We have covered many information gathering techniques in earlier posts, such as DNS enumeration, Netcraft, Recon-ng and email harvesting. Let's continue with SNMP enumeration.
First, a short introduction to the SNMP protocol.
What is SNMP?
SNMP stands for Simple Network Management Protocol. As the name suggests, it is the protocol network administrators use to monitor, query and configure devices on a network; the software built around it is called a Network Management System. Typical devices that support SNMP are routers, cable modems and similar network equipment, but servers and workstations can run an SNMP agent as well (the Windows examples later in this post rely on that).
Three versions of SNMP have been developed: SNMPv1, SNMPv2c and SNMPv3. Only SNMPv3 provides real authentication and encryption; v1 and v2c rely on a community string that travels in cleartext.
SNMP Working
An SNMP agent exposes management data as a tree of variables organized in a MIB (Management Information Base). Each variable is identified by an OID (object identifier, written in dotted form such as 1.3.6.1.2.1.1.1.0) and describes one piece of system status or configuration: hostname, uptime, interfaces, running processes and so on.
A manager reads a single variable with a GET request, walks through a whole subtree with repeated GETNEXT requests, and, if it holds a write community, changes variables with SET. Every status or configuration item that SNMP manages is therefore reachable through its MIB variable and value.
An SNMP Network Management System usually consists of three key components.
- Managed Device
- Agent
- NMS (Network Management Station) software, which runs on the manager's machine
Managed Device: A managed device is a host or node on the network that implements an SNMP agent and exposes its system information through it, either read-only (unidirectional: the manager can only query) or, in some cases, read-write (bidirectional: the manager can also change settings). In other words, it is the device that managers administer through the SNMP interface.
Agent: The agent is the management software running on a managed device; it answers queries and applies changes on the device's behalf.
NMS: The Network Management Station is the software managers use to monitor and control managed devices over SNMP.
SNMP Community
SNMPv1 and SNMPv2c authenticate each request with nothing more than a community string, which acts as a shared password and is sent in cleartext in every datagram. The defaults shipped on many devices are public (read-only) and private (read-write). Where those defaults were never changed, or the agent still speaks v1/v2c, anyone who can reach UDP port 161 can read the device's configuration, and with the write community can alter it; the community string can also be recovered by sniffing the traffic.
Here are some MIB variables that are useful on a Windows target, with the system information each one returns. The first four live in the standard Host Resources and TCP MIBs; the user-account table comes from Microsoft's LanManager MIB and only exists on Windows agents.
MIB variable (OID)          System status / configuration
1.3.6.1.2.1.25.1.6.0        System Processes (hrSystemProcesses, a count)
1.3.6.1.2.1.25.4.2.1.2      Running Programs (hrSWRunName)
1.3.6.1.4.1.77.1.2.25       User Accounts (LanManager svUserTable)
1.3.6.1.2.1.25.2.3.1.4      Storage Units (hrStorageAllocationUnits)
1.3.6.1.2.1.6.13.1.3        TCP Ports (tcpConnLocalPort)
Nmap Port Scanning
The SNMP agent listens on UDP port 161 (traps are sent to UDP port 162 on the manager). We use Nmap to check whether port 161 is open and which SNMP version it speaks. Run the following command; UDP scanning needs root privileges.
nmap -v -sU -sV -p 161 192.168.12.50
In the command above, -sU selects a UDP scan and -sV enables version detection; -p 161 restricts the scan to that single port.
In the scan output port 161/udp is reported open and the service is identified as SNMPv1. If Nmap reports the port as open|filtered instead, the agent did not answer the probe: it may be filtered, or it may only respond to a community string other than the defaults.
Now let’s move to our enumeration process.
SNMP Walk
snmpwalk is a handy command-line tool for SNMP enumeration: it issues repeated GETNEXT requests and prints every variable in the requested subtree. It is free, part of the Net-SNMP suite and preinstalled in Kali Linux.
Boot Kali Linux, open a terminal and run snmpwalk against the target:
snmpwalk -c public -v1 192.168.12.50
-c specifies the community string; public is the common read-only default on many devices.
-v1 selects SNMP version 1 (use -v2c or -v3 for the other versions). With no OID given, the walk starts at the mib-2 subtree and dumps everything the agent is willing to show, which can take a while.
Now use the MIB values from the table to enumerate a specific piece of system status or configuration.
I am going to gather the user accounts on my target system:
snmpwalk -c public -v1 192.168.12.50 1.3.6.1.4.1.77.1.2.25
At the end of the command I appended the MIB value from the table above, so only the user-account subtree is walked. The output lists one line per account, with the username as a STRING value.
To go a step further, use the following command syntax:
snmpwalk -c <community> -v <version> <target_ip> <mib_value>
Replace <version> with your target's SNMP version (1, 2c or 3), <target_ip> with the targeted system's IP address and <mib_value> with the OID corresponding to the system status or configuration you want.
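To make the walk output usable, here is an added example (not from the original post) that parses snmpwalk's text output and groups the values under the labels from the table above. It also decodes the LanManager user-table index, which repeats the username as a length byte followed by character codes, and pulls the local port out of the tcpConnLocalPort index. The walk text is a constructed sample written for this example, not a capture from the target above; its hostname, process and port values are made up.

```python
"""
Turn snmpwalk output into a labelled inventory using the OIDs from the post's table.
Added example; SAMPLE_WALK is constructed, not captured from a real host.
"""
import re
from collections import defaultdict

# Numeric OIDs from the table; snmpwalk prints the leading "1" as "iso"
OID_LABELS = {
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.6.13.1.3": "TCP Ports",
}

# Constructed sample of what `snmpwalk -c public -v1 <target>` prints for these subtrees
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 57
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.1180 = STRING: "lsass.exe"
iso.3.6.1.4.1.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.192.168.12.50.139.0.0.0.0.0 = INTEGER: 139
iso.3.6.1.2.1.1.5.0 = STRING: "WIN-TARGET"
"""

# "iso.x.y = TYPE: value"; the numeric form ".1.x.y" (snmpwalk -On) is accepted too
LINE_RE = re.compile(r"^(?:iso|\.?1)(\.[0-9.]+)\s*=\s*(?:([A-Za-z0-9]+):\s*)?(.*)$")


def parse_line(line: str):
    """Return (numeric_oid, type, value) or None for lines that are not varbinds."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid = "1" + m.group(1)
    vtype = m.group(2) or ""
    value = m.group(3).strip()
    if vtype == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                      # drop snmpwalk's quoting
    return oid, vtype, value


def label_for(oid: str):
    """Map an OID to the table label whose subtree contains it, or None."""
    for base, label in OID_LABELS.items():
        if oid == base or oid.startswith(base + "."):
            return label
    return None


def parse_walk(text: str) -> dict:
    """Group walk values by table label; OIDs outside the table are ignored."""
    results = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        oid, _, value = parsed
        label = label_for(oid)
        if label:
            results[label].append(value)
    return dict(results)


def decode_index_string(oid: str, base: str) -> str:
    """LanManager MIB indexes the user table by the name itself: <len>.<byte>.<byte>..."""
    arcs = [int(a) for a in oid[len(base) + 1:].split(".")]
    n = arcs[0]
    return bytes(arcs[1:1 + n]).decode("ascii", errors="replace")


def local_tcp_ports(results: dict) -> list:
    """Sorted, de-duplicated local ports from the tcpConnLocalPort column."""
    return sorted({int(v) for v in results.get("TCP Ports", [])})


if __name__ == "__main__":
    inventory = parse_walk(SAMPLE_WALK)
    for label, values in inventory.items():
        print(f"{label}: {values}")
    print("local TCP ports:", local_tcp_ports(inventory))
```

Pipe a real walk in with `snmpwalk -c public -v1 192.168.12.50 | python3 parse_walk.py` after replacing SAMPLE_WALK with sys.stdin.read(); the unlabelled sysName line in the sample shows that anything outside the table is dropped rather than mis-filed.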
If you have any suggestions on this topic, leave a comment and share this post with your friends.