
SNMP - 161

  • SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMPv3 - Current) | UDP Port 161
  • created to monitor network devices, handle config tasks and make changes remotely
  • SNMP-enabled hardware includes routers, switches, servers, IoT devices, and many other devices that can also be queried and controlled using this standard protocol.
  • the client can change the server device's information
  • enables use of traps over UDP port 162
  • The SNMP objects must have unique addresses known on both sides

MIB:

  • The Management Information Base (MIB) allows SNMP to work across different manufacturers and is vendor-independent
  • A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy with at least one Object Identifier (OID).
  • MIB files are written in Abstract Syntax Notation One (ASN.1)

SNMP v1:

  • no auth/encryption

SNMPv2:

  • v2c - the community string, which is used for security, is sent in plaintext

SNMPv3:

  • auth with username and pass + encryption

Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not


Default Config:

  • cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
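
Added example (not part of the original notes): a small audit that applies the same comment/blank-line filtering as the command above and flags access directives that weaken an agent. The directive names (rocommunity, rwcommunity, rouser, rwuser) are net-snmp's; the severity labels, the default-community list and the sample config are assumptions constructed for illustration.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}   # assumed list of well-known defaults
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

def active_lines(text):
    """Mirror `grep -v "#" | sed -r '/^\\s*$/d'`: drop lines containing '#' and blank lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and "#" not in ln]

def audit(text):
    """Return (severity, config line, reason) tuples for risky access directives."""
    findings = []
    for ln in active_lines(text):
        directive, *args = ln.split()
        directive = directive.lower()
        if re.fullmatch(r"r[ow]community6?", directive) and args:
            # A missing SOURCE field means the community is accepted from anywhere.
            source = args[1] if len(args) > 1 else "default"
            if directive.startswith("rw"):
                findings.append(("HIGH", ln, "write access guarded only by a plaintext community string"))
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", ln, "default community name"))
            if source in ANY_SOURCE:
                findings.append(("MEDIUM", ln, "community accepted from any source address"))
        elif directive in ("rouser", "rwuser"):
            if args[:1] == ["-s"]:            # optional "-s SECMODEL" prefix
                args = args[2:]
            level = args[1].lower() if len(args) > 1 else "auth"   # net-snmp default is auth
            if level == "noauth":
                findings.append(("HIGH", ln, "SNMPv3 user allowed without authentication"))
            elif level == "auth":
                findings.append(("LOW", ln, "SNMPv3 user authenticated but not encrypted"))
    return findings

SAMPLE = """\
# constructed sample, not taken from a real host
sysLocation Server Room
rocommunity public default -V systemonly

rwcommunity s3cr3t-mgmt 10.0.0.5
rouser monitor priv
rwuser backup noauth
"""

if __name__ == "__main__":
    for sev, line, why in audit(SAMPLE):
        print(f"[{sev}] {line}  ->  {why}")
```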

Dangerous Settings:


Commands:

  • tools like snmpwalk, onesixtyone, and braa
  • Snmpwalk is used to query the OIDs with their information.
  • Onesixtyone can be used to brute-force the names of the community strings since they can be named arbitrarily by the administrator.

Process:

  • onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128
  • brute force the community string using seclists dict
  • snmpwalk -v2c -c public 10.129.14.128
  • -c public is the identified community string from the above command
  • Use Crunch to generate a custom wordlist
  • Once we get the community string using onesixtyone, we use braa to find individual OIDs and enumerate
  • braa <community string>@<IP>:.1.3.6.*