161,162,10161,10162/udp - Pentesting SNMP
Resources: auvik quickly explained; Simple Network Management Protocol [SNMP]
All the settings that can be made for the SNMP daemon (snmpd) are defined and described in the snmpd.conf manpage.
Default conf
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
# Dangerous settings
rwuser noauth # Provides access to the full OID tree without authentication.
rwcommunity <community string> <IPv4 address> # Provides access to the full OID tree regardless of where the requests were sent from.
rwcommunity6 <community string> <IPv6 address> # Same access as with rwcommunity, with the difference of using IPv6.
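A defender-side check for the three dangerous directives listed above, added here as an example and not part of the original page: it strips comments and blank lines the way the grep/sed pipeline does, then flags rwuser noauth, every rwcommunity/rwcommunity6 line, and guessable default community strings (public/private). The snmpd.conf content is constructed for the example.

```python
"""Audit snmpd.conf text for the dangerous access settings shown above."""

# Constructed sample snmpd.conf (not taken from a real host).
SAMPLE_CONF = """\
# comment line
sysLocation    Sitting on the dock of the bay
rocommunity  public  default    -V systemonly
rwuser noauth
rwcommunity  private  10.0.0.0/8
rwcommunity6 private  ::/0
rouser  authOnlyUser
"""

# Community strings an attacker tries first; treated as guessable.
DEFAULT_COMMUNITIES = {"public", "private"}
# Source values that impose no restriction on where requests come from.
UNRESTRICTED_SOURCES = {"default", "0.0.0.0/0", "::/0"}


def strip_config(text):
    """Keep only active directives, like `grep -v "#" | sed -r '/^\\s*$/d'`."""
    active = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line:
            active.append(line)
    return active


def audit_snmpd_conf(text):
    """Return (severity, directive line, reason) for each risky directive."""
    findings = []
    for line in strip_config(text):
        fields = line.split()
        directive, args = fields[0].lower(), fields[1:]
        community = args[0] if args else ""
        if directive == "rwuser" and any(a.lower() == "noauth" for a in args):
            findings.append(("high", line, "read-write access to the full OID tree without authentication"))
        elif directive in ("rwcommunity", "rwcommunity6"):
            source = args[1] if len(args) > 1 else "default"  # no SOURCE means any host
            reason = "read-write community string"
            if source in UNRESTRICTED_SOURCES:
                reason += "; no source restriction"
            if community.lower() in DEFAULT_COMMUNITIES:
                reason += f"; guessable community '{community}'"
            findings.append(("high", line, reason))
        elif directive in ("rocommunity", "rocommunity6") and community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("medium", line, f"read-only access with guessable community '{community}'"))
    return findings
```

Run it over `/etc/snmp/snmpd.conf` read from disk to get the same view the grep/sed one-liner gives, with each risky directive explained.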
Footprinting
For footprinting SNMP, we can use tools like snmpwalk, onesixtyone, and braa. Snmpwalk is used to query the OIDs with their information. Onesixtyone can be used to brute-force the names of the community strings, since they can be named arbitrarily by the administrator.
SNMPwalk
snmpwalk -v2c -c public 10.129.14.128 . # dot to crawl all
We can use onesixtyone and SecLists wordlists to identify community strings.
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt <IP>
Once we know a community string, we can use it with braa to brute-force the individual OIDs and enumerate the information behind them.
braa <community string>@<IP>:.1.3.6.* # Syntax