Re: [SCRIPT] snmpenum.nse

[David Fifield <david () bamsoftware com>]

On Thu, Feb 25, 2010 at 09:53:18AM +0300, William wrote:
> Sorry for the delayed response. My idea was to use the script to reveal
> more info about network devices. Think about a scenario where other
> ports are filtered but snmp is not. The tcpports output would reveal
> open tcp ports, nexthop output would return the gateway for each network
> for multihomed devices.
>
> On Mon, 2010-01-18 at 12:20 -0700, David Fifield wrote:
> > On Wed, Dec 30, 2009 at 09:24:37PM +0300, William wrote:
> > > Here's a script that walks the selected subtree and prints out info
> > > discovered. If the 'subtree' argument is not specified, results from the
> > > system subtree are returned.
> > >
> > > Feedback will be appreciated.
> >
> > Can you tell us more about what the script does? I don't know much about
> > SNMP. What is this first example telling us?
> >
> > > nmap -P0 -n -sU -sC -p161 192.168.2.2 --script-args="subtree=ipaddr"
> > >
> > > PORT    STATE SERVICE
> > > 161/udp open  snmp
> > > | snmpenum:  
> > > |   1.3.6.1.2.1.4.20.1.1.10.35.60.10: 10.35.60.10
> > > |   1.3.6.1.2.1.4.20.1.1.192.168.180.9: 192.168.180.9
> > > |   1.3.6.1.2.1.4.20.1.1.192.168.2.2: 192.168.2.2
> > > |   1.3.6.1.2.1.4.20.1.1.192.168.185.246: 192.168.185.246
> > > |_  1.3.6.1.2.1.4.20.1.1.192.168.118.61: 192.168.118.61
> This is the output of walking the ip subtree (1.3.6.1.2.1.4.20.1.1) and
> reveals additional IPs configured on this particular device.
>  
> > In this example, is there any way to find out what the OID
> > 1.3.6.1.2.1.1.*.0 mean?
> >
> > > ---
> > > -- @output
> > > -- | snmpwalk:  
> > > -- |   1.3.6.1.2.1.1.1.0: D-link Corp. Access Point
> > > -- |   1.3.6.1.2.1.1.2.0: 1.3.6.1.4.1.129.43.10.37.15
> > > -- |   1.3.6.1.2.1.1.3.0: 452533
> > > -- |   1.3.6.1.2.1.1.4.0: 
> > > -- |   1.3.6.1.2.1.1.5.0: D-link Corp. Access Point
> > > -- |   1.3.6.1.2.1.1.6.0: 
> > > -- |_  1.3.6.1.2.1.1.7.0: 64
> >
> > What does the output for nexthop and tcpports look like? What do you see
> > the script being used for?
>
> I still haven't figured out the best way to print out symbolic notations
> instead of OIDs.
>
> Here the tcpports output shows that port 23 and 80 are open.
>
> nmap -n -p161 -sU -sC 192.168.2.2 --script-args="subtree=tcpports"
>
> Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-02-21 23:01 EAT
> Nmap scan report for 192.168.1.50
> Host is up (0.0044s latency).
> PORT    STATE SERVICE
> 161/udp open  snmp
> | snmpenum:  
> |   1.3.6.1.2.1.6.13.1.3.0.0.0.0.23.0.0.0.0.0: 23
> |_  1.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.0: 80

I tried the script against the SNMP service on Mac OS X, and initially I
was having trouble because the script doesn't close its sockets:

NSE: Starting snmpenum against 192.168.0.190:161.
Socket troubles: Too many open files
NSE: snmpenum against 192.168.0.190:161 threw an error!
ERROR
stack traceback:
        [C]: in function 'try'
        ./scripts/snmpenum.nse:87: in function 'snmpwalk'
        ./scripts/snmpenum.nse:118: in function <./scripts/snmpenum.nse:95>
        (tail call): ?

You should either close the socket before doing another connect, or else
do only one connect followed by repeated sends.

If I change that, then the script goes into what appears to be an
infinite loop (but it might just be very long output; I didn't wait for
it to finish). I attached the log resulting from this command, which I
killed after a few seconds:

# ./nmap -p 161 -sU --script=snmpenum 192.168.0.190 --datadir .  -d --packet-trace

-- Sends out snmp getnext requests
local function snmpwalk(host, port, oids, result)
        local status, response, payload, request, options
        options = {}
        try(socket:connect(host.ip, port.number, "udp"))
        request = snmp.buildGetNextRequest(options, oids.subtree)
        payload = snmp.encode(snmp.buildPacket(request))
        try(socket:send(payload))
        status, response = socket:receive_bytes(1)
        parse_response(response, oids, result)
end

Here, you need to check the status code from receive_bytes.

Please add @args documentation for the script argument. I want you to
make the name of the script argument less generic, so it's clear it
applies only to this script, like

        oids.subtree = oids[nmap.registry.args["snmp-enum.subtree"]

How much does this script resemble the output of the snmpwalk command?
Are the arguments similar? I'm thinking of calling this script snmp-walk
and using where we don't have a specific script like snmp-processes or
snmp-netstat.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/