Scanning SNMPv3 with nmap vs unicornscan

imagensecforcepost.png

Many penetration testers rely on unicornscan’s speed to perform UDP portscans. Sometimes, a first pass is made with unicornscan to detect open UDP ports and then a second pass is made with nmap on those ports to find additional information about the service.

In a recent penetration test we came across an interesting situation where nmap could detect an SNMP service running on the target but unicornscan missed it.

To understand what was happening we wiresharked both scans and compared the packets sent by both scanners.

snmpv3-wireshark-fixed.png

On the left we see the packet sent by unicornscan and on the right the one sent by nmap.

What had happened was that the service running was SNMPv3 and while nmap was sending an SNMPv3 get-request, unicornscan was sending an SNMPv1 get-request which was’t understood/supported by the remote service.

Fortunately, unicornscan is a flexible tool which allows the creation of custom payloads. Creating a payload is as simple as adding the new payload to the configuration file (payloads.conf). By inspecting this file we saw that, as expected, there was an SNMPv1 payload which corresponded exactly to the bytes we saw in wireshark (see selected bytes).

Following this logic, all we had to do was create a payload from the bytes selected in the second capture file. Thus, the new payload looks like this:

/* SNMPv3 payload */
udp 161 161 1 {
"\x30\x3a\x02\x01\x03\x30\x0f\x02\x02\x4a\x69\x02\x03\x00\xff\xe3"
"\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0e\x04\x00\x02\x01\x00\x02"
"\x01\x00\x04\x00\x04\x00\x04\x00\x30\x12\x04\x00\x04\x00\xa0\x0c"
"\x02\x02\x37\xf0\x02\x01\x00\x02\x01\x00\x30\x00"
};

Now, when you run unicornscan it will detect SNMPv3! 🙂

You may also be interested in...

imagensecforcepost.png
Jan. 7, 2013

Stacked based MSSQL blind injection bypass methodology

This post is part of a methodology used for obtaining output from a stacked based blind SQL injection.

See more
imagensecforcepost.png
Dec. 9, 2008

Why penetration test? Is firewall not enough?

A few days ago someone visited our website after searching in Google “why penetration test? firewall is not secure enough?”. We are going to dedicate this post just to that topic.

See more