printerxpl-forge 6.2.0__py3-none-any.whl

nse/scripts/snmp-device-mac.nse

@@ -0,0 +1,93 @@
+local snmp = require "snmp"
+local shortport = require "shortport"
+
+description = [[
+Get MAC address from printers
+]]
+
+---
+-- @usage
+-- nmap -sS -p 161 --script snmp-device-mac <target>
+--
+-- @output
+-- |_snmp-device-mac: 00:01:02:03:04:AB
+-- <snip>
+--
+
+
+author = "Esteban Dauksis"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+dependecies = {"snmp-brute"}
+
+-- I prefer a portrule for common tcp ports than upd 161 for printer/scanner discovery
+
+-- portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})
+portrule = shortport.portnumber({515, 631, 9100, 1865}, "tcp", "open")
+
+action = function(host,port)
+
+	local socket = nmap.new_socket()
+
+	socket:set_timeout(5000)
+
+	local catch = function()
+		socket:close()
+	end
+
+	local try = nmap.new_try(catch)	
+
+	try(socket:connect(host, 161, "udp"))
+
+	local payload
+	local options = {}
+	options.reqId = 28428 -- pa que?
+	payload = snmp.encode(snmp.buildPacket(snmp.buildGetRequest(options,"1.3.6.1.2.1.2.2.1.6.1")))
+
+        try(socket:send(payload))
+        
+        local status
+        local response
+        
+        status, response = socket:receive_bytes(1)
+
+        if (not status) or (response == "TIMEOUT") then 
+                return
+        end
+	
+	nmap.set_port_state(host, port, "open")
+
+	local result
+
+        local r = snmp.fetchFirst(response)
+	if r ~= "" and r ~= nil then
+		res1 = string.format("%02x:%02x:%02x:%02x:%02x:%02x",string.byte(r),string.byte(r,2),string.byte(r,3),string.byte(r,4),string.byte(r,5),string.byte(r,6)) 
+		return res1
+	end
+
+
+	local payload
+	local options = {}
+	options.reqId = 28429 -- pa que?
+        payload = snmp.encode(snmp.buildPacket(snmp.buildGetRequest(options, "1.3.6.1.2.1.2.2.1.6.2")))
+        
+        try(socket:send(payload))
+        
+        status, response = socket:receive_bytes(1)
+
+        if (not status) or (response == "TIMEOUT") then
+                return
+        end
+        
+	local r2 = snmp.fetchFirst(response)
+	if r2 ~= "" and r2 ~= nil then
+		res2 = string.format("%02x:%02x:%02x:%02x:%02x:%02x",string.byte(r2),string.byte(r2,2),string.byte(r2,3),string.byte(r2,4),string.byte(r2,5),string.byte(r2,6))
+		return res2
+	end
+
+
+	try(socket:close())
+	
+	
+end
+

