ADMsnmp SNMP Audit scanner

From: root (rootat_private)
Date: Wed Feb 17 1999 - 16:02:25 PST


                          ___      ______      _       _
                        /     \   |   _   \   |  \   /  |
                       |  / \  |  |  |  \  |  |   \_/   |
                       | |___| |  |  |_ /  |  |   \_/   |
    ..oO  THE          |  ---  |  |       /   |  |   |  |         CreW Oo..
                       '''   '''   '''''''    ''''   ''''
                                   presents
    
                             [ ADMsnmp v 0.1 ]
                          * SNMP audit scanner *
    
    ftp://ADM.isp.at/ADM/ADMsnmp.0.1.tar.gz
    http://ADM.isp.at/ADM/ADMsmp.0.1.tar.gz
    http://el8.org/~antilove/ADMsnmp.0.1.tar.gz
    
    ADMsnmp is an snmpd audit scanner.
    Any of you know how weak and funny snmp is?
    You can obtain a great deal of useful info like admin names,
    you can play with the interface of the router, reboot the machine,
    get the password file of the router (Ascend), or execute commands remotely,
    anyway snmp is a BIG hole.
    
    ADMsnmp can brute force the snmp community name (with a wordfile) or
    make a wordfile list derived from the hostname.
    ADMsnmp can report to you all valid community
    names found and inform you if writable access to the MIB has been attained.
    
    ADMsnmp is very easy to use and designed with speed in mind!
    
    here is an example session
    
    [root@ADM apps]# a.out  172.21.6.1  -wor snmp.passwd -sleep 1
    ADMsnmp vbeta 0.1 (c) The ADM crew
    ftp://ADM.isp.at/ADM/
    greets: !ADM, el8.org, ansia
    >>>>>>>>>>> get req name=root  id = 2 >>>>>>>>>>>
    >>>>>>>>>>> get req name=public   id = 5 >>>>>>>>>>>
    >>>>>>>>>>> get req name=private  id = 8 >>>>>>>>>>>
    >>>>>>>>>>> get req name=write  id = 11 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0 <<<<<<<<<<
    >>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>>
    >>>>>>>>>>> get req name=admin  id = 14 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0 <<<<<<<<<<
    >>>>>>>>>>> get req name=proxy  id = 17 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<<<<
    >>>>>>>>>>> get req name=ascend  id = 20 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<<<<
    >>>>>>>>>>> get req name=cisco  id = 23 >>>>>>>>>>>
    >>>>>>>>>>> get req name=router  id = 26 >>>>>>>>>>>
    >>>>>>>>>>> get req name=shiva  id = 29 >>>>>>>>>>>
    >>>>>>>>>>> get req name=all private  id = 32 >>>>>>>>>>>
    >>>>>>>>>>> get req name= private  id = 35 >>>>>>>>>>>
    >>>>>>>>>>> get req name=access  id = 38 >>>>>>>>>>>
    >>>>>>>>>>> get req name=snmp  id = 41 >>>>>>>>>>>
    
    
    <!ADM!>         snmp check on router.dream.on.it                <!ADM!>
    sys.sysName.0:router.dream.on.it
    name = private write access
    
    ADMsnmp informs you if it has write access to the MIB with the community name private.
    snmpwalk <ip> <community name>  and enjoy ;)
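As an added example (not part of this post or of the ADMsnmp source), here is a small Python parser for SNMPv1 messages plus a defender-side check built on it. It shows the two facts the session above relies on: the community name travels in cleartext inside every request, and the agent's error-status in its reply (the "ret" value in the log, 0 = noError, 2 = noSuchName) tells a client whether the name was accepted. The report function turns that around for a network monitor: a source that sends requests with many different community names, and follows an accepted one with a SetRequest, is flagged. The packet builder, the IP addresses and the sample traffic are constructed for the example; only the wordlist names are taken from the session above.

```python
from collections import defaultdict

# BER tags used by SNMPv1 (RFC 1157) messages.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}
ERROR_STATUS = {0: "noError", 1: "tooBig", 2: "noSuchName",
                3: "badValue", 4: "readOnly", 5: "genErr"}
SYS_NAME_OID = bytes([0x2B, 6, 1, 2, 1, 1, 5, 0])  # 1.3.6.1.2.1.1.5.0 = sysName.0


def _tlv(data, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length


def _expect(data, pos, wanted):
    tag, value, nxt = _tlv(data, pos)
    if tag != wanted:
        raise ValueError("expected tag 0x%02X, got 0x%02X" % (wanted, tag))
    return value, nxt


def parse_snmpv1(packet):
    """Parse an SNMPv1 Get/GetNext/Set/Response message (Trap PDUs have another layout and are rejected)."""
    body, _ = _expect(packet, 0, 0x30)          # Message ::= SEQUENCE
    version, p = _expect(body, 0, 0x02)         # version INTEGER (0 for SNMPv1)
    community, p = _expect(body, p, 0x04)       # community OCTET STRING, cleartext
    pdu_tag, pdu, _ = _tlv(body, p)             # context-specific tag selects the PDU type
    if pdu_tag not in PDU_TYPES or pdu_tag == 0xA4:
        raise ValueError("unsupported PDU tag 0x%02X" % pdu_tag)
    req_id, q = _expect(pdu, 0, 0x02)           # request-id
    err_status, q = _expect(pdu, q, 0x02)       # error-status, the "ret" value in the log
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("latin-1"),
        "pdu": PDU_TYPES[pdu_tag],
        "request_id": int.from_bytes(req_id, "big", signed=True),
        "error_status": ERROR_STATUS.get(int.from_bytes(err_status, "big", signed=True), "unknown"),
    }


def _enc(tag, value):
    # Short-form length only; sufficient for the small constructed packets below.
    if len(value) > 127:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value


def _enc_int(n):
    return _enc(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_snmpv1(community, request_id, pdu_tag=0xA0, error_status=0):
    """Constructed packet builder: one SNMPv1 message with a single sysName.0 varbind (NULL value)."""
    varbinds = _enc(0x30, _enc(0x30, _enc(0x06, SYS_NAME_OID) + _enc(0x05, b"")))
    pdu = _enc_int(request_id) + _enc_int(error_status) + _enc_int(0) + varbinds
    return _enc(0x30, _enc_int(0) + _enc(0x04, community.encode("latin-1")) + _enc(pdu_tag, pdu))


def community_guess_report(datagrams, threshold=5):
    """Per source address, count distinct community names and SetRequests in client requests.
    Returns the sources whose distinct-community count reaches the threshold."""
    communities = defaultdict(set)
    set_requests = defaultdict(int)
    for src, pkt in datagrams:
        try:
            msg = parse_snmpv1(pkt)
        except (ValueError, IndexError):
            continue  # not SNMPv1 or malformed
        if msg["pdu"] == "GetResponse":
            continue  # agent replies are not guesses
        communities[src].add(msg["community"])
        if msg["pdu"] == "SetRequest":
            set_requests[src] += 1
    return {src: {"communities": sorted(c), "set_requests": set_requests[src]}
            for src, c in communities.items() if len(c) >= threshold}


# Constructed sample traffic: 10.0.0.5 walks a wordlist like the session above and follows the
# accepted name with a SetRequest; 10.0.0.9 is an ordinary poller; 10.0.0.1 is the agent replying.
WORDLIST = ["root", "public", "private", "write", "admin", "proxy", "ascend", "cisco"]
SAMPLE_DATAGRAMS = [("10.0.0.5", build_snmpv1(name, 2 + 3 * i)) for i, name in enumerate(WORDLIST)]
SAMPLE_DATAGRAMS.append(("10.0.0.5", build_snmpv1("private", 9, pdu_tag=0xA3)))
SAMPLE_DATAGRAMS.append(("10.0.0.9", build_snmpv1("public", 100)))
SAMPLE_DATAGRAMS.append(("10.0.0.1", build_snmpv1("public", 100, pdu_tag=0xA2, error_status=2)))

if __name__ == "__main__":
    for src, info in community_guess_report(SAMPLE_DATAGRAMS).items():
        print(src, info)
</pre>```

Run stand-alone it prints only 10.0.0.5, with eight distinct community names and one SetRequest; the poller that uses a single name stays below the threshold. The same parser applied to the reply direction gives the error-status per request-id, which is how the session log above can print "ret =0" for an accepted name and "ret =2" for a rejected one.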
    
    another example: ADMsnmp localhost -g  (with the guessname option)
    ADMsnmp vbeta 0.1 (c) The ADM crew
    ftp://ADM.isp.at/ADM/
    greets: !ADM, el8.org, ansia
    >>>>>>>>>>> get req name=public   id = 2 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 3 name = public  ret =2 <<<<<<<<<<
    
    >>>>>>>>>>> get req name=private  id = 5 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 4 name = public  ret =2 <<<<<<<<<<
    
    >>>>>>>>>>> get req name=localhost95  id = 8 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 6 name = private ret =0 <<<<<<<<<<
    
    >>>>>>>>>>>> send setrequest id = 6 name = private >>>>>>>>
    >>>>>>>>>>> get req name=localhost96  id = 11 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 7 name = private ret =0 <<<<<<<<<<
    
    >>>>>>>>>>> get req name=localhost97  id = 14 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 9 name = localhost95 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost98  id = 17 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 10 name = localhost95 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost99  id = 20 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 137 name = private ret =0 <<<<<<<<<<
    
    >>>>>>>>>>> get req name=localhost0  id = 23 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 137 name = private ret =0 <<<<<<<<<<
    
    >>>>>>>>>>> get req name=localhost1  id = 26 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 12 name = localhost96 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost2  id = 29 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 13 name = localhost96 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost3  id = 32 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 15 name = localhost97 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost4  id = 35 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 16 name = localhost97 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost5  id = 38 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 18 name = localhost98 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost6  id = 41 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 19 name = localhost98 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost7  id = 44 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 21 name = localhost99 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost8  id = 47 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 22 name = localhost99 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost9  id = 50 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 24 name = localhost0 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost10  id = 53 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 25 name = localhost0 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost00  id = 56 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 27 name = localhost1 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost01  id = 59 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 28 name = localhost1 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost02  id = 62 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 30 name = localhost2 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost03  id = 65 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 31 name = localhost2 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost04  id = 68 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 33 name = localhost3 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost05  id = 71 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 34 name = localhost3 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost06  id = 74 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 36 name = localhost4 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost07  id = 77 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 37 name = localhost4 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost08  id = 80 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 39 name = localhost5 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost09  id = 83 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 40 name = localhost5 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=localhost10  id = 86 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 42 name = localhost6 ret =2 <<<<<<<<<<
    >>>>>>>>>>> get req name=LOCALHOST95  id = 89 >>>>>>>>>>>
     etc..
    
    
    ADMsnmp is available on
    ftp://ADM.isp.at/ADM/ADMsnmp.0.1.tar.gz
    http://ADM.isp.at/ADM/ADMsmp.0.1.tar.gz
    http://el8.org/~antilove/ADMsnmp.0.1.tar.gz
    
    happy snmp walking :)
    
    The ADM Crew
    (thx to #as400 who helped me to boot my as400)
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:28 PDT