Hack Like a Pro: How to Exploit SNMP for Reconnaissance

Welcome back, my rookie hackers!

The more we know about a system or network, the better our chances of owning it and not leaving a trace for investigators to follow. One of the often overlooked sources for information is the Simple Network Management Protocol (SNMP). Many rookie hackers are not even aware of it, but it can prove to be a treasure trove of information, if you understand how it works and how to hack it.

How SNMP Can Help You Access Network Devices

SNMP runs over UDP (connectionless and efficient) on port 161 and enables a network administrator to gather information on and manage network devices. Each networked device runs an SNMP agent that answers queries from the manager (the management station) with information about its make, model, configuration, etc.

All this information is exposed through a structured database on each device called the Management Information Base (MIB). If we can access the MIB and know how to read and interpret the info, we can then know each and every device on the network. If we can crack the password on SNMP, we may be able to control each networked device. This would allow us to change configurations, take devices offline, etc.

The Different Versions of SNMP

There are at least three versions of SNMP. The first, SNMPv1 or just SNMP, was not secure. SNMPv2 was developed to be more secure, but was not backward compatible with v1. SNMPv3 is secure and backward compatible, but very often not implemented.

SNMPv1 has a default community string (similar to a password) for the admin of "private" and a default community string for everyone and everything else of "public". The admin password permits the admin to change configurations of devices remotely, while the public password only allows us to view the info in the MIB. Many times, system admins leave these passwords in the default configuration due to lack of knowledge or laziness. Before you try any hack on SNMP, make certain you try these default passwords first.

Even if the system admin does change the default passwords, they often change them to a variation of public/private or something else very simple. Generally, these passwords are relatively easy to brute-force with a dictionary attack.
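The point behind the community-string discussion above is that in SNMPv1 and SNMPv2c the "password" is just an octet string at the front of every UDP datagram, readable by anyone who can see the packet. The following is an added example, not code from the tutorial or from snmpenum: a minimal BER decoder for the community-based SNMP message layout (version, community, PDU, variable bindings), plus the checks a network monitor would raise. The two packets are hand-constructed for illustration (an SNMPv1 GetRequest for sysDescr.0 with community "public", and an SNMPv2c SetRequest for sysName.0 with community "private"); the PDU and version tables are the standard values from the protocol.

```python
"""Decode SNMPv1/v2c messages and flag default community strings.

Added example (not from the tutorial or the snmpenum project): a minimal
BER/ASN.1 decoder for the SNMP message layout. Sample packets are
hand-constructed.
"""
from dataclasses import dataclass, field

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Dotted OID from BER bytes (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_int(raw: bytes) -> int:
    return int.from_bytes(raw, "big", signed=True)


@dataclass
class SnmpMessage:
    version: str
    community: str
    pdu_type: str
    request_id: int
    varbinds: list = field(default_factory=list)   # (oid, value) pairs


def decode_snmp(packet: bytes) -> SnmpMessage:
    """Parse one SNMPv1/v2c datagram (community-based message format)."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, ver_raw, pos = read_tlv(body, 0)            # INTEGER version
    _, comm_raw, pos = read_tlv(body, pos)         # OCTET STRING community
    pdu_tag, pdu, _ = read_tlv(body, pos)          # context tag selects the PDU
    _, rid_raw, p = read_tlv(pdu, 0)               # request-id
    _, _, p = read_tlv(pdu, p)                     # error-status (skipped)
    _, _, p = read_tlv(pdu, p)                     # error-index (skipped)
    _, vb_list, _ = read_tlv(pdu, p)               # SEQUENCE OF VarBind
    varbinds, q = [], 0
    while q < len(vb_list):
        _, vb, q = read_tlv(vb_list, q)
        _, oid_raw, r = read_tlv(vb, 0)
        vtag, vraw, _ = read_tlv(vb, r)
        if vtag == 0x05:                           # NULL: a Get carries no value
            value = None
        elif vtag == 0x02:
            value = decode_int(vraw)
        elif vtag == 0x04:
            value = vraw.decode("latin-1")
        else:
            value = vraw.hex()                     # other types kept as hex
        varbinds.append((decode_oid(oid_raw), value))
    return SnmpMessage(VERSION_NAMES.get(decode_int(ver_raw), "unknown"),
                       comm_raw.decode("latin-1"),
                       PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
                       decode_int(rid_raw), varbinds)


def audit(packet: bytes) -> list:
    """Findings a monitoring rule would raise for one captured datagram."""
    msg, findings = decode_snmp(packet), []
    if msg.version in ("SNMPv1", "SNMPv2c"):
        findings.append(f"{msg.version}: community string travels in cleartext")
    if msg.community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{msg.community}' in use")
    if msg.pdu_type == "SetRequest":
        findings.append("write operation (SetRequest) seen on the wire")
    return findings


# Constructed samples: SNMPv1 GetRequest for sysDescr.0, community "public";
# SNMPv2c SetRequest writing sysName.0 = "host-a", community "private".
GET_PUBLIC = bytes.fromhex(
    "302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
SET_PRIVATE = bytes.fromhex(
    "302d020101040770726976617465a31f020102020100020100301430120608"
    "2b060102010105000406686f73742d61")

if __name__ == "__main__":
    for pkt in (GET_PUBLIC, SET_PRIVATE):
        m = decode_snmp(pkt)
        print(m.version, m.community, m.pdu_type, m.varbinds)
        for finding in audit(pkt):
            print("  !", finding)
```

Run against a real capture, the same decoder applied to each UDP/161 payload tells an administrator which hosts are still speaking v1/v2c with "public" or "private", which is the condition the rest of this tutorial relies on.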

Exploiting SNMP for Recon

In this hack, we will look at what info we can harvest from the SNMP MIB if the network is using SNMPv1 and we know the community string. In a future tutorial, I'll show you how to break the community string.

Step 1: Open BackTrack

All of the tools we need for this hack are built into BackTrack, so we have no need to download or install any new software.

Step 2: Open Snmpenum

In this hack, we will use a tool called snmpenum. It gathers information from the MIB over SNMP for any IP address, if we know the community string.

To start, go to BackTrack -> Information Gathering -> Network Analysis -> SNMP, and finally, snmpenum.


Step 3: Run Snmpenum

When you click on snmpenum, it will open a terminal that will look like this.

Note that the syntax for running snmpenum is fairly straightforward. All you need is the IP address, the community string, and the config file. If we do a long listing on this directory:

  • ls -l

We can see that there are three text files that are our configuration files for snmpenum. We have one for Windows, one for Linux, and one for Cisco.

In this case, we will be running snmpenum against a Windows machine on our internal network at 192.168.1.101 that still has its default SNMP community string (password) of "public". Note that snmpenum is a Perl script, so it ends with .pl. To run it, we must precede it with "./".

Simply enter this information as follows:

  • ./snmpenum.pl 192.168.1.101 public windows.txt

Step 4: Make Sense of It All

When we run snmpenum, it gathers all the information in the MIB database on the target machine and displays it on the screen. The amount of information covers several screens, but it will return users, installed software (see below), hostname, OS, uptime, services, open TCP ports, open UDP ports, and more!

Here we see the listening ports:

Here we can see all the running services:

Now that we have gathered all this information on the system, we can better develop a strategy for exploiting it. We simply need to then find the known vulnerabilities for that OS, those services, those ports, etc.

In addition, with the uptime, we can gauge when the system was last patched. If the uptime is, say, three months, we know that the system is vulnerable to any new vulnerabilities discovered in the last three months, as a patch would require a reboot of the system.
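Step 4 and the uptime reasoning above amount to reading a handful of MIB objects (sysUpTime, sysName, the tcpConnTable and the hrSWRunTable) and turning them into an inventory. The following is an added example, not snmpenum's code and not its output format: it parses a constructed, net-snmp style numeric-OID dump (the form `snmpwalk -On` prints), pulls out listening TCP ports, running processes and the implied last-reboot time, and carries the caveat that sysUpTime is a 32-bit TimeTicks counter that wraps after roughly 497 days. The hostname, ports and process names in SAMPLE_WALK are made up; the OIDs are the standard MIB-II and HOST-RESOURCES-MIB ones. The same summary is what an administrator runs against their own hosts to see exactly what a "public" community string gives away.

```python
"""Summarize SNMP walk output into the recon facts the tutorial reads off the screen.

Added example, not snmpenum's code. SAMPLE_WALK is a constructed, net-snmp style
numeric-OID dump; the host, ports and process names are made up.
"""
import re
from datetime import datetime, timedelta

SYS_UPTIME = ".1.3.6.1.2.1.1.3.0"            # TimeTicks since the agent started
SYS_NAME = ".1.3.6.1.2.1.1.5.0"
TCP_CONN_STATE = ".1.3.6.1.2.1.6.13.1.1."     # + localAddr.localPort.remAddr.remPort
HR_SW_RUN_NAME = ".1.3.6.1.2.1.25.4.2.1.2."   # + process index
TCP_LISTEN = 2                                # tcpConnState value listen(2)
TICKS_PER_SECOND = 100                        # TimeTicks are hundredths of a second
TICKS_WRAP = 2 ** 32                          # 32-bit counter: wraps after ~497 days

LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+) = (?P<type>[A-Za-z-]+): ?(?P<val>.*)$")

# Constructed sample walk of a lab Windows host (not real output).
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.3.0 = Timeticks: (795600000) 92 days, 2:00:00.00
.1.3.6.1.2.1.1.5.0 = STRING: "WS-LAB-01"
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.135.0.0.0.0.0 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.445.0.0.0.0.0 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.192.168.1.101.49152.192.168.1.5.443 = INTEGER: 5
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.612 = STRING: "svchost.exe"
.1.3.6.1.2.1.25.4.2.1.2.1340 = STRING: "snmp.exe"
"""


def parse_walk(text: str) -> list:
    """Return (oid, type, value) tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["oid"], m["type"], m["val"]))
    return entries


def listening_ports(entries) -> list:
    """Local TCP ports whose tcpConnState is listen(2)."""
    ports = set()
    for oid, typ, val in entries:
        if oid.startswith(TCP_CONN_STATE) and typ == "INTEGER" and int(val) == TCP_LISTEN:
            index = oid[len(TCP_CONN_STATE):].split(".")   # 4 address octets, then port
            ports.add(int(index[4]))
    return sorted(ports)


def running_processes(entries) -> list:
    return [val.strip('"') for oid, typ, val in entries if oid.startswith(HR_SW_RUN_NAME)]


def uptime_ticks(entries) -> int:
    for oid, typ, val in entries:
        if oid == SYS_UPTIME:
            return int(re.search(r"\((\d+)\)", val).group(1))
    raise KeyError("sysUpTime not present in walk")


def last_reboot_iso(ticks: int, observed_at_iso: str) -> str:
    """Boot time implied by sysUpTime. A host up longer than ~497 days has
    wrapped the counter and reports a misleadingly small value, so a low
    reading on a long-lived host deserves a second look."""
    if not 0 <= ticks < TICKS_WRAP:
        raise ValueError("sysUpTime is a 32-bit TimeTicks counter")
    observed = datetime.fromisoformat(observed_at_iso)
    return (observed - timedelta(seconds=ticks / TICKS_PER_SECOND)).isoformat()


def summarize(text: str, observed_at_iso: str) -> dict:
    entries = parse_walk(text)
    name = next((v.strip('"') for o, t, v in entries if o == SYS_NAME), None)
    return {"hostname": name,
            "listening_tcp": listening_ports(entries),
            "processes": running_processes(entries),
            "last_reboot": last_reboot_iso(uptime_ticks(entries), observed_at_iso)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WALK, "2014-01-15T12:00:00+00:00").items():
        print(f"{key:14} {value}")
```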

Keep coming back, my rookie hackers, for more adventures in hackerland!

19 Comments

What happens if the password is not "public"? How would one use a brute-force attack with a word list against it?

Eight:

I'll be doing a tutorial on how to break the SNMP password soon.

OTW

Is it possible to do reconnaissance on Windows 7/8?
+ it's undetectable, right?

Dragon:

This technique is OS independent. As long as you can get access to SNMP, you can gather all this info on EVERY device on the network. The key, of course, is getting access to SNMP.

OTW

MASTER OTW:
How can we recognize whether the network is using SNMP v1 or not... and the IP you gave, is it the target machine's IP or our IP???

Last question is... first we have to connect to the same network, i.e. the victim's network???

Master Occupy the Web:

I know this sounds a little off-topic but, in case I am to set up a pen-testing lab to develop my skills and I have set up an Ubuntu machine, how do I use/start a SNMP server?

~Funest~

Funest:

There is no such thing as an SNMP server. To install SNMP on Ubuntu, you can simply type:

apt-get install snmpd

OTW:
Sorry, I am kind of a newbie at this, thanks. Keep up the good work!

~Funest~

Master OTW,

Sorry to bother you once again, but I am currently using Kali linux, and there is no such script as Snmpenum. Is there an alternative of that script in Kali?

Sorry, I don't fully understand it.

Here are my questions:
1. What is SNMP?
2. How can I identify it? (Is port scanning with nmap enough?)
3. Is SNMP installed on all computers or only on servers?

i got this error:

" is expected in dotted decimal notation..1.4.1.77.1.2.3.1.1

Here is the screenshot:

Is that IP address on your network?

no. it's a websites ip address

That's the problem. You must be on the same network. SNMP is a network management protocol.

my mistake. thank you, master

What should I do if there is always a prompt: ! xx.xx.xx.xx SNMP request timeout? I have tried increasing the request retries and timeout, but there is still no working response.
