Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix SNMP enumeration module network interface processing #12044

Merged

Conversation

Projects
None yet
2 participants
@mkienow-r7
Copy link
Contributor

commented Jul 2, 2019

The auxiliary/scanner/snmp/snmp_enum module uses an SNMP walk operation to enumerate the network interface and this can return an SNMP::NoSuchInstance class when a OID for an object, or variable binding (varbind), is missing. The module attempts to use the error class as a valid value resulting in the issues detailed below. Fixes #12034

Before fix

ifPhysAddress is not returned

msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.5
rhosts => 192.168.1.5
msf5 auxiliary(scanner/snmp/snmp_enum) > run

[+] 192.168.1.5, Connected.
[-] Unknown error: NoMethodError undefined method `unpack' for SNMP::NoSuchInstance:Class
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

~/.msf4/logs/framework.log:

[07/02/2019 14:28:15] [e(0)] core: Unknown error: NoMethodError undefined method `unpack' for SNMP::NoSuchInstance:Class
[07/02/2019 14:28:15] [e(0)] core: Call stack:
/home/msfdev/metasploit-framework/modules/auxiliary/scanner/snmp/snmp_enum.rb:175:in `block in run_host'
/home/msfdev/metasploit-framework/lib/snmp/manager.rb:449:in `block in walk'
/home/msfdev/metasploit-framework/lib/snmp/manager.rb:434:in `loop'
/home/msfdev/metasploit-framework/lib/snmp/manager.rb:434:in `walk'
/home/msfdev/metasploit-framework/modules/auxiliary/scanner/snmp/snmp_enum.rb:167:in `run_host'
/home/msfdev/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
/home/msfdev/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'

ifSpeed is not returned

msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.5
rhosts => 192.168.1.5
msf5 auxiliary(scanner/snmp/snmp_enum) > run

[+] 192.168.1.5, Connected.
[-] Unknown error: NoMethodError undefined method `to_i' for SNMP::NoSuchInstance:Class
Did you mean?  to_s
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

~/.msf4/logs/framework.log:

[07/02/2019 15:03:38] [e(0)] core: Unknown error: NoMethodError undefined method `to_i' for SNMP::NoSuchInstance:Class
Did you mean?  to_s
[07/02/2019 15:03:38] [e(0)] core: Call stack:
/home/msfdev/metasploit-framework/modules/auxiliary/scanner/snmp/snmp_enum.rb:178:in `block in run_host'
/home/msfdev/metasploit-framework/lib/snmp/manager.rb:449:in `block in walk'
/home/msfdev/metasploit-framework/lib/snmp/manager.rb:434:in `loop'
/home/msfdev/metasploit-framework/lib/snmp/manager.rb:434:in `walk'
/home/msfdev/metasploit-framework/modules/auxiliary/scanner/snmp/snmp_enum.rb:167:in `run_host'
/home/msfdev/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
/home/msfdev/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'

After fix

msf5 > use auxiliary/scanner/snmp/snmp_enum
msf5 auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.5
rhosts => 192.168.1.5
msf5 auxiliary(scanner/snmp/snmp_enum) > run

[+] 192.168.1.5, Connected.

...

[*] Network information:

IP forwarding enabled         : no
Default TTL                   : 64
TCP segments received         : 214860
TCP segments sent             : 131618
TCP segments retrans          : 0
Input datagrams               : 256953
Delivered datagrams           : 256950
Output datagrams              : 173704

[*] Network interfaces:

Interface                     : [ up ] lo
Id                            : 1
Mac Address                   : unknown
Type                          : softwareLoopback
Speed                         : unknown Mbps
MTU                           : 65536
In octets                     : 566084
Out octets                    : 566084

Interface                     : [ up ] Intel Corporation 82540EM Gigabit Ethernet Controller
Id                            : 2
Mac Address                   : unknown
Type                          : ethernet-csmacd
Speed                         : unknown Mbps
MTU                           : 1500
In octets                     : 414606844
Out octets                    : 12252239
...

Verification

  • Configure the Net-SNMP package with the following /etc/snmp/snmpd.conf settings. This includes everything from the ISO root except ifPhysAddress and ifSpeed from the interfaces MIB object.
view   systemonly  included   .1
view   systemonly  excluded   .1.3.6.1.2.1.2.2.1.6
view   systemonly  excluded   .1.3.6.1.2.1.2.2.1.5
  • Restart snmpd: sudo service snmpd restart
  • Start msfconsole
  • use auxiliary/scanner/snmp/snmp_enum
  • set rhosts <host>
  • run
  • Verify there are no exceptions and the "Network information" section contains a "Mac Address" with the value "unknown" and "Speed" with the value "unknown Mbps".
Fix network interface processing
The SNMP walk operation can return an SNMP::NoSuchInstance class.
The error class must be handled rather than attempting to use it as a
valid value.

@wvu-r7 wvu-r7 self-assigned this Jul 2, 2019

@wvu-r7 wvu-r7 merged commit 260c369 into rapid7:master Jul 2, 2019

2 of 3 checks passed

continuous-integration/travis-ci/pr The Travis CI build is in progress
Details
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details

wvu-r7 added a commit that referenced this pull request Jul 2, 2019

@wvu-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 2, 2019

Release Notes

This fixes an SNMP::NoSuchInstance bug in the auxiliary/scanner/snmp/snmp_enum module.

@mkienow-r7 mkienow-r7 deleted the mkienow-r7:bug/snmp-enum-interfaces-processing branch Jul 3, 2019

msjenkins-r7 added a commit that referenced this pull request Jul 8, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.