snmp assets
Part 1:setup snmp service
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-i/
1. ifconfig
2. ping baidu.com
3. apt-get install snmpd
4. vim /etc/snmp/snmpd.conf
5. comment agentAddress udp:127.0.0.1:161
6. uncomment agentAddress udp:161,udp6:[::1]:161
7. /etc/init.d/snmpd restart
==================================================================================
Part2:
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-ii/
Management Information Base (MIB):is a database used for managing the entities in a communications network(wiki: http://en.wikipedia.org/wiki/Management_information_base)
Community String:
An SNMP community string is a text string which acts as an authentication token (a password basically) between the management stations and network devices on which SNMP agents are hosted. Community Strings travel in clear text over the network, hence are subject to network sniffing attacks. Community Strings are sent with every network packet exchanged between the node and management station.
There are two different modes in which SNMP operates and both of these modes have different community strings:
Read only
This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. The default community string for this mode is “public.”
Read Write
In this mode, changes to the device are permitted; hence if one connects with this community string, we can even modify the remote device’s configurations. The default community string for this mode is “private.”
Port Scanning:
By default, SNMP runs on UDP port number 161. Unless explicitly configured, SNMP will not run on a different port.
The next step for us is to check if default community strings are enabled or not. If we find out any such host, consider it as a lottery because SNMP can give us lots and lots of information, which otherwise could have been hours worth of work for a penetration tester.
The tool is known as " onesixtyone".
Onesixtyone is basically a utility that can be used to bruteforce the SNMP community strings. It takes a list of hosts as an input and a password dictionary. It supports large dictionary files and is quick in checking if any of the passwords match. This is very helpful to penetration testers because during a pentest one wants to do quick checks to identify whether any of the hosts, out of a gamut of devices identified running SNMP, are running with default passwords. If there is more time and one wants to go ahead and check it against large dictionary, it could be done as well. The tool caters to both these requirements.
To invoke this utility, just type "onesixtyone" at the command prompt and you’ll see something like the following:
root@kali:/opt/metasploit# onesixtyone
onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information
-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100
Switch “i” is used to input the target file which we created previously. This will be treated as a target list and every host mentioned in the input file will be tried one by one against the password dictionary that we fed to the tool using switch “c.”
If a match is found by the tool,refer to image 2
else refer to image 3
==================================================================================
Part 3: snmpcheck
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-iii/
“snmpcheck” that can be used to harvest the information from hosts running default installations of SNMP.Using “snmpcheck” tool, we can enumerate information like system up time, host name of the remote system, users on the remote system, software installed with their exact versions, a list of running processes and a list of all TCP and UDP ports and many other details.
Snmpcheck runs through the SNMP’s MIB retrieving the information stored and displaying the same in a user friendly manner which could be read by a layman
However, this will only be possible in cases where the community string of the remote host is known to the tool, without which the authentication will fail and we’ll not be able to retrieve any information from the target.
“t” – This switch is used to specify the target IP address on which we want to run the tool. “t” is a mandatory switch. Tool can never work without a target.
“w” – This switch is used to confirm whether the target IP address has write access enabled or not. “w” is an optional switch. Not all devices will have write access enabled, but if any of the network devices has write access enabled and if we can brute force the community string for SNMP write mode, we can even make configuration changes on the remote host.
“p” – This switch is used to
specify the port number on which SNMP service is running on target node. This is an optional switch and if the end user does not specify a port number when running the tool, then snmpcheck will take the default configuration. By default, the tool is configured to run on UDP port 161.
“c” – This switch is used to specify the community string. This switch is also optional. Default configuration is “public”.
“v” – This switch is used to specify the SNMP version in case the user knows what is running on the target box. This switch is optional as well. Default configuration for this switch is “version 1″.
“r” – This switch is used to specify the number of retries. It is required in case an end user wants to explicitly instruct the tool to try for “x” number of times before giving up on a host. This switch is optional as well and defaults to a single retry.
“d” – This optional switch disables connection to TCP ports when specified, thus avoiding the overhead time (maybe a couple of seconds) which snmpcheck would otherwise take.
“T”- This switch allows the end user to configure a specific timeout (in seconds). Unless explicitly specified, the timeout is set to 45 seconds since this switch is optional.
