This protocol has a weak authentication system: public and private community strings.
- The public community string allows reading information from an SNMP-enabled device
- The private community string can often be used to reconfigure a device
Scanning machines with SNMP enabled can give interesting results if they are improperly configured. Many tools exist, but the one I was exposed to during my Offensive Security course was snmpwalk.
Scanning a Windows system running SNMP.
From our Linux machine's shell, we would type the following command to scan a single machine.
linux~#snmpwalk -c public -v1 -target IP
This can return information such as running services and installed applications. Somewhere in the output we can also find the operating system's version. The output can be very long, so piping it through grep is a good idea.
linux~#snmpwalk -c public -v1 -target IP
One can also enumerate users with snmpwalk:
linux~#snmpwalk -c public -v1 -target IP
Enumerating services with snmpwalk:
linux~#snmpwalk -c public -v1 -target IP
Enumerating TCP ports:
linux~#snmpwalk -c public -v1 -target IP
And enumerating installed applications:
linux~#snmpwalk -c public -v1 -target IP
In the above syntax, the switches -c and -v are used. The first, -c, indicates which community string to use: public or private. The second, -v, tells the tool which version of SNMP to use, in this case version 1. We also tell it to start at the root of the MIB tree by adding "1" after the target's IP address. See the top of this post for a wiki link on the MIB tree.
Of course, one can also use the script "snmpcheck" to gather most or all of this information in a more human-readable format.
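As an added example (not code from the original post or from snmpwalk/snmpcheck), here is a small Python script that turns saved snmpwalk output into the kind of readable summary the post attributes to snmpcheck, which is handy when auditing your own devices. It assumes numeric OID output (snmpwalk -On) and uses the standard MIB-II sysDescr and tcpConnLocalPort objects and the HOST-RESOURCES-MIB hrSWInstalledName object; the sample walk is constructed and embedded inline.

```python
import re

# Standard OIDs (MIB-II and HOST-RESOURCES-MIB), numeric form as printed by snmpwalk -On
SYS_DESCR = ".1.3.6.1.2.1.1.1.0"          # sysDescr: OS / hardware description
TCP_LOCAL_PORT = ".1.3.6.1.2.1.6.13.1.3"  # tcpConnLocalPort: listening/connected TCP ports
HR_SW_NAME = ".1.3.6.1.2.1.25.6.3.1.2"    # hrSWInstalledName: installed software

# Constructed sample of snmpwalk -On output (not from a real device)
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Hardware: x86 Family 6 - Software: Windows 2000 Version 5.0 (Build 2195)
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
.1.3.6.1.2.1.25.6.3.1.2.1 = STRING: "WebFldrs"
.1.3.6.1.2.1.25.6.3.1.2.2 = STRING: "Security Update for Windows"
"""

# One snmpwalk line: "<oid> = <TYPE>: <value>" (TYPE is absent for some values)
LINE_RE = re.compile(r'^(\.[\d.]+) = (?:([A-Za-z0-9-]+): )?(.*)$')


def parse_walk(text):
    """Return a list of (oid, type, value) tuples from snmpwalk -On output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or wrapped continuation lines
        oid, typ, val = m.groups()
        entries.append((oid, typ or "", val.strip('"')))
    return entries


def summarize(entries):
    """Group the walk into the facts the post greps for: OS, TCP ports, software."""
    summary = {"os": None, "tcp_ports": [], "software": []}
    for oid, _typ, val in entries:
        if oid == SYS_DESCR:
            summary["os"] = val
        elif oid.startswith(TCP_LOCAL_PORT + "."):
            summary["tcp_ports"].append(int(val))
        elif oid.startswith(HR_SW_NAME + "."):
            summary["software"].append(val)
    summary["tcp_ports"] = sorted(set(summary["tcp_ports"]))
    return summary


if __name__ == "__main__":
    report = summarize(parse_walk(SAMPLE_WALK))
    print("OS:       ", report["os"])
    print("TCP ports:", report["tcp_ports"])
    print("Software: ", report["software"])
```

To use it on a real audit, save the walk with `snmpwalk -On ... > walk.txt` and pass the file contents to `parse_walk`.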