Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support per-host snmp community strings #122

Closed
dmiller-nmap opened this issue May 19, 2015 · 7 comments
Closed

Support per-host snmp community strings #122

dmiller-nmap opened this issue May 19, 2015 · 7 comments

Comments

@dmiller-nmap
Copy link

From http://seclists.org/nmap-dev/2014/q1/224:

It's been bugging me for a while how poorly the SNMP NSE library
handled community strings. Essentially, there is a single place in the
registry to store a community string, regardless of whether different
hosts have different communities. The snmp-brute script overwrites
this single place (nmap.registry.snmpcommunity) every time it finishes
a host, so the scripts that rely on it to set the community could be
using the wrong one.

The attached patch adds a Helper class to handle choosing the
community and all the socket communication. Now the discovered
communities are stored in host.registry.snmpcommunity, so each host
can be handled separately. Moving all the socket communication into
the library means this patch actually reduces the number of lines of
code in NSE.

This patch should probably be modified to use the creds library to store and retrieve these credentials. This would allow storing multiple per-service community strings (e.g. read and write both).

@G10h4ck
Copy link
Contributor

G10h4ck commented Jun 6, 2015

Just finished rebasing the patch on top of current nmap
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122
:)

@G10h4ck
Copy link
Contributor

G10h4ck commented Jun 10, 2015

I have ported snmp lib and snmp-brute to creds library but it seems creds are not persistent accross scripts in particular in snmp-brute, I do add discovered communities to credentials

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-brute.nse#L202

but then if for example i use snmp-interfaces.nse it use "public" as fallback community like creds storage was empty

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Any hint ?

@dmiller-nmap
Copy link
Author

Two things are necessary:

  1. snmp-interfaces and the other snmp-* scripts will need to be modified to
    pull from the creds library.
  2. snmp-brute will be made a dependency for the snmp-* scripts so that they
    wait until it is finished before they run. Otherwise they will run
    concurrently and will finish before snmp-brute has populated the creds.

On Wed, Jun 10, 2015 at 6:48 AM, Gioacchino notifications@github.com
wrote:

I have ported snmp lib and snmp-brute to creds library but it seems creds
are not persistent accross scripts in particular in snmp-brute, I do add
discovered communities to credentials

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-brute.nse#L202

but then if for example i use snmp-interfaces.nse it use "public" as
fallback community like creds storage was empty

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Any hint ?


Reply to this email directly or view it on GitHub
#122 (comment).

@G10h4ck
Copy link
Contributor

G10h4ck commented Jun 10, 2015

snmp-interfaces already depends on snmp-brute
https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-interfaces.nse#L42

Isn't it ok to use creds library directly inside Helper class in snmp.lua ?
https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

@G10h4ck
Copy link
Contributor

G10h4ck commented Jun 11, 2015

After further investigation I can see that the community is correctly stored inside nmap.registry.creds by dumping that table to stduot,


dumptable(nmap.registry.creds)


while


local c = creds.Credentials:new("snmp.lua", host, port)
for comm in c:getCredentials(creds.State.VALID) do
dumptable(comm)
end


prints nothing

@G10h4ck
Copy link
Contributor

G10h4ck commented Jun 11, 2015

Finally I figured out what is the problem, seems the first argument to Credentials:new(...) is not just for debug but it's some kind of name for the credential storage, so it's not a good idea to use SCRIPT_NAME, or at least in our case break stuff, and definitely break credential sharing between scripts, documentation doesn't explain this clearly

@G10h4ck
Copy link
Contributor

G10h4ck commented Jun 11, 2015

Now it is working and ready for comment, if it is ok for you I can commit it to SVN too
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants