Open WDavid404 opened 11 months ago
https://github.com/WDavid404/Note_tryhackme/issues/4
https://github.com/WDavid404/Note_tryhackme/issues/9#issuecomment-1851467317
NetBIOS information (nbtscan tool) https://github.com/WDavid404/Note_tryhackme/issues/9#issuecomment-1851467317
To list up remote shares with "net view" command https://github.com/WDavid404/Note_tryhackme/issues/9#issuecomment-1851467317
SNMP is based on UDP, a simple, stateless protocol, and is therefore susceptible to IP spoofing and replay attacks. Additionally, the commonly used SNMP protocols 1, 2, and 2c offer no traffic encryption, meaning that SNMP information and credentials can be easily intercepted over a local network. Traditional SNMP protocols also have weak authentication schemes and are commonly left configured with default public and private community strings.
Until recently, SNMPv3, which provides authentication and encryption, has been shipped to support only DES-56, proven to be a weak encryption scheme that can be easily brute-forced. A more recent SNMPv3 implementation supports the AES-256 encryption scheme.
The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, with branches that represent different organizations or network functions. The leaves of the tree (or final endpoints) correspond to specific variable values that can then be accessed and probed by an external user. The IBM Knowledge Center contains a wealth of information about the MIB tree.
For example, the following MIB values correspond to specific Microsoft Windows SNMP parameters and contain much more than network-based information:
1. nmap tool
```
sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
```
2. onesixtyone tool
An alternative, onesixtyone, will attempt a brute force attack against a list of IP addresses. First, we must build text files containing community strings and the IP addresses we wish to scan.
```
kali@kali:~$ echo public > community
kali@kali:~$ echo private >> community
kali@kali:~$ echo manager >> community
kali@kali:~$ for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
kali@kali:~$ onesixtyone -c community -i ips
Scanning 254 hosts, 3 communities
192.168.50.151 [public] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
...
```
3. snmpwalk tool
Once we find SNMP services, we can start querying them for specific MIB data that might be interesting.
This command enumerates the entire MIB tree using the -c option to specify the community string, and -v to specify the SNMP version number as well as the -t 10 option to increase the timeout period to 10 seconds:
Using snmpwalk to enumerate the entire MIB tree of Windows
```
kali@kali:~$ snmpwalk -c public -v1 -t 10 192.168.50.151
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.3
iso.3.6.1.2.1.1.3.0 = Timeticks: (78235) 0:13:02.35
iso.3.6.1.2.1.1.4.0 = STRING: "admin@megacorptwo.com"
iso.3.6.1.2.1.1.5.0 = STRING: "dc01.megacorptwo.com"
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 79
iso.3.6.1.2.1.2.1.0 = INTEGER: 24
...
```
The following example enumerates the Windows users on the dc01 machine.
```
kali@kali:~$ snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.6.107.114.98.116.103.116 = STRING: "krbtgt"
iso.3.6.1.4.1.77.1.2.25.1.1.7.115.116.117.100.101.110.116 = STRING: "student"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
```
As another example, we can enumerate all the currently running processes:
```
kali@kali:~$ snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.88 = STRING: "Registry"
iso.3.6.1.2.1.25.4.2.1.2.260 = STRING: "smss.exe"
iso.3.6.1.2.1.25.4.2.1.2.316 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.372 = STRING: "csrss.exe"
iso.3.6.1.2.1.25.4.2.1.2.472 = STRING: "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.476 = STRING: "wininit.exe"
iso.3.6.1.2.1.25.4.2.1.2.484 = STRING: "csrss.exe"
iso.3.6.1.2.1.25.4.2.1.2.540 = STRING: "winlogon.exe"
iso.3.6.1.2.1.25.4.2.1.2.616 = STRING: "services.exe"
iso.3.6.1.2.1.25.4.2.1.2.632 = STRING: "lsass.exe"
iso.3.6.1.2.1.25.4.2.1.2.680 = STRING: "svchost.exe"
...
```
We can also query all the software that is installed on the machine:
```
kali@kali:~$ snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.27.29016"
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: "Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29016"
iso.3.6.1.2.1.25.6.3.1.2.4 = STRING: "Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.27.290"
iso.3.6.1.2.1.25.6.3.1.2.5 = STRING: "Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.27.290"
iso.3.6.1.2.1.25.6.3.1.2.6 = STRING: "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.27.29016"
iso.3.6.1.2.1.25.6.3.1.2.7 = STRING: "Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.27.29016"
...
```
Another SNMP enumeration technique is to list all the current TCP listening ports:
```
kali@kali:~$ snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.88.0.0.0.0.0 = INTEGER: 88
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.389.0.0.0.0.0 = INTEGER: 389
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.464.0.0.0.0.0 = INTEGER: 464
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.593.0.0.0.0.0 = INTEGER: 593
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.636.0.0.0.0.0 = INTEGER: 636
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3268.0.0.0.0.0 = INTEGER: 3268
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3269.0.0.0.0.0 = INTEGER: 3269
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.5357.0.0.0.0.0 = INTEGER: 5357
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.5985.0.0.0.0.0 = INTEGER: 5985
...
```
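In both the user walk (1.3.6.1.4.1.77.1.2.25) and the TCP walk (1.3.6.1.2.1.6.13.1.3) above, the interesting data is encoded in the OID index itself: user rows are indexed by a length-prefixed ASCII name (5.71.117.101.115.116 is "Guest"), and tcpConnTable rows by local address, local port, remote address, remote port. The parser below is an added example, not part of the course or these notes; it works on snmpwalk output saved to a file, uses constructed sample lines, and goes one step beyond the walk above by discarding the established connections that the same table also returns, so that only real listeners are reported.

```python
import re

# Constructed sample lines, in the shape snmpwalk prints them (not captured from the page's host)
SAMPLE_WALK = """\
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.88.0.0.0.0.0 = INTEGER: 88
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.10.0.0.5.5985.10.0.0.9.51234 = INTEGER: 5985
"""
USERS_OID = "1.3.6.1.4.1.77.1.2.25.1.1"  # LanMgr user table, name column (OID used on the page)
TCP_OID = "1.3.6.1.2.1.6.13.1.3"         # tcpConnTable, local-port column (OID used on the page)
LINE_RE = re.compile(r'^(?:iso|\.?1)\.([\d.]+) = (\w+): (.*)$')  # root printed as "iso" or ".1"

def iter_varbinds(text):
    """Yield (numeric OID, type, typed value) for each varbind line snmpwalk printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suffix, typ, raw = m.groups()
            value = raw.strip('"') if typ == "STRING" else int(raw) if typ == "INTEGER" else raw
            yield "1." + suffix, typ, value

def sub_ids(oid, prefix):  # sub-identifiers of oid below the table column prefix, as ints
    return [int(x) for x in oid[len(prefix) + 1:].split(".")]

def decode_index_string(index):
    """User rows are indexed by a length-prefixed ASCII name: 5.71.117.101.115.116 -> 'Guest'."""
    n, chars = index[0], index[1:]
    if len(chars) != n:
        raise ValueError("length byte %d does not match %r" % (n, chars))
    return bytes(chars).decode("ascii")

def decode_tcp_index(index):
    """tcpConnTable index = localAddr(4).localPort.remoteAddr(4).remotePort -> (laddr, lport, raddr, rport)."""
    if len(index) != 10:
        raise ValueError("tcpConnTable index needs 10 sub-identifiers, got %r" % index)
    return ".".join(map(str, index[0:4])), index[4], ".".join(map(str, index[5:9])), index[9]

def enumerate_walk(text):
    """Return (user names decoded from the OID index, sorted local ports that are actually listening)."""
    users, listening = [], set()
    for oid, _typ, _value in iter_varbinds(text):
        if oid.startswith(USERS_OID + "."):
            users.append(decode_index_string(sub_ids(oid, USERS_OID)))
        elif oid.startswith(TCP_OID + "."):  # the table also holds established connections
            _laddr, lport, raddr, rport = decode_tcp_index(sub_ids(oid, TCP_OID))
            if raddr == "0.0.0.0" and rport == 0:  # a listener has no remote endpoint yet
                listening.add(lport)
    return users, sorted(listening)
```

Feed it the saved output of `snmpwalk -c public -v1 <host>` (no OID argument) and it picks out both tables from the full walk; the third sample line is an established WinRM session and is correctly not reported as a listener.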
### Tool: snmpcheck (from THM)
https://github.com/WDavid404/Note_tryhackme/issues/9#issuecomment-1786722311
`/opt/snmpcheck/snmpcheck.rb 10.10.64.128 -c COMMUNITY_STRING`
Case: Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server at IP 10.10.64.128:
`./snmpcheck.rb 10.10.64.128 -c public|more`
Passive Information Gathering
Whois enumeration
https://github.com/WDavid404/Note_tryhackme/issues/5#issuecomment-1780303285
Google Hacking
https://github.com/WDavid404/Note_tryhackme/issues/5#issuecomment-1780303285
Netcraft
https://github.com/WDavid404/Note_tryhackme/issues/5#issuecomment-1780303285
OpenSource Code --> Gitlab search
https://github.com/WDavid404/Note_tryhackme/issues/5#issuecomment-1780303285
Shodan
https://github.com/WDavid404/Note_tryhackme/issues/5#issuecomment-1780303285
Security header and SSL/TLS
https://github.com/WDavid404/Note_tryhackme/issues/5#issuecomment-1780303285