A widely used network management tool for monitoring that exposes data in variable form in a hierarchical tree-like structure. These variables can be queried and potentially manipulated.
SNMP is a component of the Internet Protocol Suite, defined by the IETF
It includes: an application-layer protocol, a database schema, and a set of data objects
Managers: administrative computers that monitor/manage groups of hosts
Agents: systems that execute and report information through SNMP to managers
Consists of 3 key components:
Managed devices
Agents
NMS (Network Management Station): software that runs the manager
SNMP can handle configuration tasks and settings remotely, so it is enabled on a lot of hardware
This includes: routers, switches, servers, IoT devices, etc.
Commands are transmitted over UDP port 161; traps use UDP port 162
Clients can set specific values in devices and change settings with commands
The client requests info from the server
Packets are sent from the SNMP server to clients without explicit requests
SNMP Trap: sent to a client once a specific event occurs server-side
Traps are for security monitoring purposes
Management Information Base
MIBs are an independent format for storing device info in a text file that can be queried
Files are written in ASN.1 (Abstract Syntax Notation One), which is based on ASCII
MIBs contain no data themselves, but explain where to find info and what it looks like
```
# Access OID tree without authentication
rwuser noauth
# Access OID tree irrespective of where requests came from
# ipv4
rwcommunity <commstr> <ipv4>
# ipv6
rwcommunity6 <commstr> <ipv6>
```
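A defensive check for the settings above, as an added example that is not part of the original notes: it reads an `snmpd.conf` on stdin and reports the risky access directives. It goes slightly beyond the three directives listed by also covering the read-only counterparts (`rouser`, `rocommunity`, `rocommunity6`); the function names, severity labels and sample configuration are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit an snmpd.conf on stdin.
# Output: one "LINE:SEVERITY:message" record per risky directive.
audit_snmpd_conf() {
  awk '
    /^[ \t]*(#|$)/ { next }            # skip comment lines and blank lines
    $1 == "rwuser" || $1 == "rouser" {
      for (i = 2; i <= NF; i++)
        if ($i == "noauth") {
          printf "%d:HIGH:%s permits unauthenticated (noauth) access\n", NR, $1
          break
        }
      next
    }
    $1 ~ /^r[ow]community6?$/ {
      write = ($1 ~ /^rw/)
      sev = write ? "HIGH" : "MEDIUM"
      # Syntax: r[ow]community COMMUNITY [SOURCE [OID]]
      # A missing SOURCE (or the keyword "default") means any host may query.
      if (NF < 3 || $3 == "default")
        printf "%d:%s:%s accepts requests from any source\n", NR, sev, $1
      if ($2 == "public" || $2 == "private")
        printf "%d:%s:%s uses well-known community string %s\n", NR, sev, $1, $2
      if (write)
        printf "%d:MEDIUM:%s grants write access via a cleartext community string\n", NR, $1
    }
  '
}

# Constructed sample configuration (placeholder values, not from a real device).
sample_conf() {
  cat <<'EOF'
# constructed sample snmpd.conf
rwuser noauth
rwcommunity public
rwcommunity6 Xq7-lab-string 2001:db8::10
rocommunity monitor 10.0.0.0/24
rouser nms priv
EOF
}

# Demo run on the sample; for a real host use: audit_snmpd_conf < /path/to/snmpd.conf
sample_conf | audit_snmpd_conf
```

Findings on lines with `rw*` directives are the ones to remove or replace first, since they allow the remote changes described earlier.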
snmpwalk: queries OIDs and info
onesixtyone: brute-forces names of community strings
braa: brute-forces individual OIDs/enumerates information behind them
```bash
# query OIDs/info with community string -c
snmpwalk -v2c -c public 10.129.14.128
# look for specific objects
snmpwalk -v2c -c public 10.129.14.128 | grep 'objectName'
# brute-force with wordlist
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt IP
# brute-force OID
braa public@IP:.1.3.6.*

# handy OIDs to know
# 1.3.6.1.2.1.1.1.0        system description
# 1.3.6.1.4.1.77.1.2.25    win usrs
# 1.3.6.1.2.1.25.4.2.1.2   running procs
# 1.3.6.1.2.1.2.2.1.2      int name
# 1.3.6.1.2.1.6.13.1.3     open tcp ports
# 1.3.6.1.2.1.25.6.3.1.2   software
# 1.3.6.1.2.1.25.2.3.1.4   storage units
# 1.3.6.1.2.1.4.35         nat table
# 1.3.6.1.2.1.4.21         ip route table
# 1.3.6.1.2.1.31.1.1.1     wireless table
```
```bash
#!/bin/bash
# p.moo snmpwalk script: a small script I wrote to iterate IPs through
# a host.txt file with snmpwalk

# check that arguments were given
if [ $# -eq 0 ]; then
    echo "Usage: $0 -h <hosts_file> [-o <output_file>]"
    exit 1
fi

# leading ':' puts getopts in silent mode so the \? and : cases receive $OPTARG
while getopts ":h:o:" opt; do
    case $opt in
        h) hosts_file="$OPTARG" ;;
        o) output_file="$OPTARG" ;;
        \?) echo "Invalid option: -$OPTARG"; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument."; exit 1 ;;
    esac
done

# check if host file provided
[ -z "$hosts_file" ] && { echo "Error: Hosts file not provided. Use -h <hosts_file>."; exit 1; }
# check if file exists
[ ! -f "$hosts_file" ] && { echo "Error: File '$hosts_file' not found."; exit 1; }

# set output file/use default
output_file="${output_file:-snmpwalk_results.txt}"

# run snmpwalk for one host/OID pair and print the result under a title
run_snmpwalk() {
    host=$1; oid=$2; title=$3
    echo -e "\n[-] $title\n-----------------------------\n$(snmpwalk -c public -v2c "$host" "$oid")"
}

# OIDs and corresponding values
declare -A oids=(
    ["1.3.6.1.4.1.77.1.2.25"]="Windows Users"
    ["1.3.6.1.2.1.25.4.2.1.2"]="Running Windows Processes"
    ["1.3.6.1.2.1.6.13.1.3"]="Open TCP Ports"
    ["1.3.6.1.2.1.25.6.3.1.2"]="Installed Software"
    ["1.3.6.1.2.1.25.2.3.1.4"]="Storage Units"
)

# iterate through each address in file and output results
while read -r host; do
    [ -z "$host" ] && continue    # skip blank lines in the hosts file
    echo -e "[+] Testing $host\n-----------------------------"
    for oid in "${!oids[@]}"; do
        run_snmpwalk "$host" "$oid" "${oids[$oid]}"
    done
done < "$hosts_file" > "$output_file"

echo "Results have been saved to $output_file"
```