Adding auxiliary/scanner/snmp modules docs #11438
Release Notes: Documentation has been added for the snmp_enum, snmp_enumusers, and snmp_enumshares auxiliary scanner modules.
Thanks for the contribution @Yashvendra
Also, there are no options listed.
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/snmp.rb#L29
I would suggest adding COMMUNITY and VERSION. In each module description I'd also call out that SNMPv3 is NOT supported.
Interface [ up ] Unit: 1 Slot: 0 Port: 1 Gigabit - Level | ||
|
||
Id : 1 | ||
Mac address : 00:0f:b5:fc:bd:24 |
I would recommend sanitizing this value.
|
||
Destination Next hop Mask Metric | ||
|
||
0.0.0.0 5.1.168.192 0.0.0.0 1 |
I would recommend sanitizing the network address
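One way to apply the two sanitizing suggestions above (the MAC address and the network address) before module output is pasted into documentation. This is an added example, not part of the PR or of Metasploit; `sanitize_output`, `keep_ipv4?` and the sample text with its addresses are constructed for illustration.

```ruby
require 'ipaddr'

# Replacement prefixes from ranges reserved for documentation:
# 192.0.2.0/24 (RFC 5737) and 00:00:5e:00:53:xx (RFC 7042).
DOC_NET = '192.0.2.'
DOC_MAC = '00:00:5e:00:53:'

MAC_RE  = /\b(?:\h{2}[:-]){5}\h{2}\b/
# Dotted quad that is not part of a longer dotted number such as an OID.
IPV4_RE = /(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)/

# True for values that identify no host: 0.0.0.0 and contiguous netmasks
# such as 255.255.255.0. Anything IPAddr rejects is also left untouched.
def keep_ipv4?(text)
  inverted = ~IPAddr.new(text).to_i & 0xffffffff
  (inverted & (inverted + 1)).zero?
rescue IPAddr::InvalidAddressError
  true
end

# Replace MAC and IPv4 addresses with documentation values. The same
# original always maps to the same placeholder, so routing and ARP tables
# stay internally consistent after redaction.
def sanitize_output(text)
  macs = {}
  ips = {}
  text = text.gsub(MAC_RE) do |mac|
    macs[mac.downcase.tr('-', ':')] ||= format('%s%02x', DOC_MAC, macs.size + 1)
  end
  text = text.gsub(IPV4_RE) do |ip|
    keep_ipv4?(ip) ? ip : (ips[ip] ||= "#{DOC_NET}#{ips.size + 1}")
  end
  raise ArgumentError, 'more addresses than placeholders' if [macs.size, ips.size].max > 254
  text
end

# Constructed sample output (addresses invented for this example).
SAMPLE = <<~OUT
  Mac address : 52:54:00:12:34:56
  Destination  Next hop    Mask           Metric
  0.0.0.0      10.20.30.1  0.0.0.0        1
  10.20.30.0   10.20.30.1  255.255.255.0  0
  sysName      1.3.6.1.2.1.1.5.0
OUT

puts sanitize_output(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Addresses that happen to be valid netmasks (for example 192.0.0.0) are kept as they are, so the result still needs a read-through before it is committed.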
3. Do: ```run``` | ||
|
||
## Scenarios | ||
|
### Netgear GSM7224
Even though there is only one example here, it's good to have this so later others can add
@@ -0,0 +1,32 @@ | |||
## Description | |||
This module will simply scan a range of hosts and queries via SNMP to determine any available shares. | |||
|
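Review bot: The Description sentence mixes verb forms ("will simply scan a range of hosts and queries via SNMP"), which leaves it unclear whether scanning and querying are separate steps. Suggest a single verb, for example "This module queries a range of hosts via SNMP to determine any available shares."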
Generally I like to document how you created the vulnerability here so that others (maybe making a lab, or verifying this module works) can replicate. Most likely: https://support.microsoft.com/en-us/help/324263/how-to-configure-the-simple-network-management-protocol-snmp-service-i
4. Do: ```run``` | ||
|
||
## Scenarios | ||
|
### Windows ????
@@ -0,0 +1,32 @@ | |||
## Description | |||
This module will simply scan a range of hosts and queries via SNMP to determine any available shares. | |||
|
This module has 3 places where it checks: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enumshares.rb#L25
It would be good to put those in the docs and explain what they map to
@@ -0,0 +1,32 @@ | |||
## Description | |||
This module will simply scan a range of hosts and queries via SNMP to determine any available shares. |
I would mention it only works against Windows hosts.
@@ -0,0 +1,33 @@ | |||
## Description | |||
This module queries a range of hosts via SNMP and gathers a list of usernames on the remote system. |
I would mention this works on Windows and Sun (Solaris? @bcoles do you know if sysDescr.0 on modern solaris still says "Sun"? This module may need updating..)
@@ -0,0 +1,33 @@ | |||
## Description | |||
This module queries a range of hosts via SNMP and gathers a list of usernames on the remote system. | |||
|
There are 2 values, I would call them out and what they map to: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enumusers.rb#L36
@@ -0,0 +1,78 @@ | |||
## Description | |||
This module performs a detailed enumeration of a host or a range through SNMP protocol. It supports hardware, software, and network information. | |||
|
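Review bot: In the Description, "a host or a range through SNMP protocol" drops words a reader needs; suggest "a host or a range of hosts through the SNMP protocol". "It supports hardware, software, and network information" would also be clearer as a statement of what is collected, for example "It collects hardware, software, and network information."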
I would call out the items which are pulled by this module in a list. IE:
1.3.6.1.2.1.1.5.0 sysName
Was busy with something else, will do the necessary changes asap.
no worries! I haven't had time yet to look at the other submissions anyways.
I wondered why it just got merged without the review. Will do the necessary changes @h00die
Metasploit is a very large project filled with r7 employees (like @jrobles-r7 ), and volunteers (like myself). We all have our specialties and areas we're most familiar with, but everyone likes to help out when and wherever possible. Sometimes I merge things @bcoles points out later were not done well (or more pythonic than ruby-ic), sometimes someone merges docs that I want a few edits to. It happens, and it's all good! One of the many reasons could be that often volunteers submit things, and don't ever come back to make edits and get things up to par. When the PR in question is exclusively new docs, which won't break the framework and didn't previously exist, it's arguably better to have something than nothing. I'm also a stickler when it comes to docs. Originally docs were just to show running the module, which you've done (and therefore this PR is ok to merge). I tend to prefer more involved docs which show setup of the vuln, ways to verify with other tools, and ways to go from vuln id to exploitation if possible. Mainly, I do this because I've set up vuln labs before and having all these docs in an easy to find place makes a HUGE difference. Also it's a good place to store my own pentesting notes (when applicable) so others can benefit. For example, https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/scanner/x11/open_x11.md#social-engineering is from my personal pentesting notes, but I think adds a lot to the docs. Is it over the top and unnecessary? yes. Is it VERY time consuming to come up with docs this in depth? yes. But I argue it makes a better overall product, and when the price is right, I don't think r7 is going to argue.
Adding auxiliary/scanner/snmp/snmp_enum, auxiliary/scanner/snmp/snmp_enumusers and auxiliary/scanner/snmp/snmp_enumshares documentation.