SNMP
Summary:
Polling: The network monitor sends requests to the device on UDP port 161. The monitor asks the device (a NAS, for example) for the value of an OID and the device responds.
Notifying: The device sends out info about its own OIDs to UDP port 162. These messages to port 162 are called [traps/notifications/informs].
Used for network management. Basic operations: read (monitor), write (configure), trap (collect notifications) and traversal (discover the supported variables). Tends to be overly verbose. Often misconfigured, which leads to information leakage. UDP-based, stateless protocol, so it is vulnerable to IP spoofing and replay attacks. Versions 1, 2 and 2c offer no traffic encryption and are the easiest to attack: they don't use a username/password combination, just a single community string to authenticate, and the traffic can be easily intercepted. Version 3 requires a username and password and offers encryption, but can still fall to brute-force attacks. Always check for weak auth schemes; devices normally ship with the default "public" and "private" community strings.
SNMP Verbs: Get, GetNext, Set, Trap
Community Strings:
Private: write access
Public: read access
OID: numerical IDs for sensor data on things like fans, heat, drive capacity, etc. These are laid out in a tree structure and can be vague or granular.
MIB: human-friendly names for OIDs
There are default MIBs and OIDs for systems, so you can ask almost any system for something like [sysuptime.0] and get info from it. These are built in; you can find lists by googling something like ["OID for synology nas"] or by looking at the product manuals. The SNMP management information base (MIB) is a network settings database organized as a tree. If we can access the MIB and know how to read and interpret the info, we can then know each and every device on the network. If we can crack the password on SNMP, we may be able to control each networked device.
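The two points above (the community string of v1/v2c travels in clear text; OIDs are numeric tree identifiers) are easiest to see by decoding a real packet. The following is an added example, not part of the original notes: a minimal BER decoder for SNMPv1/v2c request/response datagrams, with a constructed sample packet equivalent to "snmpget -v 1 -c public <ip> 1.3.6.1.2.1.1.3.0" (sysUpTime.0). A monitor could run parse_snmp over UDP/161 captures to flag default community strings still in use on the network; the helper names and the packet bytes are assumptions made here.

```python
# Added example, not from the original notes: minimal BER decoder for SNMPv1/v2c packets.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA7: "InformRequest"}
DEFAULT_COMMUNITIES = {"public", "private", "manager"}   # the strings the notes above list

def read_tlv(buf, pos):
    """Return (tag, content_bytes, next_pos) for the BER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content octets to dotted form: first octet packs 40*X+Y, rest are base-128."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear terminates this sub-identifier
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def parse_snmp(packet):
    """Parse a v1/v2c Get/GetNext/Set/Response datagram into version, community, PDU type, OIDs."""
    tag, msg, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)      # OCTET STRING, sent in clear in v1/v2c
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0x30 or ver[0] > 1 or pdu_tag == 0xA4:
        raise ValueError("only v1/v2c request/response PDUs are handled (no v3, no v1 Trap)")
    pos = 0
    for _ in range(3):                          # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)     # each VarBind is SEQUENCE { OID, value }
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": "1" if ver[0] == 0 else "2c", "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def uses_default_community(packet):
    # Detection helper: True when a v1/v2c packet carries one of the default community strings
    return parse_snmp(packet)["community"] in DEFAULT_COMMUNITIES

# Constructed sample: "snmpget -v 1 -c public <ip> 1.3.6.1.2.1.1.3.0" (sysUpTime.0), request-id 42
SAMPLE_GET = bytes.fromhex("3026" "020100" "0406" "7075626c6963" "a019" "02012a" "020100"
                           "020100" "300e" "300c" "0608" "2b06010201010300" "0500")
```

The bytes 70 75 62 6c 69 63 ("public") sit unprotected right after the version field, which is all a sniffer on the segment needs; the Windows users OID used later in these notes decodes from 2b 06 01 04 01 4d 01 02 19.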
---Common attacks---
(Before you try any hack on SNMP, make certain you try these default passwords first.)
Default Community: using default community strings
Sniffing Community Strings: works with v1/v2 (clear-text communication)
Brute forcing strings: will trigger IDS systems as they see many login attempts with different strings
Flooding: a DoS attack where we spoof an SNMP agent, then flood the SNMP trap manager with traps varying in size from 50 B to 32 KB until the trap manager is unable to function
Tools:
snmpwalk - uses GetNext to enumerate the network tree. If we provide an OID it will walk everything under that OID; otherwise it will walk as much of the tree as it can see.
We want to install "snmp-mibs-downloader"; then, in the file /etc/snmp/snmp.conf, we add any OIDs that we find to the 4th line of the file, which helps us enumerate better.
//walk through snmp mib tree for an IP
//We must be authenticated to use this tool... usually it's “public” or “private”
#snmpwalk -c public -v 1 <ip>
//-c community string (normally public) and then the version being used in this case v1 but also try -v 2c
# snmpwalk -c public 192.168.38.200 -v 2c
//we can also use the keys from the [cat mib-values]
#snmpwalk -c public -v 1 -t 10 <ip> 1.3.6.1.4.1.77.1.2.25
//enumerating users
snmpset:
#snmpwalk -v 2c -c public 192.168.102.149 system.syscontact.0
//this gave us the system contact of “String: admin@els.com”
#snmpset -v 2c -c public 192.168.102.149 system.syscontact.0 s new@els.com
//we now set a new user to the contact
Nmap Scripts:
Scan for SNMP ports on network
# nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt
Brute list in: /usr/share/nmap/nselib/data/snmpcommunities.lst // there is a seclist for this at: /usr/share/seclists/Misc/wordlist-common-snmp-community-strings.txt
snmp-brute //add our strings here or specify a new list: --script-args snmp-brute.communitiesdb=<wordlist>
snmp-info
snmp-interfaces
snmp-netstat
snmp-processes
snmp-sysdescr
snmp-win32-services
snmp-win32-users
...more at: ls -l /usr/share/nmap/scripts | grep -i snmp
Use a script:
#nmap -sU -p 161 10.11.1.1 --script=<name>
cat mib-values
//MS snmp params
This will give us stuff like:
system processes
running programs
process path
storage units
user accounts
tcp local ports
SNMP Brute Force
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254);do echo 10.11.1.$ip;done > ips
onesixtyone -c community -i ips
Brute Force community strings and IPs
#onesixtyone [options] <host> <community>
#onesixtyone -c dict.txt 192.168.1.119
Uses the default wordlist /usr/share/doc/onesixtyone/dict.txt to try to crack the community string
(Authenticated) Enumeration of OIDs: //auth with the community string
#perl snmpenum.pl <IP-address> <community string> <config file>
//the config file can be one of the following (part of snmpenum; can be downloaded if we need to). If you have trouble with the files running, use dos2unix *.txt to format them
~/tools/snmp/cisco.txt
~/tools/snmp/linux.txt
~/tools/snmp/windows.txt
//these lists contain several OIDs to check
#snmp-check 192.168.1.2 -c public
MIB Lookup