161 ) SNMP
Penetration Testing on SNMP
Scanning
## ------------------| Nmap
## UDP scan (-sU) restricted to port 161, printing only ports reported open;
## sudo is required because UDP scanning needs raw sockets. A UDP port that
## never replies is reported as open|filtered, so treat this as a candidate
## list, not proof that an agent is listening.
sudo nmap -sU --open -p 161 <IP>
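## ------------------| onesixtyone
#### Create community string file (one candidate string per line)
cat > com << EOF
public
internal
private
manager
EOF
#### Create IP address list: one host per line for the /24 in $net
#### (the loop variable is $i; the original body expanded the unset $ip,
#### which wrote "10.10.10." on every line of iplist)
net=10.10.10
for i in {1..254}; do printf '%s.%s\n' "$net" "$i"; done > iplist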
#### Run onesixtyone
## -c: file of candidate community strings, -i: file of target hosts
## (both written above). Each attempt is a separate SNMP request over
## UDP/161, so a sweep like this stands out in flow logs or on an IDS.
onesixtyone -c com -i iplist
#### or: the SecLists community-string list against a single host
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <IP>
### Download onesixtyone wordlist using following
## Fetches the dictionary shipped with the onesixtyone project; it can be
## passed to -c in place of the hand-written com file. This pulls whatever
## is currently on the master branch -- pin a commit if reproducibility matters.
wget https://raw.githubusercontent.com/trailofbits/onesixtyone/master/dict.txt
Basic enumeration
## ------------------| To read snmpwalk output as human readable
## Installs the MIB files so the net-snmp tools can print OIDs by name
## instead of as bare numbers.
apt-get install snmp-mibs-downloader -y
## The shipped config contains a "mibs :" line; comment it out so the
## installed MIBs are loaded (the Enyx section further down reverses this).
cat /etc/snmp/snmp.conf
## Comment out the "mibs :" line in this file
## ------------------| Basic checks
## All of these use SNMP v1/v2c, where the community string travels in
## cleartext inside every UDP datagram -- anything on the path can read it.
snmpenum <IP> public linux.txt # Use this for Linux, then move on to snmpwalk
snmpenum <IP> public windows.txt # Use this for Windows, then move on to snmpwalk
snmp-check <IP> -c public
## -c <community> -v <version>; try both v1 and v2c, an agent may answer only one
snmpwalk -c public -v1 <IP>
snmpwalk -c public -v2c <IP>
## tee keeps a full copy of the walk for the grep step in the Analyze section
snmpwalk -c internal -v2c <IP> | tee snmpwalk.out
## bulkwalk (v2c only, uses GETBULK) fetches many objects per request;
## -Cr sets max-repetitions per request (default 10) to cut round trips
snmpbulkwalk -c public -v2c <IP> | tee snmpbulkwalk.out
snmpbulkwalk -Cr1000 -c public -v2c <IP> | tee snmpbulkwalk.out
## ------------------| Special for Windows/Linux
## Numeric OIDs work even without MIBs loaded: 1.3.6.1.2.1.25.* is
## HOST-RESOURCES-MIB, 1.3.6.1.4.1.77.* is the Windows LanManager MIB (so the
## user list below is Windows-only). -Ovq prints only the values, without the
## OID prefix or type label.
snmpwalk -c public -v1 <IP> -Ovq HOST-RESOURCES-MIB::hrSWRunParameters ## Get running services with args (symbolic name; needs MIBs loaded)
snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25 ## Get Users
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2 ## Get Running Process
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.1.6.0 ## Get System Processes
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.4 ## Get Processes Path
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.2.3.1.4 ## Get Storage Units
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.6.13.1.3 ## Get Open TCP Ports
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.6.3.1.2 ## Get Installed Software
## ------------------| Analyze / Grep
## Tally the "::name." object tokens in the saved walk, rarest first, to
## see which MIB objects the agent exposes (reads snmpwalk.out from tee above).
grep -oP '::.*?\.' -- snmpwalk.out \
  | sort \
  | uniq -c \
  | sort -n
Best tools
## ------------------| SNMP-Brute
## Fetches snmpbrute.py straight from the master branch; whatever is at that
## URL runs as your user, so read the script (or pin a commit) before use.
wget https://raw.githubusercontent.com/SECFORCE/SNMP-Brute/master/snmpbrute.py
## -t: target, -f: wordlist of community strings (the two SecLists files below);
## -a and --sploitego are tool-specific modes -- see `python3 snmpbrute.py -h`.
python3 snmpbrute.py -t <IP>
python3 snmpbrute.py -a -t <IP>
python3 snmpbrute.py --sploitego -t <IP>
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/snmp.txt -t <IP>
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -t <IP>
## ------------------| Hydra
## -P: community-string wordlist, -v: verbose, snmp: the hydra module.
## Every guess is its own UDP/161 request, so this is loud on the wire.
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -v <IP> snmp
Get ipAddressTable
## ------------------| Get all ip address
## 1.3.6.1.2.1.4.34.1.3 is ipAddressIfIndex in IP-MIB's ipAddressTable;
## walking it lists every configured address (v4 and v6) with its interface.
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.4.34.1.3
snmpwalk -c public -v2c <IP> 1.3.6.1.2.1.4.34.1.3
## ------------------| Get ipv6 address
## Uses the symbolic name ipAddressIfIndex.ipv6, so MIBs must be loaded
## (see the snmp-mibs-downloader step). The index comes back as a quoted,
## colon-separated byte string: cut keeps the quoted field, grep keeps only
## entries containing "de:ad" (a sample prefix -- change it to the prefix you
## expect), and sed joins each byte pair into a 4-hex-digit group.
snmpwalk -v2c -c public <IP> ipAddressIfIndex.ipv6 | cut -d'"' -f2 | grep 'de:ad' | sed -E 's/(.{2}):(.{2})/\1\2/g'
## ------------------| Using Enyx
## Same caveat as the other raw GitHub downloads: read the script (or pin a
## commit) before running it.
wget https://raw.githubusercontent.com/trickster0/Enyx/master/enyx.py
cat /etc/snmp/snmp.conf
## Uncomment the "mibs :" line (the reverse of the human-readable step above);
## presumably enyx.py wants numeric OIDs rather than MIB names -- confirm.
## Usage is enyx.py <version> <community> <target>; 10.10.10.20 is a sample
## target, substitute <IP>. Note the interpreter is python, not python3 --
## check which one the script expects.
python enyx.py 2c public 10.10.10.20