Support per-host snmp community strings #122

Closed
dmiller-nmap opened this Issue May 19, 2015 · 7 comments

Comments

Projects
None yet
2 participants

From http://seclists.org/nmap-dev/2014/q1/224:

It's been bugging me for a while how poorly the SNMP NSE library
handled community strings. Essentially, there is a single place in the
registry to store a community string, regardless of whether different
hosts have different communities. The snmp-brute script overwrites
this single place (nmap.registry.snmpcommunity) every time it finishes
a host, so the scripts that rely on it to set the community could be
using the wrong one.

The attached patch adds a Helper class to handle choosing the
community and all the socket communication. Now the discovered
communities are stored in host.registry.snmpcommunity, so each host
can be handled separately. Moving all the socket communication into
the library means this patch actually reduces the number of lines of
code in NSE.

This patch should probably be modified to use the creds library to store and retrieve these credentials. This would allow storing multiple per-service community strings (e.g. read and write both).

Contributor

G10h4ck commented Jun 6, 2015

Just finished rebasing the patch on top of current nmap
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122
:)

Contributor

G10h4ck commented Jun 10, 2015

I have ported snmp lib and snmp-brute to creds library but it seems creds are not persistent accross scripts in particular in snmp-brute, I do add discovered communities to credentials

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-brute.nse#L202

but then if for example i use snmp-interfaces.nse it use "public" as fallback community like creds storage was empty

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Any hint ?

Two things are necessary:

  1. snmp-interfaces and the other snmp-* scripts will need to be modified to
    pull from the creds library.
  2. snmp-brute will be made a dependency for the snmp-* scripts so that they
    wait until it is finished before they run. Otherwise they will run
    concurrently and will finish before snmp-brute has populated the creds.

On Wed, Jun 10, 2015 at 6:48 AM, Gioacchino notifications@github.com
wrote:

I have ported snmp lib and snmp-brute to creds library but it seems creds
are not persistent accross scripts in particular in snmp-brute, I do add
discovered communities to credentials

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-brute.nse#L202

but then if for example i use snmp-interfaces.nse it use "public" as
fallback community like creds storage was empty

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Any hint ?


Reply to this email directly or view it on GitHub
#122 (comment).

Contributor

G10h4ck commented Jun 10, 2015

snmp-interfaces already depends on snmp-brute
https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-interfaces.nse#L42

Isn't it ok to use creds library directly inside Helper class in snmp.lua ?
https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Contributor

G10h4ck commented Jun 11, 2015

After further investigation I can see that the community is correctly stored inside nmap.registry.creds by dumping that table to stduot,


dumptable(nmap.registry.creds)


while


local c = creds.Credentials:new("snmp.lua", host, port)
for comm in c:getCredentials(creds.State.VALID) do
dumptable(comm)
end


prints nothing

Contributor

G10h4ck commented Jun 11, 2015

Finally I figured out what is the problem, seems the first argument to Credentials:new(...) is not just for debug but it's some kind of name for the credential storage, so it's not a good idea to use SCRIPT_NAME, or at least in our case break stuff, and definitely break credential sharing between scripts, documentation doesn't explain this clearly

Contributor

G10h4ck commented Jun 11, 2015

Now it is working and ready for comment, if it is ok for you I can commit it to SVN too
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122

nmap-bot closed this in f893f20 Jun 13, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment