File: snmp-hh3c-logins.nse

package info (click to toggle)
nmap 7.94%2Bgit20230807.3be01efb1%2Bdfsg-4~bpo12%2B1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-backports
  • size: 48,324 kB
  • sloc: xml: 66,340; cpp: 60,780; ansic: 31,032; python: 17,792; sh: 12,291; perl: 2,687; makefile: 1,017; objc: 45; java: 45
file content (148 lines) | stat: -rw-r--r-- 4,388 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
 
local nmap = require "nmap"
local shortport = require "shortport"
local snmp = require "snmp"
local stdnse = require "stdnse"

description = [[
Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the
hh3c-user.mib OID

For devices running software released pre-Oct 2012 only an SNMP read-only
string is required to access the OID. Otherwise a read-write string is
required.

Output is 'username - password - level: {0|1|2|3}'

Password may be in cleartext, ciphertext or sha256
Levels are from 0 to 3 with 0 being the lowest security level

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html
]]

---
-- @usage
-- nmap -sU -p 161 --script snmp-hh3c-logins --script-args creds.snmp=:<community> <target>
--
-- @output
-- | snmp-hh3c-logins:
-- |   users:
-- |     admin - admin - level: 3
-- |_    h3c - h3capadmin - level 0
--
-- @xmloutput
-- <table>
--   <elem key="password">admin<elem>
--   <elem key="username">admin</elem>
--   <elem key="level">3</elem>
-- </table>
-- <table>
--   <elem key="password">h3capadmin<elem>
--   <elem key="username">h3c</elem>
--   <elem key="level">0</elem>
-- </table>

author = "Kurt Grutzmacher"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
dependencies = {"snmp-brute"}

-- Version 0.3
-- Created 10/01/2012 - v0.1 - created via modifying other walk scripts
-- Updated 10/25/2012 - v0.2 - bugfixes and better output per NSE standards
-- Updated 11/08/2012 - v0.3 - added xmloutput


portrule = shortport.port_or_service(161, "snmp", "udp", {"open", "open|filtered"})

--- Gets a value for the specified oid
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @param oid string containing the object id for which the value should be extracted
-- @return value of relevant type or nil if oid was not found
function get_value_from_table( tbl, oid )

  for _, v in ipairs( tbl ) do
    if v.oid == oid then
      return v.value
    end
  end

  return nil
end

--- Processes the table and creates the script output
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @return <code>stdnse.output_table</code> formatted table
function process_answer( tbl )

  -- h3c-user MIB OIDs (oldoid)
  local h3cUserName = "1.3.6.1.4.1.2011.10.2.12.1.1.1.1"
  local h3cUserPassword = "1.3.6.1.4.1.2011.10.2.12.1.1.1.2"
  local h3cUserLevel = "1.3.6.1.4.1.2011.10.2.12.1.1.1.4"
  local h3cUserState = "1.3.6.1.4.1.2011.10.2.12.1.1.1.5"

  -- hh3c-user MIB OIDs (newoid)
  local hh3cUserName = "1.3.6.1.4.1.25506.2.12.1.1.1.1"
  local hh3cUserPassword = "1.3.6.1.4.1.25506.2.12.1.1.1.2"
  local hh3cUserLevel = "1.3.6.1.4.1.25506.2.12.1.1.1.4"
  local hh3cUserState = "1.3.6.1.4.1.25506.2.12.1.1.1.5"

  local output = stdnse.output_table()
  output.users = {}

  for _, v in ipairs( tbl ) do

    if ( v.oid:match("^" .. h3cUserName) ) then
      local item = {}
      local oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserPassword)
      local password = get_value_from_table( tbl, oldobjid )

      if ( password == nil ) or ( #password == 0 ) then
        local newobjid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserPassword)
        password = get_value_from_table( tbl, newobjid )
      end

      oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserLevel)
      local level = get_value_from_table( tbl, oldobjid )

      if ( level == nil ) then
        local newobjoid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserLevel)
        level = get_value_from_table( tbl, oldobjid )
      end

      output.users[#output.users + 1] = {username=v.value, password=password, level=level}
    end

  end

  return output
end

action = function(host, port)

  local oldsnmpoid = "1.3.6.1.4.1.2011.10.2.12.1.1.1"
  local newsnmpoid = "1.3.6.1.4.1.25506.2.12.1.1.1"

  local snmpHelper = snmp.Helper:new(host, port)
  snmpHelper:connect()

  local status, users = snmpHelper:walk( oldsnmpoid )

  if (not(status)) or ( users == nil ) or ( #users == 0 ) then

    -- no status? try new snmp oid
    status, users = snmpHelper:walk( newsnmpoid )

    if (not(status)) or ( users == nil ) or ( #users == 0 ) then
      return nil
    end

  end

  nmap.set_port_state(host, port, "open")
  return process_answer(users)

end