Chapter 3
Simple Network Management Protocol Sweeping
The Simple Network Management Protocol (SNMP) is typically used in network devices to report information such as bandwidth utilization, collision rates, and other statistics. However, some operating systems also have SNMP servers that can provide information such as CPU utilization, free memory, and other system-specific details.
Convenience for the system administrator can be a gold mine for the penetration tester: accessible SNMP servers can offer considerable information about a specific system or even make it possible to compromise a remote device. If, for instance, you can get the read/write SNMP community string for a Cisco router, you can download the router's entire configuration, modify it, and upload it back to the router.
The Metasploit Framework includes a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps. Before you start the scan, keep in mind that the read-only (RO) and read/write (RW) community strings will play an important role in the type of information you will be able to extract from a given device. On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to extract patch levels, running services, usernames, uptime, routes, and other information that can make things much easier for you during a pen test. (Community strings are essentially passwords used to query a device for information or to write configuration information to the device.)
Once you have guessed the community strings, SNMP itself (depending on the version) can allow anything from excessive information disclosure to full system compromise. SNMPv1 and v2c are inherently flawed protocols: the community string is the only credential, and it crosses the network in cleartext, so anyone who can sniff the traffic or guess the string has the same access as the administrator. SNMPv3, which adds per-user authentication and encryption, is significantly more secure. To gain access to a switch, you'll first need to attempt to find its community strings. The Framework's scanner/snmp/snmp_login module will try a word list against one or a range of IP addresses.
msf > use scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(snmp_login) > set THREADS 50
THREADS => 50
msf auxiliary(snmp_login) > run
[*] >> progress (192.168.1.0-192.168.1.255) 0/30208...
[*] 192.168.1.2 'public' 'GSM7224 L2 Managed Gigabit Switch'
[*] 192.168.1.2 'private' 'GSM7224 L2 Managed Gigabit Switch'
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >
A quick Google search for GSM7224 from the output tells us that the scanner has found both the public and private community strings for a Netgear switch. This result, believe it or not, has not been staged for this book. These are the default factory settings for this switch.
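To see what snmp_login is actually doing on the wire, here is an added example written for this page (it is not the book's code and not Metasploit's). It builds the same SNMPv1/v2c GetRequest for sysDescr.0 by hand in Python using only the standard library, parses the GetResponse an agent sends back, and tries a word list of community strings against one host. The 'GSM7224' response at the bottom is constructed so the parser can be exercised offline; the host and word list on the usage line are placeholders. The encoder also makes the protocol's weakness concrete: the community string is a plain OCTET STRING in every v1/v2c packet, which is why a sniffer recovers it without any cracking.

```python
"""Hand-built SNMPv1/v2c GetRequest for sysDescr.0 plus a community-string
sweep in the spirit of scanner/snmp/snmp_login.  Added example for this page,
not code from the book or from Metasploit.  Standard library only; the
'GSM7224' sample response at the bottom is constructed for offline use."""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0, the value snmp_login prints

# --- minimal BER (ASN.1) encoding: an SNMP message is just a few nested TLVs ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long form: 0x8N + N length bytes

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(v):
    # shortest two's-complement encoding (INTEGER, tag 0x02); v is non-negative here
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _oid(arcs):
    out = [40 * arcs[0] + arcs[1]]                    # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                    # base-128, high bit = "more follows"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _msg(pdu_tag, community, oid, request_id, value_tlv, version):
    varbind = _tlv(0x30, _oid(oid) + value_tlv)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    # Message = SEQUENCE { version, community OCTET STRING, PDU }.  The community
    # string is the only credential, and it sits here unencrypted.
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)

def build_get(community, oid=SYS_DESCR_OID, request_id=1, version=1):
    """GetRequest (tag 0xA0); version 0 = SNMPv1, 1 = SNMPv2c.  Value is NULL."""
    return _msg(0xA0, community, oid, request_id, b"\x05\x00", version)

def build_response(community, value, oid=SYS_DESCR_OID, request_id=1, version=1):
    """GetResponse (tag 0xA2) carrying an OCTET STRING, as an agent would answer."""
    return _msg(0xA2, community, oid, request_id, _tlv(0x04, value.encode()), version)

# --- decoding ---
def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                     # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_response(pkt):
    """Return (community, request_id, error_status, value) for a GetResponse;
    value is None when the PDU is not a GetResponse."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, _ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    ptag, pdu, _ = _read_tlv(msg, p)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _oidb, q = _read_tlv(vb, 0)
    _, val, _ = _read_tlv(vb, q)
    signed = lambda b: int.from_bytes(b, "big", signed=True)
    return comm.decode(errors="replace"), signed(rid), signed(err), (val if ptag == 0xA2 else None)

def community_on_wire(pkt):
    """What a sniffer on the segment sees: the community string, in cleartext."""
    _, msg, _ = _read_tlv(pkt, 0)
    _, _ver, p = _read_tlv(msg, 0)
    return _read_tlv(msg, p)[1].decode(errors="replace")

def sweep(host, wordlist, port=161, timeout=1.0):
    """Try each community string.  A v1/v2c agent silently drops a packet with a
    wrong community, so a timeout means 'not this one'; a GetResponse with
    error-status 0 means the string is accepted (at least read-only)."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid, community in enumerate(wordlist, start=1):
            sock.sendto(build_get(community, request_id=rid), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            _comm, got_rid, err, val = parse_response(data)
            if got_rid == rid and err == 0 and val is not None:
                hits.append((community, val.decode(errors="replace")))
    return hits

# Constructed sample: what the GSM7224 above would return for 'public', request-id 7.
SAMPLE_RESPONSE = build_response("public", "GSM7224 L2 Managed Gigabit Switch", request_id=7)

if __name__ == "__main__":
    import sys
    # usage (placeholders): python snmp_sweep.py 192.168.1.2 public private manager
    print(sweep(sys.argv[1], sys.argv[2:]))
```

A GetResponse only proves the string is accepted for reads. Telling an RO string from an RW one takes a SetRequest (PDU tag 0xA3) against a writable object, which this example deliberately does not send; Metasploit's module reports what the agent answered, not which access level the string grants.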