Friday, April 26, 2019

Enumerating SNMP Servers with NMAP

NMAP gives you the ability to use scripts to enumerate and exploit remote hosts through the NMAP Scripting Engine. Today we will be using NMAP scripts against a remote host running the SNMP service.

snmp-info

To return basic information about the SNMP server, use the 'snmp-info' script against the host.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-info 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:32 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00042s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 5fd4fd7eafbcbf5c00000000
|   snmpEngineBoots: 4
|_  snmpEngineTime: 2d21h31m42s

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
root@asus:~/unix%

snmp-interfaces

To return network information about the remote host, run the 'snmp-interfaces' script.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-interfaces 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:33 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00053s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-interfaces: 
|   lo
|     IP address: 192.168.0.25  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 33.45 Mb sent, 33.45 Mb received
|   Intel Corporation Wireless 7265
|     IP address: 10.228.100.110  Netmask: 255.224.0.0
|     MAC address: f8:94:c2:f6:72:64 (Unknown)
|     Type: ethernetCsmacd  Speed: 0 Kbps
|     Status: up
|_    Traffic stats: 1.55 Gb sent, 1.41 Gb received

Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
root@asus:~/unix% 

snmp-netstat

You can also gather active netstat output from a remote host running SNMP with the 'snmp-netstat' script.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-netstat 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:33 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00044s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-netstat: 
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  0.0.0.0:4433         0.0.0.0:0
|   TCP  0.0.0.0:58210        0.0.0.0:0
|   TCP  10.228.100.110:39722 184.25.204.33:80
|   TCP  10.228.100.110:47888 172.217.1.206:443
|   TCP  10.228.100.110:48270 172.217.1.206:443
|   TCP  10.228.100.110:53402 74.125.201.188:5228
|   TCP  10.228.100.110:58136 173.194.162.170:443
|   TCP  10.228.100.110:59808 74.125.1.169:443
|   TCP  10.228.100.110:59814 74.125.1.169:443
|   TCP  192.168.0.25:631        0.0.0.0:0
|   TCP  192.168.0.25:3306       0.0.0.0:0
|   TCP  192.168.0.25:6667       0.0.0.0:0
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:631          *:*
|   UDP  0.0.0.0:5353         *:*
|   UDP  0.0.0.0:6771         *:*
|   UDP  0.0.0.0:35616        *:*
|   UDP  0.0.0.0:35686        *:*
|   UDP  0.0.0.0:42840        *:*
|   UDP  0.0.0.0:58210        *:*
|   UDP  0.0.0.0:58338        *:*
|   UDP  10.228.100.110:123   *:*
|   UDP  10.228.100.110:6771  *:*
|   UDP  10.228.100.110:37725 *:*
|   UDP  192.168.0.25:123        *:*
|   UDP  192.168.0.25:6771       *:*
|   UDP  192.168.0.25:55301      *:*
|_  UDP  224.0.0.251:5353     *:*

Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
root@asus:~/unix% 
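The netstat listing above is most useful when it is compared against what the host is supposed to expose. The following Python script is an added example (not part of the original post): it parses the 'snmp-netstat' section of Nmap's normal output, separates listening sockets from established connections, and reports every listener that is not on an allowlist. The scan excerpt embedded in it is a constructed sample modelled on the output above, and the allowlist is an assumed one.

```python
"""Parse Nmap's 'snmp-netstat' output and flag unexpected listening sockets.

Added example, not code from the original post. SAMPLE_NMAP_OUTPUT is a
constructed excerpt modelled on the scan shown in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample: a trimmed copy of Nmap's normal output for the script.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
161/udp open  snmp
| snmp-netstat: 
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  0.0.0.0:4433         0.0.0.0:0
|   TCP  10.228.100.110:47888 172.217.1.206:443
|   TCP  192.168.0.25:3306       0.0.0.0:0
|   TCP  192.168.0.25:6667       0.0.0.0:0
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|_  UDP  224.0.0.251:5353     *:*

Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
"""


@dataclass(frozen=True)
class Socket:
    proto: str        # "TCP" or "UDP"
    local_addr: str
    local_port: int
    remote: str       # "addr:port", "0.0.0.0:0" or "*:*"

    @property
    def listening(self) -> bool:
        # Nmap renders a listening TCP socket with remote 0.0.0.0:0 and a
        # bound UDP socket with remote *:*; anything else is a connection.
        return self.remote in ("0.0.0.0:0", "*:*")


# One script line: "|   TCP  addr:port   remote" (the last line starts "|_").
LINE_RE = re.compile(r"^\|[_ ]\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_snmp_netstat(text: str) -> List[Socket]:
    """Return the sockets listed under the '| snmp-netstat:' header."""
    sockets: List[Socket] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("| snmp-netstat:"):
            in_section = True
            continue
        if not in_section:
            continue
        match = LINE_RE.match(line)
        if match is None:
            break  # first non-matching line ends the script's block
        proto, addr, port, remote = match.groups()
        sockets.append(Socket(proto, addr, int(port), remote))
    return sockets


def unexpected_listeners(sockets: List[Socket],
                         allowed: Set[Tuple[str, int]]) -> List[Socket]:
    """Listening sockets whose (proto, port) is not on the allowlist."""
    return sorted((s for s in sockets
                   if s.listening and (s.proto, s.local_port) not in allowed),
                  key=lambda s: (s.proto, s.local_port))


if __name__ == "__main__":
    # Assumed allowlist: only NTP and the SNMP agent itself are expected.
    allowed_ports = {("UDP", 123), ("UDP", 161)}
    for sock in unexpected_listeners(parse_snmp_netstat(SAMPLE_NMAP_OUTPUT),
                                     allowed_ports):
        print(f"unexpected listener: {sock.proto} "
              f"{sock.local_addr}:{sock.local_port}")
```

Run against a real scan by saving Nmap's output with '-oN' and passing the file contents to parse_snmp_netstat(). Because the agent reports sockets bound to every interface, this check catches services such as the database and IRC listeners in the output above that are not visible from a scan of the management interface alone.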

snmp-sysdescr

Retrieve the SNMP server type and operating system with the 'snmp-sysdescr' script.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-sysdescr 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:34 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00045s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-sysdescr: Linux asus 4.9.4-galliumos-braswell #1 SMP PREEMPT galliumos2 Thu Feb 23 01:58:04 UTC 2017 x86_64
|_  System uptime: 2d21h33m34.15s (25041415 timeticks)

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
root@asus:~/unix% 

snmp-processes

List all processes on the target machine with the 'snmp-processes' script. Be careful: this will generate quite a lot of output on the screen, so it is better to log it to a file.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-processes 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:43 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.027s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-processes: 
|   1: 
|     Name: systemd
|     Path: /sbin/init
|     Params: splash
|   2: 
|     Name: kthreadd
|   3: 
|     Name: ksoftirqd/0
...

Nmap done: 1 IP address (1 host up) scanned in 4.16 seconds
root@asus:~/unix%

snmp-win32-software

List all software on the remote machine with the 'snmp-win32-software' script. This will also generate a lot of output.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-win32-software 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:43 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00049s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-win32-software: 
|   accountsservice-0.6.40-2ubuntu11.3; 0-01-01T00:00:00
|   acl-2.2.52-3; 0-01-01T00:00:00
|   adduser-3.113+nmu3ubuntu4; 0-01-01T00:00:00
|   adwaita-icon-theme-3.18.0-2ubuntu3.1; 0-01-01T00:00:00
|   alsa-base-1.0.25+dfsg-0ubuntu5; 0-01-01T00:00:00
|   alsa-utils-1.1.0-0ubuntu5; 0-01-01T00:00:00
|   anacron-2.3-23; 0-01-01T00:00:00
|   apache2-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   apache2-bin-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   apache2-data-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   apache2-utils-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   app-install-data-15.10; 0-01-01T00:00:00
|   apparmor-2.10.95-0ubuntu2.10; 0-01-01T00:00:00
|   apt-1.2.29ubuntu0.1; 0-01-01T00:00:00
|   apt-utils-1.2.29ubuntu0.1; 0-01-01T00:00:00
|   aptdaemon-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
|   aptdaemon-data-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
|   arc-theme-galliumos-0git20160407.46a232e-galliumos4; 0-01-01T00:00:00
|   aspell-0.60.7~20110707-3build1; 0-01-01T00:00:00
|   aspell-en-7.1-0-1.1; 0-01-01T00:00:00
|   at-spi2-core-2.18.3-4ubuntu1; 0-01-01T00:00:00
|   audacity-2.1.2-1; 0-01-01T00:00:00
|   audacity-data-2.1.2-1; 0-01-01T00:00:00
|   avahi-autoipd-0.6.32~rc+dfsg-1ubuntu2.3; 0-01-01T00:00:00
|   avahi-daemon-0.6.32~rc+dfsg-1ubuntu2.3; 0-01-01T00:00:00
|   avahi-utils-0.6.32~rc+dfsg-1ubuntu2.3; 0-01-01T00:00:00
...

Nmap done: 1 IP address (1 host up) scanned in 26.03 seconds
root@asus:~/unix%

Run All Scripts Against a Host

Finally, to run all of the SNMP enumeration scripts against a host in one pass, use the '-sC' option (Nmap's default script set), here combined with '-sV' for service version detection.

root@asus:~/unix% nmap -sU -p 161 -sV -sC 192.168.0.25

Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:21 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.012s latency).
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-hh3c-logins: 
|_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 5fd4fd7eafbcbf5c00000000
|   snmpEngineBoots: 4
|_  snmpEngineTime: 2d21h20m48s
| snmp-interfaces: 
|   lo
|     IP address: 192.168.0.25  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 31.58 Mb sent, 31.58 Mb received
|   Intel Corporation Wireless 7265
|     IP address: 10.228.100.110  Netmask: 255.224.0.0
|     MAC address: f8:94:c2:f6:72:64 (Unknown)
|     Type: ethernetCsmacd  Speed: 0 Kbps
|_    Traffic stats: 1.55 Gb sent, 1.40 Gb received
| snmp-netstat: 
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  0.0.0.0:4433         0.0.0.0:0
|   TCP  0.0.0.0:58210        0.0.0.0:0
|   TCP  10.228.100.110:34344 172.217.2.14:443
|   TCP  10.228.100.110:34346 172.217.2.14:443
|   TCP  10.228.100.110:34572 172.217.12.3:443
|   TCP  10.228.100.110:36808 172.217.13.163:443
|   TCP  10.228.100.110:37260 151.139.128.14:80
|   TCP  10.228.100.110:37584 172.217.11.244:443
|   TCP  10.228.100.110:39722 184.25.204.33:80
|   TCP  10.228.100.110:44244 172.217.1.201:443
|   TCP  10.228.100.110:45064 172.217.2.3:443
|   TCP  10.228.100.110:45082 172.217.2.3:443
|   TCP  10.228.100.110:47888 172.217.1.206:443
|   TCP  10.228.100.110:49920 144.76.137.80:443
|   TCP  10.228.100.110:50016 72.21.91.29:80
|   TCP  10.228.100.110:51460 185.199.111.154:443
|   TCP  10.228.100.110:51466 185.199.111.154:443
|   TCP  10.228.100.110:51906 172.217.2.10:443
|   TCP  10.228.100.110:53402 74.125.201.188:5228
|   TCP  10.228.100.110:53712 107.154.108.145:443
|   TCP  10.228.100.110:54540 172.217.1.196:443
|   TCP  10.228.100.110:58072 173.194.162.170:443
|   TCP  10.228.100.110:58250 172.217.2.1:443
|   TCP  10.228.100.110:59750 74.125.1.169:443
|   TCP  10.228.100.110:60384 172.217.11.225:443
|   TCP  192.168.0.25:631        0.0.0.0:0
|   TCP  192.168.0.25:3306       0.0.0.0:0
|   TCP  192.168.0.25:6667       0.0.0.0:0
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:631          *:*
|   UDP  0.0.0.0:5353         *:*
|   UDP  0.0.0.0:6771         *:*
|   UDP  0.0.0.0:35616        *:*
|   UDP  0.0.0.0:35686        *:*
|   UDP  0.0.0.0:42840        *:*
|   UDP  0.0.0.0:58210        *:*
|   UDP  0.0.0.0:58338        *:*
|   UDP  10.228.100.110:123   *:*
|   UDP  10.228.100.110:6771  *:*
|   UDP  10.228.100.110:37725 *:*
|   UDP  192.168.0.25:123        *:*
|   UDP  192.168.0.25:6771       *:*
|   UDP  192.168.0.25:55301      *:*
|_  UDP  224.0.0.251:5353     *:*
| snmp-processes: 
|   1: 
|     Name: systemd
|     Path: /sbin/init
|     Params: splash
|   2: 
|     Name: kthreadd
|   3: 
|     Name: ksoftirqd/0
|   5: 
|     Name: kworker/0:0H
|   7: 
|     Name: rcu_preempt
|   8: 
|     Name: rcu_sched
|   9: 
|
| snmp-sysdescr: Linux asus 4.9.4-galliumos-braswell #1 SMP PREEMPT galliumos2 Thu Feb 23 01:58:04 UTC 2017 x86_64
|_  System uptime: 2d21h20m47.87s (24964787 timeticks)
| snmp-win32-software: 
|   accountsservice-0.6.40-2ubuntu11.3; 0-01-01T00:00:00
|   acl-2.2.52-3; 0-01-01T00:00:00
|   adduser-3.113+nmu3ubuntu4; 0-01-01T00:00:00
|   adwaita-icon-theme-3.18.0-2ubuntu3.1; 0-01-01T00:00:00
|   alsa-base-1.0.25+dfsg-0ubuntu5; 0-01-01T00:00:00
|   alsa-utils-1.1.0-0ubuntu5; 0-01-01T00:00:00
|   anacron-2.3-23; 0-01-01T00:00:00
|   apache2-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   apache2-bin-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   apache2-data-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   apache2-utils-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
|   app-install-data-15.10; 0-01-01T00:00:00
|   apparmor-2.10.95-0ubuntu2.10; 0-01-01T00:00:00
|   apt-1.2.29ubuntu0.1; 0-01-01T00:00:00
|   apt-utils-1.2.29ubuntu0.1; 0-01-01T00:00:00
|   aptdaemon-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
|   aptdaemon-data-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
|   arc-theme-galliumos-0git20160407.46a232e-galliumos4; 0-01-01T00:00:00
|   aspell-0.60.7~20110707-3build1; 0-01-01T00:00:00
|   aspell-en-7.1-0-1.1; 0-01-01T00:00:00
|   zenity-3.18.1.1-1ubuntu2; 0-01-01T00:00:00
|   zenity-common-3.18.1.1-1ubuntu2; 0-01-01T00:00:00
|   zip-3.0-11; 0-01-01T00:00:00
|   zlib1g-1:1.2.8.dfsg-2ubuntu4.1; 0-01-01T00:00:00
|   zlib1g-dev-1:1.2.8.dfsg-2ubuntu4.1; 0-01-01T00:00:00
|_  zram-config-0.5-galliumos1; 0-01-01T00:00:00
Service Info: Host: asus

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.07 seconds
root@asus:~/unix%

Enumerating SNMP Servers

NMAP gives you the ability to brute force SNMP community strings, which act as the credentials for SNMPv1/v2c access to the remote machine. We can do this by using the NMAP Scripting Engine and the 'snmp-brute' script.

root@asus:~/src% nmap -sU -p 161 --script snmp-brute 127.0.0.1 --script-args snmp-brute.communitiesdb=/home/sam/comstring.txt

Starting Nmap 7.01 ( https://nmap.org ) at 2019-10-05 15:33 MDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0010s latency).
PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|   router - Valid credentials
|   monitor - Valid credentials
|   adm - Valid credentials
|_  secret - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds
root@asus:~/src% 

As you can see, we successfully enumerated valid community strings on the remote host.
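A scan like the one above succeeds because the agent was configured with guessable strings and no source restrictions. The following Python script is an added example (not part of the original post) that audits a net-snmp 'snmpd.conf' for those conditions before anyone has to brute force them: it reads the rocommunity, rwcommunity and com2sec directives, flags commonly guessed or short community strings, configurations reachable from any source address, and write access granted via a community string. The configuration text is constructed for the example; the weak-string list is an assumed wordlist that includes the strings the scan above found valid.

```python
"""Audit a net-snmp snmpd.conf for weak community-string configuration.

Added example, not code from the original post. SAMPLE_SNMPD_CONF is a
constructed configuration; the directive names (rocommunity, rwcommunity,
com2sec) are the ones snmpd.conf uses.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed wordlist: "public"/"private" are the traditional defaults, the
# rest are the strings the brute-force scan above reported as valid.
WEAK_COMMUNITIES = {"public", "private", "secret", "router", "monitor", "adm"}
MIN_LENGTH = 12  # assumed local policy for community string length

# Constructed sample configuration (not a real host's snmpd.conf).
SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rocommunity monitor 10.0.0.0/8
rwcommunity private 192.168.0.10
rocommunity Gq8vLm2pXr4tWz9 192.168.0.10   # long, read-only, restricted
com2sec readonly default short1
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    directive: str
    community: str
    problem: str


# rocommunity/rwcommunity: "<directive> <community> [source [oid]]"
COMMUNITY_RE = re.compile(r"^\s*(rocommunity6?|rwcommunity6?)\s+(\S+)(?:\s+(\S+))?")
# com2sec: "com2sec <secname> <source> <community>"
COM2SEC_RE = re.compile(r"^\s*com2sec\s+\S+\s+(\S+)\s+(\S+)")


def audit_snmpd_conf(text: str) -> List[Finding]:
    """Return one Finding per weakness found in the configuration text."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        match = COMMUNITY_RE.match(line)
        if match:
            directive, community, source = match.groups()
        else:
            match = COM2SEC_RE.match(line)
            if not match:
                continue
            directive = "com2sec"
            source, community = match.groups()

        if community.lower() in WEAK_COMMUNITIES:
            findings.append(Finding(line_no, directive, community,
                                    "commonly guessed community string"))
        elif len(community) < MIN_LENGTH:
            findings.append(Finding(line_no, directive, community,
                                    f"community string shorter than {MIN_LENGTH} characters"))
        # No source, or net-snmp's "default", means any address may query.
        if source is None or source == "default":
            findings.append(Finding(line_no, directive, community,
                                    "no source restriction (reachable from any address)"))
        if directive.startswith("rw"):
            findings.append(Finding(line_no, directive, community,
                                    "write access granted via a community string"))
    return findings


if __name__ == "__main__":
    for f in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {f.line_no}: {f.directive} '{f.community}': {f.problem}")
```

A clean line in this audit (a long string restricted to one management address) only reduces the exposure of SNMPv1/v2c, which still sends the community string in clear text; the durable fix is to move monitoring to SNMPv3 users with authentication and privacy (net-snmp's createUser and rouser directives) and to keep UDP/161 filtered from untrusted networks.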
