Re: Quick SNMP Payload Structure Question

From: rpc (h@ckz.org)
Date: 02/28/02


Date: Wed, 27 Feb 2002 19:51:44 -0800
From: rpc <h@ckz.org>
To: Josha Bronson <dmuz@slartibartfast.angrypacket.com>, vuln-dev@securityfocus.com


On Mon, 25 Feb 2002 12:56:28 -0800
Josha Bronson <dmuz@slartibartfast.angrypacket.com> wrote:

Heya,

>
> Hey folks,
>
> Trying to work on generating arbitrary SNMP request packets, but for the
> life of me I can not figure out how the second byte of the payload data
> is calculated. I *think* that it is some sort of length signifier... I
> think there are also other length based bytes that might need to be
> calculated elsewhere in the payload.
>
> What I am trying to do is figure out what bytes need to be modified in a
> basic payload structure so that I can drop in different communities,
> only altering the bytes necessary.

Here is what I've discovered about SNMP packets so far.
For example, a request header might look like this:
"\x30\x82\x01\x23\x02\x01\x00\x04\x82\x01\x00"community"morestuffmorestuffmorestuff

Where 'morestuff' is the actual encoded snmp request and, in this case, community is 256 bytes long.
A description of the header byte for byte:

0x30: ASN_SEQUENCE | ASN_CONSTRUCTOR
0x82: ASN_LONG_LEN | 2 (2 bytes of data, I think)
0x01,0x23 = 0x123 = packet size

0x02: ASN.1 integer
0x01: lenbyte (1 byte)
0x00: SNMPv1

0x04: ASN.1 octet string (primstring)
0x82: ASN_LONG_LEN | 2 (2 bytes)
0x01,0x00 = 0x100 = 256 bytes (my what a long community string ;)

Then the octets of the community string begin.

The important bytes in the header are (starting with offset 0)
2, 3 = packet size
8,[9,10] = community string length

Note that ASN_LONG_LEN is only necessary if the community string is > 0xff bytes. If it's not, the sequence is "\x04",lenbyte,community. If this is the case, note the header will be 2 bytes shorter.

asn1.c, asn1.h, snmp_api.c and snmp_auth.c from snmplib are invaluable for hacking with ASN data.

Hope this helps,
--rpc

>
> I've already used ethereal's excellent packet analysis, but it does not
> say what the significance is of all the packets, including the second
> byte.
>
> Any quick answers or links are greatly appreciated.
>
> --
> Josha Bronson
> dmuz@angrypacket.com
> AngryPacket Security
>
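Worked example, added here and not taken from rpc's post or from snmplib: a Python encoder for the BER length forms the post walks through (one byte below 0x80, otherwise 0x80|count followed by the length bytes), a builder that reproduces the 11-byte header above for a 256-byte community, and a bounds-checking parser that locates the packet-size and community-length fields without trusting either. The 256-byte community and 28-byte PDU at the bottom are constructed sample input, not captured traffic.

```python
# Added example: BER length handling for the SNMPv1 header described in the post.

def ber_length(n: int) -> bytes:
    # BER: lengths below 0x80 are one byte; otherwise 0x80|count then big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_snmpv1_message(community: bytes, pdu: bytes) -> bytes:
    # SEQUENCE { INTEGER version = 0, OCTET STRING community, <pdu> }
    body = b"\x02\x01\x00" + b"\x04" + ber_length(len(community)) + community + pdu
    return b"\x30" + ber_length(len(body)) + body

def read_tlv(buf: bytes, off: int):
    # Decode tag and length at off; bounds-check every length before trusting it
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4 or off + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, off, length

def parse_snmpv1_header(buf: bytes):
    # Returns (version, community, pdu); raises ValueError on malformed lengths
    tag, off, length = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    end = off + length
    tag, off, length = read_tlv(buf, off)
    if tag != 0x02 or length != 1:
        raise ValueError("bad version field")
    version, off = buf[off], off + 1
    tag, off, length = read_tlv(buf, off)
    if tag != 0x04:
        raise ValueError("bad community tag")
    return version, buf[off:off + length], buf[off + length:end]

if __name__ == "__main__":
    msg = build_snmpv1_message(b"A" * 256, b"P" * 28)  # constructed sample input
    print(msg[:11].hex(), parse_snmpv1_header(msg)[0])
```

With a 256-byte community and a 28-byte PDU the first 11 bytes come out exactly as the header quoted above (packet size 0x123, community length 0x100); with a short community such as "public" the length fields shrink to one byte each.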
