\!/ KyuuKazami \!/

Path : /usr/share/nmap/scripts/
Upload :
Current File : //usr/share/nmap/scripts/snmp-hh3c-logins.nse

local nmap = require "nmap"
local shortport = require "shortport"
local snmp = require "snmp"
local stdnse = require "stdnse"

description = [[
Attempts to enumerate Huawei / HP/H3C Locally Defined Users through the
hh3c-user.mib OID

For devices running software released pre-Oct 2012 only an SNMP read-only
string is required to access the OID. Otherwise a read-write string is
required.

Output is 'username - password - level: {0|1|2|3}'

Password may be in cleartext, ciphertext or sha256
Levels are from 0 to 3 with 0 being the lowest security level

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
http://grutztopia.jingojango.net/2012/10/hph3c-and-huawei-snmp-weak-access-to.html
]]

---
-- @usage
-- nmap -sU -p 161 --script snmp-hh3c-logins --script-args --script-args snmpcommunity=<community> <target>
--
-- @output
-- | snmp-hh3c-logins:
-- |   users:
-- |     admin - admin - level: 3
-- |_    h3c - h3capadmin - level 0
--
-- @xmloutput
-- <table>
--   <elem key="password">admin<elem>
--   <elem key="username">admin</elem>
--   <elem key="level">3</elem>
-- </table>
-- <table>
--   <elem key="password">h3capadmin<elem>
--   <elem key="username">h3c</elem>
--   <elem key="level">0</elem>
-- </table>

author = "Kurt Grutzmacher"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
dependencies = {"snmp-brute"}

-- Version 0.3
-- Created 10/01/2012 - v0.1 - created via modifying other walk scripts
-- Updated 10/25/2012 - v0.2 - bugfixes and better output per NSE standards
-- Updated 11/08/2012 - v0.3 - added xmloutput


portrule = shortport.portnumber(161, "udp", {"open", "open|filtered"})

--- Gets a value for the specified oid
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @param oid string containing the object id for which the value should be extracted
-- @return value of relevant type or nil if oid was not found
function get_value_from_table( tbl, oid )

	for _, v in ipairs( tbl ) do
		if v.oid == oid then
			return v.value
		end
	end

	return nil
end

--- Processes the table and creates the script output
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @return <code>stdnse.output_table</code> formatted table
function process_answer( tbl )

	-- h3c-user MIB OIDs (oldoid)
	local h3cUserName = "1.3.6.1.4.1.2011.10.2.12.1.1.1.1"
	local h3cUserPassword = "1.3.6.1.4.1.2011.10.2.12.1.1.1.2"
	local h3cUserLevel = "1.3.6.1.4.1.2011.10.2.12.1.1.1.4"
	local h3cUserState = "1.3.6.1.4.1.2011.10.2.12.1.1.1.5"

	-- hh3c-user MIB OIDs (newoid)
	local hh3cUserName = "1.3.6.1.4.1.25506.2.12.1.1.1.1"
	local hh3cUserPassword = "1.3.6.1.4.1.25506.2.12.1.1.1.2"
	local hh3cUserLevel = "1.3.6.1.4.1.25506.2.12.1.1.1.4"
	local hh3cUserState = "1.3.6.1.4.1.25506.2.12.1.1.1.5"

	local output = stdnse.output_table()
	output.users = {}
	
	for _, v in ipairs( tbl ) do
		
		if ( v.oid:match("^" .. h3cUserName) ) then
			local item = {}
			local oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserPassword)
			local password = get_value_from_table( tbl, oldobjid )

			if ( password == nil ) or ( #password == 0 ) then
				local newobjid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserPassword)
				password = get_value_from_table( tbl, newobjid )
			end

			oldobjid = v.oid:gsub( "^" .. h3cUserName, h3cUserLevel)
			local level = get_value_from_table( tbl, oldobjid )

			if ( level == nil ) then
				local newobjoid = v.oid:gsub( "^" .. hh3cUserName, hh3cUserLevel)
				level = get_value_from_table( tbl, oldobjid )
			end

			output.users[#output.users + 1] = {username=v.value, password=password, level=level}
		end
	
	end
	
	return output
end

action = function(host, port)

	local socket = nmap.new_socket()
	local catch = function() socket:close()	end
	local try = nmap.new_try(catch)	
	local data, oldsnmpoid = nil, "1.3.6.1.4.1.2011.10.2.12.1.1.1"
	local data, newsnmpoid = nil, "1.3.6.1.4.1.25506.2.12.1.1.1"
	local users = {}
	local status

	socket:set_timeout(5000)
	try(socket:connect(host, port))
	
	status, users = snmp.snmpWalk( socket, oldsnmpoid )
	socket:close()

	if (not(status)) or ( users == nil ) or ( #users == 0 ) then

		-- no status? try new snmp oid
		socket:set_timeout(5000)
		try(socket:connect(host, port))
		status, users = snmp.snmpWalk( socket, newsnmpoid )
		socket:close()

		if (not(status)) or ( users == nil ) or ( #users == 0 ) then
			return users
		end

	end

	nmap.set_port_state(host, port, "open")
	return process_answer(users)

end

@KyuuKazami