Support per-host snmp community strings

[dmiller-nmap]

From http://seclists.org/nmap-dev/2014/q1/224:

It's been bugging me for a while how poorly the SNMP NSE library
handled community strings. Essentially, there is a single place in the
registry to store a community string, regardless of whether different
hosts have different communities. The snmp-brute script overwrites
this single place (nmap.registry.snmpcommunity) every time it finishes
a host, so the scripts that rely on it to set the community could be
using the wrong one.

The attached patch adds a Helper class to handle choosing the
community and all the socket communication. Now the discovered
communities are stored in host.registry.snmpcommunity, so each host
can be handled separately. Moving all the socket communication into
the library means this patch actually reduces the number of lines of
code in NSE.

This patch should probably be modified to use the creds library to store and retrieve these credentials. This would allow storing multiple per-service community strings (e.g. read and write both).

[G10h4ck]

Just finished rebasing the patch on top of current nmap
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122
:)

[G10h4ck]

I have ported snmp lib and snmp-brute to creds library but it seems creds are not persistent accross scripts in particular in snmp-brute, I do add discovered communities to credentials

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-brute.nse#L202

but then if for example i use snmp-interfaces.nse it use "public" as fallback community like creds storage was empty

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Any hint ?

[dmiller-nmap]

Two things are necessary:

1. snmp-interfaces and the other snmp-* scripts will need to be modified to
   pull from the creds library.
2. snmp-brute will be made a dependency for the snmp-* scripts so that they
   wait until it is finished before they run. Otherwise they will run
   concurrently and will finish before snmp-brute has populated the creds.

On Wed, Jun 10, 2015 at 6:48 AM, Gioacchino notifications@github.com
wrote:

I have ported snmp lib and snmp-brute to creds library but it seems creds
are not persistent accross scripts in particular in snmp-brute, I do add
discovered communities to credentials

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-brute.nse#L202

but then if for example i use snmp-interfaces.nse it use "public" as
fallback community like creds storage was empty

https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

Any hint ?

—
Reply to this email directly or view it on GitHub
#122 (comment).

[G10h4ck]

snmp-interfaces already depends on snmp-brute
https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/scripts/snmp-interfaces.nse#L42

Isn't it ok to use creds library directly inside Helper class in snmp.lua ?
https://gitlab.com/g10h4ck/nmap-gsoc2015/blob/hotfix/122/nselib/snmp.lua#L465

[G10h4ck]

After further investigation I can see that the community is correctly stored inside nmap.registry.creds by dumping that table to stduot,

---

dumptable(nmap.registry.creds)

---

while

---

local c = creds.Credentials:new("snmp.lua", host, port)
for comm in c:getCredentials(creds.State.VALID) do
dumptable(comm)
end

---

prints nothing

[G10h4ck]

Finally I figured out what is the problem, seems the first argument to Credentials:new(...) is not just for debug but it's some kind of name for the credential storage, so it's not a good idea to use SCRIPT_NAME, or at least in our case break stuff, and definitely break credential sharing between scripts, documentation doesn't explain this clearly

[G10h4ck]

Now it is working and ready for comment, if it is ok for you I can commit it to SVN too
https://gitlab.com/g10h4ck/nmap-gsoc2015/commits/hotfix/122