I've recently been doing some research in SNMP which lead me to printer hacking. so I'll do a few posts about SNMP stuff and how a large number of printers seem to be on the net with default settings. I guess I'm trying to work out how a big a threat it is to have people see and maybe change some TCP/IP settings on a printer. So far about the worst I have heard about or seen is storing files on the vuln printer, not the end of the world, not the best thing to have going on on your network but not a shell either.
on the with the snmp enumeration...
SegFault:~ cg$ nmap -A n.y.o.b
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-21 19:50 MST
Interesting ports on PRINERNAME.host.com(n.y.o.b):
Not shown: 1686 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet RICOH maintenance telnetd
80/tcp open http Ricoh Afficio printer web image monitor (Web-Server httpd 3.0)
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp open login Aficio/NRG printer logind
515/tcp open printer lpd (error: Illegal service request)
631/tcp open ipp NRG copier or Ricoh Afficio (Embedded Web-Server 3.0)
9100/tcp open j etdirect?
Service Info: Device: printer
SegFault:~ cg$ sudo nmap -sU n.y.o.b
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-21 19:24 MST
All 1488 scanned ports on PRINERNAME.host.com (n.y.o.b) are open|filtered
Nmap finished: 1 IP address (1 host up) scanned in 145.466 seconds
normal open ports are 21,23,25 (yeah spam relay), 80, 515, 631, 9100
nmap hasnt been giving me good results for UDP scans, there are some other tools to try out i just havent gotten around to it.
SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp
ADMsnmp v 0.1 (c) The ADM crew
./ADMsnmp: [-g,-wordf,-out , [-waitf,-sleep, -manysend,-inter <#>] ]
: host to scan
[-guessname] : guess password with hostname
[-wordfile] : wordlist of password to try
[-outputfile] : output file
[-waitfor] : time in milisecond in each send of snmprequest
[-sleep] : time in second of the scan process life
[-manysend] : how many paket to send by request
[-inter] : time to wait in milisecond after each request
SegFault:~/Desktop/cisco-audit/ADMsnmp
ADMsnmp is a good tool for bruteforcing community names on SNMP enabled boxes.
SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp n.y.o.b -w snmp.passwd
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=1234 id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=2read id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=4changes id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=CISCO id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=IBM id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=OrigEquipMfr id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=SNMP id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=SUN id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=agent id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=all id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=community id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=default id = 44 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable id = 47 >>>>>>>>>>>
>>>>>>>>>>> get req name=field id = 50 >>>>>>>>>>>
>>>>>>>>>>> get req name=guest id = 53 >>>>>>>>>>>
>>>>>>>>>>> get req name=hello id = 56 >>>>>>>>>>>
>>>>>>>>>>> get req name=ibm id = 59 >>>>>>>>>>>
>>>>>>>>>>> get req name=manager id = 62 >>>>>>>>>>>
>>>>>>>>>>> get req name=mngt id = 65 >>>>>>>>>>>
>>>>>>>>>>> get req name=monitor id = 68 >>>>>>>>>>>
>>>>>>>>>>> get req name=netman id = 71 >>>>>>>>>>>
>>>>>>>>>>> get req name=network id = 74 >>>>>>>>>>>
>>>>>>>>>>> get req name=none id = 77 >>>>>>>>>>>
>>>>>>>>>>> get req name=openview id = 80 >>>>>>>>>>>
>>>>>>>>>>> get req name=pass id = 83 >>>>>>>>>>>
>>>>>>>>>>> get req name=password id = 86 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 89 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy id = 92 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 95 >>>>>>>>>>>
<<<<<<<<<<< id =" 96" name =" public" ret ="0">
>>>>>>>>>>>> send setrequest id = 96 name = public >>>>>>>>
>>>>>>>>>>> get req name=read id = 98 >>>>>>>>>>>
<<<<<<<<<<< id =" 97" name =" public" ret ="0">
>>>>>>>>>>> get req name=read-only id = 101 >>>>>>>>>>>
>>>>>>>>>>> get req name=read-write id = 104 >>>>>>>>>>>
>>>>>>>>>>> get req name=root id = 107 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 110 >>>>>>>>>>>
>>>>>>>>>>> get req name=secret id = 113 >>>>>>>>>>>
>>>>>>>>>>> get req name=security id = 116 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 119 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmpd id = 122 >>>>>>>>>>>
>>>>>>>>>>> get req name=solaris id = 125 >>>>>>>>>>>
>>>>>>>>>>> get req name=sun id = 128 >>>>>>>>>>>
>>>>>>>>>>> get req name=switch id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=system id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=tech id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=test id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=world id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 17 >>>>>>>>>>>
snmp check on n.y.o.b
sys.sysName.0:Aficio 2022
name = public readonly access
This one had changed the write community string but let see what we can get for free.
SegFault:~/Desktop/cisco-audit/snmpenum cg$ perl snmpenum.pl n.y.o.b public linux.txt
----------------------------------------
HOSTNAME
----------------------------------------
Aficio 2022
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
23
80
514
515
631
9100
----------------------------------------
MOUNTPOINTS
----------------------------------------
RAM
FLASH
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
137
138
161
----------------------------------------
UPTIME
----------------------------------------
28 days, 08:06:40.00
----------------------------------------
SYSTEM INFO
----------------------------------------
RICOH Aficio 2022 1.04 / RICOH Network Printer C model / RICOH Network Scanner C model / RICOH Network Facsimile C model
----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
----------------------------------------
RUNNING PROCESSES
----------------------------------------
on the with the snmp enumeration...
