Nmap Development mailing list archives

Re: [NSE] snmp-brute port to brute framework


From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 7 Jul 2011 14:34:11 +0200

If you haven't already, I think you should try going with unconnected sockets using a higher thread count.
As far as I can tell, unconnected sockets are not restricted in simultaneous connections (--max-parallelism) the same 
way as TCP sockets are.
Good or bad, intentional or not, I don't know, but this would allow you to increase the thread count of the brute 
engine considerably, which would most likely get you better performance.

I also made a hack when doing my earlier SNMP tests that basically sent all snmp queries "up front" and then simply 
listened for a response (that contains the correct community).
This is the way the current snmp-brute works. While this worked great for small lists of communities, it would sometimes 
fail for bigger lists.
When dumping traffic on both sides I could see the query, with the correct community, getting all the way to the target 
Windows box, but no response was returned.

//Patrik

On Jul 7, 2011, at 2:01 PM, Gorjan Petrovski wrote:

Thanks for the reply Patrik, I'll heed your advice about the snmpcommunities. In fact I had read your post and I ran 
into the same issues myself. I'm currently experimenting a bit so we'll see what I come up with :-)

Cheers,
Gorjan

On Jul 7, 2011 12:08 PM, "Patrik Karlsson" <patrik () cqure net> wrote:

On Jul 6, 2011, at 9:39 PM, Gorjan Petrovski wrote:

Hi,

I'm porting the snmp-brute script to the brute framework and I found
that there are default passwords used to brute if no wordlist is
supplied. These passwords are: 'public', 'private', 'snmpd', 'snmp',
'mngt', 'cisco', 'admin'. Some of them are not present in the default
wordlist that the brute framework uses. I couldn't find posts about
the original script SNMPcommunitybrute.nse and I've no idea how the
author got hold of these passwords. Should I add them to the wordlist
or not? Maybe I should add them to be used in addition to the default
wordlist, only for the snmp-brute script when no other wordlist is
specified?

Input is appreciated :)

Thanks,
Gorjan
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


I think it's probably best to keep a separate file with snmp communities.
The ones hard coded into the current script all seem to be good candidates.
I just committed some small updates to the brute library that fix a few minor issues.

I made a (not very big) effort to port the snmp-brute script to the brute framework a while back and ran into a few 
performance issues.
http://seclists.org/nmap-dev/2011/q2/56

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77


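The approach Patrik describes above (one unconnected UDP socket, every GetRequest sent up front, then a listen loop that matches replies back to the query that produced them) as an added example written for this page; it is not code from the snmp-brute script or from the Nmap brute library. The target, port, round count and timeout are illustrative assumptions, and the response bytes used to exercise the parser are constructed locally rather than captured from a real agent. Because a UDP reply can simply be lost, the loop re-sends only the still-unanswered queries for a bounded number of rounds rather than giving up after one pass, so a single dropped reply does not hide a valid community.

```python
"""SNMPv1 community brute force, "fire all queries up front, then listen" style.

Added example for this thread, not code from Nmap or snmp-brute. Target, port,
rounds and timeout are assumptions; the reply bytes below are constructed.
"""
import select
import socket
import time

# Community strings named in the thread as the snmp-brute defaults.
DEFAULT_COMMUNITIES = ["public", "private", "snmpd", "snmp", "mngt", "cisco", "admin"]
SYS_DESCR = "1.3.6.1.2.1.1.1.0"

# --- minimal BER encode/decode, enough for SNMPv1 GetRequest/GetResponse -----

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def ber_int(value):
    # Two's complement, minimal length; the extra bit keeps room for the sign.
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, continuation bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); raise ValueError on a truncated TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

# --- SNMPv1 messages ----------------------------------------------------------

def build_get_request(community, request_id, oid=SYS_DESCR):
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                 # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = v1

def parse_response(datagram):
    """Return (community, request_id, error_status) for a GetResponse, else None."""
    try:
        tag, msg, _ = read_tlv(datagram)
        if tag != 0x30:
            return None
        _, _version, pos = read_tlv(msg)
        ctag, community, pos = read_tlv(msg, pos)
        ptag, pdu, _ = read_tlv(msg, pos)
        if ctag != 0x04 or ptag != 0xA2:                                # 0xA2 = GetResponse
            return None
        _, rid, pos = read_tlv(pdu)
        _, err, _ = read_tlv(pdu, pos)
    except ValueError:
        return None
    return (community.decode("latin-1"),
            int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True))

def constructed_response(community, request_id, sysdescr="constructed test agent"):
    """Constructed reply as a v1 agent would send it; only for offline testing."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR) + tlv(0x04, sysdescr.encode()))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

# --- the brute loop -----------------------------------------------------------

def build_batch(communities, first_id=1000):
    """One request per community, each with its own request-id, so a reply is
    credited to the query that produced it rather than to the echoed string."""
    pending = {first_id + i: c for i, c in enumerate(communities)}
    return pending, {rid: build_get_request(c, rid) for rid, c in pending.items()}

def brute_communities(target, communities=DEFAULT_COMMUNITIES, port=161, rounds=3, timeout=2.0):
    """Send everything, listen until timeout, re-send only what is unanswered."""
    pending, datagrams = build_batch(communities)
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:      # unconnected UDP
        for _ in range(rounds):
            if not pending:
                break
            for rid in list(pending):
                sock.sendto(datagrams[rid], (target, port))
            deadline = time.monotonic() + timeout
            while pending and time.monotonic() < deadline:
                ready, _, _ = select.select([sock], [], [], max(0.0, deadline - time.monotonic()))
                if not ready:
                    break
                data, _addr = sock.recvfrom(65535)
                parsed = parse_response(data)
                if parsed and parsed[1] in pending:
                    found.add(pending.pop(parsed[1]))
    return found
```

Replies are keyed on request-id rather than on the community string the agent echoes, so a reply is always credited to the query that triggered it. A v1 agent normally sends nothing back for a wrong community, so the negative signal is the absence of a reply after the last round, not an error response; a community still in `pending` at that point is simply unknown, not proven wrong.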