nse/scripts/snmp-info.nse

@@ -0,0 +1,146 @@
+local datetime = require "datetime"
+local datafiles = require "datafiles"
+local ipOps = require "ipOps"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local snmp = require "snmp"
+local stdnse = require "stdnse"
+local string = require "string"
+local U = require "lpeg-utility"
+local comm = require "comm"
+
+description = [[
+Extracts basic information from an SNMPv3 GET request. The same probe is used
+here as in the service version detection scan.
+]]
+
+---
+--@output
+--161/udp open  snmp    udp-response ttl 244   ciscoSystems SNMPv3 server (public)
+--| snmp-info:
+--|   enterprise: ciscoSystems
+--|   engineIDFormat: mac
+--|   engineIDData: 00:d4:8c:00:11:22
+--|   snmpEngineBoots: 6
+--|_  snmpEngineTime: 358d01h13m46s
+--
+--@xmloutput
+-- <elem key="enterprise">ciscoSystems</elem>
+-- <elem key="engineIDFormat">mac</elem>
+-- <elem key="engineIDData">00:d4:8c:b5:32:bc</elem>
+-- <elem key="snmpEngineBoots">6</elem>
+-- <elem key="snmpEngineTime">358d01h26m34s</elem>
+
+author = "Daniel Miller"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"default", "version", "safe"}
+
+portrule = shortport.version_port_or_service(161, "snmp", "udp")
+
+-- Lifted from nmap-service-probes:
+local SNMPv3GetRequest = "\x30\x3a\x02\x01\x03\x30\x0f\x02\x02\x4a\x69\x02\x03\0\xff\xe3\x04\x01\x04\x02\x01\x03\x04\x10\x30\x0e\x04\0\x02\x01\0\x02\x01\0\x04\0\x04\0\x04\0\x30\x12\x04\0\x04\0\xa0\x0c\x02\x02\x37\xf0\x02\x01\0\x02\x01\0\x30\0"
+
+-- TODO: This should probably check for version 1 and version 2, since those
+-- can operate on the same port. Right now it's really just "snmp3-info"
+action = function (host, port)
+  local ENTERPRISE_NUMS = nmap.registry.enterprise_numbers
+  if not ENTERPRISE_NUMS then
+    local status
+    status, ENTERPRISE_NUMS = datafiles.parse_file("nselib/data/enterprise_numbers.txt",
+      {[function(l) return tonumber(l:match("^%d+")) end] = "\t(.*)$"})
+    if not status then
+      stdnse.debug1("Couldn't parse enterprise numbers datafile: %s", ENTERPRISE_NUMS)
+      ENTERPRISE_NUMS = {}
+      setmetatable(ENTERPRISE_NUMS, {__index = function(i) return "unknown" end})
+    end
+    nmap.registry.enterprise_numbers = ENTERPRISE_NUMS
+  end
+
+  local response
+  -- Did the service engine already do the hard work?
+  if port.version and port.version.service_fp then
+    -- Probes sent, replies received, but no match.
+    response = U.get_response(port.version.service_fp, "SNMPv3GetRequest")
+  end
+
+  if not response then
+    -- Have to send the probe ourselves
+    local status
+    status, response = comm.exchange(host, port, SNMPv3GetRequest)
+    if not status then
+      stdnse.debug1("Couldn't get a response: %s", response)
+      return nil
+    end
+  end
+
+  local decoded = snmp.decode(response)
+
+  -- Check for SNMP version 3 and msgid 0x4a69 (from the probe)
+  if ((not decoded) or
+      (decoded[1] or false) ~= 3 or
+      (not decoded[2]) or
+      (decoded[2][1] or false) ~= 0x4a69) then
+    stdnse.debug1("Service is not SNMPv3, or packet structure not recognized")
+    return nil
+  end
+
+  -- This really only works for User-based Security Model (USM)
+  if decoded[2][4] ~= 3 then
+    -- TODO: at least report the security model in use
+    stdnse.debug1("SNMP service not using User-based Security Model")
+    return nil
+  end
+
+  -- Decode the msgSecurityParameters octet-string
+  decoded = snmp.decode(decoded[3])
+
+  local output = stdnse.output_table()
+  -- Decode the msgAuthoritativeEngineID octet-string
+  local engineID = decoded[1]
+  local enterprise, pos = string.unpack(">I4", engineID)
+  if enterprise > 0x80000000 then
+    enterprise = enterprise - 0x80000000
+    output.enterprise = ENTERPRISE_NUMS[enterprise]
+    local format, data
+    format, pos = string.unpack("B", engineID, pos)
+    if format == 1 then
+      output.engineIDFormat = "ipv4"
+      output.engineIDData = ipOps.str_to_ip(engineID:sub(pos,pos+3))
+    elseif format == 2 then
+      output.engineIDFormat = "ipv6"
+      output.engineIDData = ipOps.str_to_ip(engineID:sub(pos,pos+15))
+    elseif format == 3 then
+      output.engineIDFormat = "mac"
+      output.engineIDData = stdnse.tohex(engineID:sub(pos,pos+5), {separator=':'})
+    elseif format == 4 then
+      output.engineIDFormat = "text"
+      output.engineIDData = engineID:sub(pos)
+    elseif format == 5 then
+      output.engineIDFormat = "octets"
+      output.engineIDData = stdnse.tohex(engineID:sub(pos))
+    else
+      output.engineIDFormat = "unknown"
+      output.engineIDData = stdnse.tohex(engineID:sub(pos))
+    end
+  else
+    output.enterprise = ENTERPRISE_NUMS[enterprise] or enterprise
+    output.engineIDFormat = "unknown"
+    output.engineIDData = stdnse.tohex(engineID:sub(5))
+  end
+  output.snmpEngineBoots = decoded[2]
+  output.snmpEngineTime = datetime.format_time(decoded[3])
+
+  port.version = port.version or {}
+  port.version.service = "snmp"
+  if port.version.product and port.version.product ~= "SNMPv3 server" then
+    port.version.product = ("%s; %s SNMPv3 server"):format(port.version.product, output.enterprise)
+  else
+    port.version.product = ("%s SNMPv3 server"):format(output.enterprise)
+  end
+  nmap.set_port_version(host, port, "hardmatched")
+
+  return output
+end
+

nse/scripts/snmp-sysdescr.nse

@@ -0,0 +1,70 @@
+local datetime = require "datetime"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local snmp = require "snmp"
+local string = require "string"
+
+description = [[
+Attempts to extract system information from an SNMP service.
+]]
+
+---
+-- @usage
+-- nmap -sU -p 161 --script snmp-sysdescr <target>
+--
+-- @output
+-- |  snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT,ROM A.25.80,JETDIRECT,JD117,EEPROM V.28.22,CIDATE 08/09/2006
+-- |_   System uptime: 28 days, 17:18:59 (248153900 timeticks)
+
+author = "Thomas Buchanan"
+
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+categories = {"default", "discovery", "safe"}
+
+dependencies = {"snmp-brute"}
+
+
+portrule = shortport.port_or_service(161, "snmp", "udp", {"open", "open|filtered"})
+
+---
+-- Sends SNMP packets to host and reads responses
+action = function(host, port)
+
+  local snmpHelper = snmp.Helper:new(host, port)
+  snmpHelper:connect()
+
+  -- build a SNMP v1 packet
+  -- copied from packet capture of snmpget exchange
+  -- get value: 1.3.6.1.2.1.1.1.0 (SNMPv2-MIB::sysDescr.0)
+  local status, response = snmpHelper:get({reqId=28428}, "1.3.6.1.2.1.1.1.0")
+
+  if not status then
+    return
+  end
+
+  -- since we got something back, the port is definitely open
+  nmap.set_port_state(host, port, "open")
+
+  local result = response and response[1] and response[1][1]
+
+  -- build a SNMP v1 packet
+  -- copied from packet capture of snmpget exchange
+  -- get value: 1.3.6.1.2.1.1.3.0 (SNMPv2-MIB::sysUpTime.0)
+  status, response = snmpHelper:get({reqId=28428}, "1.3.6.1.2.1.1.3.0")
+
+  if not status then
+    return result
+  end
+
+  local uptime = response and response[1] and response[1][1]
+  if not uptime then
+    return
+  end
+
+  result = result .. "\n" .. string.format("  System uptime: %s (%s timeticks)", datetime.format_time(uptime, 100), tostring(uptime))
+
+  return result
+end
+
+