SNMP

Summary:

Polling: the network monitor (the manager) sends requests to the SNMP agent on the device on port 161 UDP. The monitor asks the device (a NAS, switch, printer, etc.) for the value of an OID and the agent responds.

Notifying: the device (agent) sends unsolicited info about its own OIDs to the manager on port 162 UDP. These messages towards 162 are called [traps/notifications/informs]: Trap (v1), SNMPv2-Trap (v2c, unacknowledged) and InformRequest (v2c/v3, acknowledged by the manager).

Used for network management. Basic operations: read (monitoring), write (configuration), trap (event notification) and traversal (GetNext/GetBulk, to discover the variables a device supports). Tends to be overly verbose. Often misconfigured, which leads to information leakage. UDP based, stateless protocol; v1/v2c are vulnerable to IP spoofing and replay attacks. Versions 1, 2 and 2c offer no encryption or integrity protection and are the easiest to attack: there is no user/password combo, just a single community string that is sent in clear text in every packet, so SNMP info can be intercepted simply by sniffing. SNMPv3 (there is no "3c") adds a user-based security model with authentication (MD5/SHA) and optional encryption (DES/AES), but weak passwords can still fall to brute forcing. Always check for weak auth schemes; devices normally ship with the default "public" (read) and "private" (write) community strings.

SNMP Verbs: Get, GetNext, Set, Trap (v1); v2c added GetBulk and Inform

Community Strings:

Private: write access (default read/write string)
Public: read access (default read-only string)
OID: numerical IDs (e.g. 1.3.6.1.2.1.1.1.0) for sensor and system data on things like fans, heat, drive capacity, etc. These are laid out in a tree structure where a node can be vague (a whole subtree) or granular (a single leaf value).
MIB: human friendly names for OIDs (e.g. sysDescr.0 is 1.3.6.1.2.1.1.1.0), defined in MIB files that describe the tree.

There are default MIBs and OIDs (the MIB-2 "system" group) that almost any system answers, so you can ask nearly any device for something like [sysUpTime.0] and get info back. Vendor-specific OIDs are also built in; find them with a search such as ["OID for synology nas"] and in the product manuals. The SNMP management information base (MIB) is a network settings database organized as a tree. If we can access the MIB and know how to read and interpret the info, we can learn about each and every device on the network. If we can recover a write community string (or crack an SNMPv3 password), we may be able to control each networked device.

---Common attacks---

(Before you try any other attack on SNMP, make certain you try the default community strings first.)

  • Default Community: using default community strings (public/private and vendor defaults)

  • Sniffing Community Strings: works with v1/v2c since the community string travels in clear text in every packet on 161/162

  • Brute forcing strings: will trigger IDS systems as they see many requests with different community strings

  • Flooding: a DoS attack where we spoof an SNMP agent and flood the SNMP trap manager on 162/UDP with traps varying in size from 50 B to 32 KB until the trap manager is unable to function

Tools:

snmpwalk - uses GetNext requests to enumerate the MIB tree. If we provide an OID it will walk everything under that OID. Otherwise it starts at the default MIB-2 subtree (1.3.6.1.2.1) and walks as much of the tree as the agent exposes.

We want to install "snmp-mibs-downloader" and then, in the file /etc/snmp/snmp.conf, comment out the "mibs :" line (the 4th line of the default Kali file) so the net-snmp tools load the downloaded MIBs and resolve numeric OIDs to names. This makes the walk output much easier to read and helps us enumerate better.

//walk through the SNMP MIB tree for an IP
//we must be "authenticated" with a community string to use this tool... usually it is "public" or "private"
#snmpwalk -c public -v 1 <ip>
//-c is the community string (normally public) and -v the version being used, in this case v1, but also try -v 2c
#snmpwalk -c public 192.168.38.200 -v 2c
//we can also use the OIDs from [cat mib-values]
#snmpwalk -c public -v 1 -t 10 <ip> 1.3.6.1.4.1.77.1.2.25 //enumerating Windows users (LanMan MIB)

snmpset:
//first read the current value of the object we want to change
#snmpwalk -v 2c -c public 192.168.102.149 system.syscontact.0
//this gave us the system contact "String: admin@els.com"

//now set a new contact; "s" is the type (string). This only works if the community string has write access, so "public" succeeding here means the agent is misconfigured to allow writes with it
#snmpset -v 2c -c public 192.168.102.149 system.syscontact.0 s new@els.com
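What these tools actually put on the wire, as an added example written for these notes (it is not part of the original page and not net-snmp code): a small BER encoder/decoder that builds the GetRequest behind snmpwalk and the SetRequest behind snmpset, and parses an agent's Response the way a sniffer recovering community strings does. Python 3 standard library only; the packets in the __main__ block are constructed here, not captured from a real device. The sysDescr.0 and sysContact.0 OIDs are the standard MIB-2 ones; every other name is this example's own.

```python
"""Minimal SNMPv1/v2c message builder and parser (BER), written for these notes as an
added example. Sample packets are constructed inline, not captured from a real device."""
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}  # wire value of the version INTEGER
SYS_DESCR, SYS_CONTACT = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.4.0"  # sysDescr.0, sysContact.0


def _ber_length(n):
    # BER length: one byte if < 128, else 0x80|byte-count followed by the big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _ber_length(len(body)) + body


def encode_int(value):
    """Minimal-length two's-complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def decode_int(body):
    return int.from_bytes(body, "big", signed=True)


def encode_oid(oid):
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _encode_value(value):
    if value is None:  # NULL placeholder, as used in Get/GetNext requests
        return tlv(NULL, b"")
    if isinstance(value, int):
        return encode_int(value)
    return tlv(OCTET_STRING, value.encode() if isinstance(value, str) else value)


def build_message(community, pdu_type, request_id, varbinds, version=1):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }. version 1 = v2c, 0 = v1.
    Note the community string: a plain OCTET STRING with no MAC and no encryption around it."""
    vbl = b"".join(tlv(SEQUENCE, encode_oid(o) + _encode_value(v)) for o, v in varbinds)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(SEQUENCE, vbl)  # error-status/index = 0
    return tlv(SEQUENCE, encode_int(version) + tlv(OCTET_STRING, community.encode()) + tlv(pdu_type, pdu))


def read_tlv(buf, pos):
    """Return (tag, body, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


_DECODERS = {INTEGER: decode_int, NULL: lambda b: None, OID: decode_oid,
             OCTET_STRING: lambda b: b.decode(errors="replace")}


def parse_message(packet):
    """Decode a v1/v2c message (v3 carries a different header and is not handled). This is all a
    sniffer on 161/162 has to do to recover the community string from every packet it sees."""
    _, msg, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_type, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)  # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_body, q = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid_body), _DECODERS.get(vtag, bytes.hex)(vbody)))  # Counter/Gauge/TimeTicks stay hex
    return {"version": VERSIONS.get(decode_int(ver), "?"), "community": community.decode(errors="replace"),
            "pdu_type": pdu_type, "request_id": decode_int(rid), "error_status": decode_int(err),
            "varbinds": varbinds}


if __name__ == "__main__":
    # the bytes "snmpwalk -v 2c -c public <ip> sysDescr.0" sends; deliver with socket.sendto(pkt, (ip, 161))
    print(build_message("public", GET_REQUEST, 1, [(SYS_DESCR, None)]).hex())
    # the bytes "snmpset -v 2c -c private <ip> sysContact.0 s new@els.com" sends
    print(build_message("private", SET_REQUEST, 2, [(SYS_CONTACT, "new@els.com")]).hex())
    # constructed agent reply (not a capture): the community string falls straight out of the parse
    reply = build_message("public", GET_RESPONSE, 1, [(SYS_DESCR, "Linux nas 5.10.0 x86_64")])
    print(parse_message(reply))
```

Send the returned bytes with socket.sendto(pkt, (ip, 161)) and pass the reply to parse_message() to reproduce one step of a walk; the parser also works on the UDP payload of any 161/162 packet pulled from a capture, which is why sniffing v1/v2c needs no cracking at all. SNMPv3 messages will not parse because they carry a msgGlobalData header and security parameters where v1/v2c carry the bare community string, which is exactly the part that makes v3 worth enforcing.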

Nmap Scripts: scan for SNMP ports on the network
# nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt

Brute list in: /usr/share/nmap/nselib/data/snmpcommunities.lst // there is a seclist for this at: /usr/share/seclists/Misc/wordlist-common-snmp-community-strings.txt

  • snmp-brute //uses the nselib list above by default; add our strings there or specify a new list with --script-args snmp-brute.communitiesdb=<wordlist>

  • snmp-info

  • snmp-interfaces

  • snmp-netstat

  • snmp-processes

  • snmp-sysdescr

  • snmp-win32-services

  • snmp-win32-users

  • ..more at: ls -l /usr/share/nmap/scripts | grep -i snmp

Use a script: #nmap -sU -p 161 10.11.1.1 --script=<name>

cat mib-values //MS SNMP parameters (Windows-specific OIDs). These will give us stuff like:

  • system processes

  • running programs

  • process path

  • storage units

  • user accounts

  • tcp local ports

SNMP Brute Force

echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips
onesixtyone -c community -i ips

Brute force community strings against a single host: #onesixtyone [options] <host> <community>
#onesixtyone -c dict.txt 192.168.1.119 //-c points at the wordlist of community strings to try; onesixtyone ships a default list at /usr/share/doc/onesixtyone/dict.txt

(Authenticated) Enumeration of OIDs:
//auth with the community string
#perl snmpenum.pl <IP-address> <community string> <config file>
//the config file is one of the following (part of snmpenum, download it if needed). If you have trouble with the files running then use dos2unix *.txt to fix their line endings

~/tools/snmp/cisco.txt
~/tools/snmp/linux.txt
~/tools/snmp/windows.txt
//these lists contain several OIDs to check

#snmp-check 192.168.1.2 -c public

MIB Lookup
