-
Notifications
You must be signed in to change notification settings - Fork 1
/
snmp-hh3c-logins.nse
157 lines (121 loc) · 4.45 KB
/
snmp-hh3c-logins.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
local nmap = require "nmap"
local shortport = require "shortport"
local snmp = require "snmp"
local stdnse = require "stdnse"
description = [[
Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the
hh3c-user.mib OID
For devices running software released pre-Oct 2012 only an SNMP read-only
string is required to access the OID. Otherwise a read-write string is
required.
Output is 'username - password - level: {0|1|2|3}'
Password may be in cleartext, ciphertext or sha256
Levels are from 0 to 3 with 0 being the lowest security level
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html
]]
---
-- @usage
-- nmap -sU -p 161 --script snmp-hh3c-logins --script-args --script-args snmpcommunity=<community> <target>
--
-- @output
-- | snmp-hh3c-logins:
-- | users:
-- | admin - admin - level: 3
-- |_ h3c - h3capadmin - level 0
--
-- @xmloutput
-- <table>
-- <elem key="password">admin<elem>
-- <elem key="username">admin</elem>
-- <elem key="level">3</elem>
-- </table>
-- <table>
-- <elem key="password">h3capadmin<elem>
-- <elem key="username">h3c</elem>
-- <elem key="level">0</elem>
-- </table>
author = "Kurt Grutzmacher"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
dependencies = {"snmp-brute"}
-- Version 0.3
-- Created 10/01/2012 - v0.1 - created via modifying other walk scripts
-- Updated 10/25/2012 - v0.2 - bugfixes and better output per NSE standards
-- Updated 11/08/2012 - v0.3 - added xmloutput
portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
--- Gets a value for the specified oid
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @param oid string containing the object id for which the value should be extracted
-- @return value of relevant type or nil if oid was not found
function get_value_from_table( tbl, oid )
for _, v in ipairs( tbl ) do
if v.oid == oid then
return v.value
end
end
return nil
end
--- Processes the table and creates the script output
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @return <code>stdnse.output_table</code> formatted table
function process_answer( tbl )
-- h3c-user MIB OIDs (oldoid)
local h3cUserName = "1.3.6.1.4.1.2011.10.2.12.1.1.1.1"
local h3cUserPassword = "1.3.6.1.4.1.2011.10.2.12.1.1.1.2"
local h3cUserLevel = "1.3.6.1.4.1.2011.10.2.12.1.1.1.4"
local h3cUserState = "1.3.6.1.4.1.2011.10.2.12.1.1.1.5"
-- hh3c-user MIB OIDs (newoid)
local hh3cUserName = "1.3.6.1.4.1.25506.2.12.1.1.1.1"
local hh3cUserPassword = "1.3.6.1.4.1.25506.2.12.1.1.1.2"
local hh3cUserLevel = "1.3.6.1.4.1.25506.2.12.1.1.1.4"
local hh3cUserState = "1.3.6.1.4.1.25506.2.12.1.1.1.5"
local output = stdnse.output_table()
output.users = {}
for _, v in ipairs( tbl ) do
if ( v.oid:match("^" .. h3cUserName) ) then
local item = {}
local oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserPassword)
local password = get_value_from_table( tbl, oldobjid )
if ( password == nil ) or ( #password == 0 ) then
local newobjid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserPassword)
password = get_value_from_table( tbl, newobjid )
end
oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserLevel)
local level = get_value_from_table( tbl, oldobjid )
if ( level == nil ) then
local newobjoid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserLevel)
level = get_value_from_table( tbl, oldobjid )
end
output.users[#output.users + 1] = {username=v.value, password=password, level=level}
end
end
return output
end
action = function(host, port)
local socket = nmap.new_socket()
local catch = function() socket:close() end
local try = nmap.new_try(catch)
local data, oldsnmpoid = nil, "1.3.6.1.4.1.2011.10.2.12.1.1.1"
local data, newsnmpoid = nil, "1.3.6.1.4.1.25506.2.12.1.1.1"
local users = {}
local status
socket:set_timeout(5000)
try(socket:connect(host, port))
status, users = snmp.snmpWalk( socket, oldsnmpoid )
socket:close()
if (not(status)) or ( users == nil ) or ( #users == 0 ) then
-- no status? try new snmp oid
socket:set_timeout(5000)
try(socket:connect(host, port))
status, users = snmp.snmpWalk( socket, newsnmpoid )
socket:close()
if (not(status)) or ( users == nil ) or ( #users == 0 ) then
return users
end
end
nmap.set_port_state(host, port, "open")
return process_answer(users)
end