In this article, we will discuss various ethical hacking methods that can be used to perform SNMP probing. As you may know, SNMP can expose a great deal of information about targets, which can help attackers compromise the target network. Today we will explore the tools available for querying information about targets.
SNMP overview
There are many protocols in use today, and SNMP is one of the least understood. SNMP allows us to manage computers and network devices.
SNMP is stateless and datagram-oriented. It allows the management of computers in the network. Managed computers run an agent that communicates with the manager (the administrator's computer). These agents send information to the manager, and it is stored in a database known as the Management Information Base (MIB), a hierarchical organization of the information collected on each SNMP device in the network.
This information is invaluable to hackers probing SNMP on the network. They can target this database for information about hosts on the network, such as:
- Users: SNMP may reveal the number of user accounts and their names. User groups and account creation information can also be retrieved using SNMP.
- Installed software: A list of installed software can easily be obtained from the target computer using SNMP. This is extremely valuable for determining installed software versions for a more targeted attack.
- Open ports: Hackers may be able to determine open ports more stealthily by querying SNMP instead of performing an active scan, which could reveal their activity to system administrators and others.
SNMP communication takes place with protocol data units (PDUs), of which there are several different types. These include:
- GetRequest: This PDU is sent by the SNMP manager to retrieve one or more MIB variables specified in the PDU.
- SetRequest: This PDU is sent by the SNMP manager to set one or more MIB variables specified in the PDU to the values specified in the PDU.
- GetNextRequest: This PDU is sent by the SNMP manager to retrieve the MIB variable that follows the one specified in the PDU. A PDU can carry multiple requests. This PDU is primarily used by the SNMP manager to browse (walk) the SNMP agent's MIB.
- Trap: This is an unsolicited message sent by an SNMP agent to notify the SNMP manager of a significant event that has occurred on the agent.
There are several other PDUs that are beyond the scope of this article, such as GetBulkRequest, Response, and InformRequest.
There are mainly three versions of SNMP in use today. They differ in their implementation and in how security is handled through the community string. A community string acts like a password; administrative (write) access, for example, is authenticated with the “private” community string.
Below are the different versions of SNMP:
- SNMPv1: This version of SNMP is extremely weak in terms of security, as it uses clear-text authentication. The community string here defaults to “public”.
- SNMPv2: This version of SNMP has improved performance and security over version 1. However, it was not backward compatible with v1 and thus was not widely adopted.
- SNMPv3: This version of SNMP has greatly improved security and performance over v1 and v2. It implements integrity checks and encryption. However, it is still not widely deployed in many organizations.
Using the “public” community string, it is possible to query the MIB for information about specific hosts on the network. We can also use the “private” community string to make configuration changes to systems on the network.
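To make the PDU types and the community-string authentication described above concrete, here is an added example (not from the original article) that decodes the BER envelope of an SNMPv1/v2c datagram and flags what a network monitor would want to see: a default community string, or a SetRequest, which carries write access with nothing more than that clear-text string as its credential. The two sample datagrams are hand-encoded for this example, and `read_tlv`, `parse_snmp` and `audit` are names chosen here.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}

def read_tlv(buf, pos):  # one BER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0   # first octet packs two arcs
    for b in raw[1:]:                               # remaining arcs are base-128 groups
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # high bit clear ends the group
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Version, community, PDU type and OIDs of a community-based (v1/v2c) message."""
    _, body, _ = read_tlv(packet, 0)                 # outer SEQUENCE
    _, version, pos = read_tlv(body, 0)              # INTEGER: 0 = v1, 1 = v2c
    _, community, pos = read_tlv(body, pos)          # OCTET STRING, sent in clear text
    pdu_tag, pdu, _ = read_tlv(body, pos)            # context tag 0xA0..0xA7 = PDU type
    pos = 0     # skip request-id/error-status/error-index (a v1 Trap has 5 header fields)
    for _ in range(5 if pdu_tag == 0xA4 else 3):
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):                       # each varbind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def audit(packet):
    msg, findings = parse_snmp(packet), []           # what a monitoring rule would flag
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % msg["community"])
    if msg["pdu"] == "SetRequest":
        findings.append("unauthenticated write (SetRequest) over SNMP" + msg["version"])
    return msg, findings
# Constructed (hand-encoded BER, not captured) v1 GetRequest, community "public", for sysDescr.0
GET_SYSDESCR = bytes.fromhex("302602010004067075626c6963a01902012a020100020100"
                             "300e300c06082b060102010101000500")
# Constructed v2c SetRequest, community "private", setting sysContact.0 (1.3.6.1.2.1.1.4.0) to "x"
SET_SYSCONTACT = bytes.fromhex("3028020101040770726976617465a31a020107020100020100"
                               "300f300d06082b06010201010400040178")
```

SNMPv3 messages use a different envelope (a USM security header instead of a community string), so `parse_snmp` reports them as version "other" rather than decoding them.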
One of the common SNMP polling tools included with Kali Linux is snmp-check. This tool allows us to collect a lot of information from the target as mentioned above and much more. Metasploit also comes with a list of default MIBs in its database. It uses these to query the device for additional information depending on what level of access is obtained.
To run snmp-check, open a Kali Linux terminal and type “snmp-check”. A screen similar to the following will appear:
Once open, we get a basic usage manual that shows us how to use the tool.
We will now query some information from our target host. This information is queried from the MIB of the target host. It is important to note that this will only work for SNMPv1 and SNMPv2, not SNMPv3.
Obtaining information from a target
Now let’s see how we can collect juicy information from a target in our network. We decided to use a printer within our local network as the target to query for available information. The screenshot below shows what we obtained after running snmp-check against our printer’s IP address.
snmp-check is able to reveal the system information of the affected printer. The amount of information we have access to will depend on the MIB entries available and the type of device being accessed.
We also see below that we are able to read the network information:
The screenshot above shows network statistics of the target. We can also view network IP information, as shown below:
We are also able to view network interface information:
The tool also allows us to view device information:
As we can see above, we are able to pinpoint the exact series of printer that is in use and its current status. We can also view network routing information, as shown in the following screenshot:
The information accessible this way can vary quite a lot. We queried a door-unlocking device and received very similar results, as shown below:
Other information we can retrieve from other hosts includes routing information, TCP connections and listening ports.
Let’s now briefly discuss how we can prevent SNMP-based attacks.
Defense against SNMP-based attacks
To prevent SNMP-based attacks, SNMP must be disabled on devices that have it enabled but do not require it. SNMP must also be blocked at the network perimeter if it is not required on the network.
In addition, the default SNMP read community string needs to be changed from public, and the default write community string from private. These must be changed to distinct, longer and harder-to-guess strings.
The final step is to upgrade to SNMPv3, which is much more secure than v1 and v2.
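As an added example (not part of the article), here is a small checker for a net-snmp snmpd.conf that tests the hardening steps above: default or short community strings, communities accepted from any source, write access over v1/v2c, and whether any SNMPv3 user exists and is required to use encryption. The two configurations are constructed samples; `MIN_COMMUNITY_LEN` is an assumed threshold (the article only says "longer"), and the `agentaddress` line binding to 192.0.2.10 is an assumption about limiting exposure that the article does not prescribe.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 16          # assumed policy threshold; the article only says "longer"

def audit_snmpd_conf(text):
    """Check net-snmp snmpd.conf text against the controls above; return findings."""
    findings, v3_users = [], set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if not parts:
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive in ("rocommunity", "rwcommunity") and args:
            community = args[0]                       # v1/v2c: the string IS the credential
            if community in DEFAULT_COMMUNITIES:
                findings.append(f"{directive}: default community '{community}'")
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(f"{directive}: community shorter than {MIN_COMMUNITY_LEN} characters")
            if len(args) < 2 or args[1] == "default":  # optional 2nd arg restricts the source
                findings.append(f"{directive}: '{community}' accepted from any source address")
            if directive == "rwcommunity":
                findings.append("rwcommunity: write access with no authentication (v1/v2c)")
        elif directive == "createuser" and args:      # SNMPv3 USM user definition
            v3_users.add(args[0])
        elif directive in ("rouser", "rwuser") and args:
            level = args[1] if len(args) > 1 else "auth"   # net-snmp default minimum level
            if level != "priv":
                findings.append(f"{directive}: v3 user '{args[0]}' allowed without encryption")
    if not v3_users:
        findings.append("no SNMPv3 user (createUser): only v1/v2c community access possible")
    return findings

# Constructed samples, not taken from any real device.
WEAK_CONF = """\
rocommunity public
rwcommunity private
"""
HARDENED_CONF = """\
# v3 only, authPriv; passphrases are placeholders to be replaced
createUser monitor SHA "REPLACE-auth-passphrase" AES "REPLACE-priv-passphrase"
rouser monitor priv
agentaddress udp:192.0.2.10:161
"""
```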
If SNMP is allowed to remain open, hackers are able to obtain information such as network ARP table information, usernames, and open TCP ports that may allow them to further attack the system.
SNMP can be quite beneficial for hackers who know which tools to use and which information to collect on the network. Knowing the right tools and approach can save you time in your research. In addition, we looked at snmp-check and a few commands that can be very useful when practicing ethical hacking.