SNMP - Simple Network Management Protocol
Ports
UDP Ports
161
Manager → Agent
It is used for active communication between the Manager and the Agent
This communication allows the data transfer via request-response from both sides
The Manager initiates the connection to Port 161 of the Agent
162
Agent → Manager
This port is used to notify events or alerts from the Agent to the Manager
There are several types of notifications such as TRAPS or INFORMS
Therefore, the Agent connects to Port 162 of the Manager to send these notifications
Elements
Manager
It is responsible for monitoring, consulting and managing network devices running SNMP Agents
It sends SNMP Commands to the Agents to obtain information or modify configurations
The Manager uses the MIBs as a dictionary to translate a specific OID into its name/description for better understanding
Agent
It is a process running on the network device being monitored, and it acts as an SNMP server
It responds to requests sent by the Manager and sends notifications about relevant items to the Manager
Thus, it retrieves, from its internal databases, the values associated with the elements requested by the Manager and sends them to the Manager
MIB
It is a hierarchically structured database that defines and describes the OIDs available on a device
IMPORTANT
It does not contain the values of the OIDs, but their definition
In other words, it does not store data; it's only a definition structure
It is represented as a tree, with each OID being a different node
In the Manager, the MIB helps to interpret OIDs and translate incoming data into something readable
e.g. It translates the OID 1.3.6.1.2.1.1.1 into System Description thanks to the MIB
In the Agent, the MIB helps to structure and organise how values are stored and exposed by the Agent when it receives a request from the Manager
OID
An Object Identifier is a unique reference within a MIB that represents a specific piece of data that can be measured or configured via SNMP
e.g. For a given object → 1.3.6.1.2.1.1
Hierarchical Structure
1: ISO → 3: Org → 6: Dod → 1: Internet → 2: Management → 1: MIB-2 → 1: System → 1: sysDescr (System Description)
Therefore, an OID is simply an entry within a MIB
The MIB defines aspects of the OID such as:
- What the OID represents
- How to interpret its Value
- How it relates to others in the hierarchy
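The Manager-side translation described above, as an added example that is not part of the original notes: a numeric OID is resolved node by node against a hand-written subset of the MIB-2 system subtree. The function names and the `rest=` output field are assumptions made for this sketch; the trailing `.0` left over after `sysDescr` is the instance index of a scalar object.

```shell
#!/bin/sh
# Added example: what a Manager does with a MIB when it receives a numeric OID.

# Hand-written subset of the MIB-2 "system" subtree: definitions only, no values.
mib_subset() {
cat <<'EOF'
1 iso
1.3 org
1.3.6 dod
1.3.6.1 internet
1.3.6.1.2 mgmt
1.3.6.1.2.1 mib-2
1.3.6.1.2.1.1 system
1.3.6.1.2.1.1.1 sysDescr
1.3.6.1.2.1.1.4 sysContact
1.3.6.1.2.1.1.5 sysName
EOF
}

# translate_oid NUMERIC_OID  ->  "<named path> rest=<unresolved suffix|none>"
translate_oid() {
    mib_subset | awk -v oid="${1#.}" '
    { name[$1] = $2 }                    # load definitions: numeric prefix -> node name
    END {
        n = split(oid, part, ".")
        prefix = ""; path = ""; i = 1
        while (i <= n) {                 # descend one tree node per OID component
            cand = (prefix == "" ? part[i] : prefix "." part[i])
            if (!(cand in name)) break   # node not defined in the loaded MIB
            prefix = cand
            path = (path == "" ? "" : path ".") name[prefix]
            i++
        }
        rest = ""
        while (i <= n) { rest = rest (rest == "" ? "" : ".") part[i]; i++ }
        print path " rest=" (rest == "" ? "none" : rest)
    }'
}

translate_oid 1.3.6.1.2.1.1.1.0   # scalar instance of sysDescr
translate_oid 1.3.6.1.4.1         # subtree missing from this subset stays numeric
```

An OID whose subtree is not in the loaded MIB stays numeric past the last known node, which is why the MIB download step matters before reading a walk.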
Versions
SNMPv1
NoAuthNoEnc
It uses a simple Community String as an Authentication Method
It supports a basic set of commands: GET, SET, GETNEXT and TRAP
The information is transmitted in plain text between both sides
SNMPv2c
NoAuthNoEnc
It remains insecure due to the lack of encryption of communications and the use of community strings as an Auth Method
However, it adds new functionality such as GETBULK and INFORM, which improve efficiency and introduce reliable notifications, respectively
SNMPv3
Authentication & Encryption
This version focuses mainly on Security
New improvements such as:
- User-based Authentication
- Encrypted Communication
- Integrity
- Access Control
Different Security Levels:
- NoAuthNoPriv
- AuthNoPriv
- AuthPriv
SNMP Commands
Command | Description | Direction |
---|---|---|
GET | Request the value of a specific OID | Manager → Agent |
GETNEXT | Request the following OID in the MIB Tree | Manager → Agent |
GETBULK | Retrieve values of several OIDs in a single request | Manager → Agent |
SET | Modify an OID value | Manager → Agent |
TRAP | Send an event notification without confirmation | Agent → Manager |
INFORM | Same as TRAP but with confirmation | Agent → Manager |
Enumeration
Download MIBs for OID translation
sudo apt install -y -- snmp-mibs-downloader && download-mibs
This line must be commented out in order to load all the available MIBs:
mibs :
Get SNMP Version
There are different versions of SNMP
- SNMPv1
- SNMPv2c
- SNMPv3
Nmap
nmap -p161,162 -sU -sV -sC -n -Pn --disable-arp-ping <TARGET>
nmap -sV --script "snmp* and not snmp-brute" <TARGET>
Community String Bruteforce
SNMPv1 & SNMPv2c
A frequently used community string is public
OneSixtyOne
onesixtyone -c <WORDLIST> <TARGET>
Hydra
hydra -P <WORDLIST> <TARGET> snmp
Dictionaries/Wordlists
Seclist I • Seclist II • Seclist III • Seclist IV
Retrieve OIDs Values
To retrieve OIDs and their values from an SNMP Agent once the community string is known:
Snmpwalk
snmpwalk -v <SNMP_VERSION> -c <COMM_STRING> <TARGET>
Snmpbulkwalk
snmpbulkwalk -v <SNMP_VERSION> -c <COMM_STRING> <TARGET> .
- SNMP Extended Query
snmpwalk -v <SNMP_VERSION> -c <COMM_STRING> <IP_ADDRESS> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
Snmp-check
snmp-check <IP_ADDRESS> -p <PORT> -c <COMM_STRING>
Braa
braa <COMM_STRING>@<TARGET>:1.3.6.*
Relevant Information Extraction
Once all the information related to SNMP Agents has been extracted, proceed as follows to filter for the most interesting items
Devices
SysDesc MIB data:
1.3.6.1.2.1.1.1.0
grep -F -- ".1.3.6.1.2.1.1.1.0" <SNMP_DUMP>
Private Community String
grep -i -- 'trap' <SNMP_DUMP>
Usernames/Passwords
grep -iP -- 'login|fail' <SNMP_DUMP>
Emails
grep -iPo -- '\b[\w\.%\+\-]+@[\w\.\-]+\.[a-zA-Z]{2,6}\b' <SNMP_DUMP>
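Seen from the Agent side, what the steps above find comes down to a few configuration directives. The following is an added example, not part of the original notes: it audits a net-snmp style snmpd.conf for community strings, the default values public/private, unrestricted sources, `extend` entries (readable through nsExtendOutputFull) and SNMPv3 users not held to AuthPriv. The sample configuration, the finding codes and the function names are constructed for this sketch, and `rouser`/`rwuser` lines are assumed to carry no `-s` option.

```shell
#!/bin/sh
# Added example: audit a net-snmp style snmpd.conf for settings exposed by enumeration.

# Constructed sample configuration; every value here is made up.
sample_conf() {
cat <<'EOF'
# constructed sample
rocommunity public
rwcommunity s3cr3t-rw 10.0.0.5
com2sec readonly default public
extend backup /usr/local/bin/backup-status.sh
rouser monitor auth
rouser auditor priv
EOF
}

# Reads a config on stdin, prints one finding per line as CODE:LINE:DETAIL.
audit_snmpd_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
    $1 ~ /^r[ow]community6?$/ {                  # rocommunity COMMUNITY [SOURCE ...]
        print "CLEARTEXT_COMMUNITY:" NR ":" $1   # v1/v2c secret travels unencrypted
        if ($2 == "public" || $2 == "private") print "DEFAULT_COMMUNITY:" NR ":" $2
        if ($1 ~ /^rw/) print "WRITE_COMMUNITY:" NR ":SET allowed"
        if (NF < 3 || $3 == "default") print "ANY_SOURCE:" NR ":no source restriction"
        next
    }
    $1 == "com2sec" {                            # com2sec NAME SOURCE COMMUNITY
        print "CLEARTEXT_COMMUNITY:" NR ":" $1
        if ($4 == "public" || $4 == "private") print "DEFAULT_COMMUNITY:" NR ":" $4
        if ($3 == "default") print "ANY_SOURCE:" NR ":no source restriction"
        next
    }
    $1 == "extend" {                             # command output published over SNMP
        print "EXTEND_OUTPUT:" NR ":" $2 " readable via nsExtendOutputFull"
        next
    }
    $1 ~ /^r[ow]user$/ && $3 != "priv" {         # v3 user allowed below AuthPriv
        print "V3_NO_PRIV:" NR ":" $2 " not held to AuthPriv"
    }'
}

sample_conf | audit_snmpd_conf
```

Run it against a real file with `audit_snmpd_conf < /path/to/snmpd.conf`; a configuration that yields no output uses only SNMPv3 users held to AuthPriv and publishes no `extend` output.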