Nmap Development mailing list archives

Re: [NSE] snmp-ios-config - Config grabber
From: Vikas Singhal <vikas.programmer () gmail com>
Date: Thu, 13 Jan 2011 17:47:38 -0600

Thanks for testing this. I have fixed the status error (PFA).

You are right, the TFTP server by default does not accept the file; you need
to create the file with the same name and give proper permission to it.

On Thu, Jan 13, 2011 at 12:59 PM, Thomas Buchanan <
TBuchanan () thecompassgrp net> wrote:

-----Original Message-----
From: nmap-dev-bounces () insecure org
[mailto:nmap-dev-bounces () insecure org] On Behalf Of David Fifield
Sent: Wednesday, January 12, 2011 10:21 PM
To: Vikas Singhal
Cc: nmap-dev () insecure org
Subject: Re: [NSE] snmp-ios-config - Config grabber

On Mon, Jan 10, 2011 at 08:21:23PM -0600, Vikas Singhal wrote:
Code cleaned up! Here you go!

Is anyone able to test out this script? Vikas, can you post simple
instructions for starting a TFTP server and running the script to use
it? I'm attaching the script again.

David Fifield

I spent a little time this morning testing this, and here are the end

Nmap scan report for
Host is up, received arp-response (0.00045s latency).
Scanned at 2011-01-13 11:26:41 CST for 5s
161/udp open  snmp    udp-response SNMPv1 server (public)
|_snmp-ios-config: IOS configuration downloaded with filename to TFTP server

As you can see, the script was ultimately successful, so here are the
steps I took to get there, and a couple of comments along the way.
Hopefully someone will find them useful.

To start off, here are the systems that were in play.  The router
( is a Cisco 1800 ISR series device, running IOS 12.4.  The
TFTP server ( is a CentOS 5.5 server, which is also where I
ran the nmap commands shown.

The Cisco box has an existing default Read-Only SNMP community string
of 'public', so the first thing I did was run the script against it to
see what results came up.  That resulted in the following script error:

NSE: snmp-ios-config against threw an error!
./scripts/snmp-ios-config.nse:150: variable 'status' is not declared
stack traceback:
       [C]: in function 'error'
       ./nselib/strict.lua:69: in function <./nselib/strict.lua:60>
       ./scripts/snmp-ios-config.nse:150: in function
       (tail call): ?

After this, I enabled a Read-Write SNMP community string on the Cisco
router, by adding the following configuration line:
snmp-server community SomeString RW

I then enabled the TFTP server on the CentOS box by editing the
/etc/xinetd.d/tftp file.  These two lines are the ones of interest, the
first specifying the location to store TFTP Files, the second enabling
the service:
       server_args             = -s /tftpboot
       disable                 = no

A restart of the xinetd service followed, and I verified that the port
was open and the tftp service was listening.  At this point, I ran the
script again with these results:

# NMAPDIR=. ./nmap -sUV -p 161 -v -d --script-trace
Nmap scan report for
Host is up, received arp-response (0.00045s latency).
Scanned at 2011-01-13 11:25:45 CST for 5s
161/udp open  snmp    udp-response SNMPv1 server (public)
|_snmp-ios-config: Not successful! error code: 4 (1:waiting, 2:running,
3:successful, 4:failed)

At this point I had to resort to Wireshark to see what was going on.  I
determined that the TFTP server was returning a file not found error to
the Cisco router when it tried to push the config file over.  A little
research [1] showed that on most Linux TFTP systems, by default the
server will not create files.  They must already exist, and have
filesystem permissions appropriately set.  After checking the network
capture to determine the filename the script was attempting to use, I
created it on the TFTP server and ran the script again.  It was at this
point that I got the final results shown above.

The script definitely works as advertised when everything is set up
correctly, but for me, some additional error reporting to help track
down what has gone wrong would be helpful.  However, it appears that
there is not a lot of detail in the messages that IOS sends back, so
that might not be possible.

Let me know if you have further questions.



[1] http://goo.gl/oSz1I  (Linux Home Networking wiki)

Attachment: snmp-ios-config.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
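
Added example, not part of the original thread or the attached script: the test above only succeeded once a read-write community with no source restriction was configured on the router, so this Python check flags such `snmp-server community` lines in IOS configuration text. The sample configuration is constructed, the function name `audit_snmp_communities` is hypothetical, and only the `[view NAME] [RO|RW] [ACL]` form of the command is parsed.

```python
import re

# Constructed sample of IOS running-config lines (not taken from the thread).
SAMPLE_CONFIG = """\
hostname lab-rtr
snmp-server community public RO
snmp-server community SomeString RW
snmp-server community OpsString RW 10
snmp-server community ViewString view NOCVIEW RW
access-list 10 permit 192.0.2.10
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl number or name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

WELL_KNOWN = {"public", "private"}


def audit_snmp_communities(config_text):
    """Return a list of (community, mode, acl, findings) tuples."""
    results = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        mode = (m.group("mode") or "ro").lower()  # IOS defaults to read-only
        acl = m.group("acl")
        findings = []
        if m.group("name").lower() in WELL_KNOWN:
            findings.append("well-known community string")
        if mode == "rw" and acl is None:
            # Any host that learns the string can write, e.g. trigger a config copy.
            findings.append("read-write with no source ACL")
        results.append((m.group("name"), mode, acl, findings))
    return results


if __name__ == "__main__":
    for name, mode, acl, findings in audit_snmp_communities(SAMPLE_CONFIG):
        status = "; ".join(findings) or "ok"
        print(f"{name:12} {mode.upper()} acl={acl or '-'}  {status}")
```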
