Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] tftp-enum.nse, tftp files enumeration scripts
From: Alexander Rudakov <freekoder () gmail com>
Date: Thu, 26 May 2011 22:24:57 +0400

Hi all.

I would like to introduce my next python utility reimplementation as nmap
script.
Some times ago I tried tftpthieft utility. TFTP Theft is a tool which allows
one to quickly scan/bruteforce a tftp server for files and download them
instantly.
You can find it at http://code.google.com/p/tftptheft/.
I thought it would be nice to have such functionality as nmap script (except
file downloading).

I extended search algorithm of tftpthieft. Some cisco administrators store
router config files at tftp.
Cisco config filename has pattern router_name-confg. Many administrators
name their routers by network address of router.
The idea is that tftp server can be on the same network as the cisco router.
So tftp-enum script iterates over network addresses and try to find files
with pattern network_address-confg.

Script usage is simple:

nmap -sU -p 69 --script tftp-enum.nse
--script-args="tftp-enum.filelist=customlist.txt" <host>

By default script takes filenames to enumerate from data file
nselib/data/tftplist.txt, but you can specify your own file with names by
tftp-enum.filelist arg.

Script tested on nmap 5.51. It does not work on 5.21 and prior versions.
I could find cisco ip phones by random network scaning, so script works.

Little about the plans:
1) Code cleanups
2) Bug fixing
3) Adding new filenames to list (based on popular cisco routers names)
4) Try to speed up script (it is too slow now).

I need help in compiling a list of popular default names of cisco routers
(have some ideas about patterns) and thougths about script perfomance
(speed) improvements.
Any other feedback is needed.

With best regards, Alexander Rudakov (insane code monkey).

Attachment: tftplist.txt
Description:

Attachment: tftp-enum.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault