[PEN-TEST] Fwd: Re: Attacking Cisco using SNMP

["Teicher, Mark" <mark.teicher () NETWORKICE COM>]

Oops..

Forgot this tidbit of information:

The SNMP_set command loads the MIB definitions contained in file. The MIB
file is usually located at the file system position defined by the file
argument.
There are five passes involved when processing a Set request:
1.      Each variable in the variable binding list of the received PDU is
checked to guarantee that each object is accessible and/or creatable, and
writable.
2.      The test method for each object is called to verify the object's
instance, size/range, and value.
3.      The variable binding list is parsed to construct a list of
simultaneous Set operations for groups of objects.
4.      This pass verifies that all required objects within a group have
specified or default values.
5.       It also insures that all required values meet the relational
constraints specified in the MIB.
6.      Sets are then performed on all of the individual objects that can
be reversed in case something goes wrong.
There is are limitations on what the values for 'pathName' would be. This
is the only required command line argument by the User.  The 'pathName' is
a file name with directory path. For instance, if the file contains
passwords, the read and write actions are will act as the file to update
the passwords for the routers. Likewise, if the file contains ACLs, the
router will update itself for security enforcement.

> Date: Tue, 28 Nov 2000 19:46:41 +0100
> To: Penetration Testers <PEN-TEST () securityfocus com>,
> PEN-TEST () securityfocus com
> From: mark.teicher () networkice com
> Subject: Re: Attacking Cisco using SNMP
> Cc: "Matthew.Brown () predictive com" <Matthew.Brown () predictive com>,
> joseph.knape () predictive com
>
> Never quite could get it to work correctly.. But anyways, here are some
> code snippets and packet captures to help you out..
> You have to remember some of us know very little about SNMP_set and how it
> can be utilized to manage large enterprise networks.  (biting tongue -:)
>
> sub snmp_raw_set
> {
>         local($nr,$request) = @_;
>         local($w1,$r2,$resp,@ret,@info);
>         $w1 = "wh10" . $nr;
>         $r2 = "rh20" . $nr;
>         print $w1 ">$request\n";
> # The next line is unneeded, if uncommented will cause wrong error code to be
> # generated.
> #       $resp = <$r2>;
>         print $w1 "?\n";
>         $resp = <$r2>; # should give return code
>         if (isError($resp)) { return 0; };
>         return substr($resp,2);
> }
> 1;
>
> *Mar  1 03:41:54.875 PST: TFTP: Sending  read request
> *Mar  1 03:41:54.879 PST: UDP: sent src=192.168.55.121(6608),
> dst=192.168.55.188
> (69), length=60
> *Mar  1 03:41:54.879 PST: IP: s=192.168.55.121 (local), d=192.168.55.188
> (Ethern
> et0), len 60, sending
> *Mar  1 03:42:01.543 PST: IP ARP: rcvd req src 192.168.55.188
> 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
> *Mar  1 03:42:01.567 PST: IP ARP: rcvd req src 192.168.55.188
> 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
> *Mar  1 03:42:01.891 PST: SNMP: Response, reqid 2, errstat 5, erridx 1
>  lsystem.53.192.168.55.188 = /cisco/ironlung-config
> *Mar  1 03:42:01.919 PST: SNMP: Packet sent via UDP to 192.168.55.188
> *Mar  1 03:42:01.923 PST: UDP: sent src=192.168.55.121(161),
> dst=192.168.55.188(33345), length=96
> *Mar  1 03:42:01.927 PST: IP: s=192.168.55.121 (local), d=192.168.55.188
> (Ethernet0), len 96, sending
> *Mar  1 03:42:01.935 PST: IP: s=192.168.55.188 (Ethernet0),
> d=192.168.55.121 (Ethernet0), len 112, rcvd 3
> *Mar  1 03:42:01.939 PST: ICMP: dst (192.168.55.121) port unreachable rcv
> from 192.168.55.188
> *Mar  1 03:42:01.943 PST: SNMP: Packet received via UDP from
