SNMP

Simple Network Management Protocol

A widely used network management tool for monitoring that exposes data in variable form in a hierarchical tree-like structure. These variables can be queried and potentially manipulated.

SNMP is a component of IP Suite defined by IETF
- it includes: An app layer protocol, a database schema and a set of data objects
- managers: administrative computers that monitor/manage groups of hosts
- agents: systems that execute and report information through SNMP to managers

Consists of 3 key components:

Managed devices
Agents
NMS: Network Management Station: Software that runs the manager

SNMP can handle configuration tasks and settings remotely, so it's enabled on hardware a lot

This includes: routers, switches, servers, IoT devices, etc...
Cmds are transmitted over UDP port 161, but enables use of traps on 162
- Clients can set specific values in devices/change settings with cmds
- The client requests info from the server
- Packets are sent from the SNMP server to clients without explicit requests
SNMP Trap: Sent to a client once a specific event occurs server-side
- Traps are for security monitoring purposes

OID: Object Identifier: necessary unique address/names

Represents a node in the hierarchical namespace
Sequences of numbers uniquely ID each node, allowing its position to be determined
The longer the chain, the more specific the information in it
Example: OID: iso.3.6.1.6.3.11.3.1.1
- Many nodes in the tree contain references to those below them

OIDs consist of integers: Usually concatenated by dot notation. We can look up many MIBs for the associated OIDs in the OID Registry

The first version of the protocol: Still used in many networks
Supports retrieval of info from devices, allows for configuration, and provides traps
No built-in authentication: Doesn't support encryption
- Anyone accessing the network can read/modify data: Data is in plain textSNMPv2

# daemon config
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

# Access OID tree without authentication
rwuser noauth 
# Access OID tree irrespective of where requests came from
rwcommunity <comm str> <ipv4> #ipv4
rwcommunity6 <comm str> <ipv6> #ipv6

snmpwalk -v2c -c public 10.129.14.128 # query oid's/info with community string -c
snmpwalk -v2c -c public 10.129.14.128 | grep 'objectName' # look for specific objects
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt IP # brute-force with wordlist 
braa public@IP:.1.3.6.* # brute-force OID 

#handy OID's to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # win usrs
1.3.6.1.2.1.25.4.2.1.2 # running procs
1.3.6.1.2.1.2.2.1.2 # int name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table

# p.moo snmpwalk script: a small script I wrote to iterate IP's through 
# a host.txt file with snmpwalk 

#!/bin/bash

# check hosts file given as first arg
if [ $# -eq 0 ]; then
    echo "Usage: $0 -h <hosts_file> [-o <output_file>]"
    exit 1
fi

while getopts "h:o:" opt; do
    case $opt in
        h) hosts_file="$OPTARG" ;;
        o) output_file="$OPTARG" ;;
        \?) echo "Invalid option: -$OPTARG"; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument."; exit 1 ;;
    esac
done

# check if host file provided
[ -z "$hosts_file" ] && { echo "Error: Hosts file not provided. Use -h <hosts_file>."; exit 1; }

# check if file exists
[ ! -f "$hosts_file" ] && { echo "Error: File '$hosts_file' not found."; exit 1; }

# set output file/use default 
output_file="${output_file:-snmpwalk_results.txt}"

# run snmpwalk
run_snmpwalk() {
    host=$1; oid=$2; title=$3
    echo -e "\n[-] $title\n-----------------------------\n$(snmpwalk -c public -v2c "$host" "$oid")"
}

# OIDs and corresponding values
declare -A oids=(
    ["1.3.6.1.4.1.77.1.2.25"]="Windows Users"
    ["1.3.6.1.2.1.25.4.2.1.2"]="Running Windows Processes"
    ["1.3.6.1.2.1.6.13.1.3"]="Open TCP Ports"
    ["1.3.6.1.2.1.25.6.3.1.2"]="Installed Software"
    ["1.3.6.1.2.1.25.2.3.1.4"]="Storage Units"
)

# iterate through each address in file and output results
cat "$hosts_file" | while read -r host; do
    echo -e "[+] Testing $host\n-----------------------------"
    for oid in "${!oids[@]}"; do
        run_snmpwalk "$host" "$oid" "${oids[$oid]}"
    done
done > "$output_file"

echo "Results have been saved to $output_file"

PreviousFTP NextSMB

Last updated 8 months ago