Nmap Development mailing list archives
Re: [SCRIPT] snmpenum.nse
From: David Fifield <david () bamsoftware com>
Date: Wed, 3 Mar 2010 22:24:20 -0700
On Thu, Feb 25, 2010 at 09:53:18AM +0300, William wrote:
> Sorry for the delayed response. My idea was to use the script to reveal more info about network devices. Think about a scenario where other ports are filtered but snmp is not. The tcpports output would reveal open tcp ports, nexthop output would return the gateway for each network for multihomed devices.
>
> On Mon, 2010-01-18 at 12:20 -0700, David Fifield wrote:
> > On Wed, Dec 30, 2009 at 09:24:37PM +0300, William wrote:
> > > Here's a script that walks the selected subtree and prints out info discovered. If the 'subtree' argument is not specified, results from the system subtree are returned. Feedback will be appreciated.
> >
> > Can you tell us more about what the script does? I don't know much about SNMP. What is this first example telling us?
> >
> > >     nmap -P0 -n -sU -sC -p161 192.168.2.2 --script-args="subtree=ipaddr"
> > >     PORT    STATE SERVICE
> > >     161/udp open  snmp
> > >     | snmpenum:
> > >     | 1.3.6.1.2.1.4.20.1.1.10.35.60.10: 10.35.60.10
> > >     | 1.3.6.1.2.1.4.20.1.1.192.168.180.9: 192.168.180.9
> > >     | 1.3.6.1.2.1.4.20.1.1.192.168.2.2: 192.168.2.2
> > >     | 1.3.6.1.2.1.4.20.1.1.192.168.185.246: 192.168.185.246
> > >     |_ 1.3.6.1.2.1.4.20.1.1.192.168.118.61: 192.168.118.61
>
> This is the output of walking the ip subtree (1.3.6.1.2.1.4.20.1.1) and reveals additional IPs configured on this particular device.
>
> > In this example, is there any way to find out what the OIDs 1.3.6.1.2.1.1.*.0 mean?
> >
> > >     ---
> > >     -- @output
> > >     -- | snmpwalk:
> > >     -- | 1.3.6.1.2.1.1.1.0: D-link Corp. Access Point
> > >     -- | 1.3.6.1.2.1.1.2.0: 1.3.6.1.4.1.129.43.10.37.15
> > >     -- | 1.3.6.1.2.1.1.3.0: 452533
> > >     -- | 1.3.6.1.2.1.1.4.0:
> > >     -- | 1.3.6.1.2.1.1.5.0: D-link Corp. Access Point
> > >     -- | 1.3.6.1.2.1.1.6.0:
> > >     -- |_ 1.3.6.1.2.1.1.7.0: 64
> >
> > What does the output for nexthop and tcpports look like? What do you see the script being used for?
>
> I still haven't figured out the best way to print out symbolic notations instead of OIDs. Here the tcpports output shows that port 23 and 80 are open.
>     nmap -n -p161 -sU -sC 192.168.2.2 --script-args="subtree=tcpports"
>
>     Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2010-02-21 23:01 EAT
>     Nmap scan report for 192.168.1.50
>     Host is up (0.0044s latency).
>     PORT    STATE SERVICE
>     161/udp open  snmp
>     | snmpenum:
>     | 1.3.6.1.2.1.6.13.1.3.0.0.0.0.23.0.0.0.0.0: 23
>     |_ 1.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.0: 80
I tried the script against the SNMP service on Mac OS X, and initially I was having trouble because the script doesn't close its sockets:

    NSE: Starting snmpenum against 192.168.0.190:161.
    Socket troubles: Too many open files
    NSE: snmpenum against 192.168.0.190:161 threw an error!
    ERROR stack traceback:
            [C]: in function 'try'
            ./scripts/snmpenum.nse:87: in function 'snmpwalk'
            ./scripts/snmpenum.nse:118: in function <./scripts/snmpenum.nse:95>
            (tail call): ?

You should either close the socket before doing another connect, or else do only one connect followed by repeated sends. If I change that, then the script goes into what appears to be an infinite loop (but it might just be very long output; I didn't wait for it to finish). I attached the log resulting from this command, which I killed after a few seconds:

    # ./nmap -p 161 -sU --script=snmpenum 192.168.0.190 --datadir . -d --packet-trace

    -- Sends out snmp getnext requests
    local function snmpwalk(host, port, oids, result)
      local status, response, payload, request, options
      options = {}
      try(socket:connect(host.ip, port.number, "udp"))
      request = snmp.buildGetNextRequest(options, oids.subtree)
      payload = snmp.encode(snmp.buildPacket(request))
      try(socket:send(payload))
      status, response = socket:receive_bytes(1)
      parse_response(response, oids, result)
    end

Here, you need to check the status code from receive_bytes.

Please add @args documentation for the script argument. I want you to make the name of the script argument less generic, so it's clear it applies only to this script, like

    oids.subtree = oids[nmap.registry.args["snmp-enum.subtree"]]

How much does this script resemble the output of the snmpwalk command? Are the arguments similar? I'm thinking of calling this script snmp-walk and using it where we don't have a specific script like snmp-processes or snmp-netstat.
David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
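The walk loop rewritten the way David asks for (one connect, repeated sends, every send/receive status checked, socket closed on every path, and a stop condition so a non-advancing agent cannot produce an endless walk), added here as an illustration; it is not William's script nor code posted in the thread. It assumes the NSE snmp library's fetchResponseValues returns a list of {value, oid} pairs and uses the snmp-enum.subtree argument name David proposed; the three subtree OIDs are the ones printed in the thread.

```lua
local nmap      = require "nmap"
local shortport = require "shortport"
local snmp      = require "snmp"
local stdnse    = require "stdnse"

-- Subtree names from the thread, mapped to the OIDs shown in its output.
local SUBTREES = {
  system   = "1.3.6.1.2.1.1",
  ipaddr   = "1.3.6.1.2.1.4.20.1.1",
  tcpports = "1.3.6.1.2.1.6.13.1.3",
}

portrule = shortport.portnumber(161, "udp")

-- Walk base_oid with GetNext over one already-connected UDP socket.
-- Returns true, {{oid=, value=}, ...} or false, reason.
-- Assumption: snmp.fetchResponseValues(resp) yields {value, oid} pairs.
local function snmpwalk(socket, base_oid)
  local rows, oid, prefix = {}, base_oid, base_oid .. "."
  for _ = 1, 4096 do                       -- hard cap: never walk unbounded
    local request = snmp.buildGetNextRequest({}, oid)
    local status, response = socket:send(snmp.encode(snmp.buildPacket(request)))
    if not status then return false, "send: " .. tostring(response) end
    status, response = socket:receive_bytes(1)   -- the status MUST be checked
    if not status then return false, "receive: " .. tostring(response) end
    local vals = snmp.fetchResponseValues(response)
    if not (vals and vals[1]) then return false, "unparseable response" end
    local value, next_oid = vals[1][1], vals[1][2]
    -- Left the subtree (whole-component prefix) or agent did not advance:
    -- either ends the walk; the second guard prevents an infinite loop.
    if next_oid:sub(1, #prefix) ~= prefix or next_oid == oid then break end
    rows[#rows + 1] = { oid = next_oid, value = value }
    oid = next_oid
  end
  return true, rows
end

action = function(host, port)
  local name = nmap.registry.args["snmp-enum.subtree"] or "system"
  local base = SUBTREES[name]
  if not base then return "unknown subtree: " .. name end
  local socket = nmap.new_socket()
  socket:set_timeout(5000)
  local status = socket:connect(host.ip, port.number, "udp")  -- connect once
  if not status then return nil end
  local ok, rows = snmpwalk(socket, base)
  socket:close()                                              -- always close
  if not ok then return stdnse.format_output(false, rows) end
  local out = {}
  for _, r in ipairs(rows) do out[#out + 1] = r.oid .. ": " .. tostring(r.value) end
  return stdnse.format_output(true, out)
end
```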