Nmap Development mailing list archives

Re: Huawei/H3C Local User enumeration script


From: Kurt Grutzmacher <grutz () jingojango net>
Date: Thu, 25 Oct 2012 10:52:51 -0700


David Fifield wrote:
> On Tue, Oct 23, 2012 at 11:43:52AM -0700, Kurt Grutzmacher wrote:
>> It's attached and latest revisions can be found at
>>
>> https://github.com/grutz/h3c-pt-tools/blob/master/nmap/snmp-hh3c-logins.nse
>
> Thanks for this script. Is this related to a recently disclosed
> vulnerability? If so, can you expand the description with some links to
> it and a description of how the enumeration works?

It is related and I'm the researcher who discovered it. I'll add the
links to both the HP release and the blog post detailing the weakness.
It's purely misconfigured authentication for a specific, but very
critical, SNMP OID tree.

> I don't see where the script accepts a community string. You say the
> script needs a read-only or read-write community string; how does the
> user get one?

Like all the other SNMP NSEs the user would need to send it with
--script-args snmpcommunity=<community>. I have added a @usage section
to help for this. Based on http://nmap.org/nsedoc/lib/snmp.html this
argument is accepted by the library and does not need to be configured
in NSE scripts.

> It would probably be better to use structured output than
> stdnse.format_output for this script. Make your process_answer function
> return a nice semantic table with labeled fields; then just return it.
> http://nmap.org/book/nse-api.html#nse-structured-output

Sounds good except that how does one make columns in the structured
output? I see some discussion but not real resolution. For now I'm just
having to slap everything into an element output which makes:

<ports><port protocol="udp" portid="161"><state state="open"
reason="udp-response" reason_ttl="239"/><service name="snmp"
method="table" conf="3"/><script id="snmp-hh3c-logins" output="&#xa; 
users: &#xa;    admin - h3capadmin - level: 3"><table key="users">
<elem>admin - h3capadmin - level: 3</elem>
</table>
</script></port>
</ports>

What I'd like to see are multiple keyed elements/columns for each row.

New script attached and uploaded to github.


--
- grutz;

Attachment: snmp-hh3c-logins.nse
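
[Added example, not part of the original message and not the code of snmp-hh3c-logins.nse.] One way to get a keyed element per column is to return one nested table per row instead of one string per row. The key names username, password and level are assumptions about what the three fields in the row above mean; a real script would fill them straight from the SNMP answer rather than re-parse a formatted string.

```lua
-- Added example; runs under plain Lua as well as inside Nmap.
-- Outside Nmap the stdnse library is absent, so fall back to plain tables.
local ok, stdnse = pcall(require, "stdnse")

local function new_table()
  -- stdnse.output_table() keeps keys in insertion order in Nmap's output.
  return ok and stdnse.output_table() or {}
end

-- Split one flattened row such as "admin - h3capadmin - level: 3" into
-- labeled fields. Key names are assumptions made for this example.
local function parse_row(line)
  local user, pass, level = line:match("^(.-) %- (.-) %- level: (%d+)$")
  if not user then
    return nil
  end
  local row = new_table()
  row.username = user
  row.password = pass
  row.level = tonumber(level)
  return row
end

-- Build the value an NSE action() would return: a "users" key holding an
-- array of per-user tables. Rows that do not parse are kept as strings so
-- nothing is silently dropped from the report.
local function build_result(lines)
  local result = new_table()
  local users = {}
  for _, line in ipairs(lines) do
    users[#users + 1] = parse_row(line) or line
  end
  result.users = users
  return result
end

-- Constructed sample input: the single row shown in the XML above.
local result = build_result({ "admin - h3capadmin - level: 3" })
for _, u in ipairs(result.users) do
  print(u.username, u.password, u.level)
end
```

When action() returns a table shaped like this, Nmap writes each row as a nested <table> inside <table key="users">, with one <elem key="..."> per field.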

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
