
161,162,10161,10162/udp - Pentesting SNMP

SNMP - Explained

SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

The information from the SNMP Agents is sent to the Management system using OIDs (Object Identifiers). These objects are unique and each one is associated with some data, so when the agent sends an OID together with its value, the Management system has to know the meaning of that OID. An example of an OID is 1.3.6.1.2.1.25.1.1.0 (this OID is the system uptime).

The initial parts of the OID are the more generic ones and can identify the manufacturer (for example 1.3.6.1.4.1.9 --> Cisco).

Also, the manufacturers can use their own private OIDs (but remember that the Management System has to understand them).

There are 2 important versions of SNMP:

  • SNMPv1: The main one, and still the most frequent. Authentication is based on a string (the community string) that travels in plain text (in fact all the information travels in plain text). Versions 2 and 2c also send the traffic in plain text.

  • SNMPv3: Uses a better form of authentication and the information travels encrypted (a dictionary attack against the credentials could still be performed).

You need to know the community string to access the data of SNMP inside the device.

There are 2 types of community strings: "public" (Read Only functions) and "private" (Read Write).

If you try to use a wrong community string the server will not return anything.

Ports

161/udp open snmp udp-response ttl 244 ciscoSystems SNMPv3 server (public)

Guessing Community String:

To guess the community string you could perform a dictionary attack:

msf> use auxiliary/scanner/snmp/snmp_login
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt <IP>
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp

Enumerating SNMP

Then, you can access the data using SNMPWalk or SNMP-Check:

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
nmap --script "snmp* and not snmp-brute" <target>
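The comment on the snmpwalk line above mentions that the IPv6 addresses under 1.3.6.1.2.1.4.34.1.3 need a dec2hex step. This added example (not from the original page) is a small Python parser for snmpwalk output that performs that step: the OID index of each ipAddressIfIndex row carries the address type, the length and the address octets in decimal, and the parser turns them into IPv4/IPv6 addresses mapped to the reported ifIndex. The sample walk output is constructed.

```python
import ipaddress
import re

# Constructed sample of snmpwalk output (not real device data). The last two rows
# belong to ipAddressIfIndex (1.3.6.1.2.1.4.34.1.3): the OID suffix holds
# <address type>.<length>.<address octets in decimal>, and the value is the ifIndex.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Example Router OS 1.0 (constructed)"
iso.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
iso.3.6.1.2.1.4.34.1.3.1.4.192.0.2.10 = INTEGER: 1
iso.3.6.1.2.1.4.34.1.3.2.16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 3
"""

LINE_RE = re.compile(r'^(?P<oid>[\w.]+) = (?:(?P<type>[\w-]+): )?(?P<value>.*)$')
IP_ADDR_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"

def normalize_oid(oid):
    """Without MIBs snmpwalk prints the root as 'iso.'; map it back to '1.'."""
    return "1." + oid[4:] if oid.startswith("iso.") else oid.lstrip(".")

def parse_walk(text):
    """Return (oid, type, value) tuples for every 'oid = TYPE: value' line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((normalize_oid(m["oid"]), m["type"] or "", m["value"].strip('"')))
    return rows

def decode_ip_index(oid):
    """Turn an ipAddressIfIndex row OID into an IPv4/IPv6 address (the dec2hex step).
    Returns None for OIDs outside the table and for zoned (ipv4z/ipv6z) types."""
    if not oid.startswith(IP_ADDR_IF_INDEX + "."):
        return None
    parts = [int(p) for p in oid[len(IP_ADDR_IF_INDEX) + 1:].split(".")]
    # parts[0] is the address type (1 = ipv4, 2 = ipv6), parts[1] the octet count
    if len(parts) < 2 or len(parts) - 2 != parts[1] or (parts[0], parts[1]) not in ((1, 4), (2, 16)):
        return None
    return ipaddress.ip_address(bytes(parts[2:]))

def interface_addresses(rows):
    """Map every decoded address to the ifIndex the device reports for it."""
    result = {}
    for oid, _, value in rows:
        addr = decode_ip_index(oid)
        if addr is not None:
            result[str(addr)] = int(value)
    return result
```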

To see what each OID gathered from the device means, it is recommended to install:

apt-get install snmp-mibs-downloader
download-mibs

And in /etc/snmp/snmp.conf comment the line "mibs :"

It is recommended to install and configure this before launching any SNMP enumeration.

Massive SNMP

Braa is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.

Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]

braa ignite123@192.168.1.125:.1.3.6.*

This can extract many MB of information that you cannot process manually.

So, lets look for the most interesting information (from https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/):

Devices

One of the first things I do is extract the sysDesc .1.3.6.1.2.1.1.1.0 MIB data from each file to determine what devices I have harvested information from. This can easily be done using the following grep command:

grep ".1.3.6.1.2.1.1.1.0" *.snmp

Identify private string

As an example, if I can identify the private community string used by an organization on their Cisco IOS routers, then I could possibly use that community string to extract the running configurations from those routers. The best method for finding such data has often been related to SNMP Trap data. So again, using the following grep we can parse through a lot of MIB data quickly searching for the key word of “trap”:

grep -i "trap" *.snmp

Usernames/passwords

Another area of interest is logs. I have discovered that there are some devices that hold logs within the MIB tables. These logs can also contain failed logon attempts. Think about the last time you logged into a device via Telnet or SSH and inadvertently entered your password as the username. I typically search for key words such as fail, failed or login and examine that data to see if there is anything of value.

grep -i "login\|fail" *.snmp

Emails

grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp

Modifying SNMP values

You can use NetScanTools to modify values. You will need to know the private string in order to do so.

Spoofing

If there is an ACL that only allows some IPs to query the SNMP service, you can spoof one of these addresses in the UDP packet and sniff the traffic.

Examine SNMP Configuration files

  • snmp.conf

  • snmpd.conf

  • snmp-config.xml