Nmap Development: RE: [NSE Script] SNMPv1 system information & uptime

From: Thomas Buchanan <TBuchanan_at_thecompassgrp.net>
Date: Mon, 11 Jun 2007 15:19:40 -0500

> -----Original Message-----
> From: Brandon Enright [mailto:bmenrigh_at_ucsd.edu]
> Sent: Monday, June 11, 2007 3:03 PM
> To: Thomas Buchanan
> Cc: nmap-dev_at_insecure.org; bmenrigh_at_ucsd.edu
> Subject: Re: [NSE Script] SNMPv1 system information & uptime
>
> Thomas,
>
> The script looks great! I'm glad someone has tackled an NSE script
> that uses SNMP. I started to write a few NSE scripts that were going to
> use NSE but gave up because of the difficulty of using ASN.1 encoding to
> build the packets.
>
> You wrote "-- copied from packet capture of snmpget exchange" and then
> defined the payload as a string of bytes. This works well for static OIDs
> like SNMPv2-MIB::sysDescr.0 but doesn't work for OIDs that need to be
> dynamically generated.
>
> The solution is probably to build SNMP library bindings into NSE or offer
> ASN.1 bindings. I spent several hours trying to get LuaSNMP
> (http://luasnmp.luaforge.net/) working with NSE but got in over my head and
> put the project aside.
>
> I hope eventually SNMP bindings will be available *and* Eddie's traceroute
> information will be exposed to NSE. I'm picturing NSE scripts that look up
> the last hop for a host (typically the router) and query the ARP/CAM
> tables for MAC address and other information. This could be done
> efficiently and non-redundantly with creative use of the NSE Registry.
>
> Don't get me wrong, this script looks great. I think it highlights one
> current limitation of NSE though.
>
> Brandon
>

I totally agree with you. This script is very static and limited in
what it can do, and would be difficult to extend. Some other ideas I
had which would be very cumbersome to do without a binding to some kind
of SNMP library:
* trying other common community strings
* querying specific OID values based on analysis of the sysDescr response
* detecting other IP addresses through SNMP

I was thinking of the cfgmaker script from MRTG, which walks the OID
tree of a device and generates a configuration with all the network
interfaces defined. It would be fantastic to be able to dynamically
update the target list via a discovery script of this kind.

Here's hoping someone with more programming gumption than I've got will
take a look at this and get something going.

On a similar topic, another binding that I think would be well suited
for nmap would be some sort of interface to the OpenSSL library. It
would be great to be able to do some inspection of SSL-wrapped ports
through the NSE system, but I'm unaware of any simple methods for doing
that at this point.

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Jun 11 2007
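The ASN.1 encoding Brandon names as the obstacle, as an added example that is not code from this thread, from Nmap or from NSE: a small BER encoder and decoder, written in Python rather than Lua so it runs stand-alone, which builds an SNMPv1 GetRequest for any OID supplied at run time (the static sysDescr.0 payload in the script is one instance of it) and decodes the GetResponse, including the TimeTicks value that sysUpTime is reported in. The community string "public", the request-id and the sample agent response at the bottom are constructed for the example, not captured traffic.

```python
# Added example (not from the thread, Nmap or NSE): minimal ASN.1 BER encoding and decoding
# for SNMPv1 GetRequest/GetResponse (RFC 1157, X.690) with OIDs generated at run time.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43  # unsigned application types

def ber_length(n):
    # definite form: one byte below 128, else 0x80|count followed by the length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value

def encode_integer(n):
    # two's-complement INTEGER in the minimal number of octets
    length = 1
    while not -(1 << (8 * length - 1)) <= n < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, n.to_bytes(length, "big", signed=True))

def encode_oid(dotted):
    # first two arcs packed into one byte as 40*a+b, remaining arcs base-128
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID: " + dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # final septet has the continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def snmpv1_get_request(community, oids, request_id=1):
    # Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = (encode_integer(request_id) + encode_integer(0) + encode_integer(0)
           + tlv(SEQUENCE, varbinds))  # request-id, error-status, error-index
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community.encode())
               + tlv(GET_REQUEST, pdu))

def read_tlv(buf, pos):
    # returns (tag, value, next_pos); rejects an element that runs past the buffer
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def decode_value(tag, value):
    if tag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(value, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return value.decode("ascii", "replace")
    return decode_oid(value) if tag == OID else (None if tag == NULL else value)

def parse_snmpv1_response(packet):
    # GetResponse -> request-id, error-status and decoded (oid, value) pairs
    tag, msg, _ = read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    pos = read_tlv(msg, read_tlv(msg, 0)[2])[2]  # skip version and community
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("unexpected PDU type 0x%02x" % pdu_tag)
    _, req_id, pos = read_tlv(pdu, 0)
    _, err_status, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    pairs, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        pairs.append((decode_oid(oid), decode_value(vtag, val)))
    return {"request_id": decode_value(INTEGER, req_id),
            "error_status": decode_value(INTEGER, err_status), "varbinds": pairs}

def sample_response(request_id=1):
    # constructed GetResponse standing in for a real agent (not a capture); 123456 ticks = 1234.56 s
    vbs = tlv(SEQUENCE, encode_oid("1.3.6.1.2.1.1.1.0") + tlv(OCTET_STRING, b"Constructed test agent"))
    vbs += tlv(SEQUENCE, encode_oid("1.3.6.1.2.1.1.3.0") + tlv(TIMETICKS, (123456).to_bytes(3, "big")))
    pdu = encode_integer(request_id) + encode_integer(0) + encode_integer(0) + tlv(SEQUENCE, vbs)
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, b"public") + tlv(GET_RESPONSE, pdu))

if __name__ == "__main__":
    print(snmpv1_get_request("public", ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"]).hex())
    print(parse_snmpv1_response(sample_response()))
```

For sysDescr.0 with community "public" the encoder reproduces the 40-byte packet an snmpget exchange shows, which is the string the script pasted by hand; the difference is that any other OID, for example one chosen after looking at the sysDescr text, goes through the same path. When decoding replies, a caller should compare the returned request_id with the one it sent, and the bounds check in read_tlv is what keeps a malformed or truncated reply from an untrusted agent from turning into an out-of-range read rather than a clean error.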
