Theory
SNMPv1 has no built-in authentication mechanism, meaning anyone with access to the network can read and modify network data. Another main flaw of SNMPv1 is that it does not support encryption, meaning that all data is sent in plain text and can be easily intercepted.
The main flaw of the SNMPv2 protocol is that the community string that provides security is only transmitted in plain text, meaning it has no built-in encryption.
Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not.
Nmap
sudo nmap -sU 10.129.19.122 -p 161 --script=snmp-brute -Pn --script-args snmp-brute.communitiesdb=/home/kali/Downloads/htb/academy/resources/snmpcommunities.txt
Snmpwalk
0xss0rz@htb[/htb]$ snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0
iso.3.6.1.2.1.1.5.0 = STRING: "gs-svcscan"
snmpwalk -v 2c -c private 10.129.42.253
Timeout: No Response from 10.129.42.253
snmpwalk -v2c -c public 10.129.14.128
Tool
Wordlists
/usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt
/opt/tools/metasploit-framework/data/wordlists/snmp_default_pass.txt
Bruteforce
0xss0rz@htb[/htb]$ onesixtyone -c dict.txt 10.129.42.254
Scanning 1 hosts, 51 communities
10.129.42.254 [public] Linux gs-svcscan 5.4.0-66-generic #74-Ubuntu SMP Wed Jan 27 22:54:38 UTC 2021 x86_64
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.14.128
Bruteforce OIDs
Braa
Once we know a community string, we can use it with braa to brute-force the individual OIDs and enumerate the information behind them.
0xss0rz@htb[/htb]$ sudo apt install braa
0xss0rz@htb[/htb]$ braa <community string>@<IP>:.1.3.6.* # Syntax
0xss0rz@htb[/htb]$ braa public@10.129.14.128:.1.3.6.*
10.129.14.128:20ms:.1.3.6.1.2.1.1.1.0:Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64
10.129.14.128:20ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10
10.129.14.128:20ms:.1.3.6.1.2.1.1.3.0:548
10.129.14.128:20ms:.1.3.6.1.2.1.1.4.0:mrb3n@inlanefreight.htb
10.129.14.128:20ms:.1.3.6.1.2.1.1.5.0:htb
10.129.14.128:20ms:.1.3.6.1.2.1.1.6.0:US
10.129.14.128:20ms:.1.3.6.1.2.1.1.7.0:78
...SNIP...
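As an added example (not part of the original notes or of braa itself), a small Python parser for the `host:latency:oid:value` lines braa prints, mapping the RFC 1213 system-group OIDs to their names so you can review exactly what a given community string exposes; the sample output is constructed from the lines above.

```python
import re
from typing import Dict, List, Optional

# RFC 1213 "system" group (.1.3.6.1.2.1.1), the OIDs braa enumerated above.
SYSTEM_GROUP = {
    ".1.3.6.1.2.1.1.1.0": "sysDescr",
    ".1.3.6.1.2.1.1.2.0": "sysObjectID",
    ".1.3.6.1.2.1.1.3.0": "sysUpTime",
    ".1.3.6.1.2.1.1.4.0": "sysContact",
    ".1.3.6.1.2.1.1.5.0": "sysName",
    ".1.3.6.1.2.1.1.6.0": "sysLocation",
    ".1.3.6.1.2.1.1.7.0": "sysServices",
}

# braa prints one line per answered OID: host:latency:oid:value
# The value may itself contain ':' (timestamps in sysDescr) or start with '.'
# (an OID-valued sysObjectID), so host, latency and oid are matched strictly
# and everything after the third ':' is the value.
_LINE = re.compile(r"^(?P<host>[^:]+):(?P<latency>\d+)ms:(?P<oid>\.[\d.]+):(?P<value>.*)$")

# Constructed sample, taken from the braa output shown above.
SAMPLE_OUTPUT = """\
10.129.14.128:20ms:.1.3.6.1.2.1.1.1.0:Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64
10.129.14.128:20ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10
10.129.14.128:20ms:.1.3.6.1.2.1.1.3.0:548
10.129.14.128:20ms:.1.3.6.1.2.1.1.4.0:mrb3n@inlanefreight.htb
10.129.14.128:20ms:.1.3.6.1.2.1.1.5.0:htb
10.129.14.128:20ms:.1.3.6.1.2.1.1.6.0:US
10.129.14.128:20ms:.1.3.6.1.2.1.1.7.0:78
...SNIP...
"""


def parse_braa_line(line: str) -> Optional[dict]:
    """Parse one braa result line; return None for anything that is not a result."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["latency_ms"] = int(rec.pop("latency"))
    rec["name"] = SYSTEM_GROUP.get(rec["oid"], rec["oid"])  # fall back to raw OID
    return rec


def parse_braa_output(text: str) -> List[dict]:
    """Parse a whole braa run, silently skipping non-result lines such as '...SNIP...'."""
    return [r for r in (parse_braa_line(l) for l in text.splitlines()) if r]


def exposed_system_info(records: List[dict]) -> Dict[str, str]:
    """Collapse records into {name: value} for the system group: what the community string reveals."""
    return {r["name"]: r["value"] for r in records if r["oid"] in SYSTEM_GROUP}
```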
Default pass
cat /opt/tools/metasploit-framework/data/wordlists/snmp_default_pass.txt