Adding auxiliary/scanner/snmp modules docs #11438
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| ## Description | ||
| This module performs a detailed enumeration of a host or a range through SNMP protocol. It supports hardware, software, and network information. | ||
|
|
||
| ## Verification Steps | ||
|
|
||
| 1. Do: ```use auxiliary/scanner/snmp/snmp_enum``` | ||
| 2. Do: ```set RHOSTS [IP]``` | ||
| 3. Do: ```run``` | ||
|
|
||
| ## Scenarios | ||
|
|
||
|
There was a problem hiding this comment.
Even though there is only one example here, its good to have this so later others can add |
||
| ``` | ||
| msf > use auxiliary/scanner/snmp/snmp_enum | ||
| msf auxiliary(auxiliary/scanner/snmp/snmp_enum) > set RHOSTS 1.1.1.2 | ||
| RHOSTS => 1.1.1.2 | ||
| msf auxiliary(auxiliary/scanner/snmp/snmp_enum) > run | ||
|
|
||
| [*] System information | ||
|
|
||
| Hostname : Netgear-GSM7224 | ||
| Description : GSM7224 L2 Managed Gigabit Switch | ||
| Contact : dookie | ||
| Location : Basement | ||
| Uptime snmp : 56 days, 00:36:28.00 | ||
| Uptime system : - | ||
| System date : - | ||
|
|
||
| [*] Network information | ||
|
|
||
| IP forwarding enabled : no | ||
| Default TTL : 64 | ||
| TCP segments received : 20782 | ||
| TCP segments sent : 9973 | ||
| TCP segments retrans. : 9973 | ||
| Input datagrams : 4052407 | ||
| Delivered datagrams : 1155615 | ||
| Output datagrams : 18261 | ||
|
|
||
| [*] Network interfaces | ||
|
|
||
| Interface [ up ] Unit: 1 Slot: 0 Port: 1 Gigabit - Level | ||
|
|
||
| Id : 1 | ||
| Mac address : 00:0f:b5:fc:bd:24 | ||
|
There was a problem hiding this comment. i would recommend sanitizing this value. |
||
| Type : ethernet-csmacd | ||
| Speed : 1000 Mbps | ||
| Mtu : 1500 | ||
| In octets : 3716564861 | ||
| Out octets : 675201778 | ||
| ...snip... | ||
| [*] Routing information | ||
|
|
||
| Destination Next hop Mask Metric | ||
|
|
||
| 0.0.0.0 5.1.168.192 0.0.0.0 1 | ||
|
There was a problem hiding this comment. I would recommend sanitizing the network address |
||
| 1.0.0.127 1.0.0.127 255.255.255.255 0 | ||
|
|
||
| [*] TCP connections and listening ports | ||
|
|
||
| Local address Local port Remote address Remote port State | ||
|
|
||
| 0.0.0.0 23 0.0.0.0 0 listen | ||
| 0.0.0.0 80 0.0.0.0 0 listen | ||
| 0.0.0.0 4242 0.0.0.0 0 listen | ||
| 1.0.0.127 2222 0.0.0.0 0 listen | ||
|
|
||
| [*] Listening UDP ports | ||
|
|
||
| Local address Local port | ||
|
|
||
| 0.0.0.0 0 | ||
| 0.0.0.0 161 | ||
| 0.0.0.0 514 | ||
|
|
||
| [*] Scanned 1 of 1 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(auxiliary/scanner/snmp/snmp_enum) > | ||
| ``` | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| ## Description | ||
| This module will simply scan a range of hosts and queries via SNMP to determine any available shares. | ||
|
There was a problem hiding this comment. I would mention it only works against Windows hosts. |
||
|
|
||
|
There was a problem hiding this comment. Generally I like to document how you created the vulnerability here so that others (maybe making a lab, or verifying this module works) can replicate. Most likely: https://support.microsoft.com/en-us/help/324263/how-to-configure-the-simple-network-management-protocol-snmp-service-i There was a problem hiding this comment. This module has 3 places where it checks: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enumshares.rb#L25 |
