added SNMPcommunitybrute.nse
106
scripts/SNMPcommunitybrute.nse
Normal file
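--- a/scripts/SNMPcommunitybrute.nse
+++ b/scripts/SNMPcommunitybrute.nse
@@ -0,0 +1,106 @@
+-- SNMP community string brute force script
+-- 2008-07-03
+
+id = "SNMPv1-communitybrute"
+
+description = "Attempts to find SNMP community string by brute force"
+
+author = "Philip Pickering <pgpickering@gmail.com>"
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"intrusive", "auth"}
+
+require "shortport"
+require "snmp"
+
+-- runs before SNMPsysdesr.nse
+runlevel = 1
+
+portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
+
+action = function(host, port)
+
+if nmap.registry.snmpcommunity or nmap.registry.args.snmpcommunity then return end
+
+-- create the socket used for our connection
+local socket = nmap.new_socket()
+
+-- set a reasonable timeout value
+socket:set_timeout(5000)
+
+-- do some exception handling / cleanup
+local catch = function()
+socket:close()
+end
+
+local try = nmap.new_try(catch)
+
+-- connect to the potential SNMP system
+try(socket:connect(host.ip, port.number, "udp"))
+
+
+local request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0")
+
+local commFile = nmap.fetchfile(nmap.registry.args.snmplist)
+local commTable
+
+-- fetch wordlist from file (from unpwdb-lib)
+if commFile then
+local file = io.open(commFile)
+
+if file then
+commTable = {}
+while true do
+local l = file:read()
+
+if not l then
+break
+end
+
+-- Comments takes up a whole line
+if not l:match("#!comment:") then
+table.insert(commTable, l)
+end
+end
+
+file:close()
+end
+end
+
+-- default wordlist
+if (not commTable) then commTable = {'public', 'private', 'snmpd', 'snmp', 'mngt', 'cisco', 'admin'} end
+
+-- send all possible words out before waiting for an answer
+for _, commStr in ipairs(commTable) do
+local payload = snmp.encode(snmp.buildPacket(request, 0, commStr))
+try(socket:send(payload))
+end
+
+-- finally wait for a response
+local status
+local response
+
+status, response = socket:receive_bytes(1)
+
+if (not status) then
+return
+end
+
+if (response == "TIMEOUT") then
+return
+end
+nmap.set_port_state(host, port, "open")
+
+local result
+_, result = snmp.decode(response)
+
+-- response contains valid community string
+if type(result) == "table" then
+nmap.registry.snmpcommunity = result[2]
+return result[2]
+end
+
+return
+end
+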
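Review bot: The socket created in `action` is only closed by the `catch` handler, so every normal path — the `not status` return, the `TIMEOUT` return, the successful `return result[2]` and the final `return` — leaves it open; nothing reads the socket after `status, response = socket:receive_bytes(1)`, so adding `socket:close()` directly after that line covers all four exits. `_, result = snmp.decode(response)` assigns to `_` without `local`, creating a script-level global; `local _, result = snmp.decode(response)` in place of the separate `local result` declaration avoids that. The script arguments `snmplist` and `snmpcommunity` that it reads from `nmap.registry.args` are not documented in the header, so a `-- @args snmplist path to a community-string wordlist, one entry per line` and `-- @args snmpcommunity community string to use instead of brute forcing` pair next to `description` would tell users how to drive it. I cannot tell from here whether `nmap.fetchfile(nil)` tolerates a missing `snmplist` argument; if it raises, the default-wordlist branch is unreachable when no list is supplied.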