EXPLOITING SNMP

====================================================================
SNMP ENUMERATION: ACTIVE INFORMATION GATHERING:
====================================================================

///////////////////////////////////////////////////////////////////
ANY MACHINES RUNNING THE SNMP SERVICE ARE THE TARGETS IN THE LABS HERE
//////////////////////////////////////////////////////////////////

The SNMP protocol is another protocol that is often overly verbose.

SNMP is often misunderstood by network administrators. This frequently results in misconfigurations which, at best, lead to a dramatic amount of information leakage.

*************************
SNMP is based on UDP, a simple stateless protocol, and is therefore susceptible to IP spoofing and replay attacks. In addition, the commonly used SNMP versions 1, 2 and 2c offer no traffic encryption, so the community strings that act as credentials can easily be intercepted on a local network.
*************************

Traditional SNMP protocols have weak authentication schemes and are commonly left misconfigured with default public and private community strings.

All of this exists in a protocol that is intended to manage the network.

DISCOVER, ENUMERATE AND EXPLORE DURING THE INFORMATION GATHERING PHASE.

The following MIB values correspond to specific Microsoft Windows SNMP parameters:

1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

To read more about the MIB tree, refer to the following
URL:
o http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.progcomm/doc/progcomc/mib.htm

SNMP ENUMERATION: ACTIVE INFORMATION GATHERING: SNMP MIB


The SNMP Management Information Base (MIB) is a database containing information usually related to network management.

The database is organised as a tree where branches represent different organisations or different functions. The leaves of the tree, or final endpoints, usually correspond to specific values that can be accessed and probed by an external user.

eg:
#cat mib-values

Let's look at the MIB values that correspond to specific Microsoft Windows SNMP Parameters such as:
- System processes
- User Accounts
- TCP Local Ports

The SNMP protocol listens by default on UDP port 161.

We can use Nmap to search for hosts with UDP port 161 open using the following syntax:

*********************************
#nmap -sU --open -p 161 192.168.31.200-254
*********************************

Alternatively, we can use a tool such as onesixtyone, which takes this a step further and checks a list of community strings against a list of IPs, essentially letting us brute force community strings against the given IPs.

To demonstrate the use of onesixtyone, we need a list of community strings:
#cat community
public
private
manager

We also have a list of IP addresses that we wish to run our SNMP scan against (note that seq takes two arguments, FIRST and LAST, not a range):

#for ip in $(seq 200 254); do echo 192.168.1.$ip; done > ips

We now have 2 files
- Community String in community
- IPs in ips

**********************************
Eg:
#onesixtyone -c community -i ips
**********************************

Once these SNMP services are found and known to respond to a specific community string, we can start querying them for additional SNMP MIB data that might be interesting to us.
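The steps above (build the target list, build the community list, run onesixtyone, then query the responders) as one script. This is an added example, not part of the original notes. It assumes onesixtyone prints one line per responding host in the form "<ip> [<community>] <sysDescr>", and that a mib-values file with "<oid> <label>" lines (like the one shown earlier) exists in the working directory. The sample onesixtyone output embedded below is constructed, not a real scan result.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): a small driver around
# onesixtyone and snmpwalk. Assumed onesixtyone output format:
#   <ip> [<community>] <sysDescr>
set -u

# Expand "192.168.1" 200 254 into one IP per line (the notes' seq loop, with
# the two separate arguments seq expects).
gen_targets() {            # gen_targets <prefix> <first> <last>
    local prefix=$1 first=$2 last=$3 i
    for i in $(seq "$first" "$last"); do
        printf '%s.%s\n' "$prefix" "$i"
    done
}

# Reduce onesixtyone output on stdin to "<ip> <community>" pairs, one per
# line. Lines that do not match the expected format (banners, errors) are
# dropped; duplicates are collapsed.
parse_onesixtyone() {
    sed -n 's/^\([0-9][0-9.]*\) \[\([^]]*\)\] .*/\1 \2/p' | LC_ALL=C sort -u
}

# Walk every OID listed in <oidfile> ("<oid> <label>" per line) on one host,
# printing a labelled header before each walk so the output stays readable.
walk_host() {              # walk_host <ip> <community> <oidfile>
    local ip=$1 comm=$2 oidfile=$3 oid label
    while read -r oid label; do
        [ -n "$oid" ] || continue
        printf '### %s %s (%s)\n' "$ip" "$label" "$oid"
        snmpwalk -v1 -c "$comm" -On "$ip" "$oid"
    done < "$oidfile"
}

# Constructed sample of onesixtyone output (not real results), so the parser
# can be exercised without a network.
SAMPLE_ONESIXTYONE='Scanning 55 hosts, 3 communities
192.168.1.227 [public] Hardware: x86 Family 6 Model 15 AT/AT COMPATIBLE
192.168.1.230 [private] Linux host 2.6.32
192.168.1.227 [public] Hardware: x86 Family 6 Model 15 AT/AT COMPATIBLE'

demo_parse() {
    printf '%s\n' "$SAMPLE_ONESIXTYONE" | parse_onesixtyone
}

# Full pipeline: targets + community list -> onesixtyone -> snmpwalk per hit.
# Only runs when invoked as "./snmp-enum.sh scan", so sourcing the file for
# its functions has no side effects.
if [ "${1:-}" = "scan" ]; then
    gen_targets 192.168.1 200 254 > ips
    printf '%s\n' public private manager > community
    onesixtyone -c community -i ips | parse_onesixtyone |
    while read -r ip comm; do
        walk_host "$ip" "$comm" mib-values
    done
fi
```

parse_onesixtyone is deliberately strict: anything that is not "ip [community] ..." is discarded, which keeps tool banners and error lines out of the list fed to snmpwalk.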

SNMP ENUMERATION: ACTIVE INFORMATION GATHERING: SNMPWalk


We can probe and query an SNMP service using tools such as snmpwalk, provided that we know at least the SNMP read-only community string, which in most cases is the string 'public'.

Let's try some examples against a windows lab machine that is running the SNMP service.

We will start by using snmpwalk to walk through the entire MIB tree of a Windows SNMP service and display the value of each leaf in the tree.

-c = community string
-v = the version of SNMP to use

#snmpwalk -c public -v1 192.168.31.227

The output of this query will include a huge amount of information which at times will be hard to digest or even understand.
A better approach is to query only certain branches or values in the MIB tree, giving more targeted information.

Using the MIB values in this file, I'll use snmpwalk to extract very specific information about the Windows machine.

#cat mib-values
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

Lets see if we can get a list of running programs:
#snmpwalk -c public -v1 192.168.31.227 1.3.6.1.2.1.25.4.2.1.2

Or a List of Open TCP Ports on this machine:
#snmpwalk -c public -v1 192.168.31.227 1.3.6.1.2.1.6.13.1.3

The same goes for software installed etc. We just need the MIB values. This information is verbose and can certainly aid an attacker in compromise.
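The raw snmpwalk output for these two OIDs is one line per table row in net-snmp's "<oid> = <TYPE>: <value>" form, which is awkward to read as-is. The following is an added example, not part of the original notes, that turns a tcpConnLocalPort walk into "localaddress:port" lines and an hrSWRunName walk into a unique list of program names. It assumes net-snmp output formatting (ideally with -On so OIDs are numeric); the two samples embedded below are constructed, not captured from a real host. The tcpConnLocalPort index is tcpConnLocalAddress.tcpConnLocalPort.tcpConnRemAddress.tcpConnRemPort (ten components), which is why the local address can be recovered from the OID itself.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): post-process snmpwalk output.
# Assumed line format: "<oid> = INTEGER: <n>" or "<oid> = STRING: \"<text>\"".
set -u

# tcpConnLocalPort (1.3.6.1.2.1.6.13.1.3): the last ten OID components are
# localaddr(4).localport.remaddr(4).remport, so print "localaddr:localport".
tcp_listeners() {
    awk -F' = INTEGER: ' 'NF == 2 {
        n = split($1, p, ".")
        printf "%s.%s.%s.%s:%s\n", p[n-9], p[n-8], p[n-7], p[n-6], $2
    }' | LC_ALL=C sort -u
}

# hrSWRunName (1.3.6.1.2.1.25.4.2.1.2): keep the string value, drop the
# quotes net-snmp puts around display strings, and collapse duplicates
# (svchost.exe appears once per instance otherwise).
running_programs() {
    sed -n 's/^.* = STRING: //p' | tr -d '"' | LC_ALL=C sort -u
}

# Query both tables on a live host and render them. Not called at top level.
enum_host() {              # enum_host <ip> <community>
    printf '# TCP local ports on %s\n' "$1"
    snmpwalk -v1 -c "$2" -On "$1" 1.3.6.1.2.1.6.13.1.3 | tcp_listeners
    printf '# Running programs on %s\n' "$1"
    snmpwalk -v1 -c "$2" -On "$1" 1.3.6.1.2.1.25.4.2.1.2 | running_programs
}

# Constructed samples (not real captures) in the format snmpwalk -On emits.
SAMPLE_TCP='.1.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.0 = INTEGER: 3389
.1.3.6.1.2.1.6.13.1.3.192.168.31.227.139.192.168.31.5.49152 = INTEGER: 139'

SAMPLE_SWRUN='.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.384 = STRING: "svchost.exe"
.1.3.6.1.2.1.25.4.2.1.2.1208 = STRING: "snmp.exe"
.1.3.6.1.2.1.25.4.2.1.2.1440 = STRING: "svchost.exe"'

demo_ports()    { printf '%s\n' "$SAMPLE_TCP"   | tcp_listeners; }
demo_programs() { printf '%s\n' "$SAMPLE_SWRUN" | running_programs; }
```

The same index trick applies to the other Host Resources tables listed earlier: hrSWRunPath shares its index (the process ID) with hrSWRunName, so walking both and joining on that last OID component gives name and path per process.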

Kali Linux includes several SNMP enumeration tools such as
- SNMPenum
- SNMPcheck

Both are capable of extracting interesting information from a cooperative SNMP service.

******************************
******************************
Take some time to experiment with both SNMPenum and SNMPcheck in the labs
******************************
******************************