
Add additional timing options to snmp_login scanner #4722

Merged
merged 4 commits into from Apr 16, 2015

Conversation

Meatballs1 (Contributor):

#4718

Set the default retries to 0.
Reduce the timeout to 2s.
Still scan both v1 and v2c, but give the option to scan only one.

OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
OptEnum.new('VERSION', [true, 'The SNMP version to scan', 'all', ['1','2c','all']]),
Meatballs1 (Contributor, Author) commented on the VERSION option:

Note: used 'all' in case v3 is supported in future etc ;)


hdm commented Feb 6, 2015

1s timeout is too low for slow embedded devices over the internet fwiw


hdm commented Feb 6, 2015

The fix for this is probably a rewrite of LoginScanner to format the SNMP by hand, as opposed to using the sluggish SNMP::Manager interface.


hdm commented Feb 6, 2015

It takes almost no time to send 3 probes (v1/v2/v3/etc) to a single host and then listen for any reason at a scan level (via the UDPScanner mixin)


hdm commented Feb 6, 2015

Another issue with the LoginScanner, its Rex::Socket create call doesn't pass in the framework context, which means pivoting is ignored.

@Meatballs1 (Contributor, Author) commented:

I thought UDP pivoting wasn't implemented yet anyway?

Could add it, but framework doesn't exist within the metasploit/framework context, so would have to work out how to go about getting a reference :/

@Meatballs1 (Contributor, Author) commented:

It doesn't look like any login scanner would be Rex proxy compatible:

lib/metasploit/./framework/tcp/client.rb

    nsock = Rex::Socket::Tcp.create(
        'PeerHost'   =>  opts['RHOST'] || rhost,
        'PeerPort'   => (opts['RPORT'] || rport).to_i,
        'LocalHost'  =>  opts['CHOST'] || chost || "0.0.0.0",
        'LocalPort'  => (opts['CPORT'] || cport || 0).to_i,
        'SSL'        =>  dossl,
        'SSLVersion' =>  opts['SSLVersion'] || ssl_version,
        'Proxies'    => proxies,
        'Timeout'    => (opts['ConnectTimeout'] || connection_timeout || 10).to_i
        )


hdm commented Feb 6, 2015

Unbound sockets wouldn't be pivotable, but bound ones are and work fine through meterpreter. I filed a ticket for the issue above and will PR something over soon.

@@ -17,6 +17,35 @@ class SNMP
PRIVATE_TYPES = [ :password ]
REALM_KEY = nil

# @!attribute retries
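Review bot: the `# @!attribute retries` YARD directive on the new line at the end of this hunk is the wrong form for an attribute that is declared with `attr_accessor`; YARD's `@!attribute` directive exists to document attributes that have no `attr_*` declaration, so a plain docstring (`# The number of retries` followed by `# @return [Integer]`) placed directly above `attr_accessor :retries` is the conventional form. Since the pull request description sets the default retries to 0, a validation that `retries` is a non-negative integer would also belong alongside the class's other validations rather than among the attribute declarations.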
Reviewer comment (Contributor) on this line:

YARD has advised that @!attribute is not meant to be used on attr_*. Use comments directly instead:

# The number of retries
#
# @return [Fixnum]
attr_accessor :retries

Reviewer comment (Contributor):

You should separate your attributes from your validations, so that all attributes come first, then all validations, following the pattern shown here.


wvu commented Apr 1, 2015

Any movement on this?

@wvu wvu self-assigned this Apr 1, 2015
@todb-r7 added the jira label Apr 1, 2015

todb-r7 commented Apr 1, 2015

Tagging this as jira since the original issue was as well, in that we've had support calls about this module in particular.


hdm commented Apr 1, 2015

This needs a rewrite to get to reasonable performance levels (single socket, multiple sends of community strings in quick succession, detection of valid ones based on replies within a poll period).
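The single-socket approach hdm describes in this thread (format the SNMP request by hand instead of going through SNMP::Manager, send every community string for each version back to back, then attribute replies to probes within a poll period), as an added Ruby example that is not code from this pull request or from Metasploit. It hand-encodes the BER of an SNMPv1/v2c GetRequest for sysDescr.0, keeps a request-id to (version, community) map so each GetResponse is credited to the exact probe that earned it, and exposes `versions`, `timeout` and `retries` parameters in the spirit of the VERSION, TIMEOUT and RETRIES options discussed above. The module and function names (`BER`, `build_message`, `parse_message`, `scan_communities`, `start_fake_agent`) are assumptions made for this example; the loopback agent is constructed so the code runs offline, and it mirrors real agent behaviour by silently dropping any request whose community string it does not accept.

```ruby
require 'socket'

# Minimal hand-rolled BER for an SNMPv1/v2c GetRequest (example helper, not Metasploit's SNMP code).
module BER
  module_function
  def len(n)
    return [n].pack('C') if n < 128
    b = []; while n > 0; b.unshift(n & 0xff); n >>= 8; end
    [0x80 | b.size, *b].pack('C*')
  end
  def tlv(tag, body); [tag].pack('C') + len(body.bytesize) + body.b; end
  def int(v)                       # non-negative INTEGER, minimal big-endian bytes
    b = []; while v > 0; b.unshift(v & 0xff); v >>= 8; end
    b = [0] if b.empty?
    b.unshift(0) if b.first >= 0x80 # keep the sign bit clear
    tlv(0x02, b.pack('C*'))
  end
  def str(s); tlv(0x04, s); end
  def null; tlv(0x05, ''); end
  def seq(body); tlv(0x30, body); end
  def oid(dotted)                  # first two arcs share a byte, the rest are base-128
    arcs = dotted.split('.').map(&:to_i)
    out = [arcs[0] * 40 + arcs[1]]
    arcs.drop(2).each do |a|
      chunk = [a & 0x7f]
      while a >= 128; a >>= 7; chunk.unshift(0x80 | (a & 0x7f)); end
      out.concat(chunk)
    end
    tlv(0x06, out.pack('C*'))
  end
  def decode_int(body); body.unpack('C*').inject(0) { |acc, x| (acc << 8) | x }; end
  def read_tlv(buf)                # -> [tag, body, rest]; raises on truncated input
    tag, first = buf.getbyte(0), buf.getbyte(1)
    hdr, l = 2, first
    hdr, l = 2 + (first & 0x7f), decode_int(buf.byteslice(2, first & 0x7f)) if first >= 0x80
    [tag, buf.byteslice(hdr, l), buf.byteslice(hdr + l, buf.bytesize)]
  end
end

SYS_DESCR = '1.3.6.1.2.1.1.1.0'
VERSIONS  = { '1' => 0, '2c' => 1 }  # wire value of the version INTEGER
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def build_message(pdu_tag, version, community, request_id, value)
  varbinds = BER.seq(BER.seq(BER.oid(SYS_DESCR) + value))
  pdu = BER.tlv(pdu_tag, BER.int(request_id) + BER.int(0) + BER.int(0) + varbinds)
  BER.seq(BER.int(version) + BER.str(community) + pdu)
end

# Recover version, community, PDU type, request-id and error-status; nil if malformed.
def parse_message(pkt)
  tag, msg, = BER.read_tlv(pkt)
  t1, ver, rest = BER.read_tlv(msg)
  t2, comm, rest = BER.read_tlv(rest)
  pdu_tag, pdu, = BER.read_tlv(rest)
  return nil unless tag == 0x30 && t1 == 0x02 && t2 == 0x04 && [GET_REQUEST, GET_RESPONSE].include?(pdu_tag)
  _, rid, rest = BER.read_tlv(pdu); _, err, = BER.read_tlv(rest)
  { pdu: pdu_tag, version: BER.decode_int(ver), community: comm,
    request_id: BER.decode_int(rid), error_status: BER.decode_int(err) }
rescue NoMethodError, TypeError
  nil
end

# One UDP socket, every (version, community) probe sent back to back, replies matched
# to probes by request-id inside each poll window; unanswered probes are resent `retries` times.
def scan_communities(host, port, communities, versions: %w[1 2c], timeout: 2.0, retries: 0)
  sock = UDPSocket.new
  pending = {}
  rid = rand(1..0x7fff_0000)
  versions.each { |v| communities.each { |c| pending[rid += 1] = [v, c] } }
  found = []
  (retries + 1).times do
    pending.each { |id, (v, c)| sock.send(build_message(GET_REQUEST, VERSIONS.fetch(v), c, id, BER.null), 0, host, port) }
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
    while (left = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)) > 0
      break unless IO.select([sock], nil, nil, left)
      pkt, = sock.recvfrom(65_535)
      reply = parse_message(pkt)
      next unless reply && reply[:pdu] == GET_RESPONSE && (probe = pending.delete(reply[:request_id]))
      # Any GetResponse, even one with a non-zero error-status, proves the community was accepted.
      found << { version: probe[0], community: probe[1], error_status: reply[:error_status] }
    end
    break if pending.empty?
  end
  found
ensure
  sock&.close
end

# Constructed loopback agent for offline demonstration: answers exactly one community and,
# like a real agent, silently drops requests carrying any other community string.
def start_fake_agent(valid_community)
  agent = UDPSocket.new
  agent.bind('127.0.0.1', 0)
  Thread.new do
    loop do
      pkt, addr = agent.recvfrom(65_535)
      req = parse_message(pkt)
      next unless req && req[:pdu] == GET_REQUEST && req[:community] == valid_community
      agent.send(build_message(GET_RESPONSE, req[:version], req[:community], req[:request_id], BER.str('fake agent')), 0, addr[3], addr[1])
    end
  end
  agent.addr[1]                    # the ephemeral port the agent listens on
end
```

Typical use is `scan_communities('127.0.0.1', start_fake_agent('public'), %w[private public manager], timeout: 1.0)`, which returns one hit per version for `public` and nothing for the others. Matching on request-id rather than treating "any reply" as success is what lets many probes share one socket without mis-crediting a late reply to the wrong community, and it is also why a reply with a non-zero error-status still counts: the agent only produces a GetResponse once the community has been accepted. The pivoting concern raised earlier in the thread is deliberately out of scope here; the socket is a plain UDPSocket rather than a Rex socket.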

@wvu wvu assigned wvu and unassigned wvu Apr 10, 2015
@wvu wvu merged commit fcc21ff into rapid7:master Apr 16, 2015
wvu added two commits that referenced this pull request Apr 16, 2015

wvu commented Apr 16, 2015

88062a5 2bdcc17

@Meatballs1 Meatballs1 deleted the snmp_speed branch April 16, 2015 08:25
Labels: bug, jira, module