Onesixtyone 0.3.2 An Efficient SNMP Scanner
However, as noted above, much of this could be scripted. For example, we could use ping (ping -c 1 -W 1 [our.target.ip.address]) to check that the address is alive before we spend SNMP probes on it; if it does not answer, we skip it. A single echo request will not make much noise on modern systems, and if we need to pace the scan further we can sleep between probes (onesixtyone's own -w switch sets the wait, in milliseconds, between packets). Of course, on a local segment we could also use the data link layer techniques we were taught ( ).
There's always a problem. In writing this document, I realised that I forgot to mention what the default community strings are for SNMPv1 (and v2c): public for read-only access and private for read-write access. How did we even miss that? We will obviously need them. Note that a community string is not a username and gives no shell; it is a cleartext password carried in every request, and knowing it only lets us read (or, with the read-write string, set) SNMP objects. If a device still uses the default of public, we can query the SNMP daemon directly, for example with snmpwalk -v1 -c public [our.target.ip.address].
To brute force the community strings, we will use a bash script built from a pair of loops: the outer loop iterates over target hosts and the inner loop over candidate strings, so several hosts and strings are tried in one run. We try not only the default public, but also private and admin.
We record our results in an sqlite3 database (sqlite3 results.db, or .open results.db from the sqlite3 shell) in a table called logs; .tables lists the tables in the database. We then iterate over the host/community pairs, checking the default string, admin and private in turn. An SNMPv1 agent that receives a request with a wrong community string simply drops it without replying, so silence is ambiguous: it may be a wrong string, a lost datagram or a host that is down. We therefore create a variable called retry to track whether an entry needs to be re-sent, and loop until either the community string is discovered or the retry budget for that entry is spent.
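The loop just described, written out as an added example (in the Python standard library rather than the bash of the page, and not code from onesixtyone or from the original document). The snmpget_probe wrapper assumes Net-SNMP's snmpget is installed; the 192.0.2.x addresses, the FAKE_AGENTS table and make_fake_probe are constructed stand-ins so the retry bookkeeping can be exercised offline.

```python
import sqlite3
import subprocess

SYS_DESCR = "1.3.6.1.2.1.1.1.0"                 # MIB-II sysDescr: cheap, and every agent has it
COMMUNITIES = ("public", "private", "admin")    # the two defaults plus the extra string the page tries


def snmpget_probe(host, community, timeout_s=1):
    """Real probe using Net-SNMP's snmpget (assumed installed).
    True on a GetResponse; None on silence. An SNMPv1 agent drops a request
    carrying a wrong community without answering, so None is ambiguous."""
    proc = subprocess.run(
        ["snmpget", "-v1", "-c", community, "-t", str(timeout_s), "-r", "0", host, SYS_DESCR],
        capture_output=True, text=True, check=False)
    return True if proc.returncode == 0 else None


def open_log(path=":memory:"):
    """sqlite3 table 'logs': one row per (host, community) attempt, as the page's script keeps."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS logs "
               "(host TEXT, community TEXT, result TEXT, tries INTEGER)")
    return db


def brute_communities(hosts, communities, probe, db, max_retries=2):
    """Outer loop over hosts, inner loop over candidate strings. Because silence may be
    a dropped datagram rather than a wrong string, each silent probe is re-sent up to
    max_retries times (the page's 'retry' variable) before being logged as no-response.
    Returns {host: [working community strings]} for hosts that answered."""
    found = {}
    for host in hosts:
        for community in communities:
            retry = 0
            while True:
                result = probe(host, community)
                if result is not None or retry >= max_retries:
                    break
                retry += 1
            db.execute("INSERT INTO logs VALUES (?, ?, ?, ?)",
                       (host, community, "ok" if result else "no-response", retry + 1))
            if result:
                found.setdefault(host, []).append(community)
    db.commit()
    return found


def working_strings(db):
    """(host, community) pairs that answered, read back from the logs table."""
    return db.execute("SELECT host, community FROM logs WHERE result = 'ok' "
                      "ORDER BY host, community").fetchall()


# Constructed stand-in for the network so the loop runs offline: hosts in
# 192.0.2.0/24 (TEST-NET-1) and the strings each imaginary agent accepts.
FAKE_AGENTS = {"192.0.2.10": {"public"}, "192.0.2.11": {"private"}, "192.0.2.12": set()}


def make_fake_probe(drop_first=("192.0.2.11", "private")):
    """Behaves like snmpget_probe against FAKE_AGENTS, but swallows the first reply
    for one pair to simulate a lost datagram that the retry loop must recover from."""
    dropped = []

    def probe(host, community):
        if (host, community) == drop_first and not dropped:
            dropped.append(1)
            return None
        return True if community in FAKE_AGENTS.get(host, set()) else None
    return probe


if __name__ == "__main__":
    db = open_log()
    print(brute_communities(sorted(FAKE_AGENTS), COMMUNITIES, make_fake_probe(), db))
    print(working_strings(db))
    # Against real targets: brute_communities(hosts, COMMUNITIES, snmpget_probe, open_log("snmp.db"))
```

The retry budget is the important design choice: with SNMPv1 there is no negative acknowledgement, so a single unanswered probe proves nothing, while an unbounded retry loop against a host that is simply down would never finish.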
onesixtyone asks each host for a single object, sysDescr (1.3.6.1.2.1.1.1.0) from the MIB-II system group (RFC 1213); the tool is named after UDP port 161, the port SNMP agents listen on. sysDescr is a very limited subset of what a device exposes, but it is enough to confirm that a community string works and to fingerprint the device. If you have access to a device's configuration file, its contents can be found at . Other configuration files can be found at . However, onesixtyone does not itself fetch configuration files from a Cisco device: it has no knowledge of which SNMP objects a given device supports beyond the system group, and once you have a working string you follow up with snmpwalk and the vendor's MIBs. In addition, some objects, such as sysUpTime, are counters and state maintained by the agent rather than settings, so their values are not referenced anywhere in the configuration files, as shown in Figure 6-3.
How does onesixtyone obtain these values? It sends one GetRequest per host and community string without waiting for a reply, then collects the responses; each reply is printed as the host, the community string that answered and the sysDescr value. With -o the results are also written to a file, which can serve as the target list for follow-up runs.
On the command line, onesixtyone takes either a single host and community string, or -i with a file of target hosts (one per line) and -c with a file of community strings. It reads the host file, which can be the output of a previous run or of a ping sweep, into a list, then loops over that list sending one request for each host and community string, pausing -w milliseconds (default 10) between packets so the scan does not flood the sending host. When the whole list has been sent it waits briefly for the remaining replies; each response is matched to its target by the source address of the datagram, and the community string echoed in the reply tells us which candidate worked.
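What onesixtyone actually puts on the wire, as an added example (my code, not onesixtyone's, which is written in C): an SNMPv1 GetRequest for sysDescr built by hand, the matching GetResponse parser, and a scan() that sends everything first and collects replies afterwards, the way the tool does. Only the Python standard library is used. snmp_get_response exists to construct a sample reply for offline checking; any hosts passed on the command line are whatever you supply.

```python
import socket
import time

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-II system.sysDescr, the one object onesixtyone asks for


def ber(tag, body):
    """Wrap body in a BER TLV with the given tag, using short or long length form."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def ber_int(value):
    """ASN.1 INTEGER in two's complement (only non-negative values are used here)."""
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber(0x06, bytes(out))


def snmp_get_request(community, oid, request_id):
    """SNMPv1 GetRequest for one OID: the packet onesixtyone sends to every target."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))                  # OID + NULL placeholder
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def snmp_get_response(community, oid, request_id, value):
    """GetResponse carrying an OCTET STRING value; used here only to construct a sample reply."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x04, value.encode()))
    pdu = ber(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)


def tlv(data, pos=0):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length


def parse_response(packet):
    """Pull request-id, community and the first varbind's value out of a GetResponse.
    Raises ValueError on anything that is not a well-formed SNMPv1 GetResponse."""
    tag, msg, _ = tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = tlv(msg)
    if version != b"\x00":
        raise ValueError("not SNMPv1")
    _, community, pos = tlv(msg, pos)
    tag, pdu, _ = tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse")
    _, rid, pos = tlv(pdu)
    _, err, pos = tlv(pdu, pos)
    _, _idx, pos = tlv(pdu, pos)
    _, vbl, _ = tlv(pdu, pos)
    _, vb, _ = tlv(vbl)
    _, _oid, pos = tlv(vb)
    vtag, val, _ = tlv(vb, pos)
    value = val.decode("utf-8", "replace") if vtag == 0x04 else val.hex()
    return {"request_id": int.from_bytes(rid, "big", signed=True),
            "community": community.decode("utf-8", "replace"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": value}


def scan(hosts, communities, wait_ms=10, settle_s=1.0):
    """onesixtyone's strategy: send every (host, community) GetRequest back to back,
    pausing wait_ms between packets, then collect whatever arrives within settle_s.
    A v1 agent silently drops a request with the wrong community, so no reply means
    'wrong string, lost packet or host down', never 'access denied'.
    Returns {ip: {community: sysDescr}}. Needs network access."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(settle_s)
    rid, found = 0, {}
    for host in hosts:
        for community in communities:
            rid += 1
            try:
                sock.sendto(snmp_get_request(community, SYS_DESCR, rid), (host, 161))
            except OSError:
                continue                        # unresolvable or unroutable host
            time.sleep(wait_ms / 1000.0)
    deadline = time.monotonic() + settle_s
    while time.monotonic() < deadline:
        try:
            data, (ip, _port) = sock.recvfrom(4096)
        except socket.timeout:
            break
        try:
            resp = parse_response(data)
        except (ValueError, IndexError):
            continue                            # junk or truncated datagram
        found.setdefault(ip, {})[resp["community"]] = resp["value"]
    sock.close()
    return found


if __name__ == "__main__":
    import sys
    print(snmp_get_request("public", SYS_DESCR, 1).hex())
    sample = snmp_get_response("public", SYS_DESCR, 1, "Linux test 5.10")   # constructed reply
    print(parse_response(sample))
    if len(sys.argv) > 1:                       # e.g. python3 snmpscan.py 192.0.2.10 192.0.2.11
        print(scan(sys.argv[1:], ["public", "private"]))
```

Because the scanner never waits on any single host, the cost of a wordlist is the send loop plus one settle period, not one timeout per wrong string; that is the whole reason onesixtyone is fast, and also why replies must be matched by source address rather than by turn order.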