#!/usr/bin/perl -w

#######################################################################
# snoopy.pl - a simple snmp scanner
# (C) 2001 jshaw[at]sps.lane.edu
# version: 2001APR16 (yes, it's feature incomplete)
# url: http://www.sps.lane.edu/~jshaw
#
# I more than welcome ideas, contributions, and constructive criticism
#
# Synopsis:
# This simple program takes a list of hosts/IP addresses from STDIN
# and attempts to grab the system type from the sysDescr SNMP MIB,
# using the community strings listed in the variables below. I plan to add more
# functionality in the future.
#
# Unfortunately, my personal research has shown that many network
# administrators incorrectly configure their devices' SNMP settings, and
# many do not block SNMP at their firewall. A system with open SNMP can be
# catastrophic, especially on an NT-based machine, where one could learn:
# - List of all user accounts on system
# - List of all open ports (even if those ports are firewalled)
# - List of all running services and applications
# - List of all installed applications
# - List of all shares plus physical directory (eg. d:\users\joebob)
#
#
# Instructions:
# I wrote this under FreeBSD, but it should work on all the other
# UNIX type OS's, and probably even under NT w/ ActivePerl
#
# This program requires the Net::SNMP module. Install it.
#
# Create a text file with a list of hosts to scan, one host per line;
# the program will strip off the \n's. Then, do something like:
# cat hosts.txt | snoopy.pl
#
# If you don't have a clue about this, you probably shouldn't be using
# this script.
#
# If you want to scan a range of IP addresses, just create a quick perl
# script to dump a range for you to a text file. Something like this ought to
# work:
#       <SNIP>
#      #!/usr/bin/perl -w
#      for ($a = 1; $a < 254; $a++) { print "10.99.1.$a\n"; }
#       </SNIP>
#
# If you want to log the output to a file, >'ing to a file will work.
#
#
# Thanks:
# lumpy_ & knight@phunc.com for perl & snmp code to look at 
# fyodor (nmap) & dugsong (dsniff) for fantastic auditing tools! 
# rfp for endless contributions to computer security
# SirDystic for keeping me intrigued with net security & a
#          scorpion-free place to crash ;-)
#
#
# Greetings:
# rhicks, shep@juniper, dale smith@uoregon, captain skynyrd, the cDc, 
# sangfroid, t12, gauss, optyx, syke, bronc, athena
#
#
# License:
# Do whatever with this program, just give credit where it's due. If you
# like this little program, e-mail me and let me know; it lets me know
# if I'm doing something worthwhile or not ;-)
#
#
# AND REMEMBER!:
# If you use this script to find potential cracking victims, you're a
# gosh darned script kiddy and a waste to computer security.
#
# Known things that suck:
# - the speed, I'm working on it! :-) 
#
#######################################################################


use strict;
use Net::SNMP;


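##### User defined variables
my @my_comms = (                # community strings to try, in this order
    "public",                   # add more if you'd like
    "private",
    "cisco"
);
my $port = 161;                 # UDP port the SNMP agent is expected on


##### Leave these alone
my $version = "0.5";            # shown in the start-up banner
# Deliberately no `my $a;` here: it was never used, and a file-scope lexical
# $a masks the package variable that sort { $a <=> $b } blocks rely on.
my $i;                          # loop counter used by the main loop
my $hostname;                   # host currently being scanned; read by Sping()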


#######################################################################
# BEGIN MAIN                                                          # 
#######################################################################

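PrintBanner();

# Flush STDOUT after every print so progress is visible when the output is
# redirected to a file; set once here instead of re-incrementing $| per host.
$| = 1;

# Read one host per line from STDIN and try each configured community
# string against it; Sping() prints sysDescr for every string that answers.
while (my $line = <STDIN>) {
    # chomp rather than chop: chop would eat the last character of a final
    # line that has no trailing newline.
    chomp $line;
    $line =~ s/\A\s+|\s+\z//g;      # tolerate CRLF line endings and stray spaces
    next unless length $line;       # blank line: nothing to probe

    $hostname = $line;              # file-scope lexical read by Sping()

    print "-----------------------------------------------------------------------\n";
    print "    Host: $hostname\n";

    for my $comm (@my_comms) {
        # Sping() returns 1 when the agent answered with this community string
        if (Sping($comm)) {
            print "      --> $hostname responds to string \"$comm\"\n";
        }
    }
    print "-----------------------------------------------------------------------\n\n\n";
}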

#######################################################################
# END MAIN                                                            # 
#######################################################################


#######################################################################
# SUBROUTINES                                                         #
#######################################################################

sub PrintBanner {
    # Emit the start-up banner to STDOUT. $version is the file-scope lexical
    # declared near the top; the "\$" keeps the shell prompt literal inside
    # this interpolating heredoc.
    my $banner = <<"EOF";

+---------------------------------------------------------------------+
| snoopy.pl v$version - A simple SNMP scanner                              | 
| (C) 2001 jshaw[at]sps.lane.edu                                      |
| \$ more snoopy.pl for documentation                                  |
+---------------------------------------------------------------------+


EOF
    my $printed = print $banner;
    return $printed;
}

sub Sping {
    # Probe the file-scope $hostname on $port with a single community string.
    # Prints the agent's sysDescr and returns 1 when a GET for sysDescr.0 is
    # answered; returns 0 (after printing the session error, if any) when the
    # session cannot be created or the request goes unanswered.
    my ($community) = @_;
    my $sysDescr = '1.3.6.1.2.1.1.1.0';     # SNMPv2-MIB::sysDescr.0

    # NOTE(review): undashed option names and a positional OID passed to
    # get_request() follow the early Net::SNMP API this script was written
    # against; confirm the installed module version still accepts them.
    my ($snmp, $why) = Net::SNMP->session(
        Hostname  => $hostname,
        Community => $community,
        Port      => $port
    );

    unless (defined $snmp) {
        printf("ERROR: %s\n", $why);
        return 0;
    }

    $snmp->timeout(1);      # seconds to wait for a reply
    $snmp->retries(1);      # resend once before giving up

    my $answer  = $snmp->get_request($sysDescr);
    my $reached = defined($answer) ? 1 : 0;
    if ($reached) {
        print "sysDescr: $answer->{$sysDescr}\n";
    }
    $snmp->close;

    return $reached;
}

# Yes, it's quite possible the comments section at top is longer than the
# program itself.