||
| ## Verification Steps | ||
|
|
||
| 1. Do: ```use auxiliary/scanner/snmp/snmp_enumshares``` | ||
| 2. Do: ```set RHOSTS [IP]``` | ||
| 3. Do: ```set THREADS [number of threads]``` | ||
| 4. Do: ```run``` | ||
|
|
||
| ## Scenarios | ||
|
|
||
|
|
||
| ``` | ||
| msf > use auxiliary/scanner/snmp/snmp_enumshares | ||
| msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 1.1.1.200-211 | ||
| RHOSTS => 1.1.1.200-211 | ||
| msf auxiliary(scanner/snmp/snmp_enumshares) > set THREADS 11 | ||
| THREADS => 11 | ||
| msf auxiliary(scanner/snmp/snmp_enumshares) > run | ||
|
|
||
| [+] 1.1.1.201 | ||
| shared_docs - (C:\Documents and Settings\Administrator\Desktop\shared_docs) | ||
| [*] Scanned 02 of 11 hosts (018% complete) | ||
| [*] Scanned 03 of 11 hosts (027% complete) | ||
| [*] Scanned 05 of 11 hosts (045% complete) | ||
| [*] Scanned 07 of 11 hosts (063% complete) | ||
| [*] Scanned 09 of 11 hosts (081% complete) | ||
| [*] Scanned 11 of 11 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(scanner/snmp/snmp_enumshares) > | ||
| ``` | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| ## Description | ||
| This module queries a range of hosts via SNMP and gathers a list of usernames on the remote system. | ||
|
There was a problem hiding this comment. I would mention this works on Windows and Sun (Solaris? @bcoles do you know if |
||
|
|
||
|
There was a problem hiding this comment. Same as above, did you just install the default snmp on windows, was there other things needed to get this to be vulnerable? There was a problem hiding this comment. There are 2 values, I would call them out and what they map to: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/snmp/snmp_enumusers.rb#L36 |
||
| ## Verification Steps | ||
|
|
||
| 1. Do: ```use auxiliary/scanner/snmp/snmp_enumusers``` | ||
| 2. Do: ```set RHOSTS [IP]``` | ||
| 3. Do: ```set THREADS [NUMBER OF THREADS]``` | ||
| 4. Do: ```run``` | ||
|
|
||
| ## Scenarios | ||
|
|
||
|
|
||
| ``` | ||
| msf > use auxiliary/scanner/snmp/snmp_enumusers | ||
| msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 1.1.1.200-211 | ||
| RHOSTS => 1.1.1.200-211 | ||
| msf auxiliary(scanner/snmp/snmp_enumusers) > set THREADS 11 | ||
| THREADS => 11 | ||
| msf auxiliary(scanner/snmp/snmp_enumusers) > run | ||
|
|
||
| [+] 1.1.1.201 Found Users: ASPNET, Administrator, Guest, HelpAssistant, SUPPORT_388945a0, victim | ||
| [*] Scanned 02 of 12 hosts (016% complete) | ||
| [*] Scanned 05 of 12 hosts (041% complete) | ||
| [*] Scanned 06 of 12 hosts (050% complete) | ||
| [*] Scanned 07 of 12 hosts (058% complete) | ||
| [*] Scanned 08 of 12 hosts (066% complete) | ||
| [*] Scanned 09 of 12 hosts (075% complete) | ||
| [*] Scanned 11 of 12 hosts (091% complete) | ||
| [*] Scanned 12 of 12 hosts (100% complete) | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(scanner/snmp/snmp_enumusers) > | ||
| ``` | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would call out the items which are pulled by this module in a list. IE:
1.3.6.1.2.1.1.5.0sysNameThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was busy with something else, wiill do the necessary changes asap.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no worries! I haven't had time yet to look at the other submissions anyways.