SNMP for SAINT

Overview

SAINT is a network security tool. I have added some code to it that enables it to:
  1. Do some simple community string guessing, warning if a string is guessed.
  2. If the read string is guessed (or given), use the sysDescr info to help figure out what the host type is.

Download the package

Here it is

SNMP Libraries/ licensing

Makes use of the Perl SNMP libraries created by Simon Leinen.

No explicit license is given with the SNMP code, so I am unsure what its status is. Since Simon Leinen is currently distributing his code on the web, this shouldn't be a major issue. A version of his SNMP Perl libraries is included with this module, but all licensing questions should go to his page.

I, Tom Payerle, license all my original code in this package under standard SAINT/SATAN license.

Summary of Changes

New files

perllib/SNMP_Session-0.65.README
perllib/SNMP_Session.pm
perllib/SNMP_util.pm
perllib/BER.pm
Part of Simon Leinen's SNMP libraries for Perl

config/SNMP_communities.pl
New file. Contains a list of read community strings for specific hosts, so that SAINT can pick up the SNMP sysDescr for a device even if its community string cannot be guessed.

html/tutorials/vulnerabilities/Guessable_Write_Community
html/tutorials/vulnerabilities/Guessable_Read_Community
Blurb on why you probably don't want guessable community strings.

bin/snmp.saint
Actual probe code.

README.SNMP
Basically, a text version of this page.

Modified files

perl/hosttype.pl
Modified so that it will look at SNMP records as well as the telnet, ftp and smtp records when identifying a host via rules/hosttype. Also added a line to require severities.pl when run outside SAINT, as this was hanging up.

rules/todo
Modified to call snmp.saint (with write community guessing enabled) if the host offers SNMP.
config/saint.cf
Added a 120 second timeout for snmp.saint.

Probe algorithm, etc

The probe reads in the SNMP_communities.pl file.

If it is given the read community for a host, it connects with that string and reads sysDescr. If it can't connect, it continues as if it had not been given the read community string. If a string is given and the probe has not been told to ignore guessable strings for that host, it will complain if the string is in the list of strings to guess.

If no read community string is given, or it was wrong, it tries to guess it. This is currently done by simple brute force: it tries everything on a list, which is currently short (public, private, and the null string). If it succeeds in connecting, it reads sysDescr for host typing and generates a warning.

If called with the "-w" flag (the current todo uses it), it will also try to guess the write community string. This is not only brutish but invasive: it tries to connect, then, to prove it has a write community, resets sysLocation (it will try to set it back to the original value if that succeeds). If it guesses a write community, it warns about that as well.

Not elegant or efficient, but it works (albeit it requires a somewhat large timeout value if it needs to guess).
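The probe's read step, shown at the wire level as an added example. This is not code from SAINT or from Simon Leinen's SNMP_Session library (which does the same job in Perl); it is written in Python for illustration. It hand-encodes the SNMPv1 GetRequest for sysDescr.0 that is sent with a given community string, and decodes the agent's GetResponse, refusing a reply whose request-id does not match the outstanding request. The sysDescr text and the response bytes are constructed here, not captured from a real device; sending the datagram to UDP port 161 and waiting with a timeout is left to the caller.

```python
"""SNMPv1 GetRequest/GetResponse for sysDescr.0, BER-encoded and decoded by hand.

Added example, not code from SAINT or SNMP_Session. Socket I/O is left to the caller.
"""

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"      # sysDescr.0 (MIB-II, RFC 1213)

# BER tags used by SNMPv1 (RFC 1157)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET_REQUEST, PDU_GET_RESPONSE = 0xA0, 0xA2


def ber_length(n):
    """Definite-form length: one byte below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_integer(value):
    """Shortest two's-complement encoding, as BER requires."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def encode_oid(dotted):
    """First two arcs share one byte (40*x + y); later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(body))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # adequate for arcs under 2.40, which covers MIB-II
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_pdu(pdu_tag, community, request_id, varbinds, error_status=0):
    """Wrap (oid, encoded value) pairs in a PDU and an SNMPv1 message (version field 0)."""
    vbl = b"".join(tlv(TAG_SEQUENCE, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, encode_integer(request_id) + encode_integer(error_status)
              + encode_integer(0) + tlv(TAG_SEQUENCE, vbl))
    return tlv(TAG_SEQUENCE, encode_integer(0) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, request_id, oid=SYS_DESCR_OID):
    """GetRequest for one OID; the value slot is NULL, as the agent fills it in."""
    return build_pdu(PDU_GET_REQUEST, community, request_id, [(oid, tlv(TAG_NULL, b""))])


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); refuses lengths that run past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds message")
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(msg, expected_request_id):
    """Decode a GetResponse into community, error status and {oid: value}."""
    tag, body, _ = read_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, _version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != PDU_GET_RESPONSE:
        raise ValueError("not a GetResponse")
    _, rid, pos = read_tlv(pdu)
    if int.from_bytes(rid, "big", signed=True) != expected_request_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    _, err, pos = read_tlv(pdu, pos)
    _, _index, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_body, p = read_tlv(vb)
        vtag, value, _ = read_tlv(vb, p)
        varbinds[decode_oid(oid_body)] = value.decode("latin-1") if vtag == TAG_OCTET_STRING else value
    return {"community": community.decode("latin-1"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


# Constructed sample reply (not from a real device) for the request built above.
SAMPLE_SYS_DESCR = "Constructed sysDescr for an example router (sample value)"
SAMPLE_RESPONSE = build_pdu(PDU_GET_RESPONSE, "public", 1,
                            [(SYS_DESCR_OID, tlv(TAG_OCTET_STRING, SAMPLE_SYS_DESCR.encode()))])

if __name__ == "__main__":
    print(build_get_request("public", 1).hex())
    print(parse_get_response(SAMPLE_RESPONSE, 1))
```

Under SNMPv1 an agent that does not recognise the community string simply discards the request (at most emitting an authenticationFailure trap), so a wrong guess produces no reply at all rather than an error; that silence is why guessing needs the 120 second timeout mentioned above, and why the parser checks the request-id rather than assuming the first datagram back belongs to the current attempt.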