pirate.moo's gitbook
  • 🏴‍☠️pirate.moo's gitbook
  • WEB
    • OWASP TOP 10
    • Notes
    • Lab Write-Ups
      • SQLi in WHERE clause
  • PENTESTING
    • CHECKLIST
    • REPORTING
    • SCRIPTS
  • EXPLOITATION
    • reverse shells
    • dns/subdomain
    • ssl
    • Handy cmds
    • VULNERABILITIES
      • Log4Shell
      • Dirty Pipe
      • Pwnkit
  • CTF
    • CTF Tools
  • CERTIFICATIONS
    • PNPT
    • CPTS
      • 1. Process
      • 2. Getting Started
      • 3. NMAP
      • 4. Footprinting
        • FTP
        • SNMP
        • SMB
        • NFS
        • MySQL/MSSQL
        • Oracle TNS
    • CPTS Machines
      • Nibbles
    • OSCP
    • ISC2-cc
      • 1. Security Principles
      • 2. Incident Response
      • 3. Access Control
      • 4. Network Security
      • 5. Security Operations
  • MOBILE
    • History
    • Forensics
  • MOOSINT
Powered by GitBook
On this page
  1. CERTIFICATIONS
  2. CPTS
  3. 4. Footprinting

SNMP

Simple Network Management Protocol

A widely used network management tool for monitoring that exposes data in variable form in a hierarchical tree-like structure. These variables can be queried and potentially manipulated.

  • SNMP is a component of IP Suite defined by IETF

    • it includes: An app layer protocol, a database schema and a set of data objects

    • managers: administrative computers that monitor/manage groups of hosts

    • agents: systems that execute and report information through SNMP to managers

Consists of 3 key components:

  1. Managed devices

  2. Agents

  3. NMS: Network Management Station: Software that runs the manager

SNMP can handle configuration tasks and settings remotely, so it's enabled on hardware a lot

  • This includes: routers, switches, servers, IoT devices, etc...

  • Cmds are transmitted over UDP port 161, but enables use of traps on 162

    • Clients can set specific values in devices/change settings with cmds

    • The client requests info from the server

    • Packets are sent from the SNMP server to clients without explicit requests

    SNMP Trap: Sent to a client once a specific event occurs server-side

    • Traps are for security monitoring purposes

Management Information Base

  • MIB's are an independent format for storing device info in a text file that can be queried

  • Files are written in ASN 1. Abstract Syntax Notation 1: Based on ASCII

  • No data contained, but explain where to find info/what it looks like

    • It returns the values for specific OID's

OID: Object Identifier: necessary unique address/names

  • Represents a node in the hierarchical namespace

  • Sequences of numbers uniquely ID each node, allowing its position to be determined

  • The longer the chain, the more specific the information in it

  • Example: OID: iso.3.6.1.6.3.11.3.1.1

    • Many nodes in the tree contain references to those below them

  • The first version of the protocol: Still used in many networks

  • Supports retrieval of info from devices, allows for configuration, and provides traps

  • No built-in authentication: Doesn't support encryption

    • Anyone accessing the network can read/modify data: Data is in plain textSNMPv2

  • Exists as v2c (c stands for community-based)

  • Extended additional functions from party-based SNMP that's no longer in use

  • Community strings provide security in plain text

  • Same issues as version 1: No built-in encryption

  • Security changes! More options!

  • Authentication was added with usernames/passwords for transmission

  • Encryption with pre-shared keys were also added

  • Can be seen as passwords used to determine if requested info should be viewed or not

  • The transition to snmpv3 is complicated, so a lot of orgs still use v2c

  • The lack of encryption in previous versions is a serious issue

  • Every time community strings are sent, they can be intercepted

# daemon config
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
# Access OID tree without authentication
rwuser noauth 
# Access OID tree irrespective of where requests came from
rwcommunity <comm str> <ipv4> #ipv4
rwcommunity6 <comm str> <ipv6> #ipv6

  • snmpwalk: queries OID's and info

  • onesixtyone: brute-forces names of community strings

  • braa: brute-forces individual OIDs/enumerates information behind them

snmpwalk -v2c -c public 10.129.14.128 # query oid's/info with community string -c
snmpwalk -v2c -c public 10.129.14.128 | grep 'objectName' # look for specific objects
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt IP # brute-force with wordlist 
braa public@IP:.1.3.6.* # brute-force OID 

#handy OID's to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # win usrs
1.3.6.1.2.1.25.4.2.1.2 # running procs
1.3.6.1.2.1.2.2.1.2 # int name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table
# p.moo snmpwalk script: a small script I wrote to iterate IP's through 
# a host.txt file with snmpwalk 

#!/bin/bash

# check hosts file given as first arg
if [ $# -eq 0 ]; then
    echo "Usage: $0 -h <hosts_file> [-o <output_file>]"
    exit 1
fi

while getopts "h:o:" opt; do
    case $opt in
        h) hosts_file="$OPTARG" ;;
        o) output_file="$OPTARG" ;;
        \?) echo "Invalid option: -$OPTARG"; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument."; exit 1 ;;
    esac
done

# check if host file provided
[ -z "$hosts_file" ] && { echo "Error: Hosts file not provided. Use -h <hosts_file>."; exit 1; }

# check if file exists
[ ! -f "$hosts_file" ] && { echo "Error: File '$hosts_file' not found."; exit 1; }

# set output file/use default 
output_file="${output_file:-snmpwalk_results.txt}"

# run snmpwalk
run_snmpwalk() {
    host=$1; oid=$2; title=$3
    echo -e "\n[-] $title\n-----------------------------\n$(snmpwalk -c public -v2c "$host" "$oid")"
}

# OIDs and corresponding values
declare -A oids=(
    ["1.3.6.1.4.1.77.1.2.25"]="Windows Users"
    ["1.3.6.1.2.1.25.4.2.1.2"]="Running Windows Processes"
    ["1.3.6.1.2.1.6.13.1.3"]="Open TCP Ports"
    ["1.3.6.1.2.1.25.6.3.1.2"]="Installed Software"
    ["1.3.6.1.2.1.25.2.3.1.4"]="Storage Units"
)

# iterate through each address in file and output results
cat "$hosts_file" | while read -r host; do
    echo -e "[+] Testing $host\n-----------------------------"
    for oid in "${!oids[@]}"; do
        run_snmpwalk "$host" "$oid" "${oids[$oid]}"
    done
done > "$output_file"

echo "Results have been saved to $output_file"
PreviousFTPNextSMB

Last updated 1 year ago

OIDs consist of integers: Usually concatenated by dot notation. We can look up many MIBs for the associated OIDs in the

OID Registry