snmp-ios-config --script-args not working #862

Closed
rikosintie opened this Issue Apr 21, 2017 · 1 comment


Hello, I am so sorry, I closed the issue earlier today before I tested. I reinstalled Nmap 7.40 on a Windows 7 machine. I verified that the snmp-ios-config.nse had:

-- @Usage
-- nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=

and re-ran. I had the same issue where it is passing public when I put private in as the argument. I hope I'm not overlooking a simple step and wasting your time. Below is a debug.

C:\Users\mhubbard>nmap -ddd -sU -p 161 --script snmp-ios-config --script-args creds.snmp=YHSRW 10.140.128.233
Trying to initialize Windows pcap engine
npcap service is already running.
Winpcap present, dynamic linked to: Npcap version 0.10 r9, based on libpcap version 1.9.0-PRE-GIT

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-21 15:31 Pacific Daylight Time
Fetchfile found C:\Program Files (x86)\Nmap/nmap-services
Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0

NSE: Using Lua 5.3.
Fetchfile found C:\Program Files (x86)\Nmap/nse_main.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/lpeg-utility.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/stdnse.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/strict.lua
Fetchfile found C:\Program Files (x86)\Nmap/scripts\script.db
NSE: Arguments from CLI: creds.snmp=YHSRW
NSE: Arguments parsed: creds.snmp=YHSRW
NSE: {
["creds.snmp"] = "YHSRW",
}
Fetchfile found C:\Program Files (x86)\Nmap/scripts\snmp-ios-config.nse
NSE: Script snmp-ios-config.nse was selected by name.
Fetchfile found C:\Program Files (x86)\Nmap/nselib/shortport.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/snmp.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/asn1.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/bin.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/bit.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/creds.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/ipOps.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/unittest.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/nsedebug.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/listop.lua
Fetchfile found C:\Program Files (x86)\Nmap/nselib/tftp.lua
NSE: Loaded 1 scripts for scanning.
NSE: Loaded 'C:\Program Files (x86)\Nmap/scripts\snmp-ios-config.nse'.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:31
Completed NSE at 15:31, 0.00s elapsed
Fetchfile found C:\Program Files (x86)\Nmap/nmap-payloads
Initiating Ping Scan at 15:31
Scanning 10.140.128.233 [4 ports]
Packet capture filter (device eth3): dst host 10.140.129.153 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.140.128.233)))
SENT (2.5950s) ICMP [10.140.129.153 > 10.140.128.233 Echo request (type=8/code=0) id=61757 seq=0] IP [ver=4 ihl=5 tos=0x00 iplen=28 id=12669
foff=0 ttl=43 proto=1 csum=0x46ca]
TIMING STATS (2.5950s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/r
ttvar/
Groupstats (1/1 incomplete): 1/////* 10.00/75/* 1000000/-1/-1
Current sending rates: 0.97 packets / s, 27.18 bytes / s.
Overall sending rates: 0.97 packets / s, 27.18 bytes / s.
RCVD (2.5950s) ICMP [10.140.128.233 > 10.140.129.153 Echo reply (type=0/code=0) id=61757 seq=0] IP [ver=4 ihl=5 tos=0x00 iplen=28 id=12669 f
off=0 ttl=254 proto=1 csum=0x73c9]
Found 10.140.128.233 in incomplete hosts list.
We got a ping packet back from 10.140.128.233: id = 15857 seq = 0 checksum = 49678
ultrascan_host_probe_update called for machine 10.140.128.233 state UNKNOWN -> HOST_UP (trynum 0 time: 0)
Changing ping technique for 10.140.128.233 to icmp type 8 code 0
Moving 10.140.128.233 to completed hosts list with 0 outstanding probes.
Changing global ping host to 10.140.128.233.
Completed Ping Scan at 15:31, 1.03s elapsed (1 total hosts)
Overall sending rates: 0.97 packets / s, 27.18 bytes / s.
