SNMP Enumeration

I know SNMP enumeration is not really a hot topic as per today but still I think we must cover it for educational purpose. So before we proceed lets have our look on some basic terminologies related to SNMP.

What is SNMP?:
Simple Network Management Protocol i.e SNMP is an application layer protocol used to manage TCP/IP based networks.

SNMP Agent:
A device that can communicate with SNMP protocol.

SNMP Manager:
It is an entity which sends requests via SMNP to its SNMP agents.

MIB:
Management Information Base (MIB) provides a standard representation of SNMP agents available information and where it is stored.

Traps:
Traps let the SNMP manager know about activities at SNMP agent. Activity might be reboot, device failure or any other suspicious activity.
SNMP requests/response are sent over UDP port number 161 and notifications are sent over port number 162.

What is SNMP Enumeration?:
It is process of using SNMP to enumerate user accounts and devices on a target system. SNMP has two passwords to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string, its for changing or editing the configuration on the device.
By default read community string is public and read/write community string is private. If these passwords are not changed they can be used by an attacker to enumerate SNMP as SNMP Manager. If the default password is not as above other default passwords can be found on www.defaultpassword.com.

SNMP Enumeration Tools:

SNMP Util:
SNMPUtil is a command line tool which gathers Windows user accounts information via SNMP in Windows system. Information such as routing tables, ARP tables, IP Addresses, MAC Addresses, TCP/UDP open ports, user accounts and shares can be obtained using this tool.

Syntax:
C:\>snmputil {get|walk|getnext} {machine name} {Object Identifier}
get: This command gets the value of the requested object identifier.
getnext: This command gets the value of the next object that follows the specified object identifier.
walk: You use this command is used to step through (walk) the Management Information Base (MIB) branch that is specified by the object identifier.

Object Identifier: It specifies branch of MIB as defined in SNMP protocol. They are long, clumsy number which are really very difficult to remember. They all have their string equivalent but even they are hard to remember. Following is list of sting values,

Aren’t they hard to remember therefore I would not recommend this tool to anyone because remembering all those stuff is damn difficult. We have an excellent graphical tool instead of this tool I’ll better advise you to opt it.
Example:
C:\>snmputil.exe walk 192.22.0.24 .server.svSvcTable.svSvcEntry.svSvcName
This will list services.
IP Network Browser:
IP Network Browser is tool from Solar Winds Engineers Tool Set. It is graphical tool and can be easily used for SNMP enumeration.
Solar Winds                               Solar Winds Engineers Toolset
                           
IP Network Browser
I think there is no need to explain working of IP Network Browser because it is damn easy to use.
In upcoming post we will cover defenses against SMNP enumeration. Till then don’t forget to let us know about your views on this post and ask if you have any difficulty.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s