pcap2john: Add SNMPv3 parser #5783

Open
wants to merge 1 commit into
base: bleeding-jumbo

AlbertVeli
Contributor

This adds support for extracting SNMPv3 USM hashes. The parser handles both authentication-only (authNoPriv) and authentication with privacy (authPriv) modes.

Hashes are printed in $SNMPv3$ format, with authProto set to 0 to allow John to try both MD5 and SHA1. If the authProto is known the 0 can be changed to 1 (MD5) or 2 (SHA1). This is not done automatically.

This adds support for extracting SNMPv3 USM hashes. The parser handles
both authentication-only (authNoPriv) and authentication with privacy
(authPriv) modes.

Hashes are printed in $SNMPv3$ format, with authProto set to 0 to allow
John to try both MD5 and SHA1. If the authProto is known the 0
can be changed to 1 (MD5) or 2 (SHA1). This is not done automatically.

Signed-off-by: Albert Veli <albert.veli@gmail.com>
@AlbertVeli
Contributor Author

AlbertVeli commented Jun 4, 2025

Since I was assisted by ChatGPT-4o when writing this I asked about licensing and it responded with the following suggestion for licensing information.

This code is my original contribution, written with assistance from
ChatGPT. I am submitting it under the terms of the GPLv2+ license as
required by the John the Ripper project.

It may still need some refactoring. Does it support all formats that snmp_fmt_plug.c supports? Can the SNMP plugin crack the (optional) encryption password too? This only extracts the authentication password hash.

@solardiz
Member

solardiz commented Jun 9, 2025

Thank you for your contribution @AlbertVeli! I intend to take a closer look a bit later.

@solardiz
Member

@AlbertVeli What input files did you test this with? I notice that comments in snmp_fmt_plug.c have URLs and filenames for pcap files corresponding to the test vectors. I think we should make copies of those files in our https://github.com/openwall/john-samples repo - can you please send us a pull request with that?

@kholia How did you create those test vectors? Is there possibly already an extraction tool that @AlbertVeli has missed?

> GPLv2+ license as required by the John the Ripper project.

We actually prefer our cut-down BSD license where possible, please see doc/pcap2john.readme for licenses that apply to this script. I suggest you add a similar copyright statement + license for your contribution. If you add to that documentation file, then you'll also need to revise its initial wording that currently says it's only about "prior copyright headers" (yours wouldn't be "prior", but is a new addition).

Seeing the commit history for pcap2john.py, I think @exploide should also add a copyright statement + license.

Maybe we should collect the copyright statements and list them in the script itself (one line per person) and group them by license (most are our cut-down BSD), but I see one contribution is GPLv3 (unfortunately).
