Re: Quick SNMP Payload Structure Question

From: Jim Kovalchuk (raxorat_private)
Date: Tue Feb 26 2002 - 09:19:19 PST


    SNMP messages use BER for encoding the data.
    
    The most basic concept of BER is that it uses three (3) fields for every
    piece of data in the SNMP message. 
    
    [tag][len][value]
    
    Where tag identifies the type of data, len is the length of value in
    bytes, and value is the data itself.
    
    So you see most (valid) SNMP messages look something like: 
    30 2a 02 01 00 04 06 70 75 62 6c 69 63 . . . 
    
    First byte is the tag byte, 30h stands for a sequence. 
    Second byte is the length byte of the entire message.
    
    Next 3 bytes belong to the version field.
    
    02  01  00
    tag len value
    
    02h stands for an integer.
    
    Value is SNMP version number - 1.
    So for SNMPv1 the value is actually 00h.
    
    Next comes the community string, preceded by a tag byte and a len byte.
    
    04h stands for an octet string.
    06h = sizeof("public");  
    
    The octet string follows.
    
    
    For you to modify the community string: 
    1. modify the octet string to reflect the new community string you wish to
    use.
    2. adjust the len field for the community string accordingly.
    3. adjust the len field for the SNMP message (the second byte in payload) 
    4. read up on BER if your message length exceeds 255 and you're wondering
    how to squeeze that into one byte. 
    
    Good luck.
    
    -Jim 
    
    pub  1024D/4D4E605E 2001-10-05 Jim Kovalchuk <raxorat_private>
    Fingerprint: 6DF1 31C6 05E9 FCA6 02AB  386D 5640 EF8C 4D4E 605E
    
    On Mon, 25 Feb 2002, Josha Bronson wrote:
    
    > 
    > Hey folks,
    > 
    > Trying to work on generating arbitrary SNMP request packets, but for the
    > life of me I can not figure out how the second byte of the payload data
    > is calculated. I *think* that it is some sort of length signifier...  I
    > think there are also other length based bytes that might need to be
    > calculated elsewhere in the payload.
    > 
    > What I am trying to do is figure out what bytes need to be modified in a
    > basic payload structure so that I can drop in different communities,
    > only altering the bytes necessary.
    > 
    > I've already used ethereal's excellent packet analysis, but it does not
    > say what the significance is of all the packets, including the second
    > byte.
    > 
    > Any quick answers or links are greatly appreciated.
    > 
    > -- 
    > Josha Bronson
    > dmuzat_private
    > AngryPacket Security
    > 
    
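The header layout and the four adjustment steps from the reply above, as an added example that is not part of the original thread: a small BER TLV reader that validates the outer SEQUENCE length against the actual message size, extracts version and community, and rebuilds the header with all length fields recomputed. It implements the X.690 long-form length (which BER uses from 128 bytes upward, not only past 255), and the sample bytes are constructed with an empty remainder after the community string.

```python
# Added example (not from the original post): minimal BER TLV handling for the
# SNMP header [SEQUENCE][INTEGER version][OCTET STRING community] described above.

def ber_encode_length(n: int) -> bytes:
    """Short form for n < 128; long form (0x80 | byte count, then big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_decode_length(buf: bytes, pos: int):
    """Return (length, index of the first value byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    num = first & 0x7F
    if num == 0 or pos + 1 + num > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + num], "big"), pos + 1 + num

def ber_tlv(buf: bytes, pos: int, expect_tag: int):
    """Read one [tag][len][value] at pos; return (value, index just past it)."""
    if pos >= len(buf):
        raise ValueError("truncated message")
    if buf[pos] != expect_tag:
        raise ValueError(f"expected tag {expect_tag:#04x}, got {buf[pos]:#04x}")
    length, start = ber_decode_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("TLV length exceeds message size")
    return buf[start:end], end

def parse_snmp_header(msg: bytes):
    """Return (version_bytes, community, remaining_body); rejects a wrong outer length."""
    body, end = ber_tlv(msg, 0, 0x30)
    if end != len(msg):
        raise ValueError("outer SEQUENCE length does not match message size")
    version, pos = ber_tlv(body, 0, 0x02)
    community, pos = ber_tlv(body, pos, 0x04)
    return version, community, body[pos:]

def set_community(msg: bytes, community: bytes) -> bytes:
    """Rebuild msg with a new community string; both len fields are recomputed."""
    version, _, rest = parse_snmp_header(msg)
    body = (bytes([0x02]) + ber_encode_length(len(version)) + version
            + bytes([0x04]) + ber_encode_length(len(community)) + community + rest)
    return bytes([0x30]) + ber_encode_length(len(body)) + body

# Constructed sample: version 0 (SNMPv1) and community "public", nothing after it,
# so the outer length is 3 + 8 = 11 (0x0b).
SAMPLE = bytes.fromhex("300b02010004067075626c6963")
```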



    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 17:00:19 PST