“l” – It enables the logging feature of the tool when specified but it need not be mandatorily specified though.
“h” – This pulls up the help menu of the tool which can aid the user for quick reference of the switches they can use to fine tune its behavior and output.
root@kali:/opt/metasploit# snmpcheck -t 192.168.59.134 -c public
Check if Write Access is enabled:
We can check whether write access is enabled or not by adding one more switch to our initial command “-w”
root@kali:/opt/metasploit# snmpcheck -t 192.168.59.134 -c public -w
resutl refer image 4
Let me quickly demonstrate how the output would look if write access is not enabled. I ran the tool a second time after disabling the write access on the concerned target and this time, we have a different output. “Snmpcheck” timed out, and the output is significantly different from the previous one. One thing notable here is that the tool did connect to the remote host, so the timeout shown is definitely not a connection timeout.
refer to image 5
==================================================================================
Part 4: SNMPWALK
ref http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-part-4/
Users can feed in a specific OID directly to “snmpwalk” to probe that object (in MIB tree structure).
“Snmpwalk” is a tool that uses SNMP GETNEXT operation to query the network device for a tree of information. When an end user feeds the OID to the tool using the command line, this basically is an instruction to GETNEXT operation as to what portion of the tree it should look into.
Using GETNEXT requests, “snmpwalk” will query all variables listed under that particular OID (sub-tree) and the results obtained are presented via these requests to the end user.
Let’s first see how we can walk through the entire OID tree using “snmpwalk”.Our first command will go through every available object and return the values back to us for each of these nodes.
snmpwalk 192.168.1.101 –c public –v1 1
Snmpwalk is followed by the target IP address in the above command. The “c” switch is used to provide the community string and the “v” switch specifies the version of SNMP on the target system. I used “1″ as the version since that’s the version of SNMP on the target box. The last “1″ is nothing but the OID. Since we are giving the OID for ISO, snmpwalk will walk through the entire MIB tree and retrieve everything.
I’ll now cover an example of leaf node OID.
snmpwalk 192.168.1.101 –c public –v1 sysName
Following is an example of running the tool using a specific OID.
snmpwalk 192.168.1.101 –c public –v1 1.3.6.1
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-i/
1. ifconfig
2. ping baidu.com
3. apt-get install snmpd
4. vim /etc/snmp/snmpd.conf
5. comment agentAddress udp:127.0.0.1:161
6. uncomment agentAddress udp:161,udp6:[::1]:161
7. /etc/init.d/snmpd restart
==================================================================================
Part2:
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-ii/
Management Information Base (MIB):is a database used for managing the entities in a communications network(wiki: http://en.wikipedia.org/wiki/Management_information_base)
Community String:
An SNMP community string is a text string which acts as an authentication token (a password basically) between the management stations and network devices on which SNMP agents are hosted. Community Strings travel in clear text over the network, hence are subject to network sniffing attacks. Community Strings are sent with every network packet exchanged between the node and management station.
There are two different modes in which SNMP operates and both of these modes have different community strings:
Read only
This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. The default community string for this mode is “public.”
Read Write
In this mode, changes to the device are permitted; hence if one connects with this community string, we can even modify the remote device’s configurations. The default community string for this mode is “private.”
Port Scanning:
By default, SNMP runs on UDP port number 161. Unless explicitly configured, SNMP will not run on a different port.
The next step for us is to check if default community strings are enabled or not. If we find out any such host, consider it as a lottery because SNMP can give us lots and lots of information, which otherwise could have been hours worth of work for a penetration tester.
The tool is known as " onesixtyone".
Onesixtyone is basically a utility that can be used to bruteforce the SNMP community strings. It takes a list of hosts as an input and a password dictionary. It supports large dictionary files and is quick in checking if any of the passwords match. This is very helpful to penetration testers because during a pentest one wants to do quick checks to identify whether any of the hosts, out of a gamut of devices identified running SNMP, are running with default passwords. If there is more time and one wants to go ahead and check it against large dictionary, it could be done as well. The tool caters to both these requirements.
To invoke this utility, just type "onesixtyone" at the command prompt and you’ll see something like the following:
root@kali:/opt/metasploit# onesixtyone
onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information
-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100
Switch “i” is used to input the target file which we created previously. This will be treated as a target list and every host mentioned in the input file will be tried one by one against the password dictionary that we fed to the tool using switch “c.”
