Title: ISSA KY March 2013 Workshop: Introduction to Pen Testing Simple Network Management Protocol (SNMP)

Updates/Video Postings/etc.: Twitter: @webpwnized

Software Required: Backtrack 5 R3, Metasploit, snmpset, snmpget, snmpwalk, tcpdump, nmap

URL: Introduction to Pen Testing Simple Network Management Protocol (SNMP) - YouTube

Notes: Please see below

Author: Jeremy Druin

From: Kentucky ISSA March 2013 Workshop

The Simple Network Management Protocol (SNMP) is used on networked devices to read, write, and update device configuration remotely. Windows desktop systems typically do not run SNMP services by default, but these can be enabled for testing. Server operating systems often run SNMP services by default, as do network devices such as routers, printers, special-purpose equipment, switches, and firewalls.

In this video, a Windows XP box has SNMP enabled to act as a test target. A Backtrack 5 R3 host is used to perform the assessment. The video progresses through host discovery, port identification, service verification, finding community strings, dumping device configuration, and altering device configuration. Tools used include nmap, msfconsole, snmpwalk, snmpset, and snmpget.

Notes from talk can be found below.

SNMP Discovery

Sweep network: nmap -sU -p 161 -sV <ip address range>

Additionally run default scripts: nmap -sU -p 161 -sV -sC <ip address range>

Additionally run custom scripts: nmap -sU -p 161 -sV --script="<script name, e.g. snmp-brute>" <ip address range>

Additionally run custom scripts with custom arguments: nmap -sU -p 161 -sV --script="<script name>" --script-args="snmpcommunity=internal" <ip address range>

Nmap NSE Scripts (Note: use -sU -p 161 to scan the SNMP port)

  i. Example:

nmap -p 161 -sU --script="snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users" --script-args="snmpcommunity=UPSSupport"

  ii. snmp-brute attempts to find an SNMP community string by brute force guessing.

  iii. snmp-hh3c-logins attempts to enumerate Huawei/HP/H3C locally defined users through the hh3c-user.mib OID.

  iv.  snmp-interfaces attempts to enumerate network interfaces through SNMP.

  v.  snmp-ios-config attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them.

  vi.  snmp-netstat attempts to query SNMP for a netstat-like output. The script can be used to identify and automatically add new targets to the scan by supplying the newtargets script argument.

  vii.  snmp-processes attempts to enumerate running processes through SNMP.

  viii.  snmp-sysdescr attempts to extract system information from an SNMP version 1 service.

  ix.  snmp-win32-services attempts to enumerate Windows services through SNMP.

  x.  snmp-win32-shares attempts to enumerate Windows Shares through SNMP.

  xi.  snmp-win32-software attempts to enumerate installed software through SNMP.

  xii.  snmp-win32-users attempts to enumerate Windows user accounts through SNMP.

SNMP Brute Force Community Strings

a. nmap snmp-brute script

  i. Notes on nmap snmp-brute: the wordlist is chosen with the snmp-brute.communitiesdb script argument. The default file is nselib/data/snmpcommunities.lst; nselib/data/passwords.lst is used if the default file is not available, and the file passed in the argument is used when it is available.

b. Metasploit auxiliary/scanner/snmp/snmp_login

  i. SNMP Community Scanner: Scan for SNMP devices using common community names

  ii. Note: the community strings attempted are located in /opt/<Metasploit>/apps/pro/msf3/data/wordlists/snmp_default_pass.txt
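Both brute-forcers above succeed only because SNMPv1 and v2c carry the community string as a cleartext OCTET STRING in every datagram, which is also why a tcpdump capture on UDP/161 exposes it. The following is an added example, not code from the workshop: a minimal BER encoder for a v1/v2c GetRequest, and a decoder that flags watch-listed community strings in captured datagrams so a defender can spot default strings still in use. The watch-list, source addresses and sample packets are constructed for the demonstration.

```python
# Added example (not from the workshop): minimal SNMPv1/v2c BER codec + default-community detector.
def tlv(tag, body):  # BER length: short form below 128, else 0x80|count then the length bytes
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def encode_int(v):  # minimal two's-complement INTEGER
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid):  # first two arcs share one byte, the rest are base-128 with continuation bit
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def build_get_request(community, oid, request_id=1, version=0):
    # Message = SEQUENCE { INTEGER version, OCTET STRING community, GetRequest-PDU [0] }
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + b"\x05\x00"))  # one OID with a NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(version) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos=0):  # -> (tag, body, position just after this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low bits give the number of length bytes that follow
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def community_of(datagram):  # -> (version, community) for v1/v2c, None for v3 or malformed input
    try:
        tag, msg, _ = parse_tlv(datagram)
        vtag, ver, pos = parse_tlv(msg)
        ctag, comm, _ = parse_tlv(msg, pos)
    except IndexError:
        return None
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):  # v3 carries a SEQUENCE here, not a string
        return None
    return int.from_bytes(ver, "big", signed=True), comm.decode("latin-1")

WEAK = {"public", "private", "internal"}  # constructed watch-list; extend with site defaults
def flag_weak_communities(datagrams):  # -> [(src, "v1"/"v2c", community)] for watch-listed strings
    return [(src, {0: "v1", 1: "v2c"}.get(p[0], "?"), p[1]) for src, data in datagrams
            if (p := community_of(data)) and p[1] in WEAK]

SAMPLE = [  # constructed sample traffic: a default string from one host, a strong one from another
    ("10.10.10.5", build_get_request("public", "1.3.6.1.2.1.1.6.0")),
    ("10.10.10.6", build_get_request("Kx9-longsecret", "1.3.6.1.2.1.1.1.0", 2, 1))]
```

Feeding real UDP/161 payloads (for example the bytes tcpdump or a pcap reader hands you) to flag_weak_communities gives the same tuples, so the watch-list can be checked against live traffic rather than by guessing.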

SNMP Enumerate Values

a. Metasploit auxiliary/scanner/snmp/snmp_enum

  i. SNMP Enumeration Module

  ii. This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public".

b. Metasploit auxiliary/scanner/snmp/snmp_enumshares

  i. SNMP Windows SMB Share Enumeration

  ii. This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP.

c. Metasploit auxiliary/scanner/snmp/snmp_enumusers

  i. SNMP Windows Username Enumeration

d. BT /pentest/enumeration/snmpcheck/snmpcheck.pl

  i. Given a community string, pulls MIB information via SNMP

  ii. Can be invoked by using Metasploit auxiliary/scanner/snmp/snmp_enum

e. snmpget

  i. Example:  snmpget -v 1 -c public .

f. snmpwalk

  i. Example: snmpwalk -v 1 -c public > /root/engagements/HPAC/snmp-walk-10-10-10-10.internal.txt

g. snmpbulkwalk

  i. Note: Only works with SNMP version 2c (uses GETBULK, so faster than snmpwalk)

  ii. Example: snmpbulkwalk -v 2c -c public > /root/engagements/HPAC/snmp-walk-10-10-10-10.internal.txt

h. snmpnetstat

  i. Enumerates network interfaces

SNMP Exploitation (Setting Values)

  a. Metasploit auxiliary/scanner/snmp/snmp_set

   i. SNMP Set Module (rank: normal)

  b. snmpset

   i. Example: snmpset -v 1 -c public SNMPv2-MIB::sysLocation.0 s "building 1 - 2nd floor"