File: snmp_detect.nasl

#
# This script was written by Noam Rathaus <noamr@securiteam.com>
#
# See the Nessus Scripts License for details
#
#
# Changes by rd : improved the SNMP detection (done using
# a null community name)
#

if(description)
{
 script_id(10265);

 # Registration branch: the engine loads the plugin with `description` set,
 # records the metadata below and exits before any probing happens.  The
 # strings are handed straight to each script_* call instead of going through
 # the name[]/desc[]/summary[]/family[] arrays; the text itself is unchanged.
 script_name(english:"An SNMP Agent is running");
 script_summary(english:"An SNMP Agent is running");

 script_description(english:"Either (or both) of the ports UDP:161 and UDP:162 are open. This usually
indicates an SNMP agent is present. Having such an agent open to outside
access may be used to compromise sensitive information, and can be used to
cause a Denial of Service attack. Certain SNMP agents (such as BMC's Patrol
Agent) are vulnerable to root compromise attacks.

More Information:
http://www.securiteam.com/exploits/Patrol_s_SNMP_Agent_3_2_can_lead_to_root_compromise.html

Risk factor : High");

 script_category(ACT_GATHER_INFO);
 script_family(english:"SNMP");
 script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");

 exit(0);
}

#
# The script code starts here
#

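 #
 # Detection body.  Two changes from the original:
 #  - UDP/162 is now gated by its own get_udp_port_state() check instead of
 #    being skipped whenever 161 is reported closed; the plugin description
 #    promises to report "either (or both)" ports, and the original early
 #    exit made the trap-port check unreachable in that case.
 #  - close() is only called on a socket that open_sock_udp() actually
 #    returned, instead of unconditionally on both variables.
 #

 # --- UDP/161: SNMP agent ------------------------------------------------
 if (get_udp_port_state(161))
 {
  socudp161 = open_sock_udp(161);

  if (socudp161)
  {
   # One SNMPv1 GetNextRequest with an empty ("null") community string,
   # asking for the first object below 1.3.6.1.2.1 (mib-2).  Decoded:
   #   30 82 00 26             SEQUENCE, length 38 (long-form length)
   #   02 01 00                INTEGER  version = 0 (SNMPv1)
   #   04 00                   OCTET STRING community = "" (empty)
   #   A1 82 00 1D             GetNextRequest-PDU, length 29
   #   02 04 1D 99 1E F4       INTEGER  request-id (fixed value)
   #   02 01 00                INTEGER  error-status = 0
   #   02 01 00                INTEGER  error-index  = 0
   #   30 82 00 0D             SEQUENCE varbind list, length 13
   #   30 82 00 09             SEQUENCE varbind, length 9
   #   06 05 2B 06 01 02 01    OID 1.3.6.1.2.1
   #   05 00                   NULL value
   # Any reply at all -- an error PDU from an agent that rejects the empty
   # community included -- is enough to conclude an SNMP agent is listening;
   # the reply content is deliberately not parsed.
   req = raw_string(
   	      0x30, 0x82, 0x00, 0x26, 0x02, 0x01,
   0x00, 0x04, 0x00, 0xA1, 0x82, 0x00, 0x1D, 0x02,
   0x04, 0x1D, 0x99, 0x1E, 0xF4, 0x02, 0x01, 0x00,
   0x02, 0x01, 0x00, 0x30, 0x82, 0x00, 0x0D, 0x30,
   0x82, 0x00, 0x09, 0x06, 0x05, 0x2B, 0x06, 0x01,
   0x02, 0x01, 0x05, 0x00);
   send(socket:socudp161, data:req);
   result = recv(socket:socudp161, length:1000);
   if (result)
   {
    data = "SNMP Agent port open, it is possible to execute
SNMP GET and SET, (with the proper community names)";
    security_warning(port:161, data:data, protocol:"udp");
    # Other plugins key off this to decide whether SNMP checks are worth running.
    set_kb_item(name:"SNMP/running", value:TRUE);
   }
   close(socudp161);
  }
 }

 # --- UDP/162: SNMP trap receiver ---------------------------------------
 if (get_udp_port_state(162))
 {
  socudp162 = open_sock_udp(162);

  if (socudp162)
  {
   # NOTE(review): weak heuristic, kept as in the original.  A trap receiver
   # normally does not answer at all, so no reply proves nothing, and any
   # datagram longer than one byte coming back from whatever is bound to
   # UDP/162 is reported as a trap agent.  Treat this finding as low
   # confidence until confirmed by other means.
   send(socket:socudp162, data:string("\r\n"));
   result = recv(socket:socudp162, length:1000);
   if (strlen(result)>1)
   {
    data = "SNMP Trap Agent port open, it is possible to
overflow the SNMP Traps log with fake traps (if proper community
names are known), causing a Denial of Service";
    security_warning(port:162, data:data, protocol:"udp");
   }
   close(socudp162);
  }
 }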