
>>> On 13 jan 2011, at 19.59, Thomas Buchanan wrote:
>>>
>>>> -----Original Message-----
>>>> From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of David Fifield
>>>> Sent: Wednesday, January 12, 2011 10:21 PM
>>>> To: Vikas Singhal
>>>> Cc: nmap-dev () insecure org
>>>> Subject: Re: [NSE] snmp-ios-config - Config grabber
>>>>
>>>>> On Mon, Jan 10, 2011 at 08:21:23PM -0600, Vikas Singhal wrote:
>>>>>> Code cleaned up! Here you go!
>>>>>
>>>>> Is anyone able to test out this script? Vikas, can you post simple instructions for starting a TFTP server and running the script to use it?
>>>>>
>>>>> I'm attaching the script again.
>>>>>
>>>>> David Fifield
>>>>
>>>> I spent a little time this morning testing this, and here are the end results:
>>>>
>>>> Nmap scan report for 192.168.1.1
>>>> Host is up, received arp-response (0.00045s latency).
>>>> Scanned at 2011-01-13 11:26:41 CST for 5s
>>>> PORT    STATE SERVICE REASON       VERSION
>>>> 161/udp open  snmp    udp-response SNMPv1 server (public)
>>>> |_snmp-ios-config: IOS configuration downloaded with filename 192.168.1.1-config to TFTP server 192.168.1.2
>>>>
>>>> As you can see, the script was ultimately successful, so here are the steps I took to get there, and a couple of comments along the way. Hopefully someone will find them useful.
>>>>
>>>> To start off, here are the systems that were in play. The router (192.168.1.1) is a Cisco 1800 ISR series device, running IOS 12.4. The TFTP server (192.168.1.2) is a CentOS 5.5 server, which is also where I ran the nmap commands shown.
>>>>
>>>> The Cisco box has an existing default Read-Only SNMP community string of 'public', so the first thing I did was run the script against it to see what results came up. That resulted in the following script error:
>>>>
>>>> NSE: snmp-ios-config against 192.168.1.1:161 threw an error!
>>>> ./scripts/snmp-ios-config.nse:150: variable 'status' is not declared
>>>> stack traceback:
>>>>         [C]: in function 'error'
>>>>         ./nselib/strict.lua:69: in function <./nselib/strict.lua:60>
>>>>         ./scripts/snmp-ios-config.nse:150: in function <./scripts/snmp-ios-config.nse:52>
>>>>         (tail call): ?
>>>>
>>>> After this, I enabled a Read-Write SNMP community string on the Cisco router, by adding the following configuration line:
>>>>
>>>> snmp-server community SomeString RW
>>>>
>>>> I then enabled the TFTP server on the CentOS box by editing the /etc/xinetd.d/tftp file. These two lines are the ones of interest, the first specifying the location to store TFTP Files, the second enabling the service:
>>>>
>>>> server_args = -s /tftpboot
>>>> disable = no
>>>>
>>>> A restart of the xinetd service followed, and I verified that the port was open and the tftp service was listening. At this point, I ran the script again with these results:
>>>>
>>>> # NMAPDIR=. ./nmap -sUV -p 161 -v -d --script-trace --script=snmp-ios-config --script-args=snmpcommunity=SomeString,tftpserver=192.168.1.2 192.168.1.1
>>>> <snip>
>>>> Nmap scan report for 192.168.1.1
>>>> Host is up, received arp-response (0.00045s latency).
>>>> Scanned at 2011-01-13 11:25:45 CST for 5s
>>>> PORT    STATE SERVICE REASON       VERSION
>>>> 161/udp open  snmp    udp-response SNMPv1 server (public)
>>>> |_snmp-ios-config: Not successful! error code: 4 (1:waiting, 2:running, 3:successful, 4:failed)
>>>>
>>>> At this point I had to resort to Wireshark to see what was going on. I determined that the TFTP server was returning a file not found error to the Cisco router when it tried to push the config file over. A little research [1] showed that on most Linux TFTP systems, by default the server will not create files. They must already exist, and have filesystem permissions appropriately set. After checking the network capture to determine the filename the script was attempting to use, I created it on the TFTP server and ran the script again. It was at this point that I got the final results shown above.
>>>>
>>>> The script definitely works as advertised when everything is set up correctly, but for me, some additional error reporting to help track down what has gone wrong would be helpful. However, it appears that there is not a lot of detail in the messages that IOS sends back, so that might not be possible.
>>>>
>>>> Let me know if you have further questions.
>>>>
>>>> Thanks,
>>>>
>>>> Thomas
>>>>
>>>> [1] http://goo.gl/oSz1I (Linux Home Networking wiki)
>>>> _______________________________________________
>>>> Sent through the nmap-dev mailing list
>>>> http://cgi.insecure.org/mailman/listinfo/nmap-dev
>>>> Archived at http://seclists.org/nmap-dev/
>>>
>>> I tried setting this up in GNS3 according to your instructions using a Cisco 2600 IOS 12.3.
>>> While SNMP works, I couldn't get the config using the script.
>>> The router does not seem to attempt to connect to the TFTP server, the script fails to read the error code and breaks.
>>> Any pointers would be appreciated.
>>>
>>> //Patrik
>>> --
>>> Patrik Karlsson
>>> http://www.cqure.net
>>> http://www.twitter.com/nevdull77
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://www.twitter.com/nevdull77
Attachment: snmp-ios-config.nse
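
The point Patrik raises in the quoted message (the TFTP server address was sent as a string where the device expects type IpAddress) shows up on the wire as the value tag of the varbind. As an added example that is not part of this thread or of snmp-ios-config.nse, the Python code below decodes an SNMPv1 message and reports SetRequest writes under the 1.3.6.1.4.1.9.9.96.1.1.1.1 prefix together with the value type each one carried; the sample packets, the row index 111 and all function names are constructed for illustration.

```python
PREFIX = "1.3.6.1.4.1.9.9.96.1.1.1.1."   # config-copy table columns named in the thread
TAGS = {0x02: "INTEGER", 0x04: "OCTET STRING", 0x40: "IpAddress"}
SET_REQUEST = 0xA3                        # SNMPv1 SetRequest-PDU tag

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    """Turn an encoded OBJECT IDENTIFIER body into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def config_copy_writes(packet):
    """List (oid, value_type, value) for SetRequest varbinds under PREFIX."""
    _, msg, _ = read_tlv(packet, 0)
    _, _, pos = read_tlv(msg, 0)          # version
    _, _, pos = read_tlv(msg, pos)        # community
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != SET_REQUEST:
        return []
    pos = 0
    for _ in range(3):                    # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    hits, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_body, val_pos = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, val_pos)
        oid = dec_oid(oid_body)
        if oid.startswith(PREFIX):
            hits.append((oid, TAGS.get(vtag, hex(vtag)), val))
    return hits

def tlv(tag, body):                       # sample builder, short-form length only
    return bytes([tag, len(body)]) + body

def sample_packet(value_tlv, pdu_tag=SET_REQUEST):
    """Constructed SNMPv1 message writing column 5, row 111 (row index is made up)."""
    oid = tlv(0x06, bytes([0x2B, 6, 1, 4, 1, 9, 9, 96, 1, 1, 1, 1, 5, 111]))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2
              + tlv(0x30, tlv(0x30, oid + value_tlv)))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"SomeString") + pdu)
```

Called on `sample_packet(tlv(0x40, bytes([192, 168, 1, 2])))` it reports the value as IpAddress, and on `sample_packet(tlv(0x04, b"192.168.1.2"))` as OCTET STRING, which is the difference Patrik found in his packet comparison.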