Vulnerability Development mailing list archives

Re: Quick SNMP Payload Structure Question


From: rpc <h () ckz org>
Date: Wed, 27 Feb 2002 19:51:44 -0800

On Mon, 25 Feb 2002 12:56:28 -0800
Josha Bronson <dmuz () slartibartfast angrypacket com> wrote:

Heya,


> Hey folks,
>
> Trying to work on generating arbitrary SNMP request packets, but for the
> life of me I can not figure out how the second byte of the payload data
> is calculated. I *think* that it is some sort of length signifier...  I
> think there are also other length based bytes that might need to be
> calculated elsewhere in the payload.
>
> What I am trying to do is figure out what bytes need to be modified in a
> basic payload structure so that I can drop in different communities,
> only altering the bytes necessary.

Here is what I've discovered about SNMP packets so far.
For example, a request header might look like this:
"\x30\x82\x01\x23\x02\x01\x00\x04\x82\x01\x00"community"morestuffmorestuffmorestuff

Where 'morestuff' is the actual encoded snmp request and, in this case, community is 256 bytes long.
A description of the header byte for byte:

0x30: ASN_SEQUENCE | ASN_CONSTRUCTOR
0x82: ASN_LONG_LEN  | 2 (2 bytes of data i think)
0x01,0x23 = 0x123 = packet size

0x02: ASN.1 integer
0x01: lenbyte (1 byte)
0x00: SNMPv1

0x04 ASN.1 octet string (primstring)
0x82: ASN_LONG_LEN | 2 (2 bytes)
0x01,0x00 = 0x100 = 256 bytes (my what a long community string ;)

Then the octets of the community string begin. 

The important bytes in the header are (starting with offset 0)
2, 3 = packet size
8,[9,10] = community string length

Note that ASN_LONG_LEN is only necessary if the community string is > 0xff bytes. If it's not, the sequence is
"\x04",lenbyte,community. If this is the case, note the header will be 2 bytes shorter.

asn1.c, asn1.h, snmp_api.c and snmp_auth.c from snmplib are invaluable for hacking with ASN data.

Hope this helps,
--rpc




> I've already used ethereal's excellent packet analysis, but it does not
> say what the significance is of all the packets, including the second
> byte.
>
> Any quick answers or links are greatly appreciated.
>
> --
> Josha Bronson
> dmuz () angrypacket com
> AngryPacket Security
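The byte layout rpc walks through above (outer SEQUENCE length at offsets 2-3, community length at offset 8 and, in long form, 9-10) is easy to check mechanically. The following is an added example, not code from the thread or from snmplib: a minimal BER length encoder/decoder, an SNMPv1 message builder that recomputes every length field from the community string, and a header walker that reports where the length bytes sit and refuses a packet whose community length claims more bytes than the buffer holds. The BER short-form length covers 0 through 127; anything longer uses the long form (0x81 plus one byte, 0x82 plus two bytes). The PDU, the community strings and the malformed packet below are constructed placeholders.

```python
# Added example, not code from the original thread or from snmplib.
# Minimal BER length codec, SNMPv1 message builder and header walker.

ASN_SEQUENCE = 0x30    # SEQUENCE | CONSTRUCTOR
ASN_INTEGER = 0x02
ASN_OCTET_STR = 0x04


def ber_len(n: int) -> bytes:
    """Encode a BER length field.

    Short form (one byte) covers 0..127.  Larger values use the long form:
    0x80 | k followed by k big-endian bytes, e.g. 256 -> 82 01 00.
    """
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_snmpv1(community: bytes, pdu: bytes) -> bytes:
    """SEQUENCE { INTEGER version=0 (SNMPv1), OCTET STRING community, pdu }."""
    version = ber_tlv(ASN_INTEGER, b"\x00")
    return ber_tlv(ASN_SEQUENCE, version + ber_tlv(ASN_OCTET_STR, community) + pdu)


def read_len(buf: bytes, pos: int) -> tuple:
    """Decode a BER length at buf[pos]; return (length, bytes consumed)."""
    if pos >= len(buf):
        raise ValueError("truncated before length byte")
    first = buf[pos]
    if first < 0x80:
        return first, 1
    k = first & 0x7F
    if k == 0 or k > 4 or pos + 1 + k > len(buf):
        raise ValueError("indefinite, oversized or truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + k], "big"), 1 + k


def parse_header(pkt: bytes) -> dict:
    """Walk the SNMPv1 message header up to the start of the PDU.

    Every length field is checked against the buffer, so a packet whose
    community length claims more bytes than are present raises ValueError
    instead of being trusted.
    """
    if not pkt or pkt[0] != ASN_SEQUENCE:
        raise ValueError("not a SEQUENCE")
    total, n = read_len(pkt, 1)
    if 1 + n + total != len(pkt):
        raise ValueError("outer length does not match packet size")
    pos = 1 + n
    if pkt[pos] != ASN_INTEGER:
        raise ValueError("expected version INTEGER")
    vlen, n = read_len(pkt, pos + 1)
    version = int.from_bytes(pkt[pos + 1 + n:pos + 1 + n + vlen], "big")
    pos += 1 + n + vlen
    if pos >= len(pkt) or pkt[pos] != ASN_OCTET_STR:
        raise ValueError("expected community OCTET STRING")
    clen, n = read_len(pkt, pos + 1)
    comm_off = pos + 1 + n
    if comm_off + clen > len(pkt):
        raise ValueError("community length exceeds packet")
    return {
        "total_len_offset": 1,            # where the outer length field starts
        "total_len": total,
        "version": version,
        "community_len_offset": pos + 1,  # where the community length field starts
        "community_len": clen,
        "community_offset": comm_off,
        "pdu_offset": comm_off + clen,
    }


def is_malformed(pkt: bytes) -> bool:
    """True if the header's length fields are inconsistent with the buffer."""
    try:
        parse_header(pkt)
        return False
    except ValueError:
        return True


# Constructed placeholder PDU: a 28-byte GetRequest-shaped blob (tag 0xA0,
# length 26, zero body).  It is not a valid PDU; it only reproduces the
# sizes in the thread's example (0x123 total with a 256-byte community).
PLACEHOLDER_PDU = bytes([0xA0, 26]) + bytes(26)

if __name__ == "__main__":
    for community in (b"public", b"A" * 256):
        pkt = build_snmpv1(community, PLACEHOLDER_PDU)
        print(len(community), pkt[:12].hex(" "), parse_header(pkt))
```

With a 256-byte community and the 28-byte placeholder PDU the builder reproduces the thread's header byte for byte (`30 82 01 23 02 01 00 04 82 01 00`), and `parse_header` reports the community length field at offset 8 and the community itself at offset 11; with a short community such as `public` both length fields shrink to one byte and everything after them moves up by two, which is the shift rpc's last note describes. `is_malformed` is the defensive half: a receiver that trusts the community length without comparing it to the buffer is exactly what the walker refuses to do.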
