SNMP (161-162)

Simple Network Management Protocol.

Protocol Information

SNMP is a protocol used in TCP/IP networks to collect and manage information about networked devices. The SNMP protocol is supported by many types of devices including routers, switches, servers, printers, Network Attached Storage (NAS), firewalls, WLAN controllers and more.

There are 3 versions of SNMP:

  • SNMPv1 does not natively support authentication or encryption, which leaves it open to spoofing, replay attacks and sniffing.
  • SNMPv2 and SNMPv2c are similar to version 1 in terms of security.
  • SNMPv3 introduced username and password authentication and encryption (pre-shared key), moving from DES-56 to AES-256.

SNMP managed networks have 3 components:

  • Managed Device: A managed device (also referred to as a ‘node’) is a network device with the SNMP service enabled, allowing unidirectional (read) or bidirectional (read/write) communication. Managed devices can be any networked device including servers, firewalls and routers.
  • Agent: The agent is the software running on the managed device which is responsible for handling the communication. The agent translates device-specific configuration parameters into an SNMP format for the Network Management System.
  • Network Management System (NMS): The Network Management System is the software that is actually managing and monitoring networked devices. An SNMP managed network will always contain at least one NMS.

The SNMP protocol uses several commands which are sent from the NMS to the managed device’s agent and back. These commands can be categorized as read, write, trap and traversal commands.

  • Read commands are sent by the NMS to nodes for monitoring purposes.
  • Write commands are used to control the nodes in the network.
  • Trap commands are used for unsolicited SNMP messages from a device’s agent to the NMS to inform the NMS about certain events such as errors.
  • Traversal commands are used to check what information is retained on a managed device and to retrieve it.

The SNMP Management Information Base (MIB) is a database that contains information about network devices. When the Network Management System (NMS) sends a “get” request to obtain information about a managed device on the network, the agent service returns a structured table with the data. This table is called the Management Information Base (MIB). Each node has a unique identifier called an Object Identifier (OID). An OID is a sequence of numbers separated by periods that uniquely identifies a node in the MIB tree. For example, an OID might be 1.3.6.1.2.1.1. Each number in the sequence represents a level in the MIB tree. In addition to indicating the OID, the MIB also provides information about the type, access rights, and a description of the respective object.

The SNMP community string is like a username or password that allows access to the managed device. There are three different community strings that allow a user to set (1) read-only commands, (2) read and write commands and (3) traps. In SNMPv1 and SNMPv2, the default community strings are:

  • ‘public’: read-only
  • ‘private’: read-write

In SNMPv3, the community string was replaced by username and password authentication. It is good security practice to replace all community strings with hard-to-guess values, since they act as passwords.

Port

161 UDP   SNMP, commands
162 UDP   SNMP, traps sent from server to clients when certain events occur.

Config File

  • /etc/snmp/snmpd.conf
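
Added example (not part of the original page or of Net-SNMP): a small Python audit of the config file above that flags the default ‘public’/‘private’ community strings, read-write communities and unrestricted sources in `rocommunity`, `rwcommunity` and `com2sec` lines. The weak-value list, the 12-character minimum and the sample configuration are assumptions constructed for illustration.

```python
WEAK = {"public", "private", "community", "snmp", "admin"}  # defaults + constructed weak values
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}             # any client may query
MIN_LEN = 12                                                # assumed local policy
# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# monitoring
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity Xk4-vq9ZrT2mLp8d 192.0.2.10
com2sec notConfigUser default public
rouser monitor priv
"""

def audit_snmpd_conf(text):
    """Return (line_no, severity, message) tuples; community values are never echoed."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()  # whitespace tokens only; quoted values are not handled
        if not tok or tok[0].startswith("#"):
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and args:
            # rocommunity COMMUNITY [SOURCE [OID]]; a missing SOURCE means "default"
            community, source = args[0], (args[1] if len(args) > 1 else "default")
            writable = directive.startswith("rw")
        elif directive == "com2sec":
            args = args[2:] if args[:1] == ["-Cn"] else args  # optional "-Cn CONTEXT"
            if len(args) < 3:
                continue
            # com2sec SECNAME SOURCE COMMUNITY; write access is granted by separate access lines
            source, community, writable = args[1], args[2], False
        else:
            continue
        if community.lower() in WEAK:
            findings.append((no, "HIGH", "default or guessable community string"))
        elif len(community) < MIN_LEN:
            findings.append((no, "MEDIUM", "community string shorter than %d characters" % MIN_LEN))
        if writable:
            findings.append((no, "HIGH", "read-write community over SNMPv1/v2c"))
        if source in OPEN_SOURCES:
            findings.append((no, "MEDIUM", "no source address restriction"))
    return findings

if __name__ == "__main__":
    for no, severity, message in audit_snmpd_conf(SAMPLE):
        print("line %d: %s: %s" % (no, severity, message))
```

Findings report only the line number, so the audit output can be shared without leaking the community strings themselves.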

Interact

MIB Trees

1.3.6.1.2.1.25.1.6.0     System Processes
1.3.6.1.2.1.25.4.2.1.2   Running Programs
1.3.6.1.2.1.25.4.2.1.4   Processes Path
1.3.6.1.2.1.25.2.3.1.4   Storage Units
1.3.6.1.2.1.25.6.3.1.2   Software Name
1.3.6.1.4.1.77.1.2.25    User Accounts
1.3.6.1.2.1.6.13.1.3     TCP Local Ports

Tools / Details

snmpwalk -c <COMMUNITY_STRING> -v <1-2c-3> <IP> [<OID>]

snmpwalk -c <COMMUNITY_STRING> -v <1-2c> <IP>

Attacks

Brute force Community Strings and OIDs

Tools / Details

Brute force community string: onesixtyone -c <WORDLIST> <IP>

Brute force OID: braa <COMMUNITY_STRING>@<IP>:.1.3.6.*