> 192.168.55.188 on Ethernet0
> *Mar  1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
>  lsystem.53.192.168.55.188 = /cisco/ironlung-configg
> *Mar  1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet
> request.
>   Loading configuration from 192.168.55.188.
> *Mar  1 03:42:01.999 PST: SNMP: Queuing packet to 192.168.55.188
> *Mar  1 03:42:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr
> 192.168.55.121, gentrap 6, spectrap 1
>  ccmHistoryEventEntry.3.58 = 2
>  ccmHistoryEventEntry.4.58 = 6
>  ccmHistoryEventEntry.5.58 = 3
>
> Cisco Internetwork Operating System Software IOS (tm) 2500 Software
> (C2500-IS56-L), Version 11.2(8), RELEASE SOFTWARE (fc1) Copyright (c)
> 1986-1997 by cisco Systems, Inc. Compiled Tue 05-Aug-97 09:07 by ckralik
> Image text-base: 0x00001448, data-base: 0x00561104
>
> ROM: System Bootstrap, Version 4.14(9.1), SOFTWARE
>
> ironlung uptime is 2 weeks, 13 hours, 19 minutes
> System restarted by power-on
> System image file is "c2500-is56-l.112-8.Z", booted via flash
> Host configuration file is "/cisco/ironlung-confg", booted via tftp from
> 192.168.55.188
>
> cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
> Processor board ID 01560898, with hardware revision 00000000
> Bridging software.
>
> Snmpset  is  an SNMP application that uses the SET Request to set
> information on a network entity.  One or more fully qualified object
> identifiers must be given as arguments on the command line.  A type and a
> value to set  must  accompany  each object identifier.  Each variable name
> is given in the format specified in variables.
>
> If  the network entity has an error processing the request packet, an
> error packet will be  returned  and  a  message will be shown, helping to
> pinpoint in what way the request was
> malformed.  If  there  were  other  variables  in  the request,  the
> request will be resent without the bad variable.
> sub confActions
> {
>         my($tftpHost, $pathName, $initHost, $comm) = @_;
>         postMessages("confActions($tftpHost, $pathName,
>                                 $initHost, $comm)", $LOGDBG);
>         if ($tftpHost eq $initHost) {
>                 postMessages(">>>> tftpHost = router: $initHost
> <<<<",$LOGERR);
>                 return;
>
>         }
>
>         if (!openSNMP($initHost, $comm)) {
>                 postMessages("$initHost\:", $LOGDBS);
>                 if ($ConfFlag == $ConfRead ||
>                         $ConfFlag == $ConfLoad) {
>                         $v = "hostConfigSet\[$tftpHost\]=\"$pathName\"";
>                         $results = &snmp_set($COMMPORT, $v);
>                         postMessages("\tsnmp_set($COMMPORT, $v)=$results",
>                                         $LOGDBS);
>                 }
>
>                 if ($ConfFlag == $ConfWrite ||
>                 $ConfFlag == $ConfLoad) {
>                         $v = "writeMem=1";
>                         $results = &snmp_set($COMMPORT, $v);
>                         postMessages("\tsnmp_set($COMMPORT,
> $v)=$results", $LOGDBS);
>                 }
>                 closeSNMP();
>         }
>         postMessages("confActions exits", $LOGDBG);
>
> }
>
>
> At 08:37 AM 11/29/00 +0800, David Taylor wrote:
> > On Tue, 28 Nov 2000, Fabio Pietrosanti (naif) wrote:
> >
> > > [snip]
> > > Does someone ever used snmpset to upload and/or download configuration
> > > file from a cisco ios 12 with new system mib ?
> >
> > Fabio,
> >
> > I haven't had a need to do this (yet), but the Cisco v2 MIBS include quite
> > a bit of in-line documentation on how this would be done.  See the URL
> > below for the relevant MIB...
> > ftp://ftp.cisco.com/pub/mibs/v2/CISCO-CONFIG-COPY-MIB.my
> >
> > Regards,
> > Dave Taylor