
Exploiting SNMP like a Boss


Introduction
SNMP (Simple Network Management Protocol) runs on port 161/UDP. Put simply, it lets you see what is going on with the devices on your network (computers, printers, etc.) and fix issues before they become major problems.

SNMP is usually a component of a larger software package. For example, if you use network management software to monitor your network, that software uses the SNMP protocol to communicate with all the devices on the network and gather information from them.

Typical things SNMP observes on a network

  • It can see how much space is in use on each hard drive.
  • It can see how heavily your CPU is being used.
  • Beyond that, it can see what is going on with the hardware in your computer, for example whether a fan or a memory slot is working properly.

After checking things like these, SNMP sends the information to the management server where the SNMP manager is installed (simply put, where your network management software is installed).

Suppose, for example, you have installed 1000 servers somewhere to run some application. You want to be sure every server is working properly, and walking to each of the 1000 servers is not an easy task. At that point SNMP is your best friend: it tells you whether there is an issue on any device on your network.

When you deal with SNMP, you have the following components:

  • The operating system on which the SNMP management software is installed: here you receive all the alerts about issues on the devices, and according to the rules configured in the SNMP management software these alerts are reported to the concerned team in your organisation.
  • SNMP agent: a small piece of software running on every network device that can read information on the device and send it back to the SNMP management console.

It is possible from the management console to connect to any network device and check for issues. But if you want real-time statistics from the device itself, you need to set up a “TRAP” on the network device so that it sends those statistics back to the management console.

For example, if you configure a rule on your network device saying “if my hard-drive usage exceeds 80%, alert the SNMP management console”, then a TRAP does this for you.

Versions of SNMP

  • SNMP v1: SNMPv1 was the first version of SNMP. Although it accomplished its goal of being an open, standard protocol, it was found to be lacking in key areas for certain applications.
  • SNMP v2c: SNMPv2c is a sub-version of SNMPv2. Its key advantage over previous versions is the Inform command. Unlike Traps, which are simply received by a manager, Informs are positively acknowledged with a response message. If a manager does not reply to an Inform, the SNMP agent resends it. Other advantages include:
    • improved error handling
    • improved SET commands
  • SNMP v3: SNMPv3 is the newest version of SNMP. Its primary feature is enhanced security. The “EngineID” identifier in SNMPv3 uniquely identifies each SNMP entity; conflicts can occur if two SNMP entities have duplicate EngineIDs. The EngineID is used to generate the key for authenticated messages. SNMPv3 security comes primarily in two forms:

    • Authentication is used to ensure that traps are read only by the intended recipient. As messages are created, they are given a special key that is based on the EngineID of the entity. The key is shared with the intended recipient and used to receive the message.
    • Privacy encrypts the payload of the SNMP message to ensure that it cannot be read by unauthorized users. Any intercepted traps will be filled with garbled characters and will be unreadable. Privacy is especially useful in applications where SNMP messages must be routed over the Internet.

Exploiting the SNMP protocol to gain knowledge about the target system

During a regular pentest we come across the SNMP protocol, and proper testing of it provides very useful information that allows an attacker to build up the overall structure of the target system.

For now, I have configured a lab with the following details:

  • My MacBook is the attacker’s machine.
  • Windows 7 is the target machine, with SNMP configured.

Basic reconnaissance on port 161/UDP gives the following information:


OK, after confirming that the SNMP protocol is up and running on the target system, my next step is to check: is there any default community string present that I can use to log in to the SNMP device?

So, for obvious reasons, brute-forcing community strings comes to mind, and there are a lot of open-source scripts that will perform this activity for you. Some of the utilities are:

I’ll show all three ways here; let’s start with nmap.

  • Using the Nmap script:

sudo nmap -sU 172.16.201.130 -p161 -Pn --script=snmp-brute --script-args snmp-brute.communitiesdb=list.txt


  • Using the Metasploit Framework

I used this auxiliary module to brute-force the community strings:

auxiliary/scanner/snmp/snmp_login

  • Using the script named SNMP-Brute (credits to this guy for making the script)
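To see what the community-string guessing above looks like from the defender’s side of the wire, here is an added example (not code from the original post or from any of the tools named) that decodes the SNMP v1/v2c message header (version, community string, PDU tag) from raw UDP/161 payloads and flags a source that cycles through many distinct community strings, as well as any request that uses a well-known default. The packets, addresses and wordlist are constructed; treating “public”/“private” as defaults and the threshold of 5 distinct strings are assumptions.

```python
from collections import defaultdict
DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults still widely left in place (assumption)
GET_RESPONSE = 0xA2  # PDU tag of an agent reply (other tags: A0 Get, A1 GetNext, A3 Set, A5 GetBulk)

def _tlv(tag, value): return bytes([tag, len(value)]) + value  # BER TLV, short-form length (< 128 bytes)

def read_tlv(buf, pos):
    """Decode the TLV at pos -> (tag, value, next_pos); long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """Return version, community (None for v3) and PDU tag of one SNMP message."""
    tag, body, _ = read_tlv(payload, 0)
    vtag, ver, pos = read_tlv(body, 0)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("not an SNMP message")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":                      # v3 carries msgGlobalData here, not a community
        return {"version": version, "community": None, "pdu": None}
    ctag, community, pos = read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {"version": version, "community": community.decode("latin-1"), "pdu": body[pos]}

def build_get_request(version, community):  # constructed GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
    oid = _tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbinds = _tlv(0x30, _tlv(0x30, oid + _tlv(0x05, b"")))                  # one varbind, NULL value
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\0") * 2 + varbinds)  # request-id 1, no error
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)

def analyse(packets, threshold=5):
    """(src_ip, payload) pairs -> sources that tried >= threshold distinct communities, plus default-community uses."""
    tried = defaultdict(set)
    for src, payload in packets:
        try:
            hdr = parse_snmp_header(payload)
        except (ValueError, IndexError):
            continue                         # malformed or non-SNMP datagram
        if hdr["community"] is not None and hdr["pdu"] != GET_RESPONSE:   # count requests only
            tried[src].add(hdr["community"])
    return {"guessing": {s: sorted(c) for s, c in tried.items() if len(c) >= threshold},
            "default_community": sorted((s, c) for s, cs in tried.items() for c in cs if c in DEFAULT_COMMUNITIES)}

# Constructed traffic: 10.0.0.9 walks a wordlist, 10.0.0.20 polls with a default string.
WORDLIST = ["public", "private", "guess1", "guess2", "guess3", "demopublic"]
SAMPLE = [("10.0.0.9", build_get_request(1, w)) for w in WORDLIST] + [("10.0.0.20", build_get_request(1, "public"))]
```

On a real sensor the payloads would come from a capture of UDP/161 traffic; `analyse(SAMPLE)` on the constructed set reports 10.0.0.9 as guessing and both hosts as having used a default community.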


So now we have the credentials, and luckily the enumerated community string has read and write access. Now let’s enumerate further to gather more juicy details about the target operating system.

I am using the Metasploit Framework for this, and obviously there are other utilities that can do it. I recommend Metasploit because you get the details in a properly readable format, so you won’t miss any important information.

When you search in Metasploit, you’ll see the following auxiliary modules for enumeration, and you may use them as per your requirement.

As per my requirement, I’ll be using the following auxiliary modules:

  • auxiliary/scanner/snmp/snmp_enum
  • auxiliary/scanner/snmp/snmp_enumshares
  • auxiliary/scanner/snmp/snmp_enumusers

When using the first module above, these are the options you need to fill in:

I have already enumerated my community string, “demopublic”, and below are the results after running this module.

System information:

Routing information and TCP connections:

Software installed on the target system:


As you can see, if SNMP is misconfigured there are lots of possibilities to extract juicy information about the target system.

Thanks very much for taking the time to read this blog. If you have any queries or want to share feedback, feel free to comment. Your feedback will help me create good and easily understandable blogs.
