Penetration Testing mailing list archives
Re: [PEN-TEST] Attacking Cisco using SNMP
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 28 Nov 2000 19:46:41 +0100
Never quite could get it to work correctly.. But anyways, here are some code snippets and packet captures to help you out.. You have to remember some of us know very little about SNMP_set and how it can be utilized to manage large enterprise networks. (biting tongue -:)

    sub snmp_raw_set {
        local($nr,$request) = @_;
        local($w1,$r2,$resp,@ret,@info);

        # $nr selects the write/read handle pair; the names built here
        # are used as symbolic filehandles below.
        $w1 = "wh10" . $nr;
        $r2 = "rh20" . $nr;
        # Send the set request, prefixed with ">".
        print $w1 ">$request\n";
        # The next line is unneeded, if uncommented will cause wrong error code to be
        # generated.
        # $resp = <$r2>;
        print $w1 "?\n";
        $resp = <$r2>; # should give return code
        if (isError($resp)) { return 0; };
        # Drop the first two characters of the response and return the rest.
        return substr($resp,2);
    }
    1;

    *Mar 1 03:41:54.875 PST: TFTP: Sending read request
    *Mar 1 03:41:54.879 PST: UDP: sent src=192.168.55.121(6608), dst=192.168.55.188 (69), length=60
    *Mar 1 03:41:54.879 PST: IP: s=192.168.55.121 (local), d=192.168.55.188 (Ethernet0), len 60, sending
    *Mar 1 03:42:01.543 PST: IP ARP: rcvd req src 192.168.55.188 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
    *Mar 1 03:42:01.567 PST: IP ARP: rcvd req src 192.168.55.188 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
    *Mar 1 03:42:01.891 PST: SNMP: Response, reqid 2, errstat 5, erridx 1
     lsystem.53.192.168.55.188 = /cisco/ironlung-config
    *Mar 1 03:42:01.919 PST: SNMP: Packet sent via UDP to 192.168.55.188
    *Mar 1 03:42:01.923 PST: UDP: sent src=192.168.55.121(161), dst=192.168.55.188(33345), length=96
    *Mar 1 03:42:01.927 PST: IP: s=192.168.55.121 (local), d=192.168.55.188 (Ethernet0), len 96, sending
    *Mar 1 03:42:01.935 PST: IP: s=192.168.55.188 (Ethernet0), d=192.168.55.121 (Ethernet0), len 112, rcvd 3
    *Mar 1 03:42:01.939 PST: ICMP: dst (192.168.55.121) port unreachable rcv from 192.168.55.188
    *Mar 1 03:42:01.943 PST: SNMP: Packet received via UDP from 192.168.55.188 on Ethernet0
    *Mar 1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
     lsystem.53.192.168.55.188 = /cisco/ironlung-configg
    *Mar 1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 192.168.55.188.
    *Mar 1 03:42:01.999 PST: SNMP: Queuing packet to 192.168.55.188
    *Mar 1 03:42:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 192.168.55.121, gentrap 6, spectrap 1
     ccmHistoryEventEntry.3.58 = 2
     ccmHistoryEventEntry.4.58 = 6
     ccmHistoryEventEntry.5.58 = 3

    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS56-L), Version 11.2(8), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1997 by cisco Systems, Inc.
    Compiled Tue 05-Aug-97 09:07 by ckralik
    Image text-base: 0x00001448, data-base: 0x00561104

    ROM: System Bootstrap, Version 4.14(9.1), SOFTWARE

    ironlung uptime is 2 weeks, 13 hours, 19 minutes
    System restarted by power-on
    System image file is "c2500-is56-l.112-8.Z", booted via flash
    Host configuration file is "/cisco/ironlung-confg", booted via tftp from 192.168.55.188

    cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
    Processor board ID 01560898, with hardware revision 00000000
    Bridging software.

Snmpset is an SNMP application that uses the SET Request to set information on a network entity. One or more fully qualified object identifiers must be given as arguments on the command line. A type and a value to set must accompany each object identifier. Each variable name is given in the format specified in variables. If the network entity has an error processing the request packet, an error packet will be returned and a message will be shown, helping to pinpoint in what way the request was malformed. If there were other variables in the request, the request will be resent without the bad variable.

    sub confActions {
        my($tftpHost, $pathName, $initHost, $comm) = @_;

        postMessages("confActions($tftpHost, $pathName, $initHost, $comm)", $LOGDBG);
        # Do nothing when the TFTP host and the router are the same machine.
        if ($tftpHost eq $initHost) {
            postMessages(">>>> tftpHost = router: $initHost <<<<",$LOGERR);
            return;
        }
        if (!openSNMP($initHost, $comm)) {
            postMessages("$initHost\:", $LOGDBS);
            # hostConfigSet: the router loads $pathName from $tftpHost.
            if ($ConfFlag == $ConfRead || $ConfFlag == $ConfLoad) {
                $v = "hostConfigSet\[$tftpHost\]=\"$pathName\"";
                $results = &snmp_set($COMMPORT, $v);
                postMessages("\tsnmp_set($COMMPORT, $v)=$results", $LOGDBS);
            }
            # writeMem: the router saves its running configuration.
            if ($ConfFlag == $ConfWrite || $ConfFlag == $ConfLoad) {
                $v = "writeMem=1";
                $results = &snmp_set($COMMPORT, $v);
                postMessages("\tsnmp_set($COMMPORT, $v)=$results", $LOGDBS);
            }
            closeSNMP();
        }
        postMessages("confActions exits", $LOGDBG);
    }

At 08:37 AM 11/29/00 +0800, David Taylor wrote:
On Tue, 28 Nov 2000, Fabio Pietrosanti (naif) wrote:
> [snip]
> Does someone ever used snmpset to upload and/or download configuration
> file from a cisco ios 12 with new system mib ?

Fabio,

I haven't had a need to do this (yet), but the Cisco v2 MIBS include quite a bit of in-line documentation on how this would be done. See the URL below for the relevant MIB...

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-CONFIG-COPY-MIB.my

Regards,
Dave Taylor
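
The following Python is an added example, not code from the post or from the tool it quotes: it scans IOS log output of the kind captured above for SNMP-triggered configuration loads, pairing the debug `Set request` on `lsystem.53.<server>` with the `%SYS-4-SNMP_HOSTCONFIGSET` syslog line that follows it in the capture. The function name `find_config_loads` and the `allowed_managers` allowlist of management stations are assumptions.

```python
import re

# Lines copied from the debug capture in the post (varbinds on continuation lines).
SAMPLE = """\
*Mar 1 03:42:01.943 PST: SNMP: Packet received via UDP from 192.168.55.188 on Ethernet0
*Mar 1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
 lsystem.53.192.168.55.188 = /cisco/ironlung-configg
*Mar 1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 192.168.55.188.
*Mar 1 03:42:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 192.168.55.121, gentrap 6, spectrap 1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RX_FROM = re.compile(r"SNMP: Packet received via UDP from " + IP)
RX_SET = re.compile(r"SNMP: Set request, reqid \d+")
# The capture renders the varbind of the set as lsystem.53.<tftp-server> = <path>.
RX_VARBIND = re.compile(r"^\s*lsystem\.53\." + IP + r"\s*=\s*(\S+)")
RX_SYSLOG = re.compile(r"%SYS-4-SNMP_HOSTCONFIGSET:.*from " + IP)

def find_config_loads(log_text, allowed_managers=frozenset()):
    """Return one dict per SNMP-triggered configuration load found in log_text."""
    findings, sender, in_set = [], None, False
    for line in log_text.splitlines():
        was_set, in_set = in_set, False
        if m := RX_FROM.search(line):
            sender = m.group(1)
        elif RX_SET.search(line):
            in_set = True  # the next line should carry the varbind
        elif was_set and (m := RX_VARBIND.match(line)):
            findings.append({"sender": sender, "tftp_server": m.group(1),
                             "path": m.group(2), "confirmed": False,
                             "authorized": sender in allowed_managers})
        elif m := RX_SYSLOG.search(line):
            # The syslog line shows the router acted on the request.
            hits = [f for f in findings
                    if f["tftp_server"] == m.group(1) and not f["confirmed"]]
            if not hits:  # SNMP debugging was off: report from syslog alone
                hits = [{"sender": None, "tftp_server": m.group(1),
                         "path": None, "authorized": False}]
                findings.extend(hits)
            for f in hits:
                f["confirmed"] = True
    return findings

if __name__ == "__main__":
    # 192.168.55.10 is a constructed management-station address.
    for finding in find_config_loads(SAMPLE, allowed_managers={"192.168.55.10"}):
        print(finding)
```

A finding with `confirmed` true and `authorized` false is the case to alert on: the router loaded a configuration at the request of a host that is not a known management station.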