SNMP

Simple Network Management Protocol

A widely used network management protocol for monitoring that exposes data as variables organized in a hierarchical, tree-like structure. These variables can be queried and potentially manipulated.

  • SNMP is a component of the Internet Protocol Suite as defined by the IETF

    • It includes an application-layer protocol, a database schema and a set of data objects

    • managers: administrative computers that monitor/manage groups of hosts

    • agents: systems that execute and report information through SNMP to managers

Consists of 3 key components:

  1. Managed devices

  2. Agents

  3. NMS: Network Management Station: Software that runs the manager

SNMP can handle configuration tasks and settings remotely, so it is enabled on a lot of hardware

  • This includes: routers, switches, servers, IoT devices, etc...

  • Commands are transmitted over UDP port 161; traps are sent on port 162

    • Clients can set specific values in devices or change settings with commands

    • The client requests info from the server

    • Packets are sent from the SNMP server to clients without explicit requests

    SNMP Trap: Sent to a client once a specific event occurs server-side

    • Traps are for security monitoring purposes

  • SNMPv1 is the first version of the protocol: still used in many networks

  • Supports retrieval of info from devices, allows for configuration, and provides traps

  • No built-in authentication: Doesn't support encryption

    • Anyone accessing the network can read/modify data: Data is in plain text

SNMPv2

# daemon config
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

# Access OID tree without authentication
rwuser noauth
# Access OID tree irrespective of where requests came from
rwcommunity <comm str> <ipv4> # ipv4
rwcommunity6 <comm str> <ipv6> # ipv6

snmpwalk -v2c -c public 10.129.14.128 # query OIDs/info with community string -c
snmpwalk -v2c -c public 10.129.14.128 | grep 'objectName' # look for specific objects
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt IP # brute-force with wordlist
braa public@IP:.1.3.6.* # brute-force OID
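
One way to check a host's own snmpd.conf for the settings listed above, as an added example that is not part of the original notes. The function names, severity labels and pipe-delimited output format are assumptions of this example, the sample config is constructed, and the check goes slightly beyond the list above by also flagging `rouser ... noauth` and the well-known `public`/`private` community strings.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): flag risky snmpd.conf
# directives. Output format (assumed): SEVERITY|line|directive|reason

audit_snmpd_conf() {
    awk '
        { sub(/#.*/, "") }        # strip comments, as the grep -v filter does
        NF == 0 { next }          # skip blank lines, as the sed filter does
        $1 == "rwuser" || $1 == "rouser" {
            for (i = 2; i <= NF; i++) if ($i == "noauth") {
                print "HIGH|" NR "|" $1 "|OID tree reachable without authentication"
                break
            }
        }
        $1 == "rwcommunity" || $1 == "rwcommunity6" {
            if (NF < 3 || $3 == "default" || $3 == "0.0.0.0/0" || $3 == "::/0")
                print "HIGH|" NR "|" $1 "|read-write community accepted from any source"
            else
                print "MEDIUM|" NR "|" $1 "|read-write community limited to " $3
        }
        $1 ~ /^r[ow]community6?$/ && ($2 == "public" || $2 == "private") {
            print "MEDIUM|" NR "|" $1 "|well-known community string " $2
        }
    ' "$1"
}

# Constructed sample config, written to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real device config
sysLocation lab
rwuser noauth
rwcommunity s3cr3t
rwcommunity6 s3cr3t fd00::/64
rocommunity public 10.0.0.0/24   # read-only but default string
rouser monitor priv
EOF
}

demo() {
    local conf
    conf=$(mktemp) || return 1
    write_sample_conf "$conf"
    audit_snmpd_conf "$conf"
    rm -f "$conf"
}

demo
```

Run `audit_snmpd_conf /etc/snmp/snmpd.conf` on the managed host itself; any HIGH line is a directive to remove or restrict to a management source address.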

# handy OIDs to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # Windows users
1.3.6.1.2.1.25.4.2.1.2 # running processes
1.3.6.1.2.1.2.2.1.2 # interface name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table

# p.moo snmpwalk script: a small script I wrote to iterate IPs through
# a host.txt file with snmpwalk

#!/bin/bash

# print usage if no arguments were given
if [ $# -eq 0 ]; then
    echo "Usage: $0 -h <hosts_file> [-o <output_file>]"
    exit 1
fi

# leading ':' puts getopts in silent mode so the \? and : cases below receive $OPTARG
while getopts ":h:o:" opt; do
    case $opt in
        h) hosts_file="$OPTARG" ;;
        o) output_file="$OPTARG" ;;
        \?) echo "Invalid option: -$OPTARG"; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument."; exit 1 ;;
    esac
done

# check if host file provided
[ -z "$hosts_file" ] && { echo "Error: Hosts file not provided. Use -h <hosts_file>."; exit 1; }

# check if file exists
[ ! -f "$hosts_file" ] && { echo "Error: File '$hosts_file' not found."; exit 1; }

# set output file/use default 
output_file="${output_file:-snmpwalk_results.txt}"

# run snmpwalk against one host/OID and print the result under a title
run_snmpwalk() {
    local host=$1 oid=$2 title=$3
    echo -e "\n[-] $title\n-----------------------------\n$(snmpwalk -c public -v2c "$host" "$oid")"
}

# OIDs and corresponding values
declare -A oids=(
    ["1.3.6.1.4.1.77.1.2.25"]="Windows Users"
    ["1.3.6.1.2.1.25.4.2.1.2"]="Running Windows Processes"
    ["1.3.6.1.2.1.6.13.1.3"]="Open TCP Ports"
    ["1.3.6.1.2.1.25.6.3.1.2"]="Installed Software"
    ["1.3.6.1.2.1.25.2.3.1.4"]="Storage Units"
)

# iterate through each address in file and output results
while read -r host; do
    # skip blank lines so snmpwalk is never called with an empty host
    [ -z "$host" ] && continue
    echo -e "[+] Testing $host\n-----------------------------"
    for oid in "${!oids[@]}"; do
        run_snmpwalk "$host" "$oid" "${oids[$oid]}"
    done
done < "$hosts_file" > "$output_file"

echo "Results have been saved to $output_file"
