Get interesting data by sniffing SNMP traffic

Author: André Eichhofer

An internal attacker can get valuable information from SNMP servers running in the network if these servers are not configured properly - and many are not.

SNMP (Simple Network Management Protocol) is a network protocol that allows network devices to exchange management information. The SNMP server running on a device is called the Agent. The machine that requests information from the Agent is called the Manager.

SNMP allows the agent to provide simple information to the manager (e.g. device temperature, hostname, IP addresses, users, etc.). SNMP may run on printers, routers, switches, etc. to provide basic information about the system. The managers that request this information are typically computers (e.g. to get the printer status).

Before we dive deeper into the possibilities to exploit SNMP, let’s take a look at how SNMP works.

How SNMP works

Data format

To ensure that all devices understand data from agents, a standardized data format is used. The description of that format is stored as a text file on the SNMP server.

Management Information Base (MIB): a vendor-independent format for describing device information. It is a text file in which all queryable SNMP objects are listed in a tree hierarchy. MIB files are written in an ASCII text format based on Abstract Syntax Notation One (ASN.1). MIBs do not contain the data itself; they describe where to find which information.

Object Identifiers (OID): numeric identifiers that address the objects holding device information. OIDs act like named parameters for the device data. They are standardized and organized in a tree structure.

Example

          ISO      (1)
           |
          ORG      (3)
           |
          DOD      (6)
           |
        Internet   (1)
          ...
          ...

A typical OID is sysDescr (System Description), which holds information about the operating system of the device and is located at .1.3.6.1.2.1.1.1.0
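As an added example (not part of the original article), this is how an OID such as .1.3.6.1.2.1.1.1.0 is packed into bytes inside an SNMP packet (BER, X.690): the first two arcs share one byte and every further arc is base-128 encoded, which is the form you see in a packet capture. The function names are my own.

```python
# Added example: BER encoding and decoding of SNMP OIDs (X.690 section 8.19).
# The first two arcs are packed into one byte (40 * arc1 + arc2); each later
# arc is base-128, with the high bit set on every byte except the last.

def encode_oid(dotted: str) -> bytes:
    """Bytes of the OID value (what follows tag 0x06 and the length on the wire)."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])     # last byte: continuation bit clear
        arc >>= 7
        while arc:                          # prepend higher 7-bit groups with bit 7 set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)

def decode_oid(raw: bytes) -> str:
    """Dotted-string form of a BER-encoded OID value."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value, pending = 0, False
    for b in raw[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:                     # high bit clear: this byte ends the arc
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID: last byte still has the continuation bit set")
    return "." + ".".join(str(a) for a in arcs)
```

The sysDescr OID from the text encodes to 2b 06 01 02 01 01 01 00; an arc of 128 or more, such as 311 in the Microsoft enterprise subtree, takes two bytes (82 37).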

SNMP versions

SNMPv1, v2c: the most common versions. Authentication is based on a “community string” that travels in plain text. There are 2 types of community strings:

  • public: mainly read-only functions
  • private: read/write in general

In versions 1 and 2c, if you use a bad community string the server won’t respond. So, if it responds, a valid community string was used.

SNMPv3: uses more secure authentication, namely

  • a user name
  • a password, hashed (MD5, SHA)
  • an encryption algorithm (DES or AES) to send the password encrypted to the SNMP server
  • an encryption key for the password

Ports

  • The SNMP agent receives requests on UDP port 161.
  • The manager receives traps and notifications on UDP port 162.
  • When used with Transport Layer Security or Datagram Transport Layer Security, requests are received on port 10161 (Agent) and notifications are sent to port 10162 (Manager).

SNMP weaknesses

SNMP servers are a valuable target, as SNMP agents may provide information about target systems. SNMP listens on UDP port 161. Some of the weaknesses of SNMP are:

  • SNMP v1 and v2c send community strings and data over the network in cleartext
  • Many systems that use SNMP v1/v2c use default community strings, like public or private

Reconnaissance

Enumerate SNMP servers with:

  • nmap -sU -p 161 <host>
  • snmpwalk.exe -r:<host> -v:<version> -c:<community_string>

SNMP attack vectors

SNMP traffic sniffing

SNMP v1 and v2c transmit data in cleartext, which makes it possible to sniff the network traffic. This is useful if there are machines (Agents) within the network that send SNMP data to devices (Managers) or services that aggregate device data, for example SCADA, IoT or ICS devices that send data to other systems. If you’re within the network, you can capture SNMP data and SNMP community strings in cleartext.
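To make the cleartext point concrete from the monitoring side, here is an added example (my own code, not from the article) that decodes only the SNMP message header and raises the findings a network sensor could alert on: a v1/v2c community string crossing the wire, and one of the default strings being used. The two packets are constructed inline; the names are assumptions.

```python
# Added example: minimal BER decoder for the SNMP message header, used as a
# detection check. SAMPLE_* packets are constructed for this example.
SAMPLE_V2C_GET = bytes.fromhex(
    "3026" "020101" "0406" "7075626c6963"          # SEQUENCE, version=1 (v2c), "public"
    "a019" "020101" "020100" "020100"              # GetRequest, request-id, error-status/index
    "300e" "300c" "06082b06010201010100" "0500"    # varbind list: sysDescr.0 = NULL
)
SAMPLE_V3_HEADER = bytes.fromhex("3005" "020103" "3000")  # version=3, msgGlobalData follows

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet: bytes) -> dict:
    """Version, community string and PDU type of one SNMP datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x02 or version not in VERSION_NAMES:
        raise ValueError("unknown SNMP version field")
    if version == 3:                        # v3 carries msgGlobalData here, not a community
        return {"version": "v3", "community": None, "pdu_type": None}
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return {"version": VERSION_NAMES[version],
            "community": community.decode("latin-1"),
            "pdu_type": PDU_NAMES.get(body[pos], hex(body[pos]))}

def flag_weak_snmp(packet: bytes) -> list:
    """Findings a network monitor could raise for one SNMP packet."""
    info = parse_snmp_header(packet)
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append(f"{info['version']} {info['pdu_type']}: community "
                        f"'{info['community']}' sent in cleartext")
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{info['community']}' in use")
    return findings
```

Run over a capture, the same two checks give a quick inventory of which devices still speak v1/v2c and which still use public or private.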

Brute force SNMP community strings

Many SNMP agents have SNMP v1/v2c enabled and use default community strings, like

  • public
  • private

You can perform a dictionary attack to brute force possible community strings:

  • msf> use auxiliary/scanner/snmp/snmp_login
  • nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
  • onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
  • hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <target.com> snmp

Exploiting SNMP

Extract information from SNMP data

Extracted SNMP data may be very large, so save it to a file and filter for specific patterns with the grep command. You can find and extract data from an SNMP agent by filtering for a specific OID, for example:

  • grep ".1.3.6.1.2.1.1.1.0" *.snmp

Some interesting search patterns are:

  • .1.3.6.1.2.1.1.1.0: sysDescr, shows information about the device
  • grep -i "trap" *.snmp: Try to find other community strings
  • grep -i "fail" *.snmp, grep -i "login\|fail" *.snmp: Try to find user passwords if the SNMP agent holds logs from unsuccessful logins
  • grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp: Filter out email addresses

Interesting MIB objects for Windows systems: if the SNMP agent runs on a Windows system, there are some interesting OIDs:

  • 1.3.6.1.2.1.25.1.6.0: System Processes, allows monitoring of active processes within the system
  • 1.3.6.1.2.1.25.4.2.1.2: Running Programs, track currently running programs
  • 1.3.6.1.2.1.25.4.2.1.4: Processes Path, determine where a process is running from
  • 1.3.6.1.2.1.25.2.3.1.4: Storage Units, monitoring of storage units
  • 1.3.6.1.2.1.25.6.3.1.2: Software Name, software installed on a system
  • 1.3.6.1.4.1.77.1.2.25: User Accounts
  • 1.3.6.1.2.1.6.13.1.3: TCP Local Ports, monitoring TCP local ports, providing insight into active network connections

Links:

book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
rapid7.com/blog/post/2016/05/05/snmp-data-harvesting-during-penetration-testing