pcap stats: 2 packets received by filter, 0 dropped by kernel.
mass_rdns: Using DNS server 10.140.7.243
mass_rdns: Using DNS server 10.140.46.63
Interface {01FF2EBA-5E7E-4665-89D2-E17E9BC6FB3F} is not known; ignoring its nameservers.
Interface {07C02759-18EC-4720-9CBD-DCB1E8C75973} is not known; ignoring its nameservers.
Interface {0E251438-C08A-4964-81E0-D58B5C714F5B} is not known; ignoring its nameservers.
Interface {174AF541-18BC-4596-A0C3-C4F937C20CAB} is not known; ignoring its nameservers.
Interface {2BC82352-7490-4236-A6BA-98FD3788C977} is not known; ignoring its nameservers.
Interface {2DAD3394-378B-432F-AEB7-2FC8B8FF3A3C} is not known; ignoring its nameservers.
Interface {333FE060-3B67-4223-8051-FA70E9A7E9F9} is not known; ignoring its nameservers.
Interface {43876E09-EB2D-4904-A347-E07288904489} is not known; ignoring its nameservers.
Interface {47D4E091-13A5-460A-B90F-D6ADA603DEAE} is not known; ignoring its nameservers.
Interface {498344E7-A939-47EF-9FA5-699F688720DF} is not known; ignoring its nameservers.
Interface {5566A75F-36CE-4B42-9B14-5FDC61E57A75} is not known; ignoring its nameservers.
Interface {5656E129-E42E-4F9A-B6BC-E30A240762E1} is not known; ignoring its nameservers.
Interface {616B1B79-8D64-47CA-ADFB-9409A26DA647} is not known; ignoring its nameservers.
Interface {65DDB909-F1E8-449B-8794-C8F8CE0A32B9} is not known; ignoring its nameservers.
Interface {6D4F251F-23D6-4A3F-950D-C7CB32F546BA} is not known; ignoring its nameservers.
Interface {6E6174A5-B75C-411A-849A-386EFA5B90A7} is not known; ignoring its nameservers.
Interface {73CEBE99-DB24-4920-8A98-267E0318B5F8} is not known; ignoring its nameservers.
Interface {846ee342-7039-11de-9d20-806e6f6e6963} is not known; ignoring its nameservers.
Interface {90662669-CE8C-4AB2-9984-62CC3F2B3CDB} is not known; ignoring its nameservers.
Interface {93973878-C8B7-457F-A50E-C409B7B10B20} is not known; ignoring its nameservers.
Interface {981A5DA6-50C6-4614-BB37-C97F7F4553B4} is not known; ignoring its nameservers.
Interface {99346B60-C498-42CD-8BFB-9F78D1C291F6} is not known; ignoring its nameservers.
Interface {9ED42C74-FAE1-4F6B-9F10-6FBD62E3C2F9} is not known; ignoring its nameservers.
Interface {AF655E59-9D1C-4FF6-B0C1-05C429C14E9B} is not known; ignoring its nameservers.
mass_rdns: Using DNS server 10.140.7.243
mass_rdns: Using DNS server 10.140.46.63
Interface {BDBC760E-5D32-4A5B-9D6C-849F02DEABE2} is not known; ignoring its nameservers.
Interface {C644787D-B678-43ED-9364-CEF33909E850} is not known; ignoring its nameservers.
Interface {D8739B14-75B3-4E0A-9B01-A66359405182} is not known; ignoring its nameservers.
Interface {DDF5E6A9-5F8F-40DD-8294-1CE0296C9F5E} is not known; ignoring its nameservers.
Interface {E4AA53D5-612E-462F-9743-595DCA09C1B7} is not known; ignoring its nameservers.
Interface {E5C4A52C-3DB4-4FCD-B0FC-B45816CEE53B} is not known; ignoring its nameservers.
Interface {F480E405-9412-49CC-83A2-6EE25E4224B8} is not known; ignoring its nameservers.
Interface {FA189ECA-EADE-42A4-9177-AB5E3D91ABFB} is not known; ignoring its nameservers.
NSOCK INFO [7.1920s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [7.1920s] nsock_connect_udp(): UDP connection requested to 10.140.46.63:53 (IOD #1) EID 8
NSOCK INFO [7.1920s] nsock_read(): Read request from IOD #1 [10.140.46.63:53] (timeout: -1ms) EID 18
NSOCK INFO [7.1920s] nsock_iod_new2(): nsock_iod_new (IOD #2)
NSOCK INFO [7.1920s] nsock_connect_udp(): UDP connection requested to 10.140.7.243:53 (IOD #2) EID 24
NSOCK INFO [7.1920s] nsock_read(): Read request from IOD #2 [10.140.7.243:53] (timeout: -1ms) EID 34
NSOCK INFO [7.1920s] nsock_iod_new2(): nsock_iod_new (IOD #3)
NSOCK INFO [7.1920s] nsock_connect_udp(): UDP connection requested to 10.140.46.63:53 (IOD #3) EID 40
NSOCK INFO [7.1920s] nsock_read(): Read request from IOD #3 [10.140.46.63:53] (timeout: -1ms) EID 50
NSOCK INFO [7.1920s] nsock_iod_new2(): nsock_iod_new (IOD #4)
