Nmap Development mailing list archives
Re: Huawei/H3C Local User enumeration script
From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 25 Oct 2012 10:52:51 -0700
David Fifield wrote:
> On Tue, Oct 23, 2012 at 11:43:52AM -0700, Kurt Grutzmacher wrote:
>> It's attached and latest revisions can be found at
>> https://github.com/grutz/h3c-pt-tools/blob/master/nmap/snmp-hh3c-logins.nse
>
> Thanks for this script. Is this related to a recently disclosed vulnerability? If so, can you expand the description with some links to it and a description of how the enumeration works?
It is related and I'm the researcher who discovered it. I'll add the links to both the HP release and the blog post detailing the weakness. It's purely misconfigured authentication for a specific, but very critical, SNMP OID tree.
> I don't see where the script accepts a community string. You say the script needs a read-only or read-write community string; how does the user get one?
Like all the other SNMP NSEs the user would need to send it with --script-args snmpcommunity=<community>. I have added a @usage section to help for this. Based on http://nmap.org/nsedoc/lib/snmp.html this argument is accepted by the library and does not need to be configured in NSE scripts.
> It would probably be better to use structured output than stdnse.format_output for this script. Make your process_answer function return a nice semantic table with labeled fields; then just return it.
> http://nmap.org/book/nse-api.html#nse-structured-output
Sounds good except that how does one make columns in the structured output? I see some discussion but not real resolution. For now I'm just having to slap everything into an element output which makes:

<ports><port protocol="udp" portid="161">
<state state="open" reason="udp-response" reason_ttl="239"/>
<service name="snmp" method="table" conf="3"/>
<script id="snmp-hh3c-logins" output="
 users: 
 admin - h3capadmin - level: 3">
<table key="users">
<elem>admin - h3capadmin - level: 3</elem>
</table>
</script></port>
</ports>

What I'd like to see are multiple keyed elements/columns for each row.

New script attached and uploaded to github.

--
- grutz;
Attachment: snmp-hh3c-logins.nse
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
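Added example, not part of the original thread or of the script under discussion: one way to get the keyed columns per row asked about above is to give each user its own nested table with named fields. The stand-alone Lua below uses constructed rows and assumed field names (name, password, level), and its users_to_xml() only approximates how Nmap renders nested tables as <table> and <elem key="..."> XML.

```lua
-- Added example: pure Lua, runs outside Nmap. Field names and sample rows are
-- constructed; users_to_xml() approximates Nmap's XML rendering of a table.

-- Constructed sample rows (assumed fields: name, password, level).
local rows = {
  { name = "admin",    password = "example-secret", level = 3 },
  { name = "operator", password = "<cipher&text>",  level = 1 },
}

-- Column order is fixed here because plain Lua tables do not preserve key order.
local columns = { "name", "password", "level" }

-- Escape the characters that are special in XML text and attribute values.
local function xml_escape(s)
  return (tostring(s):gsub('[&<>"]', {
    ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;", ['"'] = "&quot;",
  }))
end

-- One keyed <elem> per column, wrapped in an unkeyed <table> per row.
local function row_to_xml(row, indent)
  local out = { indent .. "<table>" }
  for _, col in ipairs(columns) do
    if row[col] ~= nil then
      out[#out + 1] = string.format('%s  <elem key="%s">%s</elem>',
        indent, xml_escape(col), xml_escape(row[col]))
    end
  end
  out[#out + 1] = indent .. "</table>"
  return table.concat(out, "\n")
end

-- Wrap all rows in a table keyed "users", matching the key in the quoted output.
local function users_to_xml(list)
  local out = { '<table key="users">' }
  for _, row in ipairs(list) do
    out[#out + 1] = row_to_xml(row, "  ")
  end
  out[#out + 1] = "</table>"
  return table.concat(out, "\n")
end

print(users_to_xml(rows))
```

Inside an NSE script the nested table itself is returned from the action function and Nmap does the serialization; stdnse.output_table() keeps keys in insertion order.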