> For the complete documentation index, see [llms.txt](https://docs.wehost.co.in/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.wehost.co.in/cybersecurity/snmp-attack.md). # SNMP Attack * Ports used * \[\[UDP]] 161 * \[\[UDP]] 162 * `traps` * These are data packets sent from the SNMP server to the client without being explicitly requested. * If a device is configured accordingly * An SNMP trap is sent to the client once a specific event occurs on the server-side ### MIB * To ensure that SNMP access works across manufacturers and with different client-server combinations, the `Management Information Base` (`MIB`) was created. * A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy * do not contain data * link to the data * returns a specific OID ### OID * represents a node in a hierarchical namespace. * A sequence of numbers uniquely identifies each node, allowing the node's position in the tree to be determined. ## SNMP ### SNMPv1 * provides traps, * `no built-in authentication` mechanism * does not support encryption ### SNMPv2 * similar to SNMPv1 * `community string` that provides security is only transmitted in plain text, meaning it has no built-in encryption. ### SNMPv3 * has `authentication` using username and password and transmission `encryption` (via `pre-shared key`) of the data ### Default Configuration ```shell-session cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d' ``` ```shell-session sysLocation Sitting on the Dock of the Bay sysContact Me sysServices 72 master agentx agentaddress 127.0.0.1,[::1] view systemonly included .1.3.6.1.2.1.1 view systemonly included .1.3.6.1.2.1.25.1 rocommunity public default -V systemonly rocommunity6 public default -V systemonly rouser authPrivUser authpriv -V systemonly ``` #### Dangerous Settings | **Settings** | **Description** | | ------------------------------------------------ | ------------------------------------------------------------------------------------- | | `rwuser noauth` | Provides access to the full OID tree without authentication. | | `rwcommunity ` | Provides access to the full OID tree regardless of where the requests were sent from. | | `rwcommunity6 ` | Same access as with `rwcommunity` with the difference of using IPv6. | *** ## Footprinting the Service ### snmpwalk * snmpwalk ``` snmpwalk -v 2c -c public monitored.htb -m all| tee snmp_data ``` ```shell-session snmpwalk -v2c -c public 10.129.14.128 ``` ```shell-session iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64" iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10 iso.3.6.1.2.1.1.3.0 = Timeticks: (5134) 0:00:51.34 iso.3.6.1.2.1.1.4.0 = STRING: "mrb3n@inlanefreight.htb" iso.3.6.1.2.1.1.5.0 = STRING: "htb" iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay" iso.3.6.1.2.1.1.7.0 = INTEGER: 72 iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1 iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1 iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1 iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1 iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1 iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49 iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4 iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50 iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3 iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92 iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB." iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching." iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model." iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities" iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP." iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations" iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations" iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations" iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering." iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications." iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (0) 0:00:00.00 iso.3.6.1.2.1.25.1.1.0 = Timeticks: (3676678) 10:12:46.78 iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E5 09 14 0E 2B 2D 00 2B 02 00 iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216 iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-5.11.0-34-generic root=UUID=9a6a5c52-f92a-42ea-8ddf-940d7e0f4223 ro quiet splash" iso.3.6.1.2.1.25.1.5.0 = Gauge32: 3 iso.3.6.1.2.1.25.1.6.0 = Gauge32: 411 iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0 iso.3.6.1.2.1.25.1.7.0 = No more variables left in this MIB View (It is past the end of the MIB tree) ...SNIP... iso.3.6.1.2.1.25.6.3.1.2.1232 = STRING: "printer-driver-sag-gdi_0.1-7_all" iso.3.6.1.2.1.25.6.3.1.2.1233 = STRING: "printer-driver-splix_2.0.0+svn315-7fakesync1build1_amd64" iso.3.6.1.2.1.25.6.3.1.2.1234 = STRING: "procps_2:3.3.16-1ubuntu2.3_amd64" iso.3.6.1.2.1.25.6.3.1.2.1235 = STRING: "proftpd-basic_1.3.6c-2_amd64" iso.3.6.1.2.1.25.6.3.1.2.1236 = STRING: "proftpd-doc_1.3.6c-2_all" iso.3.6.1.2.1.25.6.3.1.2.1237 = STRING: "psmisc_23.3-1_amd64" iso.3.6.1.2.1.25.6.3.1.2.1238 = STRING: "publicsuffix_20200303.0012-1_all" iso.3.6.1.2.1.25.6.3.1.2.1239 = STRING: "pulseaudio_1:13.99.1-1ubuntu3.12_amd64" iso.3.6.1.2.1.25.6.3.1.2.1240 = STRING: "pulseaudio-module-bluetooth_1:13.99.1-1ubuntu3.12_amd64" iso.3.6.1.2.1.25.6.3.1.2.1241 = STRING: "pulseaudio-utils_1:13.99.1-1ubuntu3.12_amd64" iso.3.6.1.2.1.25.6.3.1.2.1242 = STRING: "python-apt-common_2.0.0ubuntu0.20.04.6_all" iso.3.6.1.2.1.25.6.3.1.2.1243 = STRING: "python3_3.8.2-0ubuntu2_amd64" iso.3.6.1.2.1.25.6.3.1.2.1244 = STRING: "python3-acme_1.1.0-1_all" iso.3.6.1.2.1.25.6.3.1.2.1245 = STRING: "python3-apport_2.20.11-0ubuntu27.21_all" iso.3.6.1.2.1.25.6.3.1.2.1246 = STRING: "python3-apt_2.0.0ubuntu0.20.04.6_amd64" ``` ### snmpbulkwalk * faster than snmp walk ``` snmpbulkwalk -v 2c -c public monitored.htb -m all| tee snmp_data ``` ### OneSixtyOne * can be used to get community string * ```shell-session sudo apt install onesixtyone ``` ```shell-session onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt 10.129.14.128 ``` ```shell-session Scanning 1 hosts, 3220 communities 10.129.14.128 [public] Linux htb 5.11.0-37-generic #41~20.04.2-Ubuntu SMP Fri Sep 24 09:06:38 UTC 2021 x86_64 ``` * Once we know a community string, we can use it with [braa](https://github.com/mteg/braa) to brute-force the individual OIDs and enumerate the information behind them. ### Braa ```shell-session sudo apt install braa ``` ```shell-session braa @:.1.3.6.* ``` ```shell-session braa public@10.129.14.128:.1.3.6.* ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.wehost.co.in/cybersecurity/snmp-attack.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.