SNMP (10161, UDP 161)

Theory

SNMPv1 has no built-in authentication mechanism, meaning anyone accessing the network can read and modify network data. Another main flaw of SNMPv1 is that it does not support encryption, meaning that all data is sent in plain text and can be easily intercepted.

The main flaw of SNMPv2 (SNMPv2c) is that the community string that provides access control is transmitted only in plain text, meaning the protocol has no built-in encryption.

Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not.
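To make the point above concrete, the following added example (not part of the original page) encodes the SNMPv2c GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0, the OID queried with snmpwalk on this page) and then decodes the community string straight back out of the raw datagram, which is exactly what any passive listener on UDP/161 can do. All helper names are the example's own.

```python
# Added example (not the page's code): minimal SNMPv2c GetRequest encoder plus a passive
# decoder that reads the community string back off the wire. Helper names are my own.

def _ber_len(n: int) -> bytes:
    # BER length: short form below 128, else long form with a byte-count prefix
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    # two's-complement INTEGER, at least one byte (SNMP header fields are non-negative)
    return ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:                      # base-128, continuation bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber(0x06, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = ber(0x30, encode_oid(oid) + ber(0x05, b""))            # { OID, NULL }
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    # Message ::= SEQUENCE { version INTEGER (0 = v1, 1 = v2c), community OCTET STRING, pdu }
    return ber(0x30, ber_int(1) + ber(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    # returns (tag, value, position after this TLV); ValueError on a truncated datagram
    if pos + 2 > len(buf): raise ValueError("truncated TLV")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def extract_community(packet: bytes) -> tuple:
    # What a sniffer or IDS sees: (version, community); no key material needed.
    tag, msg, _ = _read_tlv(packet, 0)
    vtag, ver, pos = _read_tlv(msg, 0)
    ctag, comm, _ = _read_tlv(msg, pos)
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")
    return int.from_bytes(ver, "big"), comm.decode(errors="replace")
```

Running `extract_community(build_get_request("public", "1.3.6.1.2.1.1.5.0"))` returns `(1, 'public')`; the same decoder can be pointed at captured UDP/161 payloads to audit a network for default or reused community strings.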

Nmap

sudo nmap -sU 10.129.19.122 -p 161 --script=snmp-brute -Pn --script-args snmp-brute.communitiesdb=/home/kali/Downloads/htb/academy/resources/snmpcommunities.txt

Community strings

0xss0rz@htb[/htb]$ snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0

iso.3.6.1.2.1.1.5.0 = STRING: "gs-svcscan"
snmpwalk -v 2c -c private 10.129.42.253

Timeout: No Response from 10.129.42.253
snmpwalk -v2c -c public 10.129.14.128

Bruteforce Community strings

Tool

Wordlists

/usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt

/opt/tools/metasploit-framework/data/wordlists/snmp_default_pass.txt

Bruteforce

0xss0rz@htb[/htb]$ onesixtyone -c dict.txt 10.129.42.254

Scanning 1 hosts, 51 communities
10.129.42.254 [public] Linux gs-svcscan 5.4.0-66-generic #74-Ubuntu SMP Wed Jan 27 22:54:38 UTC 2021 x86_64
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.14.128

Bruteforce OIDs

Braa

Once we know a community string, we can use it with braa to brute-force the individual OIDs and enumerate the information behind them.

0xss0rz@htb[/htb]$ sudo apt install braa
0xss0rz@htb[/htb]$ braa <community string>@<IP>:.1.3.6.*   # Syntax
0xss0rz@htb[/htb]$ braa public@10.129.14.128:.1.3.6.*

10.129.14.128:20ms:.1.3.6.1.2.1.1.1.0:Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64
10.129.14.128:20ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10
10.129.14.128:20ms:.1.3.6.1.2.1.1.3.0:548
10.129.14.128:20ms:.1.3.6.1.2.1.1.4.0:mrb3n@inlanefreight.htb
10.129.14.128:20ms:.1.3.6.1.2.1.1.5.0:htb
10.129.14.128:20ms:.1.3.6.1.2.1.1.6.0:US
10.129.14.128:20ms:.1.3.6.1.2.1.1.7.0:78
...SNIP...

Default pass

cat /opt/tools/metasploit-framework/data/wordlists/snmp_default_pass.txt
