mirror of
https://github.com/projectdiscovery/nuclei-templates.git
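id: snmpv1-community-detect-string

# Detection template: sends one hand-built SNMP GetRequest for sysName.0 over UDP
# using the community string from `payloads`, then matches on the raw reply.
info:
  name: SNMPv1 Public Community String - Detect
  author: matejsmycka
  severity: high
  description: |
    SNMPv1 was configured with the default public community string, which allows unauthorized users to query system information. This may expose sensitive details such as network configuration, running processes, and device information.
  reference:
    - https://hackers-arise.com/exploiting-snmpv1-for-reconnaissance/
    - https://hacktricks.boitatech.com.br/pentesting/pentesting-snmp
    - https://www.tenable.com/plugins/nnm/1344
    - https://linux.die.net/man/1/snmpwalk
  metadata:
    verified: true
    max-request: 1
    shodan-query: product:"SNMP"
  tags: js,udp,network,snmp

javascript:
  # The probe only runs when the UDP port check passes.
  - pre-condition: |
      isUDPPortOpen(Host, Port);

    code: |
      // Build a single BER-encoded SNMP GetRequest as a hex string, send it,
      // and return the raw reply as the script result for the matchers.
      const c = require("nuclei/net");
      const conn = c.Open('udp', `${Host}:${Port}`, `${Timeout}`);
      // NOTE(review): `bytes` is used without a visible require(); confirm the
      // runtime exposes it in this scope.
      let community_string = bytes.NewBuffer();
      community_string.WriteString(Community);
      // 30 29    SEQUENCE, 41 bytes
      // 02 01 01 INTEGER, value 1 (message version field)
      // 04 06    OCTET STRING, 6 bytes (the community that follows)
      // Both length bytes are fixed for a 6-byte community ("public"); a payload
      // entry of any other length would yield a malformed message.
      // NOTE(review): in the SNMP message header, version 0 is SNMPv1 and 1 is
      // SNMPv2c, so this probe looks like a v2c request despite the template
      // name. Confirm which version is intended before relying on the finding.
      let payload = "30290201010406";
      payload += community_string.Hex();
      // a0 1c    GetRequest PDU, 28 bytes: request-id 0x0eb376f4,
      //          error-status 0, error-index 0
      payload += "a01c02040eb376f4020100020100";
      payload += "300e300c06082b060102010105000500"; // VarBind list for sysName.0
      conn.SendHex(payload);
      let resp = conn.RecvFull(64);
      // Release the socket once the reply has been read; the original left it open.
      conn.Close();
      resp;

    args:
      Host: "{{Host}}"
      Port: 161
      Timeout: 2
      Community: "{{community_string}}"

    attack: clusterbomb

    # Only the 6-byte default is listed; see the length note in `code` before
    # adding entries of a different length.
    payloads:
      community_string:
        - public

    matchers:
      # Matches the byte run 02 01 01 04 06 (version 1, then a 6-byte community
      # header) anywhere in the reply.
      # NOTE(review): the request itself contains the same bytes, so a service
      # that merely echoes the datagram would also match. Requiring the
      # GetResponse tag right after the community (constructed example:
      # "02010104067075626c6963a2") would be stricter; confirm against real
      # agent replies before changing.
      - type: binary
        binary:
          - "0201010406"

    extractors:
      # Captures whatever follows the first NUL, 0x04 and one further byte after
      # "public" in the reply; presumably the sysName value, verify on real output.
      - type: regex
        group: 1
        regex:
          - "public.*\x00\x04.(.*)"
# NOTE(review): this digest was produced for the upstream template text. If it
# covers the template body, any edit (including the comments added here)
# leaves it stale, so the template must be re-signed before use.
# digest: 490a0046304402207ad19f3ab50a58f3f505d4c028471c9c8e86b28716b73d968f924b2bd7333a670220411c4fdb525ff12b7d54866edc81b8afe01e56e55199d58c8ec0d5d17eb315c4:922c64590222798bb761d5b6d8e72950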