Vulnerability Development mailing list archives
Re: Quick SNMP Payload Structure Question
From: rpc <h () ckz org>
Date: Wed, 27 Feb 2002 19:51:44 -0800
On Mon, 25 Feb 2002 12:56:28 -0800 Josha Bronson <dmuz () slartibartfast angrypacket com> wrote:

Heya,

> Hey folks,
>
> Trying to work on generating arbitrary SNMP request packets, but for the life of me I can not figure out how the second byte of the payload data is calculated. I *think* that it is some sort of length signifier... I think there are also other length based bytes that might need to be calculated elsewhere in the payload. What I am trying to do is figure out what bytes need to be modified in a basic payload structure so that I can drop in different communities, only altering the bytes necessary.

Here is what I've discovered about SNMP packets so far. For example, a request header might look like this:

    "\x30\x82\x01\x23\x02\x01\x00\x04\x82\x01\x00"community"morestuffmorestuffmorestuff

Where 'morestuff' is the actual encoded snmp request and, in this case, community is 256 bytes long.

A description of the header byte for byte:

    0x30: ASN_SEQUENCE | ASN_CONSTRUCTOR
    0x82: ASN_LONG_LEN | 2 (2 bytes of data I think)
    0x01,0x23 = 0x123 = packet size
    0x02: ASN.1 integer
    0x01: lenbyte (1 byte)
    0x00: SNMPv1
    0x04: ASN.1 octet string (primstring)
    0x82: ASN_LONG_LEN | 2 (2 bytes)
    0x01,0x00 = 0x100 = 256 bytes (my what a long community string ;)

Then the octets of the community string begin.

The important bytes in the header are (starting with offset 0)

    2, 3 = packet size
    8,[9,10] = community string length

Note that ASN_LONG_LEN is only necessary if the community string is > 0xff bytes. If it's not, the sequence is "\x04",lenbyte,community. If this is the case, note the header will be 2 bytes shorter.

asn1.c, asn1.h, snmp_api.c and snmp_auth.c from snmplib are invaluable for hacking with ASN data.

Hope this helps,
--rpc

> I've already used ethereal's excellent packet analysis, but it does not say what the significance is of all the packets, including the second byte. Any quick answers or links are greatly appreciated.
>
> --
> Josha Bronson
> dmuz () angrypacket com
> AngryPacket Security
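The header layout described in the reply above, as an added example that is not part of the original thread: a Python decoder that reads the outer SEQUENCE, version and community fields in both short and long length form and rejects packets whose declared lengths disagree with the buffer. The function names and both sample packets (including the filler PDU bytes) are constructed for illustration.

```python
ASN_SEQUENCE = 0x30    # ASN_SEQUENCE | ASN_CONSTRUCTOR
ASN_INTEGER = 0x02
ASN_OCTET_STR = 0x04
ASN_LONG_LEN = 0x80


def read_tlv(buf, off, want_tag):
    """Return (value_offset, value_length) for the TLV at off, checking bounds."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % off)
    if buf[off] != want_tag:
        raise ValueError("tag 0x%02x at offset %d, expected 0x%02x"
                         % (buf[off], off, want_tag))
    first = buf[off + 1]
    off += 2
    if first & ASN_LONG_LEN:
        n = first & 0x7F               # count of length bytes that follow
        if n == 0 or n > 4:
            raise ValueError("unsupported length-of-length %d" % n)
        if off + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first                 # BER short form holds 0..0x7f
    if off + length > len(buf):
        raise ValueError("declared length %d runs past end of buffer" % length)
    return off, length


def parse_snmp_header(pkt):
    """Decode outer SEQUENCE, version INTEGER and community OCTET STRING."""
    body, size = read_tlv(pkt, 0, ASN_SEQUENCE)
    end = body + size
    voff, vlen = read_tlv(pkt, body, ASN_INTEGER)
    version = int.from_bytes(pkt[voff:voff + vlen], "big")
    coff, clen = read_tlv(pkt, voff + vlen, ASN_OCTET_STR)
    if coff + clen > end:
        raise ValueError("community overruns the outer SEQUENCE")
    return {"packet_size": size, "version": version,
            "community": pkt[coff:coff + clen], "pdu_offset": coff + clen}


# Constructed samples: the header from the post with a 256-byte community
# (28 filler PDU bytes make the total match 0x123), and a short-form packet.
LONG = b"\x30\x82\x01\x23\x02\x01\x00\x04\x82\x01\x00" + b"A" * 256 + b"\x00" * 28
SHORT = b"\x30\x0b\x02\x01\x00\x04\x06public"
```

A receiver that trusts the length bytes without the bounds checks in read_tlv is where malformed SNMP packets cause trouble, so the checks matter as much as the decoding.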
Current thread:
- Quick SNMP Payload Structure Question Josha Bronson (Feb 25)
- Re: Quick SNMP Payload Structure Question Jim Kovalchuk (Feb 27)
- Re: Quick SNMP Payload Structure Question rpc (Feb 27)