SegFault:~ cg$ nmap -A n.y.o.b
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-21 19:50 MST
Interesting ports on PRINERNAME.host.com(n.y.o.b):
Not shown: 1686 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet RICOH maintenance telnetd
80/tcp open http Ricoh Afficio printer web image monitor (Web-Server httpd 3.0)
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp open login Aficio/NRG printer logind
515/tcp open printer lpd (error: Illegal service request)
631/tcp open ipp NRG copier or Ricoh Afficio (Embedded Web-Server 3.0)
9100/tcp open j etdirect?
Service Info: Device: printer
SegFault:~ cg$ sudo nmap -sU n.y.o.b
Starting Nmap 4.20 ( http://insecure.org ) at 2007-05-21 19:24 MST
All 1488 scanned ports on PRINERNAME.host.com (n.y.o.b) are open|filtered
Nmap finished: 1 IP address (1 host up) scanned in 145.466 seconds
normal open ports are 21,23,25 (yeah spam relay), 80, 515, 631, 9100
nmap hasnt been giving me good results for UDP scans, there are some other tools to try out i just havent gotten around to it.
SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp
ADMsnmp v 0.1 (c) The ADM crew
./ADMsnmp: [-g,-wordf,-out , [-waitf,-sleep, -manysend,-inter <#>] ]
: host to scan
[-guessname] : guess password with hostname
[-wordfile] : wordlist of password to try
[-outputfile] : output file
[-waitfor] : time in milisecond in each send of snmprequest
[-sleep] : time in second of the scan process life
[-manysend] : how many paket to send by request
[-inter] : time to wait in milisecond after each request
SegFault:~/Desktop/cisco-audit/ADMsnmp
ADMsnmp is a good tool for bruteforcing community names on SNMP enabled boxes.
SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp n.y.o.b -w snmp.passwd
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=1234 id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=2read id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=4changes id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=CISCO id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=IBM id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=OrigEquipMfr id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=SNMP id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=SUN id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=agent id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=all id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=community id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=default id = 44 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable id = 47 >>>>>>>>>>>
>>>>>>>>>>> get req name=field id = 50 >>>>>>>>>>>
>>>>>>>>>>> get req name=guest id = 53 >>>>>>>>>>>
>>>>>>>>>>> get req name=hello id = 56 >>>>>>>>>>>
>>>>>>>>>>> get req name=ibm id = 59 >>>>>>>>>>>
>>>>>>>>>>> get req name=manager id = 62 >>>>>>>>>>>
>>>>>>>>>>> get req name=mngt id = 65 >>>>>>>>>>>
>>>>>>>>>>> get req name=monitor id = 68 >>>>>>>>>>>
>>>>>>>>>>> get req name=netman id = 71 >>>>>>>>>>>
>>>>>>>>>>> get req name=network id = 74 >>>>>>>>>>>
>>>>>>>>>>> get req name=none id = 77 >>>>>>>>>>>
>>>>>>>>>>> get req name=openview id = 80 >>>>>>>>>>>
>>>>>>>>>>> get req name=pass id = 83 >>>>>>>>>>>
>>>>>>>>>>> get req name=password id = 86 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 89 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy id = 92 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 95 >>>>>>>>>>>
<<<<<<<<<<< id =" 96" name =" public" ret ="0">
>>>>>>>>>>>> send setrequest id = 96 name = public >>>>>>>>
>>>>>>>>>>> get req name=read id = 98 >>>>>>>>>>>
<<<<<<<<<<< id =" 97" name =" public" ret ="0">
>>>>>>>>>>> get req name=read-only id = 101 >>>>>>>>>>>
>>>>>>>>>>> get req name=read-write id = 104 >>>>>>>>>>>
>>>>>>>>>>> get req name=root id = 107 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 110 >>>>>>>>>>>
>>>>>>>>>>> get req name=secret id = 113 >>>>>>>>>>>
>>>>>>>>>>> get req name=security id = 116 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 119 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmpd id = 122 >>>>>>>>>>>
>>>>>>>>>>> get req name=solaris id = 125 >>>>>>>>>>>
>>>>>>>>>>> get req name=sun id = 128 >>>>>>>>>>>
>>>>>>>>>>> get req name=switch id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=system id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=tech id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=test id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=world id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 17 >>>>>>>>>>>
snmp check on n.y.o.b
sys.sysName.0:Aficio 2022
name = public readonly access
This one had changed the write community string but let see what we can get for free.
SegFault:~/Desktop/cisco-audit/snmpenum cg$ perl snmpenum.pl n.y.o.b public linux.txt
----------------------------------------
HOSTNAME
----------------------------------------
Aficio 2022
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
23
80
514
515
631
9100
----------------------------------------
MOUNTPOINTS
----------------------------------------
RAM
FLASH
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
137
138
161
----------------------------------------
UPTIME
----------------------------------------
28 days, 08:06:40.00
----------------------------------------
SYSTEM INFO
----------------------------------------
RICOH Aficio 2022 1.04 / RICOH Network Printer C model / RICOH Network Scanner C model / RICOH Network Facsimile C model
----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
----------------------------------------
RUNNING PROCESSES
----------------------------------------
No comments:
Post a Comment
Note: only a member of this blog may post a comment.