Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Attacking Cisco using SNMP
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Tue, 28 Nov 2000 19:46:41 +0100

Never quite could get it to work correctly.. But anyways, here are some
code snippets and packet captures to help you out..
You have to remember some of us know very little about SNMP_set and how it
can be utilized to manage large enterprise networks.  (biting tongue -:)

sub snmp_raw_set
        local($nr,$request) = @_;
        $w1 = "wh10" . $nr;
        $r2 = "rh20" . $nr;
        print $w1 ">$request\n";
# The next line is unneeded, if uncommented will cause wrong error code to be
# generated.
#       $resp = <$r2>;
        print $w1 "?\n";
        $resp = <$r2>; # should give return code
        if (isError($resp)) { return 0; };
        return substr($resp,2);

*Mar  1 03:41:54.875 PST: TFTP: Sending  read request
*Mar  1 03:41:54.879 PST: UDP: sent src=,
(69), length=60
*Mar  1 03:41:54.879 PST: IP: s= (local), d=
et0), len 60, sending
*Mar  1 03:42:01.543 PST: IP ARP: rcvd req src
0800.20b6.07c5, dst Ethernet0
*Mar  1 03:42:01.567 PST: IP ARP: rcvd req src
0800.20b6.07c5, dst Ethernet0
*Mar  1 03:42:01.891 PST: SNMP: Response, reqid 2, errstat 5, erridx 1
 lsystem. = /cisco/ironlung-config
*Mar  1 03:42:01.919 PST: SNMP: Packet sent via UDP to
*Mar  1 03:42:01.923 PST: UDP: sent src=,
dst=, length=96
*Mar  1 03:42:01.927 PST: IP: s= (local), d=
(Ethernet0), len 96, sending
*Mar  1 03:42:01.935 PST: IP: s= (Ethernet0),
d= (Ethernet0), len 112, rcvd 3
*Mar  1 03:42:01.939 PST: ICMP: dst ( port unreachable rcv
*Mar  1 03:42:01.943 PST: SNMP: Packet received via UDP from
on Ethernet0
*Mar  1 03:42:01.951 PST: SNMP: Set request, reqid 2, errstat 0, erridx 0
 lsystem. = /cisco/ironlung-configg
*Mar  1 03:42:01.971 PST: %SYS-4-SNMP_HOSTCONFIGSET: SNMP hostConfigSet
  Loading configuration from
*Mar  1 03:42:01.999 PST: SNMP: Queuing packet to
*Mar  1 03:42:01.999 PST: SNMP: V1 Trap, ent ciscoConfigManMIB.2, addr, gentrap 6, spectrap 1
 ccmHistoryEventEntry.3.58 = 2
 ccmHistoryEventEntry.4.58 = 6
 ccmHistoryEventEntry.5.58 = 3

Cisco Internetwork Operating System Software IOS (tm) 2500 Software
(C2500-IS56-L), Version 11.2(8), RELEASE SOFTWARE (fc1) Copyright (c)
1986-1997 by cisco Systems, Inc. Compiled Tue 05-Aug-97 09:07 by ckralik
Image text-base: 0x00001448, data-base: 0x00561104

ROM: System Bootstrap, Version 4.14(9.1), SOFTWARE

ironlung uptime is 2 weeks, 13 hours, 19 minutes
System restarted by power-on
System image file is "c2500-is56-l.112-8.Z", booted via flash
Host configuration file is "/cisco/ironlung-confg", booted via tftp from

cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 01560898, with hardware revision 00000000
Bridging software.

Snmpset  is  an SNMP application that uses the SET Request to set
information on a network entity.  One or more fully qualified object
identifiers must be given as arguments on the command line.  A type and a
value to set  must  accompany  each object identifier.  Each variable name
is given in the format specified in variables.

If  the network entity has an error processing the request packet, an error
packet will be  returned  and  a  message will be shown, helping to
pinpoint in what way the request was
malformed.  If  there  were  other  variables  in  the request,  the
request will be resent without the bad variable.
sub confActions
        my($tftpHost, $pathName, $initHost, $comm) = @_;
        postMessages("confActions($tftpHost, $pathName,
                                $initHost, $comm)", $LOGDBG);
        if ($tftpHost eq $initHost) {
                postMessages(">>>> tftpHost = router: $initHost


        if (!openSNMP($initHost, $comm)) {
                postMessages("$initHost\:", $LOGDBS);
                if ($ConfFlag == $ConfRead ||
                        $ConfFlag == $ConfLoad) {
                        $v = "hostConfigSet\[$tftpHost\]=\"$pathName\"";
                        $results = &snmp_set($COMMPORT, $v);
                        postMessages("\tsnmp_set($COMMPORT, $v)=$results",

                if ($ConfFlag == $ConfWrite ||
                $ConfFlag == $ConfLoad) {
                        $v = "writeMem=1";
                        $results = &snmp_set($COMMPORT, $v);
                        postMessages("\tsnmp_set($COMMPORT, $v)=$results",
        postMessages("confActions exits", $LOGDBG);

At 08:37 AM 11/29/00 +0800, David Taylor wrote:
On Tue, 28 Nov 2000, Fabio Pietrosanti (naif) wrote:

> [snip]
> Does someone ever used snmpset to upload and/or download configuration
> file from a cisco ios 12 with new system mib ?


I haven't had a need to do this (yet), but the Cisco v2 MIBS include quite
a bit of in-line documentation on how this would be done.  See the URL
below for the relevant MIB...

Dave Taylor

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]