SNMP

About

SNMP (Simple Network Management Protocol) is an application-layer Internet Standard protocol for monitoring and managing devices on an IP network. Besides reading device information, it can be used to modify that information and change device behaviour. An SNMP agent runs on each managed device and answers queries from a manager, which is why the protocol is commonly used to collect health and status data about the devices on a network. Agents listen for requests (including control commands such as Set) on UDP port 161; unsolicited notifications (traps) travel in the other direction, from the agent to the manager, on UDP port 162.

  • OID - Object Identifier. An OID names a node in a hierarchical namespace. A dotted sequence of numbers (for example .1.3.6.1.2.1.1.1.0 for sysDescr) uniquely identifies each node and describes its position in the tree.

  • MIB - Management Information Base. A MIB is a text file, written in a vendor-independent format, that lists the SNMP objects a device exposes in a standardised tree hierarchy: their OIDs, names, data types and access rights. It contains at least one OID, and tools such as snmpwalk use it to translate numeric OIDs into readable names.

  • Community String - Essentially a password: an authentication string that grants access to the SNMP agent running on a device. In SNMPv1 and v2c it is the only access control there is, so it acts as the whole security boundary of an SNMP-managed network.

Versions

  1. SNMPv1 - No real authentication: the community string is the only credential and it travels in cleartext. Use snmpwalk with the -v1 argument to query an agent that only speaks v1.

  2. SNMPv2c - No encryption either. Community strings act as passwords that decide whether the requested information may be read (or written). The "c" in v2c stands for "community"; because the string is sent in cleartext, anyone who can sniff the traffic can intercept it and reuse it.

  3. SNMPv3 - Finally adds user-based authentication (HMAC) and optional encryption of the payload, with the security levels noAuthNoPriv, authNoPriv and authPriv. That's a win, provided the agent is actually configured for authPriv.

Dangerous Settings

View config file

grep -v '^\s*#' /etc/snmp/snmpd.conf | sed -r '/^\s*$/d'   # drop comment lines and blank lines
  • rwuser <user> noauth - Gives an SNMPv3 user read-write access to the full OID tree without requiring authentication.

  • rwcommunity <community string> <IPv4 address> - Gives read-write access to the full OID tree to anyone who knows the community string. When the source address is omitted or set to default, requests are accepted regardless of where they were sent from.

  • rwcommunity6 <community string> <IPv6 address> - Same access as rwcommunity, with the difference that the source is an IPv6 address.
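As an added example that is not from the original page, the following Python script audits an snmpd.conf for the directives above (plus the well-known default community strings public and private). The two configuration strings are constructed for illustration and are not from a real host; the directive syntax follows net-snmp's "rocommunity/rwcommunity COMMUNITY [SOURCE]" and "rwuser [-s MODEL] USER [noauth|auth|priv]" forms, and the default security level of rwuser is auth, so only an explicit noauth is flagged.

```python
"""Audit an snmpd.conf for the dangerous access directives discussed above."""

# Community strings that ship as defaults on many devices and are tried
# first by every scanner.
WELL_KNOWN = {"public", "private"}

# Constructed sample configurations (illustration only, not from a real host).
WEAK_CONF = """\
# constructed example of a dangerous snmpd.conf
rocommunity  public
rwcommunity  private
rwcommunity6 private
rwuser       admin noauth
sysLocation  Rack 12
"""

HARDENED_CONF = """\
# constructed example of a safer snmpd.conf
rocommunity  s3cr3tRead   10.10.0.0/24 -V systemonly   # read-only, one subnet, limited view
view systemonly included .1.3.6.1.2.1.1
rwcommunity  N3tw0rkWr1te 10.10.0.5                  # writes only from the NMS
rwuser       netops priv                             # SNMPv3, authenticated and encrypted
"""


def _strip_comment(raw):
    """Drop an inline '#' comment (the grep/sed one-liner above only drops whole comment lines)."""
    return raw.split("#", 1)[0].strip()


def audit_snmpd_conf(text):
    """Return [(line_number, finding), ...] for risky directives in snmpd.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # syntax: r[ow]community COMMUNITY [SOURCE] [OID | -V VIEW]
            community = args[0] if args else ""
            has_source = len(args) > 1 and not args[1].startswith("-") and args[1] != "default"
            if community.lower() in WELL_KNOWN:
                findings.append((lineno, f"{directive}: community string {community!r} is a well-known default"))
            if directive.startswith("rw") and not has_source:
                findings.append((lineno, f"{directive}: read-write access to the full OID tree from any source"))

        elif directive in ("rouser", "rwuser"):
            # syntax: r[ow]user [-s MODEL] USER [noauth|auth|priv] [OID | -V VIEW]
            if args[:1] == ["-s"]:
                args = args[2:]
            user = args[0] if args else ""
            level = args[1].lower() if len(args) > 1 else "auth"   # net-snmp defaults to auth
            if level == "noauth":
                findings.append((lineno, f"{directive}: SNMPv3 user {user!r} is granted access without authentication"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_snmpd_conf(conf)
        print(f"{name}: {len(result)} finding(s)")
        for lineno, msg in result:
            print(f"  line {lineno}: {msg}")
```

Run it against a real file with audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read()). The hardened sample shows the three fixes that remove every finding: a non-default community string, an explicit source network for anything read-write, and an SNMPv3 user at level priv instead of noauth.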

SNMPwalk

snmpwalk is a command-line tool that repeatedly sends GetNextRequest PDUs, starting from a given OID, so that it enumerates every object in a subtree without the operator typing one request per OID (snmpbulkwalk does the same with GetBulkRequest on v2c and v3 agents). Walking an agent reveals which MIB subtrees it supports (system information, interfaces, running processes, installed software and more), and running it against each host tells you which devices on the network speak SNMP and which are not responding as expected.

SNMPwalk

snmpwalk -v2c -c public 13.13.13.13

Tips2Hack

  1. onesixtyone (SNMP scanner). Can be used to brute-force community strings, since administrators may choose them arbitrarily and an agent only answers requests that carry a valid one.

onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 13.13.13.13
  2. braa. Once a community string is known, braa can be used to query large numbers of OIDs quickly and enumerate the information behind them.

braa <community string>@13.13.13.13:.1.3.6.*
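The following Python script is an added example, not part of the original page or of any of the tools named above. It builds the raw SNMPv2c GetNextRequest that snmpwalk sends at each step of a walk, parses it back the way a sniffer on the path would (which is the interception problem from the Versions section), and wraps the same packet in a probe that answers the question onesixtyone asks for every candidate community string: does the agent reply at all? The host 13.13.13.13 is the page's placeholder, probe_community is only called when you run it yourself, and everything else runs offline.

```python
"""Build and dissect a raw SNMPv2c GetNextRequest (the PDU snmpwalk sends).

Added example (not from the original page): hand-rolled BER encoding of the
exact bytes that cross the wire, plus a small parser showing that the
community string is readable by anyone who can see the UDP datagram.
"""
import socket

GET_NEXT_REQUEST, GET_RESPONSE = 0xA1, 0xA2   # SNMP PDU tags
SNMP_V1, SNMP_V2C = 0, 1                      # values of the version INTEGER


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Two's-complement INTEGER; the extra byte keeps positive values positive."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_getnext(community, oid, request_id=1, version=SNMP_V2C):
    """SNMP message: SEQUENCE { version, community, GetNextRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # { OID, NULL }
    pdu = tlv(GET_NEXT_REQUEST,
              ber_int(request_id) + ber_int(0) + ber_int(0)   # request-id, error-status, error-index
              + tlv(0x30, varbind))                          # VarBindList
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Inverse of ber_oid for the value bytes of an OID element."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(pkt):
    """What a sniffer sees: version and community sit in front of the PDU, unencrypted."""
    _, msg, _ = read_tlv(pkt)
    _, ver, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)           # error-status
    _, _, pos = read_tlv(pdu, pos)           # error-index
    _, vblist, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(vblist)
    _, oid, _ = read_tlv(varbind)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oid": decode_oid(oid)}


def probe_community(host, community, oid="1.3.6.1.2.1.1.1.0", timeout=2.0):
    """Send one GetNext for sysDescr to UDP/161 and report whether a Response PDU
    came back. Agents silently drop requests with a wrong community string, which
    is exactly the signal a scanner such as onesixtyone relies on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getnext(community, oid), (host, 161))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return False
    return parse_message(reply)["pdu_tag"] == GET_RESPONSE


if __name__ == "__main__":
    pkt = build_getnext("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(parse_message(pkt))
    # Against a live agent (the page's placeholder host), one candidate per call:
    # print(probe_community("13.13.13.13", "public"))
```

The parsed dictionary makes the Versions section concrete: version and community are the first two fields of every v1/v2c message and nothing in the protocol hides them; choosing version=SNMP_V1 changes a single byte. A walk is this same request sent in a loop, each time with the OID returned in the previous Response, until the returned OID leaves the subtree you started from.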
