So let's say we run Nessus (a vulnerability scanner available in BT) against some machines and we see SNMP running. Now let's say Nessus comes back with "SNMP Agent Default Community Name"... you just got yourself another treasure trove of information :)
Hang on, what is SNMP anyway? SNMP is Simple Network Management Protocol. It is used to help monitor network devices, including routers, switches and workstations (pretty much anything which can get SNMP installed on it). From Microsoft:
You can use SNMP in environments that include large networks with
hundreds or thousands of nodes that would otherwise be difficult and
costly to monitor. SNMP allows monitoring of network devices such as
servers, workstations, printers, routers, bridges, and hubs, as well as
services such as Dynamic Host Configuration Protocol (DHCP) or Windows
Internet Name Service (WINS).
So it definitely is useful in a network environment; however, when in the wrong hands and not locked down properly, it can be used against you. Maybe it's better to show you what I mean :) To the Backtrack cave!
I will show you two tools on BT5 which we can use to enumerate devices on the network via SNMP. The first one is SNMPEnum. Its parameters are:
snmpenum.pl
Well, if Nessus returned telling us SNMP is running with the default community name, we know that is 'public' (Nessus tells you that too, but so would Google). The tool comes with three config files: cisco.txt, windows.txt and linux.txt; choose whichever matches the device you are scanning. Let's fire up Wireshark and see what is going across the wire... This will generate a lot of traffic. Let's focus on the first two packets.
[Screenshot: How I ran the command]
[Screenshot: SNMP packets are also called PDUs (Protocol Data Units)]
What the heck are those numbers?! Those are object identifiers (OIDs), which are used to address an object in a predefined structure, which in this case is called the Management Information Base (MIB). You can do a search of OIDs here. So what is this one? Well, let's follow it on the website. The first number (top level) is 1... which is ISO (International Organization for Standardization). Ok, click that... the next numbers are:
- 3 - ISO Identified Organization
- 6 - US Department of Defense
- 1 - Internet
- 2 - Management Section
- 1 - MIB 2 (not the movie)
- 25 - Host Resources
Blast, we ran out of lookups. Luckily, this site lists all the OIDs in the MIB-2 schema, and a quick ctrl-f gives us: hrSWInstalledName... all of that to get the name of installed software :) Or we could have looked at the windows.txt file too, which lays it out in plain English for us (phew).
[Screenshot: Windows config file]
Luckily the get-response is a bit easier to decipher than the request:
[Screenshot: Part of the SNMP response]
So we see here we have 10 responses in this packet. We have our base number (1.3.6.1.2.1.25.6.3.1.2.n, where n starts at 1 and is incremented with every answer for that question). We also see the answers are in readable text (well, Wireshark converts them from hex for us). Here is a screenshot of the UDP stream for us; the RED is our BT instance (request) and BLUE is the intended victim (response).
[Screenshot: UDP stream in raw]
I know, slightly confusing; just think of it as a very complicated way (for us) of checking what's running on machines :)
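To make the numbers in the request/response concrete, here is an added example (my own code, not from the post or from any of the tools above) that decodes a constructed SNMPv1 GetResponse with the same BER/ASN.1 rules Wireshark applies; the sample packet, its request-id and the product names in it are made up.

```python
# Tags an SNMPv1 message uses: INTEGER, OCTET STRING, OBJECT IDENTIFIER, SEQUENCE, GetResponse-PDU
INTEGER, OCTET_STRING, OID, SEQUENCE, GET_RESPONSE = 0x02, 0x04, 0x06, 0x30, 0xA2

def read_tlv(buf, pos):
    """Return (tag, contents, position after this TLV); handles short and long BER lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """First byte packs arcs 1 and 2 as 40*a+b; later arcs are base-128 with high bit = more."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag, raw):
    if tag == INTEGER:
        return int.from_bytes(raw, "big", signed=True)
    return raw.decode("ascii", errors="replace") if tag == OCTET_STRING else raw.hex()

def decode_get_response(packet):
    """Return (community, request-id, [(oid, value), ...]) for one SNMPv1 GetResponse."""
    _, msg, _ = read_tlv(packet, 0)                        # outer SEQUENCE
    _, version, pos = read_tlv(msg, 0)
    tag, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if decode_value(INTEGER, version) != 0 or tag != GET_RESPONSE:
        raise ValueError("not an SNMPv1 GetResponse")
    _, req_id, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)                         # error-status (skipped)
    _, _, pos = read_tlv(pdu, pos)                         # error-index  (skipped)
    _, varbinds, _ = read_tlv(pdu, pos)
    pos, pairs = 0, []
    while pos < len(varbinds):                             # one SEQUENCE {OID, value} per answer
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, p = read_tlv(vb, 0)
        vtag, val_raw, _ = read_tlv(vb, p)
        pairs.append((decode_oid(oid_raw), decode_value(vtag, val_raw)))
    return community.decode("ascii"), decode_value(INTEGER, req_id), pairs

# Constructed sample (not a real capture): community "public", request-id 1, and two
# hrSWInstalledName rows (1.3.6.1.2.1.25.6.3.1.2.1 and .2) with made-up product names.
SAMPLE = bytes.fromhex(
    "304b 020100 0406 7075626c6963 a23e 020101 020100 020100 3033"
    "3018 060b 2b06010201190603010201 0409 5769726573686172 6b"
    "3017 060b 2b06010201190603010202 0408 4e6573737573 2034"
)
```

Calling `decode_get_response(SAMPLE)` yields the same OID-plus-value pairs Wireshark shows, with the trailing .1 and .2 being the n that increments per answer.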
SNMPenum shows us the following:
- running processes
- installed software
- system info
- hostname
- domain
- uptime
- users
- shares
- disks
- services
- listening TCP ports
- listening UDP ports
Pretty awesome considering we have not even pwned the box yet! All of this for free, and it can be used to increase your attacks on a machine.
SNMPwalk is similar to SNMPenum; however, its output is much more verbose and not formatted to look pretty like SNMPenum's. However, this one is a bit better if you are trying to follow the requests/responses in Wireshark. For example, I was confused when I looked at the PDU why it went up to n=108; there definitely are not 108 programs installed on my machine. However, looking at the output of SNMPwalk showed me it was returning multiple attributes of the installed software, such as install dates, what type of software it is, etc. If you want generalities, go for SNMPenum; you want as much information as possible? SNMPwalk. The basic usage is:
snmpwalk -c -v
If you know the OID you want to look up (like the one above), SNMPwalk can run just that one. Below is a quick screenshot of snmpwalk in action.
[Screenshot: SNMPwalk output snippet]
I should also say here that SNMP version 3 does not send its community name in the clear, so unless you know (or *cough* bruteforce *cough*) the community name these will not work. You should also not be able to do this from outside the internal network.... should.
You can do a whole lotta stuff with SNMP; check out SecurityProNews for more information. It's especially good if you find a router, as seen in Vivek's videos.
I will post my findings from snmpenum on pastebin (here it is!) so you can see what the output can look like, but I suggest you guys go out there and try it yourselves! How do you think this could be used against the victim?
3 comments:
PS: Metasploit can do some sweet stuff with SMB; check out the options under 'auxiliary/scanner/smb/'. Maybe we will use one of these later?? :P Stay thirsty my friends....
This is all like a walk down memory lane for me...in order to complete my master's thesis, I wrote an SNMP polling application. In Java. In 1995. ;-)
Very cool stuff, and great for info gathering. I used what I learned about SNMP in grad school when I was doing vuln assessments and pen tests.
It's amazing how people are still leaving it open and insecure, ain't it :)