NSOCK INFO [7.1920s] nsock_connect_udp(): UDP connection requested to 10.140.7.243:53 (IOD #4) EID 56
NSOCK INFO [7.1920s] nsock_read(): Read request from IOD #4 [10.140.7.243:53] (timeout: -1ms) EID 66
Initiating Parallel DNS resolution of 1 host. at 15:31
NSOCK INFO [7.1920s] nsock_write(): Write request for 45 bytes to IOD #1 EID 75 [10.140.46.63:53]
NSOCK INFO [7.1920s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.140.46.63:53]
NSOCK INFO [7.1920s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 75 [10.140.46.63:53]
NSOCK INFO [7.1920s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 24 [10.140.7.243:53]
NSOCK INFO [7.1920s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [10.140.46.63:53]
NSOCK INFO [7.1920s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 56 [10.140.7.243:53]
NSOCK INFO [7.2080s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.140.46.63:53] (104 bytes)
NSOCK INFO [7.2080s] nsock_read(): Read request from IOD #1 [10.140.46.63:53] (timeout: -1ms) EID 82
NSOCK INFO [7.2080s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
NSOCK INFO [7.2080s] nevent_delete(): nevent_delete on event #82 (type READ)
NSOCK INFO [7.2080s] nsock_iod_delete(): nsock_iod_delete (IOD #2)
NSOCK INFO [7.2080s] nevent_delete(): nevent_delete on event #34 (type READ)
NSOCK INFO [7.2080s] nsock_iod_delete(): nsock_iod_delete (IOD #3)
NSOCK INFO [7.2080s] nevent_delete(): nevent_delete on event #50 (type READ)
NSOCK INFO [7.2080s] nsock_iod_delete(): nsock_iod_delete (IOD #4)
NSOCK INFO [7.2080s] nevent_delete(): nevent_delete on event #66 (type READ)
mass_rdns: 4.60s 0/1 [#: 4, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:31, 0.02s elapsed
DNS resolution of 1 IPs took 4.60s. Mode: Async [#: 4, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating UDP Scan at 15:31
10.140.128.233 pingprobe type ICMP is inappropriate for this scan type; resetting.
Scanning 10.140.128.233 [1 port]
Packet capture filter (device eth3): dst host 10.140.129.153 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 10.140.128.233)))
SENT (7.2240s) UDP [10.140.129.153:52579 > 10.140.128.233:161 len=68 csum=0xD1ED] IP [ver=4 ihl=5 tos=0x00 iplen=88 id=9464 foff=0 ttl=55 pr
oto=17 csum=0x4703]
TIMING STATS (7.2240s): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/r
ttvar/
Groupstats (1/1 incomplete): 1/////* 10.00/75/* 1000000/-1/-1
Current sending rates: 62.50 packets / s, 5500.00 bytes / s.
Overall sending rates: 62.50 packets / s, 5500.00 bytes / s.
RCVD (7.2240s) UDP [10.140.128.233:161 > 10.140.129.153:52579 len=111 csum=0xADF3] IP [ver=4 ihl=5 tos=0x00 iplen=131 id=21 foff=0 ttl=254 p
roto=17 csum=0xa4ba]
Found 10.140.128.233 in incomplete hosts list.
Discovered open port 161/udp on 10.140.128.233
Changing ping technique for 10.140.128.233 to udp to port 161
Moving 10.140.128.233 to completed hosts list with 0 outstanding probes.
Changing global ping host to 10.140.128.233.
Completed UDP Scan at 15:31, 0.02s elapsed (1 total ports)
Overall sending rates: 62.50 packets / s, 5500.00 bytes / s.
pcap stats: 3 packets received by filter, 0 dropped by kernel.
NSE: Script scanning 10.140.128.233.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:31
NSE: Starting snmp-ios-config M:3684DF4 against 10.140.128.233:161.
NSOCK INFO [7.2080s] nsock_iod_new2(): nsock_iod_new (IOD #1)
NSOCK INFO [7.2390s] nsock_connect_udp(): UDP connection requested to 10.140.128.233:161 (IOD #1) EID 8
NSOCK INFO [7.2390s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.140.128.233:161]
NSE: UDP 10.140.129.153:65107 > 10.140.128.233:161 | CONNECT
NSE: UDP 10.140.129.153:65107 > 10.140.128.233:161 | 00000000: 30 30 02 01 00 04 06 70 75 62 6c 69 63 a3 23 02 00 public #
00000010: 03 00 81 43 02 01 00 02 01 00 30 16 30 14 06 0f C 0 0
00000020: 2b 06 01 04 01 09 09 60 01 01 01 01 02 ce 0f 02 + `
00000030: 01 01

