mirror of
https://github.com/nmap/nmap.git
synced 2025-12-15 12:19:02 +00:00
6fbc8868a9
make them look better in output. The full list of changes is anonFTP => ftp-anon ASN => asn-query brutePOP3 => pop3-brute bruteTelnet => telnet-brute daytimeTest => daytime dns-safe-recursion-port => dns-random-srcport dns-safe-recursion-txid => dns-random-txid dns-test-open-recursion => dns-recursion ftpbounce => ftp-bounce HTTPAuth => http-auth HTTP_open_proxy => http-open-proxy HTTPpasswd => http-passwd HTTPtrace => http-trace iax2Detect => iax2-version ircServerInfo => irc-info ircZombieTest => irc-zombie MSSQLm => ms-sql-info MySQLinfo => mysql-info popcapa => pop3-capabilities PPTPversion => pptp-version promiscuous => sniffer-detect RealVNC_auth_bypass => realvnc-auth-bypass robots => robots.txt showHTMLTitle => html-title showOwner => identd-owners skype_v2-version => skypev2-version smb-enumdomains => smb-enum-domains smb-enumsessions => smb-enum-sessions smb-enumshares => smb-enum-shares smb-enumusers => smb-enum-users smb-serverstats => smb-server-stats smb-systeminfo => smb-system-info SMTPcommands => smtp-commands SMTP_openrelay_test => smtp-open-relay SNMPcommunitybrute => snmp-brute SNMPsysdescr => snmp-sysdescr SQLInject => sql-injection SSH-hostkey => ssh-hostkey SSHv1-support => sshv1 SSLv2-support => sslv2 strangeSMTPport => smtp-strangeport UPnP-info => upnp-info xamppDefaultPass => xampp-default-auth zoneTrans => zone-transfer
105 lines
2.2 KiB
Lua
105 lines
2.2 KiB
Lua
description = [[
|
|
Attempts to find an SNMP community string by brute force.
|
|
]]
|
|
-- 2008-07-03
|
|
|
|
author = "Philip Pickering <pgpickering@gmail.com>"
|
|
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
|
|
categories = {"intrusive", "auth"}
|
|
|
|
require "shortport"
|
|
require "snmp"
|
|
|
|
-- runs before SNMPsysdesr.nse
|
|
runlevel = 1
|
|
|
|
portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
|
|
|
|
action = function(host, port)
|
|
|
|
if nmap.registry.snmpcommunity or nmap.registry.args.snmpcommunity then return end
|
|
|
|
-- create the socket used for our connection
|
|
local socket = nmap.new_socket()
|
|
|
|
-- set a reasonable timeout value
|
|
socket:set_timeout(5000)
|
|
|
|
-- do some exception handling / cleanup
|
|
local catch = function()
|
|
socket:close()
|
|
end
|
|
|
|
local try = nmap.new_try(catch)
|
|
|
|
-- connect to the potential SNMP system
|
|
try(socket:connect(host.ip, port.number, "udp"))
|
|
|
|
|
|
local request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0")
|
|
|
|
local commFile = nmap.fetchfile(nmap.registry.args.snmplist)
|
|
local commTable
|
|
|
|
-- fetch wordlist from file (from unpwdb-lib)
|
|
if commFile then
|
|
local file = io.open(commFile)
|
|
|
|
if file then
|
|
commTable = {}
|
|
while true do
|
|
local l = file:read()
|
|
|
|
if not l then
|
|
break
|
|
end
|
|
|
|
-- Comments takes up a whole line
|
|
if not l:match("#!comment:") then
|
|
table.insert(commTable, l)
|
|
end
|
|
end
|
|
|
|
file:close()
|
|
end
|
|
end
|
|
|
|
-- default wordlist
|
|
if (not commTable) then commTable = {'public', 'private', 'snmpd', 'snmp', 'mngt', 'cisco', 'admin'} end
|
|
|
|
-- send all possible words out before waiting for an answer
|
|
for _, commStr in ipairs(commTable) do
|
|
local payload = snmp.encode(snmp.buildPacket(request, 0, commStr))
|
|
try(socket:send(payload))
|
|
end
|
|
|
|
-- finally wait for a response
|
|
local status
|
|
local response
|
|
|
|
status, response = socket:receive_bytes(1)
|
|
|
|
if (not status) then
|
|
return
|
|
end
|
|
|
|
if (response == "TIMEOUT") then
|
|
return
|
|
end
|
|
nmap.set_port_state(host, port, "open")
|
|
|
|
local result
|
|
_, result = snmp.decode(response)
|
|
|
|
-- response contains valid community string
|
|
if type(result) == "table" then
|
|
nmap.registry.snmpcommunity = result[2]
|
|
return result[2]
|
|
end
|
|
|
|
return
|
|
end
|
|
|