Today we are going to talk about everything related to SNMP (Simple Network Management Protocol) security. This is a network management service that runs on port 161 (UDP). The default version of SNMP is v2c. It has some complexity, so before moving on to vulnerabilities, let’s make a brief summary of how this protocol works.
It is composed of three parts:
– Network Management Stations (NMS): run applications that monitor and control managed devices.
– Managed Devices: Device that contains an SNMP agent. It collects management information and makes it available to administrators. They are routers, printers, switches, hosts….
– Agent: Network management software module that resides on a managed device. It has local device information that is translated into a format compatible with SNMP and organized in hierarchies. This information can be free memory, received ip packets or routes.
Through this protocol it is possible to remotely manage and modify variables of managed devices.
The hierarchies, type and description of the variables are described in MIB (Management Information Base). MIBs are databases containing tree-structured hierarchical information on all managed devices in a network.
The identifiers of the objects located at the top of the tree belong to standard organizations, and the identifiers at the bottom are placed by the partner organizations.
Nmap
As I mentioned before, this protocol runs on port 161 UDP, so as it is not on TCP, in a normal port scan we will not detect it. We must therefore do a UDP scan to discover it:
Community String
SNMP uses what is known as a “Community string”. This is a word that serves as a key to access the device. The default community string is “public”.
If the community string is not public, then we can try to brute force it with a tool called onesixtyone:
Snmpwalk
SNMP object identifiers are all numbers, so we need a MIBS to be able to read it.
Now you have to edit the file /etc/snmp/snmp.conf and comment out the first line, where it says “mibs :”
If we run smpwalk again, the numbers are now translated:
One of the things that SNMP shows us is the running processes, so if we have saved the output in a file, we can do searches.
For example, in this case the SimpleHTTP process is running:
So we can look at the output of snmpwalk for more information about this process:
Indeed, it not only exists but is running with a parameter indicating the user and password (loki:godofmischiefisloki).
This allows us to access via HTTP:
In this other example snmpwalk only shows us a serial number, which is used as a password on the web:
Another hash here:
Even using an online tool it is easy to crack the hash and get the password in the clear:
Snmp-check
Another tool to obtain more detailed information:
We can obtain information such as:
– Subnets that may tell us that there is another machine we can pivot to (not the case).
– Open ports in TCP and UDP:
– All network services running on the machine
Processes running:
IPv6 in SNMP
Having installed SNMP MIBS, we can see the IPv6 address of the server:
But you have to split by 4 to make it an IPv6 address:
If we look at the output, we can actually save the 0’s and express this IPv6 address as dead:beef::250:56ff:fe8f:f4a3.
Now we can do an nmap using IPv6, and we may get info that we didn’t get before, because the firewall is only acting on IPv4.
For example, port 80 is open running Apache, which in IPv4 it was not.
(To connect with the browser to an IPv6 address, we have to enter http://[IPv6address]).
There is another way to get the IPv6 using SNMP: with a tool called Enyx (https://github.com/trickster0/Enyx).
To use it, you have to disable MIBS again by editing the /etc/snmp/snmp.conf file and uncommenting the “snmp :” that you commented in the first line.
This is all about SNMP. As you can see, being a network management protocol, we can obtain a lot of sensitive information by taking advantage of the protocol’s vulnerabilities.
If you liked the article, I recommend you to visit the rest of the infrastructure hacking articles.
Lethani.