NSOCK INFO [7.2390s] nsock_write(): Write request for 50 bytes to IOD #1 EID 19 [10.140.128.233:161]
NSOCK INFO [7.2390s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 19 [10.140.128.233:161]
NSE: UDP 10.140.129.153:65107 > 10.140.128.233:161 | SEND
NSOCK INFO [7.2390s] nsock_readbytes(): Read request for 1 bytes from IOD #1 [10.140.128.233:161] EID 26
NSOCK INFO [12.2520s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 26 [10.140.128.233:161]
NSE: Finished snmp-ios-config M:3684DF4 against 10.140.128.233:161.
NSE: UDP 10.140.129.153:65107 > 10.140.128.233:161 | CLOSE
NSOCK INFO [12.2520s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Completed NSE at 15:31, 5.03s elapsed
Nmap scan report for 10.140.128.233
Host is up, received echo-reply ttl 254 (0.00s latency).
Scanned at 2017-04-21 15:31:22 Pacific Daylight Time for 11s
PORT STATE SERVICE REASON
161/udp open snmp udp-response ttl 254
Final times for host: srtt: 0 rttvar: 3750 to: 100000

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:31
Completed NSE at 15:31, 0.00s elapsed
Read from C:\Program Files (x86)\Nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds
Raw packets sent: 2 (116B) | Rcvd: 2 (159B)

Aha, I see. When we implemented this, it was intended to use creds.snmp=:private, since the colon (":") is the username:password separator. But I forgot this when I updated the documentation. I've changed snmp.lua to accept any of the following:

  • creds.snmp=community
  • creds.snmp=:community
  • creds.snmp=ignored:community

And I updated the NSEdoc to use the :community syntax, since that will work with the already-released versions of these scripts.

nmap-bot closed this in 13d06eb Apr 22, 2017
