Implement SNMPv3 support #222

Merged
merged 1 commit into from
Aug 13, 2023

@lowSoA lowSoA commented Nov 18, 2022

It was a great addition in #218 to support SNMP (https://zxsecurity.co.nz/research/insights/run-zero-credentials-capture/ awesome work!). This PR implements the support for SNMPv3 that was still outstanding.

This is the current output for SNMPv3, SNMPv1 and SNMPv2c:
image

The output for SNMPv3 hash can be formatted easily for later cracking, for example with Hashcat. There is a gist which eases this process (with an included hash example from this PR).

Note: as in the original PR #218, pyasn1 is required. Tested with pyasn1==0.4.8 in case it can be added to requirements.txt.

Author

lowSoA commented Nov 18, 2022

For the sake of completeness, this is the output from the gist with the example hash from the screenshot:

$ python formatSNMPv3.py user:308197020103301002034d27bb020300ffe30401010201030431302f041180001f88808106d566db57fd6000000000020100020100040475736572040ce3b25b0e48c5587d5bb1ecf50400304d041180001f88808106d566db57fd60000000000400a736020400d470870201000201003028300d06082b060102010103004301003017060a2b06010603010104010006092b0601060301010505:80001f88808106d566db57fd6000000000:e3b25b0e48c5587d5bb1ecf5
[$] Hashcat format:
user:$SNMPv3$0$45889431$308197020103301002034d27bb020300ffe30401010201030431302f041180001f88808106d566db57fd6000000000020100020100040475736572040c0000000000000000000000000400304d041180001f88808106d566db57fd60000000000400a736020400d470870201000201003028300d06082b060102010103004301003017060a2b06010603010104010006092b0601060301010505$80001f88808106d566db57fd6000000000$e3b25b0e48c5587d5bb1ecf5
    Hashcat mode: 25000

Hashcat output:

$ hashcat -a 0 -m 25000 testsnmp.hash testdict.txt --username
<SNIPPED>
$SNMPv3$0$45889431$308197020103301002034d27bb020300ffe30401010201030431302f041180001f88808106d566db57fd6000000000020100020100040475736572040c0000000000000000000000000400304d041180001f88808106d566db57fd60000000000400a736020400d470870201000201003028300d06082b060102010103004301003017060a2b06010603010104010006092b0601060301010505$80001f88808106d566db57fd6000000000$e3b25b0e48c5587d5bb1ecf5:hashcat1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 25000 (SNMPv3 HMAC-MD5-96/HMAC-SHA1-96)
Hash.Target......: $SNMPv3$0$45889431$308197020103301002034d27bb020300...b1ecf5
Time.Started.....: <REDACTED> 2022 (0 secs)
Time.Estimated...: <REDACTED> 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (testdict.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1102 H/s (3.53ms) @ Accel:16 Loops:131072 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 100/100 (100.00%)
Rejected.........: 57/100 (57.00%)
Restore.Point....: 0/100 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:917504-1048576
Candidate.Engine.: Device Generator
Candidates.#1....: 123456789 -> hashcat1
Hardware.Mon.#1..: Temp: 47c Util: 98% Core: 212MHz Mem:1230MHz Bus:16
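
Added example (not part of the PR, the gist, or Responder): the RFC 3414 check an SNMPv3 agent runs on msgAuthenticationParameters, applied to the sample line above. It shows why the three fields in that line are all that is needed to test a passphrase offline. Function names are illustrative; the message bytes are re-typed from the zeroed packet in the Hashcat line.

```python
import hashlib
import hmac

# Constructed from the sample hash line in the comment above.
ENGINE_HEX = "80001f88808106d566db57fd6000000000"
ENGINE_ID = bytes.fromhex(ENGINE_HEX)
CAPTURED_DIGEST = bytes.fromhex("e3b25b0e48c5587d5bb1ecf5")
# Whole SNMPv3 message with the 12 authentication bytes replaced by zeros.
ZEROED_MESSAGE = bytes.fromhex(
    "308197020103" "301002034d27bb020300ffe3040101020103"
    "0431302f0411" + ENGINE_HEX + "020100020100040475736572040c" + "00" * 12 + "0400"
    "304d0411" + ENGINE_HEX + "0400a736020400d47087020100020100"
    "3028300d06082b06010201010300430100"
    "3017060a2b06010603010104010006092b0601060301010505"
)

def localized_key(passphrase: str, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated passphrase, then bind it to the engine ID."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("empty passphrase")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()

def auth_parameters(passphrase: str, engine_id: bytes, zeroed_message: bytes, algo: str) -> bytes:
    """HMAC over the zeroed message with the localized key, truncated to 96 bits."""
    key = localized_key(passphrase, engine_id, algo)
    return hmac.new(key, zeroed_message, algo).digest()[:12]

def matching_auth_protocol(passphrase, engine_id, zeroed_message, digest):
    """Return 'md5' or 'sha1' if the passphrase reproduces the digest, else None."""
    for algo in ("md5", "sha1"):
        candidate = auth_parameters(passphrase, engine_id, zeroed_message, algo)
        if hmac.compare_digest(candidate, digest):
            return algo
    return None

if __name__ == "__main__":
    # "hashcat1" is the passphrase shown in the Hashcat output above.
    print(matching_auth_protocol("hashcat1", ENGINE_ID, ZEROED_MESSAGE, CAPTURED_DIGEST))
```

Nothing in the check depends on a secret other than the passphrase, so the strength of SNMPv3 authentication against a captured message rests entirely on passphrase entropy.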

@lgandx lgandx merged commit 83c817d into lgandx:master Aug 13, 2023
Owner

lgandx commented Aug 13, 2023

Merged, thanks for this addition!

@lowSoA lowSoA deleted the enhancement-snmpv3-support branch May 24, 2024 11:59