SNMP
Simple Network Management Protocol
A widely used network management tool for monitoring that exposes data in variable form in a hierarchical tree-like structure. These variables can be queried and potentially manipulated.
SNMP is a component of the Internet Protocol Suite defined by the IETF
It includes: an application layer protocol, a database schema and a set of data objects
managers: administrative computers that monitor/manage groups of hosts
agents: systems that execute and report information through SNMP to managers
Consists of 3 key components:
Managed devices
Agents
NMS: Network Management Station: Software that runs the manager
SNMP can handle configuration tasks and settings remotely, so it's enabled on a lot of hardware
This includes: routers, switches, servers, IoT devices, etc...
Commands are transmitted over UDP port 161; traps are sent to UDP port 162
Clients can set specific values in devices/change settings with commands
Normal operation: the client (manager) requests info from the server (agent)
Traps: packets are sent from the SNMP server (agent) to clients without an explicit request
SNMP Trap: Sent to a client once a specific event occurs server-side
Traps are useful for security monitoring (alerting on events as they happen)
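Since queries go to UDP 161 and traps to UDP 162, unexpected sources or destinations on those ports are a simple thing to alert on. The script below is an added example (not part of the original notes) that runs that check over a few constructed firewall log lines in a simplified "src dst proto dst_port" format; the NMS addresses and the log format are assumptions for the example.

```shell
#!/bin/bash
# Added example: flag SNMP traffic that does not fit the manager/agent model.
# Queries (dst port 161) should come from a management station (NMS);
# traps (dst port 162) should be delivered to one.

# Assumed NMS addresses (placeholder values for this example).
NMS_HOSTS="10.10.0.5 10.10.0.6"

# Constructed sample log lines: "<src_ip> <dst_ip> <proto> <dst_port>".
SAMPLE_LOG='10.10.0.5 10.129.14.128 udp 161
192.168.1.77 10.129.14.128 udp 161
10.129.14.128 10.10.0.5 udp 162
10.129.14.128 198.51.100.9 udp 162
10.10.0.6 10.129.14.128 tcp 22'

# Print one finding per suspicious line.
snmp_findings() {
    printf '%s\n' "$1" | awk -v nms="$NMS_HOSTS" '
        BEGIN { n = split(nms, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # query to an agent from a host that is not a known NMS
        $3 == "udp" && $4 == 161 && !($1 in ok) { print "query from non-NMS " $1 " -> " $2 }
        # trap leaving an agent towards a host that is not a known NMS
        $3 == "udp" && $4 == 162 && !($2 in ok) { print "trap to non-NMS " $2 " from " $1 }
    '
}

# Number of findings, handy for alert thresholds in a larger script.
snmp_finding_count() {
    snmp_findings "$1" | wc -l | tr -d ' '
}

snmp_findings "$SAMPLE_LOG"
```

On the sample log this reports the query from 192.168.1.77 and the trap sent to 198.51.100.9; the two lines involving the allowed NMS hosts and the SSH line are ignored.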
SNMPv1: The first version of the protocol, still used in many networks
Supports retrieval of info from devices, allows for configuration, and provides traps
No built-in authentication and no support for encryption
Anyone accessing the network can read/modify data: Data is in plain text
SNMPv2
# daemon config
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
# Access OID tree without authentication
rwuser noauth
# Access OID tree irrespective of where requests came from
rwcommunity <comm str> <ipv4> #ipv4
rwcommunity6 <comm str> <ipv6> #ipv6
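The config lines above are the ones worth looking for in a daemon config review. The script below is an added example (not part of the original notes) that reads an snmpd.conf the same way (comments and blank lines stripped) and reports the weak directives: users accepted without authentication, community strings with no source restriction, default community names, and write access via community string. The sample config is constructed for the example and puts the weak lines beside hardened ones.

```shell
#!/bin/bash
# Added example: audit snmpd.conf for the weak settings discussed in the notes.

# Constructed sample config: weak directives beside hardened ones.
SAMPLE_CONF='# sample snmpd.conf (constructed for this example)
rwuser noauth
rwcommunity public
rwcommunity6 public
rocommunity monitoring 10.10.0.5
rouser nmsadmin priv
'

# Print one line per risky directive, with every issue found on that line.
audit_snmpd_conf() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '
        { issues = "" }
        # rwuser/rouser with noauth: SNMPv3 user accepted without authentication
        ($1 == "rwuser" || $1 == "rouser") && ($2 == "noauth" || $3 == "noauth") { issues = issues " no-auth-user" }
        # ro/rw community with no source address: reachable from anywhere
        $1 ~ /^r[ow]community6?$/ && NF < 3 { issues = issues " no-source-restriction" }
        # default community names that every wordlist tries first
        $1 ~ /^r[ow]community6?$/ && ($2 == "public" || $2 == "private") { issues = issues " default-community" }
        # write access granted by a community string at all
        $1 ~ /^rwcommunity6?$/ { issues = issues " write-access-by-community" }
        issues != "" { print "[!] " $0 " ->" issues }
    '
}

# Number of risky lines, for use as an exit condition in larger checks.
audit_finding_count() {
    audit_snmpd_conf "$1" | wc -l | tr -d ' '
}

audit_snmpd_conf "$SAMPLE_CONF"
```

On the sample config this flags the rwuser line and both rwcommunity lines; the rocommunity line restricted to 10.10.0.5 with a non-default name and the SNMPv3 user requiring priv produce no finding. To run it against a real daemon, pass `"$(cat /etc/snmp/snmpd.conf)"` instead of the sample.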
snmpwalk -v2c -c public 10.129.14.128 # query oid's/info with community string -c
snmpwalk -v2c -c public 10.129.14.128 | grep 'objectName' # look for specific objects
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt IP # brute-force with wordlist
braa public@IP:.1.3.6.* # brute-force OID
# handy OIDs to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # win usrs
1.3.6.1.2.1.25.4.2.1.2 # running procs
1.3.6.1.2.1.2.2.1.2 # int name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table
#!/bin/bash
# p.moo snmpwalk script: a small script I wrote to iterate IP's through
# a host.txt file with snmpwalk
# print usage when no args given
if [ $# -eq 0 ]; then
    echo "Usage: $0 -h <hosts_file> [-o <output_file>]"
    exit 1
fi
while getopts "h:o:" opt; do
    case $opt in
        h) hosts_file="$OPTARG" ;;
        o) output_file="$OPTARG" ;;
        \?) echo "Invalid option: -$OPTARG"; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument."; exit 1 ;;
    esac
done
# check if host file provided
[ -z "$hosts_file" ] && { echo "Error: Hosts file not provided. Use -h <hosts_file>."; exit 1; }
# check if file exists
[ ! -f "$hosts_file" ] && { echo "Error: File '$hosts_file' not found."; exit 1; }
# set output file/use default
output_file="${output_file:-snmpwalk_results.txt}"
# run snmpwalk for one host/OID pair and print a titled block
run_snmpwalk() {
    local host=$1 oid=$2 title=$3
    echo -e "\n[-] $title\n-----------------------------\n$(snmpwalk -c public -v2c "$host" "$oid")"
}
# OIDs and corresponding values
declare -A oids=(
    ["1.3.6.1.4.1.77.1.2.25"]="Windows Users"
    ["1.3.6.1.2.1.25.4.2.1.2"]="Running Windows Processes"
    ["1.3.6.1.2.1.6.13.1.3"]="Open TCP Ports"
    ["1.3.6.1.2.1.25.6.3.1.2"]="Installed Software"
    ["1.3.6.1.2.1.25.2.3.1.4"]="Storage Units"
)
# iterate through each address in file and output results
# (blank lines and #-comment lines in the hosts file are skipped)
while read -r host; do
    [ -z "$host" ] && continue
    case "$host" in \#*) continue ;; esac
    echo -e "[+] Testing $host\n-----------------------------"
    for oid in "${!oids[@]}"; do
        run_snmpwalk "$host" "$oid" "${oids[$oid]}"
    done
done < "$hosts_file" > "$output_file"
echo "Results have been saved to $output_file"