|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | + Installation instructions for SNMP server can be found for every operating system. |
| 4 | + The [Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-14-04) instructions can be used as an example for installing and configuring NFS. The |
| 5 | + following was done on Kali linux: |
| 6 | + |
| 7 | + 1. `sudo apt-get install snmpd` |
| 8 | + 2. Set SNMP to listen on non-localhost: `nano /etc/snmp/snmpd.conf` |
| 9 | + ``` |
| 10 | + # Listen for connections from the local system only |
| 11 | + #agentAddress udp:127.0.0.1:161 |
| 12 | + # Listen for connections on all interfaces (both IPv4 *and* IPv6) |
| 13 | + agentAddress udp:161,udp6:[::1]:161 |
| 14 | + ``` |
| 15 | + 3. Restart the service: `service snmpd restart` |
| 16 | + |
| 17 | +### SNMP Versions |
| 18 | + |
| 19 | +SNMP has 3 main versions. |
| 20 | +* ***1**, ***2c**: both use simple password protection (string), and are often defaulted to `public` (read only), and `private` (read/write). Version 2 is backwards compatible with version 1. This is a plaintext protocol and is vulenrable to being intercepted. |
| 21 | +* ***3**: has several security levels and is significantly more complex, but also not covered in this module. |
| 22 | + |
| 23 | +## Verification Steps |
| 24 | + |
| 25 | + 1. Install and configure SNMP |
| 26 | + 2. Start msfconsole |
| 27 | + 3. Do: `use auxiliary/scanner/snmp/snmp_login` |
| 28 | + 4. Do: `run` |
| 29 | + |
| 30 | +## Scenarios |
| 31 | + |
| 32 | + A run against the configuration from these docs |
| 33 | + |
| 34 | + ``` |
| 35 | + msf > use auxiliary/scanner/snmp/snmp_login |
| 36 | + msf auxiliary(snmp_login) > set rhosts 127.0.0.1 |
| 37 | + rhosts => 127.0.0.1 |
| 38 | + msf auxiliary(snmp_login) > run |
| 39 | + |
| 40 | + [!] No active DB -- Credential data will not be saved! |
| 41 | + [+] 127.0.0.1:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Linux hostname 4.9.0-kali1-amd64 #1 SMP Debian 4.9.6-3kali2 (2017-01-30) x86_64 |
| 42 | + [*] Scanned 1 of 1 hosts (100% complete) |
| 43 | + [*] Auxiliary module execution completed |
| 44 | + ``` |
| 45 | + |
| 46 | + Another example can be found at this [source](http://bitvijays.github.io/blog/2016/03/03/learning-from-the-field-basic-network-hygiene/): |
| 47 | + |
| 48 | + ``` |
| 49 | + [+] 10.4.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JA, RELEASE SOFTWARE (fc2) |
| 50 | + Technical Support: http://www.cisco.com/techsupport |
| 51 | + Copyright (c) 1986-2007 by Cisco Systems, Inc. |
| 52 | + Compiled Wed 24-Oct-07 15:17 by prod_rel_team |
| 53 | + [*] Scanned 12 of 58 hosts (20% complete) |
| 54 | + [*] Scanned 18 of 58 hosts (31% complete) |
| 55 | + [+] 10.10.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006 |
| 56 | + [+] 10.10.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006 |
| 57 | + [*] Scanned 24 of 58 hosts (41% complete) |
| 58 | + [+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009 |
| 59 | + [+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009 |
| 60 | + [+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009 |
| 61 | + [+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009 |
| 62 | + [+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009 |
| 63 | + [+] 10.11.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): ExtremeXOS version 12.2.2.11 v1222b11 by release-manager on Mon Mar 23 17:54:47 PDT 2009 |
| 64 | + [*] Scanned 29 of 58 hosts (50% complete) |
| 65 | + [*] Scanned 35 of 58 hosts (60% complete) |
| 66 | + [*] Scanned 41 of 58 hosts (70% complete) |
| 67 | + [*] Scanned 47 of 58 hosts (81% complete) |
| 68 | + [+] 10.25.xx.xx:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Digi Connect ME Version 82000856_F6 07/21/2006 |
| 69 | + ``` |
| 70 | + |
| 71 | +## Confirming |
| 72 | + |
| 73 | +Since SNMP has been around for quite a while, there are many tools which can also be used to verify this configuration issue. |
| 74 | +The following are other industry tools which can also be used. |
| 75 | + |
| 76 | +### [nmap](https://nmap.org/nsedoc/scripts/snmp-info.html) |
| 77 | + |
| 78 | +``` |
| 79 | +nmap -p 161 -sU --script=snmp-info 127.0.0.1 |
| 80 | +
|
| 81 | +Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-12 23:00 EST |
| 82 | +Nmap scan report for localhost (127.0.0.1) |
| 83 | +Host is up (0.00017s latency). |
| 84 | +PORT STATE SERVICE |
| 85 | +161/udp open snmp |
| 86 | +| snmp-info: |
| 87 | +| enterprise: net-snmp |
| 88 | +| engineIDFormat: unknown |
| 89 | +| engineIDData: 54ad55664725a15800000000 |
| 90 | +| snmpEngineBoots: 2 |
| 91 | +|_ snmpEngineTime: 31m30s |
| 92 | +
|
| 93 | +Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds |
| 94 | +``` |
0 commit comments