SNMP Enumeration

00:00

S and M. P. Enumeration

00:02

are learning objectives are to understand what S N M P is used for and then demonstrate how to enumerate S NMP. If your mind is going crazy where all these acronyms, I I can understand that uh all these protocols, we're learning about all these different things and me working for the government. I can appreciate and understand

00:21

why we use acronyms, but we just learned about SMTP and now we're learning about S and M P. Uh they're different though, so S and M P

00:31

is simple network management protocol and like its name,

00:35

it is used for network management. So we're gonna get a whole lot of configuration information and services that are running and users and and just a treasure trove of valuable information as Attackers from this protocol.

00:50

Um and basically what this is is it's stored in a database called a MIB or a Master Information Base. And then the mid is further comprised of these long strings of numbers called object identifiers. Now, no one's asking you to memorize specific. Oh I D s if you could. That's pretty impressive.

01:07

But certain slides refer to certain things like maybe the host name or user names or certain services that are running.

01:15

So a google is worth it if you're looking for for specific. Oh, I. D. Strings,

01:22

S and M. P is based on UdP. Some of the other protocols were looking at were based on TCP, but this is UdP based and is found on port 1 61. In fact, there's a tool look at called 1 61.

01:34

It also uses community strings,

01:37

the most popular one being public, which is usually read only some of these other strings like private or secret. You might be able to read and write to it. That's not to say you couldn't read and write to public. But most machines are configured where public is readable only and sometimes a guessing game to figure out which community string is on that machine.

01:57

Like S. And B. There's three versions of S and M. P. There's version one and version to see charlie which have no encryption, so it's transmitted in the Clear and then version three which is the most secure because it has encryption.

02:13

So N Map is our trusty friend yet again for enumerating S. N. M. P. And you can see here we're using N Map. S. You I'm the root user so I don't have to use Sudo. But if you are the Cali user or a non root user, you need a pseudo uh with the S. U. Flag on port 1 61 and the script that we're using, his S and M. P. Win 32 users. So I'm trying to figure out all the users that are on this machine,

02:36

of course S and M. P. Can enumerate other services that are running, can do things like Net stat and processes and shares. So you can do the S and M. P. With the asterix afterwards and and possibly get a whole lot of other valuable information from this from the script.

02:53

And here's our 1 61 tool. And what that's used for is enumerating these community strings and it has a dictionary in it.

03:00

And you can see it's looking at 51 communities here from that text file for enumeration and it did find one community string which is secret.

03:09

So I found the secret.

03:12

We also have S and M. P. Check,

03:15

There's S and M. P. Check and S and M. P. Walk. I prefer S and M. P check. Just because I think the output is a whole lot cleaner than SNP Walk, which sometimes it looks like the terminal window just throw up on you and and it's kind of not very nice to look at S and M. P. Check I think is a lot easier on the eyes

03:31

so you can see here. I use S and M. P. Check. I didn't have to use what version I'm looking at. I didn't have to use which string I'm looking at.

03:38

Um It has some defaults built in but here we can see, you know, the system information, the user account information, network information and so on, nicely organized.

03:49

On the other hand, there S. And M. P. Walk.

03:52

As you can see here with S&M. P. Walk, I had to specify the version version one. The community string is public

03:58

and after the after 1921681231 Or target. I put an O. I. D. Uh string in there which are to enumerate all the users on this machine. Of course I had to google that oh I. D. Number because I don't know it off the top of my head but you can see here it enumerated all the different users on the machine. S. S. H. D. Guest

04:17

uh The user S. S. H. D. Server and administrator

04:21

so the output again is not as nice as S an mp check.

04:30

Also. Um here you can see I did attack W option for S and M. P. Check

04:35

and uh

04:38

we can see that there. That right access is permitted.

04:41

Um That's good if it's a Lennox machine because it is a Lennox machine, you can actually try to get a shell on that with a medicine module.

04:49

Lennox, S and M. P. Net S. And M. P. D. R. W. Sensor read, write access.

04:57

And that's to say that S. And M. P. Isn't a windows specific uh protocol. We can also have it in Lennox as well.

05:04

So here's writings, S. And M. P. There's a meta split auxiliary module where you can see here where I set the oh I. D. Which is the host name. Um I set that from a change from Debian to Sai Buri Rocks.

05:19

So in the lab environment, um I encourage you to see if you can enumerate S. And M. P. And if if it's readable and writable and if it's readable, then try to write uh one of the oh I. D. Values and change it.