Wednesday, March 18, 2015

How to Download an IOS configuration with NMAP's snmp-ios-config Script

If a Cisco switch/router running IOS has a RW community string you can run the NMAP snmp-ios-config script to pull down the configuration. In this example, the switch is at and has a RW community string of private.

nmap -sU -p 161 --script snmp-ios-config --script-args snmpcommunity=private

Update June 29, 2017

nmap 7.40 and above has been updated to use a standard snmp libary for all snmp based scripts. This changes the script-args as follows:

nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=private

You should upgrade to nmap 7.50 as it includes a lot of new scripts and bug fixes.

Starting Nmap 6.47 ( ) at 2015-03-03 15:23 Pacific Standard Time
Nmap scan report for
Host is up (0.0031s latency).
161/udp open  snmp
| snmp-ios-config:
| !
| ! Last configuration change at 15:21:28 PST Tue Mar 3 2015 by mhubbard
| ! NVRAM config last updated at 15:21:31 PST Tue Mar 3 2015 by mhubbard
| !
| version 15.0
| no service pad
| service tcp-keepalives-in
| service tcp-keepalives-out
| service timestamps debug datetime msec localtime show-timezone
| service timestamps log datetime msec localtime show-timezone
| service password-encryption
| service sequence-numbers
| !
| hostname ACME_Test
| !
| boot-start-marker
| boot-end-marker
| !
| !
| username Test privilege 15 password 7 0037312531682F2506324F41
| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1


This example should be enough to convince you not to use private as a RW string and use ACLs to limit logical access to your network devices!

In our example the SNMP monitoring stations are at and .201. To add access lists:

ACME_Test(config)# access-list 99 permit
ACME_Test(config)# access-list 99 permit
ACME_Test(config)# snmp-server community public ro 99

Trouble Shooting

I have found this script to very reliable but I have run into two things that caused it fail.

You cannot have a TFTP server running on the machine you are running the script from. This is because the script has a TFTP server built in. On Windows you will get the following error "NSOCK ERROR [9.3070s] mksock_bind_addr(): Bind to failed (IOD #2): An attempt was made to access a socket in a way forbidden by its access permissions.  (10013)".

A community string that is for lack of a better word invalid. What does that mean? I could not get the script to work during a new deployment. I ran Wireshark and saw that the script sent the snmp SET but the switch didn't answer. I checked the access list on the SNMP config, made sure there wasn't a TFTP server running, checked the firewall, etc. Finally I ran "show snmp community" and to my surprise the RW string wasn't bound to any interfaces!

On this switch I am using vlan18 as the management vlan. You can see that the RW string isn't listed with an interface. I changed the RW string and ran the show command again. This time the RW string had vlan18 and the access-list and the script worked.

These aren't the actual strings I was using. The real strings had a lot of special characters and mixed caps.

ACME_Test#sh run | sec snmp
snmp-server community SuperSecret RW 25
snmp-server community BigSecret RO 20
snmp-server trap-source Vlan18

ACME_Test#sh snmp com
Community name: SuperSecret
Community Index: SuperSecret
Community SecurityName: SuperSecret
storage-type: nonvolatile        active

Community name: BigSecret
Community Index: BigSecret
Community SecurityName: BigSecret
storage-type: nonvolatile        active access-list: 20

Community name: BigSecret@18
Community Index: BigSecret@18
Community SecurityName: BigSecret
storage-type: read-only  active access-list: 20


No comments:

Post a Comment