Chapter 3

Simple Network Management Protocol Sweeping

The Simple Network Management Protocol (SNMP) is typically used in network devices to report information such as bandwidth utilization, collision rates, and other information. However, some operating systems also have SNMP servers that can provide information such as CPU utilization, free memory, and other system-specific details.

Convenience for the system administrator can be a gold mine for the penetration tester, and accessible SNMP servers can offer considerable information about a specific system or even make it possible to compromise a remote device. If, for instance, you can get the read/write SNMP community string for a Cisco router, you can download the router's entire configuration, modify it, and upload it back to the router.

The Metasploit Framework includes a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps. Before you start the scan, keep in mind that the read-only (RO) and read/write (RW) community strings will play an important role in the type of information you will be able to extract from a given device. On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to extract patch levels, running services, usernames, uptime, routes, and other information that can make things much easier for you during a pen test. (Community strings are essentially passwords used to query a device for information or to write configuration information to the device.)

After you guess the community strings, SNMP itself (depending on the version) can allow anything from excessive information disclosure to full system compromise. SNMPv1 and v2 are inherently flawed protocols. SNMPv3, which incorporates encryption and better check mechanisms, is significantly more secure. To gain access to a switch, you'll first need to attempt to find its community strings. The Framework's scanner/snmp/snmp_login module will try a word list against one or a range of IP addresses.

msf > use scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(snmp_login) > set THREADS 50
THREADS => 50
msf auxiliary(snmp_login) > run

[*] >> progress (192.168.1.0-192.168.1.255) 0/30208...
[*] 192.168.1.2 'public' 'GSM7224 L2 Managed Gigabit Switch'
[*] 192.168.1.2 'private' 'GSM7224 L2 Managed Gigabit Switch'
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >

A quick Google search for GSM7224 from the output tells us that the scanner has found both the public and private community strings for a Netgear switch. This result, believe it or not, has not been staged for this book. These are the default factory settings for this switch.
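The weakness the scan above exploits is that SNMPv1 and v2c send the community string as a cleartext OCTET STRING in every request, so a network sensor can spot the factory strings on the wire. The following is an added example, not code from the book or from Metasploit: a minimal BER encoder/decoder for the outer SNMP message that builds constructed GetRequest packets for sysDescr.0 and classifies them the way a detection rule on UDP/161 would; the default-string list and the output strings are this example's own choices.

```python
# Added example, not from the book: BER-level encoder/decoder for the outer SNMP
# message so a sensor can flag v1/v2c traffic carrying factory community strings.
# All packets here are constructed locally; nothing is sent on the network.
DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}      # encoding of the version INTEGER
SYSDESCR_OID = bytes.fromhex("2b06010201010100")   # 1.3.6.1.2.1.1.1.0 (sysDescr.0)

def _tlv(tag, value):
    """Encode one BER TLV (short length form; the requests built here are < 128 bytes)."""
    return bytes([tag, len(value)]) + value

def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def snmp_get_request(version, community, oid):
    """Build an SNMPv1 (0) or v2c (1) GetRequest for a single OID."""
    varbinds = _tlv(0x30, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b"")))
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")    # request-id, error-status
               + _tlv(0x02, b"\x00") + varbinds)                  # error-index, varbind list
    return _tlv(0x30, _tlv(0x02, bytes([version]))
               + _tlv(0x04, community.encode("latin-1")) + pdu)

def parse_snmp_header(pkt):
    """Return (version, community); community is None for SNMPv3."""
    tag, body, _ = _read_tlv(pkt, 0)
    tag2, ver, pos = _read_tlv(body, 0)
    if tag != 0x30 or tag2 != 0x02:
        raise ValueError("not an SNMP message: expected SEQUENCE { INTEGER version ... }")
    version = int.from_bytes(ver, "big")
    if version == 3:                               # v3 header carries msgGlobalData, no community
        return 3, None
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return version, community.decode("latin-1")

def check_packet(pkt):
    """Classify one UDP/161 payload the way a sensor rule would."""
    version, community = parse_snmp_header(pkt)
    name = VERSION_NAMES.get(version, f"v{version}")
    if version == 3:
        return f"ok: {name}"
    if community in DEFAULT_COMMUNITIES:
        return f"alert: {name} default community '{community}'"
    return f"info: {name} cleartext community"
```

Run over a real capture, the same check also shows why SNMPv3 is preferred: its header has no community field to read at all, while any v1/v2c string, default or not, is visible to every host on the path.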