RE: [NSE Script] SNMPv1 system information & uptime

["Thomas Buchanan" <TBuchanan () thecompassgrp net>]

> -----Original Message-----
> From: Brandon Enright [mailto:bmenrigh () ucsd edu] 
> Sent: Monday, June 11, 2007 3:03 PM
> To: Thomas Buchanan
> Cc: nmap-dev () insecure org; bmenrigh () ucsd edu
> Subject: Re: [NSE Script] SNMPv1 system information & uptime
>
> Thomas,
>
> The script looks great!  I'm glad someone has tackled an NSE script
> that uses SNMP.  I started to write a few NSE scripts that 
> were going to
> used NSE but gave up because of the difficulty of using ASN.1 
> encoding to
> build the packets.
>
> You wrote "-- copied from packet capture of snmpget exchange" and then
> defined the payload as a string of bytes.  This works well 
> for static OIDs
> like SNMPv2-MIB::sysDescr.0 but doesn't work for OIDs that need to be
> dynamically generated.
>
> The solution is probably to build SNMP library bindings into 
> NSE or offer
> ASN.1 bindings.  I spent several hours trying to get LuaSNMP
> (http://luasnmp.luaforge.net/) working with NSE but got in 
> over my head and
> put the project aside.
>
> I hope eventually SNMP bindings will be available *and* 
> Eddie's traceroute
> information will be exposed to NSE.  I'm picturing NSE 
> scripts that look up
> the last hope for a host (typically the router) and query the ARP/CAM
> tables for MAC address and other information.  This could be done
> efficiently and non-redundantly with creative use of the NSE Registry.
>
> Don't get me wrong, this script looks great.  I think it 
> highlights one
> current limitation of NSE though.
>
> Brandon

I totally agree with you.  This script is very static and limited in
what it can do, and would be difficult to extend.  Some other ideas I
had which would be very cumbersome to do without a binding to some kind
of SNMP library:
* trying other common community strings
* querying specific OID values based on analysis of the sysDescr
response
* detecting other IP addresses through SNMP

I was thinking of the cfgmaker script from MRTG, which walks the OID
tree of a device and generates a configuration with all the network
interfaces defined.  It would be fantastic to be able to dynamically
update the target list via a discovery script of this kind.

Here's hoping someone with more programming gumption than I've got will
take a look at this and get something going.

On a similar topic, another binding that I think would be well suited
for nmap would be some sort of interface to the OpenSSL library.  It
would be great to be able to do some inspection of SSL-wrapped ports
through the NSE system, but I'm unaware of any simple methods for doing
that at this point.

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org