If a match is found by the tool,refer to image 2
else refer to image 3
==================================================================================
Part 3: snmpcheck
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-iii/
“snmpcheck” that can be used to harvest the information from hosts running default installations of SNMP.Using “snmpcheck” tool, we can enumerate information like system up time, host name of the remote system, users on the remote system, software installed with their exact versions, a list of running processes and a list of all TCP and UDP ports and many other details.
Snmpcheck runs through the SNMP’s MIB retrieving the information stored and displaying the same in a user friendly manner which could be read by a layman
However, this will only be possible in cases where the community string of the remote host is known to the tool, without which the authentication will fail and we’ll not be able to retrieve any information from the target.
“t” – This switch is used to specify the target IP address on which we want to run the tool. “t” is a mandatory switch. Tool can never work without a target.
“w” – This switch is used to confirm whether the target IP address has write access enabled or not. “w” is an optional switch. Not all devices will have write access enabled, but if any of the network devices has write access enabled and if we can brute force the community string for SNMP write mode, we can even make configuration changes on the remote host.
“p” – This switch is used to
specify the port number on which SNMP service is running on target node. This is an optional switch and if the end user does not specify a port number when running the tool, then snmpcheck will take the default configuration. By default, the tool is configured to run on UDP port 161.
“c” – This switch is used to specify the community string. This switch is also optional. Default configuration is “public”.
“v” – This switch is used to specify the SNMP version in case the user knows what is running on the target box. This switch is optional as well. Default configuration for this switch is “version 1″.
“r” – This switch is used to specify the number of retries. It is required in case an end user wants to explicitly instruct the tool to try for “x” number of times before giving up on a host. This switch is optional as well and defaults to a single retry.
“d” – This optional switch disables connection to TCP ports when specified, thus avoiding the overhead time (maybe a couple of seconds) which snmpcheck would otherwise take.
“T”- This switch allows the end user to configure a specific timeout (in seconds). Unless explicitly specified, the timeout is set to 45 seconds since this switch is optional.
“l” – It enables the logging feature of the tool when specified but it need not be mandatorily specified though.
“h” – This pulls up the help menu of the tool which can aid the user for quick reference of the switches they can use to fine tune its behavior and output.
root@kali:/opt/metasploit# snmpcheck -t 192.168.59.134 -c public
Check if Write Access is enabled:
We can check whether write access is enabled or not by adding one more switch to our initial command “-w”
root@kali:/opt/metasploit# snmpcheck -t 192.168.59.134 -c public -w
resutl refer image 4
Let me quickly demonstrate how the output would look if write access is not enabled. I ran the tool a second time after disabling the write access on the concerned target and this time, we have a different output. “Snmpcheck” timed out, and the output is significantly different from the previous one. One thing notable here is that the tool did connect to the remote host, so the timeout shown is definitely not a connection timeout.
refer to image 5
==================================================================================
Part 4: SNMPWALK
ref http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-part-4/
Users can feed in a specific OID directly to “snmpwalk” to probe that object (in MIB tree structure).
“Snmpwalk” is a tool that uses SNMP GETNEXT operation to query the network device for a tree of information. When an end user feeds the OID to the tool using the command line, this basically is an instruction to GETNEXT operation as to what portion of the tree it should look into.
Using GETNEXT requests, “snmpwalk” will query all variables listed under that particular OID (sub-tree) and the results obtained are presented via these requests to the end user.
Let’s first see how we can walk through the entire OID tree using “snmpwalk”.Our first command will go through every available object and return the values back to us for each of these nodes.
snmpwalk 192.168.1.101 –c public –v1 1
Snmpwalk is followed by the target IP address in the above command. The “c” switch is used to provide the community string and the “v” switch specifies the version of SNMP on the target system. I used “1″ as the version since that’s the version of SNMP on the target box. The last “1″ is nothing but the OID. Since we are giving the OID for ISO, snmpwalk will walk through the entire MIB tree and retrieve everything.
I’ll now cover an example of leaf node OID.
snmpwalk 192.168.1.101 –c public –v1 sysName
Following is an example of running the tool using a specific OID.
snmpwalk 192.168.1.101 –c public –v1 1.3.6.1