def password_brutefore(options, communities, ips):
    """Send one SNMP GET per community string to every host in *ips* and return the distinct replies.

    Args:
        options: Namespace read for ``timeOut`` (socket timeout), ``port``, ``rate``
            (passed through to ``SNMPsend``), ``stdin`` (also read community strings
            from standard input) and ``delay`` (extra grace period for late replies).
        communities: Candidate community strings; trailing whitespace is stripped.
        ips: Hosts to send to.

    Returns:
        The ``results`` list filled by the listener thread, with duplicates removed.
        De-duplication uses ``in``, i.e. the result objects' own equality.
    """
    s = socket(AF_INET, SOCK_DGRAM)
    s.settimeout(options.timeOut)
    results = []
    # Replies are collected on a separate thread; `listener` (defined elsewhere in
    # the module) receives the shared socket and the `results` list it fills.
    T = threading.Thread(name='listener', target=listener, args=(s, results,))
    T.start()
    # One GET for the same OID (1.3.6.1.2.1.1.1.0) in each protocol version, so a
    # host answering either v1 or v2c is caught.
    p1 = SNMP(
        version=SNMPVersion.iversion('v1'),
        PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
    )
    p2c = SNMP(
        version=SNMPVersion.iversion('v2c'),
        PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
    )
    packets = [p1, p2c]
    # Every community string against every host; `i` is unused (a progress
    # indicator was once printed here).
    for i, community in enumerate(communities):
        for ip in ips:
            SNMPsend(s, packets, ip, options.port, community.rstrip(), options.rate)
    # Optionally keep reading community strings from stdin until EOF or Ctrl+C.
    # Note the asymmetry: only the newline is stripped here, not other whitespace.
    if options.stdin:
        while True:
            try:
                try:
                    community = input().strip('\n')
                    for ip in ips:
                        SNMPsend(s, packets, ip, options.port, community, options.rate)
                except EOFError:
                    break
            except KeyboardInterrupt:
                break
    # Give slow hosts a chance to answer before the listener is torn down.
    try:
        print("Waiting for late packets (CTRL+C to stop)")
        sleep(options.timeOut + options.delay)  # Waiting in case of late response
    except KeyboardInterrupt:
        pass
    # NOTE(review): `_Thread__stop` is a private Python 2 API; it does not exist
    # on Python 3 threads, so this line raises AttributeError there.
    T._Thread__stop()
    # NOTE(review): `s.close` is an attribute reference, not a call — the socket
    # is never actually closed.
    s.close
    # Remove duplicates; quadratic, and relies on the result objects' __eq__.
    newlist = []
    for i in results:
        if i not in newlist:
            newlist.append(i)
    return newlist
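def SNMPRequest(result, OID, value='', TimeOut=defaults.timeOut):
    """Send one SNMP GET (or SET when *value* is given) for *OID* to the host recorded in *result*.

    Args:
        result: A previous result object; its ``version``, ``addr`` (host, port)
            and ``community`` are reused for this request.
        OID: Object identifier to query, as a dotted string.
        value: When non-empty, an SNMP SET carrying this value is sent instead of a GET.
        TimeOut: Receive timeout in seconds for each attempt.

    Returns:
        The response as returned by ``SNMPrecv``.

    Raises:
        timeout: (socket.timeout) when no response arrives within the retry budget.
    """
    attempts = 5  # each attempt waits TimeOut, then backs off 0.5 s before retrying
    version = SNMPVersion.iversion(result.version)
    if value:
        p = SNMP(
            version=version,
            PDU=SNMPset(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID), value=value)]))
    else:
        p = SNMP(
            version=version,
            PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID))]))

    s = socket(AF_INET, SOCK_DGRAM)
    s.settimeout(TimeOut)
    response = ''
    try:
        SNMPsend(s, p, result.addr[0], result.addr[1], result.community)
        for _ in range(attempts):
            try:
                response, _addr = SNMPrecv(s)
                break
            except timeout:
                sleep(0.5)
    finally:
        # The original wrote `s.close` without parentheses, so the descriptor
        # leaked on every call; close it on all paths, including a raised error.
        s.close()
    if not response:
        raise timeout
    return response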
def cmd_snmp_crack(ip, port, stop, verbose):
    """Send an SNMP GET to *ip* once per community string in ``data/dict_snmp.txt``.

    Args:
        ip: Destination address for the probes.
        port: UDP port used as both source and destination port.
        stop: When true, stop after the first community string that receives a reply.
        verbose: When true, print one dot per attempt to stdout.

    Returns:
        Always ``True``; hits are printed rather than returned.
    """
    here = os.path.dirname(os.path.abspath(__file__))
    wordlist = Path(os.path.abspath(os.path.join(here, '../data', 'dict_snmp.txt')))
    # A plain split keeps a trailing empty entry when the file ends with a newline.
    candidates = wordlist.read_text().split('\n')

    conf.verb = False
    probe = (
        IP(dst=ip)
        / UDP(sport=port, dport=port)
        / SNMP(community="public",
               PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1"))]))
    )
    for candidate in candidates:
        if verbose:
            print('.', end='', flush=True)
        probe[SNMP].community = candidate
        reply = sr1(probe, timeout=0.5, verbose=0)
        if not reply:
            continue
        print('\nCommunity found:', candidate)
        if stop:
            break
    return True
def perform_healthcheck(self, exsock):
    '''Check whether the target still answers, either over TCP or via an SNMP GET.

    When ``self.params.healthcheckport`` is set, the check is a TCP connect to that
    port through ``exsock``. Otherwise a GET for 1.3.6.1.2.1.1.3.0 is sent with
    ``self.params.community`` and the reply is awaited (2048-byte receive).

    NOTE(review): ``healthy`` is computed on every path but never returned or
    stored, so callers cannot see the outcome unless an exception propagates.
    ``terminateFlingOnException`` controls whether interrupt/timeout are re-raised.
    '''
    healthy = False
    if self.params.healthcheckport:
        healthy = exsock.establish_tcp_connection(self.params.healthcheckport)
    else:
        oid = '1.3.6.1.2.1.1.3.0'
        pkt = SNMP(community=self.params.community, PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(oid))]))
        exsock.send(pkt[SNMP])
        try:
            # Any reply at all counts as healthy; the payload itself is not inspected.
            response = exsock.receive(2048)
            healthy = True
        except KeyboardInterrupt,e:
            print "[-] keyboard interrupt before response received"
            if self.terminateFlingOnException:
                raise KeyboardInterrupt,e
        except socket.timeout,e:
            # NOTE(review): `okay` is set to False immediately before it is tested,
            # so `not okay` is always true here; the re-raise depends only on the flag.
            okay = False
            print "[-] no response from health check - target may have crashed"
            if not okay and self.terminateFlingOnException:
                raise socket.timeout,e
def handle_connect(self):
    """Write one SNMP GET for ``self.oid`` (community ``self.comm``) through ``self.send``.

    ``send`` may accept only part of the buffer per call, so the loop keeps
    writing the unsent tail until nothing is left.
    NOTE(review): the request is serialised with ``str()``, which only yields raw
    bytes on Python 2 — confirm the interpreter this dispatcher runs under.
    """
    request = SNMPget(varbindlist=[SNMPvarbind(oid=self.oid)])
    pending = str(SNMP(community=self.comm, PDU=request))
    while pending:
        accepted = self.send(pending)
        pending = pending[accepted:]
def _snmp_get(self, oid):
    """Issue one SNMP GET for *oid* over the socket from ``_snmp_connect`` and return the first varbind's value.

    NOTE(review): the socket is neither closed nor returned, and a single
    4096-byte ``recv`` is assumed to hold the whole reply — confirm against
    ``_snmp_connect``.
    """
    community, sock = self._snmp_connect()
    request = SNMP(
        community=community,
        PDU=SNMPget(varbindlist=[SNMPvarbind(oid=str(oid))]),
    )
    sock.sendall(request.build())
    reply = SNMP(sock.recv(4096))
    first_binding = reply.PDU.varbindlist[0]
    return first_binding.value.val
def cmd_crack_snmp(ip, community, port, stop, verbose):
    """Launches snmp-get queries against an IP, and tells you when finds a valid community string (is a simple SNMP cracker).

    The dictionary used is the distributed with the onesixtyone tool https://github.com/trailofbits/onesixtyone

    Example:

    \b
    # habu.crack.snmp 179.125.234.210
    Community found: private
    Community found: public

    Note: You can also receive messages like \<UNIVERSAL\> \<class 'scapy.asn1.asn1.ASN1\_Class\_metaclass'\>, I don't know how to supress them for now.
    """
    # The docstring above is the CLI help text (click's "\b" marker included), so it is kept verbatim.
    here = os.path.dirname(os.path.abspath(__file__))
    wordlist = Path(os.path.abspath(os.path.join(here, '../data', 'dict_snmp.txt')))
    if community:
        candidates = [community]
    else:
        # Plain split keeps a trailing empty entry when the file ends with a newline.
        candidates = wordlist.read_text().split('\n')

    conf.verb = False
    template = (
        IP(dst=ip)
        / UDP(sport=port, dport=port)
        / SNMP(community="public",
               PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1"))]))
    )
    # Iterating the packet yields one concrete packet per destination the
    # template expands to — NOTE(review): confirm the expansion for this scapy version.
    for probe in template:
        if verbose:
            print(probe[IP].dst)
        for candidate in candidates:
            if verbose:
                print('.', end='', flush=True)
            probe[SNMP].community = candidate
            reply = sr1(probe, timeout=0.5, verbose=0)
            if not (reply and UDP in reply):
                continue
            print('\n{} - Community found: {}'.format(probe[IP].dst, candidate))
            if stop:
                break  # only leaves the candidate loop; the next destination is still tried
    return True
def guess(self, communities):
    """Send one GET for 1.3.6.1.2.1.1.1.0 per community string to ``self.addr`` and return the communities echoed in the replies.

    Sends are paced by ``sleep(1 / self.rate)``; after the last send, replies are
    read from ``self.s`` until it times out, and each reply's community field is
    collected in order of arrival.

    NOTE(review): the packet is serialised with ``str()`` before ``sendto``, and
    ``1 / self.rate`` is integer division when ``rate`` is an int on Python 2 —
    both suggest this targets Python 2; confirm.
    """
    probe = SNMP(
        version=self.version,
        PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))]),
    )
    for candidate in communities:
        # Fresh request-id per send; the community field is the only other thing that varies.
        probe.PDU.id = randint(0, 2147483647)
        probe.community = candidate
        self.s.sendto(str(probe), self.addr)
        sleep(1 / self.rate)

    answered = []
    while True:
        try:
            raw, _ = self.s.recvfrom(65535)
        except timeout:
            break
        answered.append(SNMP(raw).community.val)
    return answered
def main(self, *args):
    """Read the target's system description over SNMP and report it via ``_write_result``.

    If ``self.ip`` is unset, ``self.host`` is resolved first; any resolution
    failure surfaces as ``InvalidTarget``. A single SNMP GET with community
    'public' for ``self.OID_SYSTEM_DESCRIPTION`` is sent from ``SANDBOX_IP`` on
    ``self.SNMP_PORT``. No reply, or an ICMP reply, is reported as
    "No response received."; any other exception is reported by its message
    rather than raised.
    """
    if not self.ip:
        try:
            self.ip = gethostbyname(self.host)
        except Exception:
            raise InvalidTarget('Host not found.')

    transport = IP(dst=self.ip, src=SANDBOX_IP) / UDP(dport=self.SNMP_PORT, sport=self.SNMP_PORT)
    query = SNMP(
        community='public',
        PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(self.OID_SYSTEM_DESCRIPTION))]),
    )
    self._write_result('Trying to read the system description through SNMP...')
    try:
        reply = sr1(transport / query, timeout=self.SNMP_TIMEOUT)
        if not reply or ICMP in reply:
            self._write_result('No response received.')
            return
        # A falsy value is reported with a placeholder instead of an empty string.
        description = reply[SNMPvarbind].value.val or 'no such object'
        self._write_result('Received response: %s' % str(description))
    except Exception as e:
        self._write_result(str(e))
def get(self, oid):
    """Send one SNMP GET for *oid* via ``self._sr`` and return the first varbind as a dict.

    Returns:
        ``{'oid': ..., 'type': ..., 'value': ...}`` where ``type`` is the Python
        class of the varbind's value object and ``value`` its ``.val``.
    """
    request = SNMP(
        community=self.community,
        version=self.version,
        PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(oid))]),
    )
    binding = self._sr(request).PDU.varbindlist[0]
    return dict(
        oid=binding.oid.val,
        type=type(binding.value),
        value=binding.value.val,
    )