local coroutine = require "coroutine" local creds = require "creds" local io = require "io" local nmap = require "nmap" local packet = require "packet" local shortport = require "shortport" local snmp = require "snmp" local stdnse = require "stdnse" local string = require "string" local unpwdb = require "unpwdb" description = [[ Attempts to find an SNMP community string by brute force guessing. This script opens a sending socket and a sniffing pcap socket in parallel threads. The sending socket sends the SNMP probes with the community strings, while the pcap socket sniffs the network for an answer to the probes. If valid community strings are found, they are added to the creds database and reported in the output. The script takes the snmp-brute.communitiesdb argument that allows the user to define the file that contains the community strings to be used. If not defined, the default wordlist used to bruteforce the SNMP community strings is nselib/data/snmpcommunities.lst. In case this wordlist does not exist, the script falls back to nselib/data/passwords.lst No output is reported if no valid account is found. ]] -- 2008-07-03 Philip Pickering, basic version -- 2011-07-17 Gorjan Petrovski, Patrik Karlsson, optimization and creds -- accounts, rejected use of the brute library because of -- implementation using unconnected sockets. -- 2011-12-29 Patrik Karlsson - Added lport to sniff_snmp_responses to fix -- bug preventing multiple scripts from working -- properly. -- 2015-05-31 Gioacchino Mazzurco - Add IPv6 support by making the script IP -- version agnostic --- -- @usage -- nmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ] -- -- @args snmp-brute.communitiesdb The filename of a list of community strings to try. -- -- @output -- PORT STATE SERVICE -- 161/udp open snmp -- | snmp-brute: -- | dragon - Valid credentials -- |_ jordan - Valid credentials author = "Philip Pickering, Gorjan Petrovski, Patrik Karlsson, Gioacchino Mazzurco" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"intrusive", "brute"} portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"}) local communitiestable = {} local filltable = function(filename, table) if #table ~= 0 then return true end local file = io.open(filename, "r") if not file then return false end for l in file:lines() do -- Comments takes up a whole line if not l:match("#!comment:") then table[#table + 1] = l end end file:close() return true end local closure = function(table) local i = 1 return function(cmd) if cmd == "reset" then i = 1 return end local elem = table[i] if elem then i = i + 1 end return elem end end local communities_raw = function(path) if not path then return false, "Cannot find communities list" end if not filltable(path, communitiestable) then return false, "Error parsing communities list" end return true, closure(communitiestable) end local communities = function() local communities_file = stdnse.get_script_args('snmp-brute.communitiesdb') or nmap.fetchfile("nselib/data/snmpcommunities.lst") if communities_file then stdnse.debug1("Using the %s as the communities file", communities_file) local status, iterator = communities_raw(communities_file) if not status then return false, iterator end local time_limit = unpwdb.timelimit() local count_limit = 0 if stdnse.get_script_args("unpwdb.passlimit") then count_limit = tonumber(stdnse.get_script_args("unpwdb.passlimit")) end return true, unpwdb.limited_iterator(iterator, time_limit, count_limit) else stdnse.debug1("Cannot read the communities file, using the nmap username/password database instead") return unpwdb.passwords() end end local send_snmp_queries = function(socket, result, nextcommunity) local condvar = nmap.condvar(result) local request = snmp.buildGetRequest({}, "1.3.6.1.2.1.1.3.0") local payload, status, response, err local community = nextcommunity() while community do if result.status == false then --in case the sniff_snmp_responses thread was shut down condvar("signal") return end payload = snmp.encode(snmp.buildPacket(request, 0, community)) status, err = socket:send(payload) if not status then result.status = false result.msg = "Could not send SNMP probe" condvar "signal" return end community = nextcommunity() end result.sent = true condvar("signal") end local sniff_snmp_responses = function(host, port, lport, result) local condvar = nmap.condvar(result) local pcap = nmap.new_socket() pcap:set_timeout(host.times.timeout * 1000 * 3) pcap:pcap_open(host.interface, 300, false, "src host ".. host.ip .." and udp and src port 161 and dst port "..lport) local communities = creds.Credentials:new(SCRIPT_NAME, host, port) -- last_run indicated whether there will be only one more receive local last_run = false -- receive even when status=false until all the probes are sent while true do local status, plen, l2, l3, _ = pcap:pcap_receive() if status then local p = packet.Packet:new(l3,#l3) if not p:udp_parse() then --shouldn't happen result.status = false result.msg = "Wrong type of packet received" condvar "signal" return end local response = p:raw(p.udp_offset + 8, #p.buf) local res _, res = snmp.decode(response) if type(res) == "table" then communities:add(nil, res[2], creds.State.VALID) else result.status = false result.msg = "Wrong type of SNMP response received" condvar "signal" return end else if last_run then condvar "signal" return else if result.sent then last_run = true end end end end pcap:close() condvar "signal" return end action = function(host, port) local status, nextcommunity = communities() if not status then return "\n ERROR: Failed to read the communities database" end local result = {} local threads = {} local condvar = nmap.condvar(result) result.sent = false --whether the probes are sent result.msg = "" -- Error/Status msg result.status = true -- Status (is everything ok) local socket = nmap.new_socket("udp") status = socket:connect(host, port) if ( not(status) ) then return "\n ERROR: Failed to connect to server" end local status, _, lport = socket:get_info() if( not(status) ) then return "\n ERROR: Failed to retrieve local port" end local recv_co = stdnse.new_thread(sniff_snmp_responses, host, port, lport, result) local send_co = stdnse.new_thread(send_snmp_queries, socket, result, nextcommunity) local recv_dead, send_dead while true do condvar "wait" recv_dead = (coroutine.status(recv_co) == "dead") send_dead = (coroutine.status(send_co) == "dead") if recv_dead then break end end socket:close() if result.status then return creds.Credentials:new(SCRIPT_NAME, host, port):getTable() else stdnse.debug1("An error occurred: "..result.msg) end end