Re: [NSE] snmp-ios-config - Config grabber

[Vikas Singhal <vikas.programmer () gmail com>]

Thanks Patrik. Sorry for the late reply..

I have incorporated the patch you mentioned. You are right.. some IOS (may
be old ones) require the 1.3.6.1.4.1.9.9.96.1.1.1.1.*5* for Copy operation
but the newer ones can work with IP address as "string" for tftpserver on
mib .1.3.6.1.4.1.9.9.96.1.1.1.1.*16* .

I have also done some verbose error throwing e.g if the community string is
incorrect etc.

As Fred mentioned.. we need 2 more things.. 1) Spoofing your ip to bypass
the SNMP access list and 2) TFTP Server in-built (asked by David as well).

1) I tried using the nmap Spoof function using -S option, it sends the first
packet spoofed but subsequest packets are sent from the real address, any
thoughts?
2) Will leave it for future enhancement as of now!

Nonetheless, the patched and tested script is attached for more testing! :)

Regards,
Vikas Singhal


On Sat, Jan 15, 2011 at 2:46 AM, Patrik Karlsson <patrik () cqure net> wrote:

> Hi again,
>
> I followed the instructions at this page[1] and got it working using
> snmpset.
> When I analyzed the differences in packets it turned out that the
> ip-address was incorrectly specified as a string.
> According to the documentation from Cisco [2] it should be of the type
> IpAddress.
> Once I changed that I got it working. While the supplied patch is not very
> elegant it makes the changes needed.
>
> //Patrik
>
> [1]
> http://ccie20728.wordpress.com/2008/05/20/get-the-cisco-configuration-over-snmp/
> [2]
> http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.96.1.1.1.1.5&translate=Translate&submitValue=SUBMIT&submitClicked=true
>
>
>
>
> On 14 jan 2011, at 16.25, Vikas Singhal wrote:
>
> > Whats the output you are getting from the nmap? Did you create a file
> with name IP-config in the tftp directory?
> > On Fri, Jan 14, 2011 at 4:56 AM, Patrik Karlsson <patrik () cqure net>
> wrote:
> > On 13 jan 2011, at 19.59, Thomas Buchanan wrote:
> >
> > > > -----Original Message-----
> > > > From: nmap-dev-bounces () insecure org
> > > > [mailto:nmap-dev-bounces () insecure org] On Behalf Of David Fifield
> > > > Sent: Wednesday, January 12, 2011 10:21 PM
> > > > To: Vikas Singhal
> > > > Cc: nmap-dev () insecure org
> > > > Subject: Re: [NSE] snmp-ios-config - Config grabber
> > > >
> > > > On Mon, Jan 10, 2011 at 08:21:23PM -0600, Vikas Singhal wrote:
> > > > > Code cleaned up! Here you go!
> > > >
> > > > Is anyone able to test out this script? Vikas, can you post simple
> > > > instructions for starting a TFTP server and running the script to use
> > > > it? I'm attaching the script again.
> > > >
> > > > David Fifield
> > >
> > > I spent a little time this morning testing this, and here are the end
> > > results:
> > >
> > > Nmap scan report for 192.168.1.1
> > > Host is up, received arp-response (0.00045s latency).
> > > Scanned at 2011-01-13 11:26:41 CST for 5s
> > > PORT    STATE SERVICE REASON       VERSION
> > > 161/udp open  snmp    udp-response SNMPv1 server (public)
> > > |_snmp-ios-config: IOS configuration downloaded with filename
> > > 192.168.1.1-config to TFTP server 192.168.1.2
> > >
> > > As you can see, the script was ultimately successful, so here are the
> > > steps I took to get there, and a couple of comments along the way.
> > > Hopefully someone will find them useful.
> > >
> > > To start off, here are the systems that were in play.  The router
> > > (192.168.1.1) is a Cisco 1800 ISR series device, running IOS 12.4.  The
> > > TFTP server (192.168.1.2) is a CentOS 5.5 server, which is also where I
> > > ran the nmap commands shown.
> > >
> > > The Cisco box has an existing default Read-Only SNMP communnity string
> > > of 'public', so the first thing I did was run the script against it to
> > > see what results came up.  That resulted in the following script error:
> > >
> > > NSE: snmp-ios-config against 192.168.1.1:161 threw an error!
> > > ./scripts/snmp-ios-config.nse:150: variable 'status' is not declared
> > > stack traceback:
> > >        [C]: in function 'error'
> > >        ./nselib/strict.lua:69: in function <./nselib/strict.lua:60>
> > >        ./scripts/snmp-ios-config.nse:150: in function
> > > <./scripts/snmp-ios-config.nse:52>
> > >        (tail call): ?
> > >
> > > After this, I enabled a Read-Write SNMP community string on the Cisco
> > > router, by adding the following configuration line:
> > > snmp-server community SomeString RW
> > >
> > > I then enabled the TFTP server on the CentOS box by editing the
> > > /etc/xinetd.d/tftp file.  These two lines are the ones of interest, the
> > > first specifying the location to store TFTP Files, the second enabling
> > > the service:
> > >        server_args             = -s /tftpboot
> > >        disable                 = no
> > >
> > > A restart of the xinetd service followed, and I verified that the port
> > > was open and the tftp service was listening.  At this point, I ran the
> > > script again with these results:
> > >
> > > # NMAPDIR=. ./nmap -sUV -p 161 -v -d --script-trace
> > > --script=snmp-ios-config
> > > --script-args=snmpcommunity=SomeString,tftpserver=192.168.1.2
> > > 192.168.1.1
> > > <snip>
> > > Nmap scan report for 192.168.1.1
> > > Host is up, received arp-response (0.00045s latency).
> > > Scanned at 2011-01-13 11:25:45 CST for 5s
> > > PORT    STATE SERVICE REASON       VERSION
> > > 161/udp open  snmp    udp-response SNMPv1 server (public)
> > > |_snmp-ios-config: Not successful! error code: 4 (1:waiting, 2:running,
> > > 3:successful, 4:failed)
> > >
> > > At this point I had to resort to Wireshark to see what was going on.  I
> > > determined that the TFTP server was returning a file not found error to
> > > the Cisco router when it tried to push the config file over.  A little
> > > research [1] showed that on most Linux TFTP systems, by default the
> > > server will not create files.  They must already exist, and have
> > > filesystem permissions appropriately set.  After checking the network
> > > capture to determine the filename the script was attempting to use, I
> > > created it on the TFTP server and ran the script again.  It was at this
> > > point that I got the final results shown above.
> > >
> > > The script definitely works as advertised when everything is set up
> > > correctly, but for me, some additional error reporting to help track
> > > down what has gone wrong would be helpful.  However, it appears that
> > > there is not a lot of detail in the messages that IOS sends back, so
> > > that might not be possible.
> > >
> > > Let me know if you have further questions.
> > >
> > > Thanks,
> > >
> > > Thomas
> > >
> > > [1] http://goo.gl/oSz1I  (Linux Home Networking wiki)
> > > _______________________________________________
> > > Sent through the nmap-dev mailing list
> > > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > > Archived at http://seclists.org/nmap-dev/
> >
> > I tried setting this up in GNS3 according to your instructions using a
> Cisco 2600 IOS 12.3.
> > While SNMP works, I couldn't get the config using the script.
> > The router does not seem to attempt to connect to the TFTP server, the
> script fails to read the error code and breaks.
> > Any pointers would be appreciated.
> > //Patrik
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://www.twitter.com/nevdull77
>
> --
> Patrik Karlsson
> http://www.cqure.net
> http://www.twitter.com/nevdull77

Attachment: snmp-ios-config.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/