SNMP can be a hidden gem that is often overlooked during penetration testing. The amount of information you can obtain with nothing more than snmpwalk from the command line is impressive, but the output is lengthy, and unless you have memorized the SNMP OID tree or feel like googling each OID it really helps to have a tool such as snmpcheck available. Below we describe what snmpcheck, which is written in Perl, will do for you, and we provide examples against a Cisco router and a Backtrack Linux (Ubuntu-based) server.
Information snmpcheck Will Provide:
The snmpcheck.pl Perl script, located under "Information Gathering > Network Analysis > SNMP Analysis" in the Backtrack menu, provides a summary of a device broken down into neatly formatted sections: system information, device information, storage information, processes, network information, network interfaces, routing information, listening TCP and UDP ports and connections, and mount points. It gathers all of that in a matter of seconds over SNMP.
snmpcheck Help Menu:
- root@bt:/pentest/enumeration/snmp/snmpcheck# perl snmpcheck-1.8.pl -h
- snmpcheck.pl v1.8 - SNMP enumerator
- Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
- Usage ./snmpcheck.pl -t <IP address>
- -t : target host;
- -p : SNMP port; default port is 161;
- -c : SNMP community; default is public;
- -v : SNMP version (1,2); default is 1;
- -r : request retries; default is 0;
- -w : detect write access (separate action by enumeration);
- -d : disable 'TCP connections' enumeration!
- -T : force timeout in seconds; default is 20. Max is 60;
- -D : enable debug;
- -h : show help menu;
- root@bt:/pentest/enumeration/snmp/snmpcheck#
As the help menu shows, the most basic invocation is just the -t switch followed by the IP address of the target. Every other setting has a default matching the most common configuration (SNMP version 1, port 161, community string public), and each can be overridden with its own switch, for example -v 2 for SNMPv2c or -c for a different community string. Note that snmpcheck only speaks SNMPv1 and v2c, and in both the community string is sent in cleartext in every packet, so anyone who can sniff the management traffic has it. Typically you will find devices with only RO (read-only) access enabled, but the -w switch checks whether the community string you supplied has RW (read/write) access, which would let a scanner change device configuration rather than just read it. For those not familiar with SNMP: when a community string is configured on a device it is designated RO or RW, and in most cases the default RO string is public while the default RW string is private, so always try those two before anything else. If you do not know a community string that can access the device, brute force one first with ADMsnmp or onesixtyone, both located in the same sub menu as snmpcheck.
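To make concrete what snmpcheck, snmpget and the community string brute forcers are actually putting on the wire, here is an added example (not code from snmpcheck or from this article) that builds SNMPv1 GetRequest and SetRequest packets by hand, parses a GetResponse, and tries a list of candidate community strings the way onesixtyone does. The MIB-2 OIDs are standard; the target host, the candidate list and the sysContact value used in the SET are assumptions for illustration. Running it shows that the community string travels as a plain OCTET STRING in every packet, and that a wrong string produces no reply at all.

```python
"""SNMPv1 on the wire, as snmpcheck and onesixtyone use it.
Added example, not part of snmpcheck. Builds GetRequest/SetRequest packets
with hand-rolled BER, parses a GetResponse, and can send one over UDP.
Host, candidate communities and the SET value are the caller's assumptions."""
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)    # sysDescr.0
SYS_CONTACT = (1, 3, 6, 1, 2, 1, 1, 4, 0)  # sysContact.0
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3

def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(value):
    """ASN.1 INTEGER, minimal two's complement encoding."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))

def _oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _octets(data):
    return _tlv(0x04, data)

def build_message(pdu_type, community, request_id, varbinds):
    """SNMPv1 message = SEQUENCE { version 0, community, PDU }.
    The community string is a plain OCTET STRING: anyone on the path can
    read it, which is why v1/v2c 'authentication' is so weak."""
    vb_list = b"".join(_tlv(0x30, _oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_type, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vb_list))
    return _tlv(0x30, _int(0) + _octets(community.encode()) + pdu)

def get_request(community, oid, request_id=1):
    """What snmpcheck -t / snmpget send: a GetRequest with a NULL value."""
    return build_message(GET_REQUEST, community, request_id, [(oid, b"\x05\x00")])

def set_request(community, oid, value, request_id=1):
    """A write test like snmpcheck -w is an SNMP SET; only the PDU tag
    (0xA3) and the carried value differ from a GetRequest."""
    return build_message(SET_REQUEST, community, request_id, [(oid, _octets(value.encode()))])

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _read_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)

def parse_response(data):
    """Decode a GetResponse into community, error-status and {oid: value}."""
    _, msg, _ = _read_tlv(data, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    _, _req_id, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid_body, vpos = _read_tlv(vb, 0)
        tag, value, _ = _read_tlv(vb, vpos)
        varbinds[_read_oid(oid_body)] = value.decode("latin-1") if tag == 0x04 else value
    return {"community": community.decode("latin-1"),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}

def snmp_exchange(host, packet, port=161, timeout=2.0):
    """Send one packet over UDP and return the reply, or None on timeout.
    A v1/v2c agent silently drops requests carrying a wrong community
    string, so a timeout is the normal answer to a bad guess."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            return sock.recvfrom(65535)[0]
        except socket.timeout:
            return None

def probe_communities(host, candidates, oid=SYS_DESCR):
    """What onesixtyone does: one GetRequest per candidate, first answer wins."""
    for community in candidates:
        reply = snmp_exchange(host, get_request(community, oid))
        if reply is not None and parse_response(reply)["error_status"] == 0:
            return community
    return None
```

Dumping `get_request("public", SYS_DESCR).hex()` gives the 40-byte packet you will see in any capture of snmpget sysDescr.0, with the string "public" readable in the middle of it. `probe_communities("192.168.1.77", ["public", "private", "cisco"])` is the whole brute-force loop: guesses that the agent rejects never come back, which is exactly the "No response from remote host" behaviour snmpcheck shows in the next example.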
Below is an example of a failed SNMP connection, whether because of an incorrect community string, SNMP not listening on the target, or a firewall in between. Because SNMP runs over UDP, the "Connected to" line only means a session was set up locally; nothing has been confirmed until a response actually comes back.
snmpcheck Failed SNMP Connection Example:
- root@bt:/pentest/enumeration/snmp/snmpcheck# ./snmpcheck-1.8.pl -c test -v 2 -t 192.168.1.77
- snmpcheck.pl v1.8 - SNMP enumerator
- Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
- [*] Try to connect to 192.168.1.77
- [*] Connected to 192.168.1.77
- [*] Starting enumeration at 2012-12-25 01:20:32
- [*] Error: No response from remote host '192.168.1.77'.
- root@bt:/pentest/enumeration/snmp/snmpcheck#
When the request goes unanswered snmpcheck simply waits for the timeout (-T, default 20 seconds) and reports no response. An SNMPv1/v2c agent that receives a wrong community string discards the packet rather than returning an error, so a timeout is also exactly what a bad community string looks like. Now for some examples where snmpcheck.pl succeeds, starting with verification of a RW (Read/Write) community string.
Test Read/Write Community String Using snmpcheck On Backtrack:
- root@bt:/pentest/enumeration/snmp/snmpcheck# ./snmpcheck-1.8.pl -c private -w -t 192.168.1.22
- snmpcheck.pl v1.8 - SNMP enumerator
- Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
- [*] Try to connect to 192.168.1.22
- [*] Connected to 192.168.1.22
- [*] Starting enumeration at 2012-12-25 01:51:43
- [*] Write access enabled!
- [*] Checked 192.168.1.22 in 0.01 seconds
- root@bt:/pentest/enumeration/snmp/snmpcheck#
Since snmpcheck is more of an information gathering tool, the -w switch simply verifies that the community string has write access to the device and prints a success message. Do be careful with it, though: the check is performed with an SNMP SET, so if the target logs configuration changes or sends traps it will record that something was modified, along with the address it came from. The output below is from the console of a Cisco router after it was scanned with snmpcheck and the -w switch.
Console Output Of Cisco 861 Router When Queried With snmpcheck -w:
- Dec 25 12:57:52.903: %SYS-5-CONFIG_I: Configured from 192.168.1.88 by snmp
- Dec 25 12:57:52.907: %SYS-5-CONFIG_I: Configured from 192.168.1.88 by snmp
The above output is just something to keep in mind: if you are trying to gather information quietly you will not want to use the -w switch against a target that is being monitored for changes, because %SYS-5-CONFIG_I entries are exactly the kind of event a syslog collector watches for, and they record the source address of the scanner (192.168.1.88 here). The next two examples run the basic command with only the -t switch, first against the Cisco 861 router and then against a Backtrack Linux server running snmpd.
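Here is the defender's side of that log entry, as an added example (not from the article or from snmpcheck): a small parser for %SYS-5-CONFIG_I lines that flags configuration changes made "by snmp" from any address outside an allow-list of management stations. The log lines are constructed for the example, modelled on the two router entries above plus one legitimate change from an admin on a vty and one unrelated message; the allow-list address is an assumption.

```python
"""Spotting SNMP-originated configuration changes in Cisco IOS syslog.
Added example, not part of the article or of snmpcheck. Sample lines are
constructed; the management-station allow-list is an assumption."""
import re
from collections import Counter

# Constructed sample: two SET-triggered entries from the scanner, one
# legitimate change by an admin on a vty, and one unrelated message.
SAMPLE_LOG = """\
Dec 25 12:57:52.903: %SYS-5-CONFIG_I: Configured from 192.168.1.88 by snmp
Dec 25 12:57:52.907: %SYS-5-CONFIG_I: Configured from 192.168.1.88 by snmp
Dec 25 13:02:11.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.199)
Dec 25 13:05:40.001: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
"""

# For 'by snmp' entries the "Configured from" field is the writer's IP;
# for console/vty changes it is the word 'console' and the peer follows.
CONFIG_I = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): %SYS-5-CONFIG_I: "
    r"Configured from (?P<source>\S+) by (?P<actor>\S+)"
    r"(?: on (?P<line>\S+) \((?P<peer>[^)]+)\))?")

def parse_config_events(text):
    """Return one dict per %SYS-5-CONFIG_I line; other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = CONFIG_I.match(line)
        if m:
            events.append(m.groupdict())
    return events

def snmp_write_alerts(events, allowed_managers=()):
    """Flag config changes made over SNMP from any host not in the allow-list."""
    allowed = set(allowed_managers)
    return [e for e in events if e["actor"] == "snmp" and e["source"] not in allowed]

def writers_by_source(events):
    """Count SNMP writes per source address, for a quick triage table."""
    return Counter(e["source"] for e in events if e["actor"] == "snmp")

if __name__ == "__main__":
    evs = parse_config_events(SAMPLE_LOG)
    # Assumed NMS address; anything else writing over SNMP is suspicious.
    for alert in snmp_write_alerts(evs, allowed_managers=["192.168.1.10"]):
        print("ALERT: SNMP write from %(source)s at %(ts)s" % alert)
    print(dict(writers_by_source(evs)))
```

Run against the sample it raises two alerts for 192.168.1.88 and none for the admin's vty session. The same pattern works on a syslog collector fed by many routers; the one caveat is that IOS timestamps can carry a leading sequence number or an asterisk when the clock is unsynchronised, which this regex does not allow for.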
snmpcheck Example Against Cisco 861:
- root@bt:/pentest/enumeration/snmp/snmpcheck# ./snmpcheck-1.8.pl -t 192.168.1.22
- snmpcheck.pl v1.8 - SNMP enumerator
- Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
- [*] Try to connect to 192.168.1.22
- [*] Connected to 192.168.1.22
- [*] Starting enumeration at 2012-12-25 01:08:55
- [*] System information
- -----------------------------------------------------------------------------------------------
- Hostname : router1.example.com
- Description : Cisco IOS Software, C860 Software (C860-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2012 by Cisco Systems, Inc.Compiled Wed 21-Mar-12 00:50 by prod_rel_team
- Uptime system : 0.00 seconds
- Uptime SNMP daemon : 23 hours, 19:10.83
- Contact : HASH(0x9323b78)
- Motd : noSuchObject
- [*] Network information
- -----------------------------------------------------------------------------------------------
- IP forwarding enabled : 1
- Default TTL : 255
- TCP segments received : 0
- TCP segments sent : 0
- TCP segments retrans. : 0
- Input datagrams : 1977
- Delivered datagrams : 1978
- Output datagrams : 1287
- [*] Network interfaces
- -----------------------------------------------------------------------------------------------
- Interface : [ up ] FastEthernet0
- Hardware Address : 60:73:5c:66:66:dc
- Interface Speed : 100 Mbps
- IP Address : 10.10.10.1
- Netmask : 255.255.255.248
- MTU : 1500
- Interface : [ up ] FastEthernet1
- Hardware Address : 60:73:5c:66:66:dd
- Interface Speed : 100 Mbps
- IP Address : 192.168.1.22
- Netmask : 255.255.255.0
- MTU : 1500
- Interface : [ up ] FastEthernet2
- Hardware Address : 60:73:5c:66:66:de
- Interface Speed : 100 Mbps
- MTU : 1500
- Interface : [ up ] FastEthernet3
- Hardware Address : 60:73:5c:66:66:df
- Interface Speed : 100 Mbps
- MTU : 1500
- Interface : [ up ] FastEthernet4
- Hardware Address : 60:73:5c:66:66:e0
- Interface Speed : 100 Mbps
- MTU : 1500
- Bytes In : 187476 (184K)
- Bytes Out : 181824 (178K)
- Interface : [ up ] Null0
- Interface Speed : 4294.967295 Mbps
- MTU : 1500
- Interface : [ up ] Vlan1
- Hardware Address : 60:73:5c:66:66:dc
- Interface Speed : 100 Mbps
- MTU : 1500
- [*] Listening UDP ports
- -----------------------------------------------------------------------------------------------
- Local Address Port
- 192.168.1.22 161
- 192.168.1.22 162
- 192.168.1.22 60812
- [*] Enumerated 192.168.1.22 in 0.23 seconds
- root@bt:/pentest/enumeration/snmp/snmpcheck#
snmpcheck Example Against Backtrack Linux Server:
- root@bt:/pentest/enumeration/snmp/snmpcheck# ./snmpcheck-1.8.pl -t 192.168.1.77
- snmpcheck.pl v1.8 - SNMP enumerator
- Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
- [*] Try to connect to 192.168.1.77
- [*] Connected to 192.168.1.77
- [*] Starting enumeration at 2012-12-25 01:08:57
- [*] System information
- -----------------------------------------------------------------------------------------------
- Hostname : zotac
- Description : Linux zotac 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64
- Uptime system : 7 days, 03:30:27.51
- Uptime SNMP daemon : 27 minutes, 58.10
- Contact : root
- Location : Unknown
- Motd : noSuchObject
- [*] Devices information
- -----------------------------------------------------------------------------------------------
- Id Type Status Description
- 1025 Network Running network interface lo
- 1026 Network Running network interface eth0
- 1027 Network Running network interface wlan0
- 3072 Coprocessor Running Guessing that there's a floating point co-processor
- 768 Processor Running AuthenticAMD: AMD E-350 Processor
- 769 Processor Unknown AuthenticAMD: AMD E-350 Processor
- [*] Storage information
- -----------------------------------------------------------------------------------------------
- Physical memory
- Device id : 1
- Device type : Ram
- Filesystem type : Other
- Device units : 1024
- Memory size : 7.5G
- Memory used : 1.8G
- Memory free : 5.7G
- Swap space
- Device id : 10
- Device type : Virtual Memory
- Filesystem type : Other
- Device units : 1024
- Memory size : 22G
- Virtual memory
- Device id : 3
- Device type : Virtual Memory
- Filesystem type : Unknown
- Device units : 1024
- Memory size : 30G
- Memory used : 1.8G
- Memory free : 28G
- /
- Device id : 31
- Device type : Fixed Disk
- Filesystem type : Unknown
- Device units : 4096
- Memory size : 677G
- Memory used : 23G
- Memory free : 654G
- /sys/fs/fuse/connections
- Device id : 32
- Device type : Fixed Disk
- Filesystem type : Unknown
- Device units : 4096
- Memory buffers
- Device id : 6
- Device type : Other
- Filesystem type : Unknown
- Device units : 1024
- Memory size : 7.5G
- Memory used : 561M
- Memory free : 6.9G
- Cached memory
- Device id : 7
- Device type : Other
- Filesystem type : Unknown
- Device units : 1024
- Memory size : 344M
- Memory used : 344M
- Memory free : 0
- Shared memory
- Device id : 8
- Device type : Other
- Filesystem type : Unknown
- Device units : 1024
- [*] Processes
- -----------------------------------------------------------------------------------------------
- Total processes : 131
- Process type : 1 unknown, 2 operating system, 3 device driver, 4 application
- Process status : 1 running, 2 runnable, 3 not runnable, 4 invalid
- Process id Process name Process type Process status Process path
- 1 init 4 2 /sbin/init
- 10 ksoftirqd/1 4 2
- 1018 console-kit-dae 4 2
- 1090 postgres 4 2
- 1099 postgres 4 2
- 11 kworker/0:1 4 2
- 1100 postgres 4 2
- 1101 postgres 4 2
- 1102 postgres 4 2
- 1196 master 4 2
- 12 watchdog/1 4 2
- 1200 qmgr 4 2
- 1243 sshd 4 2
- 1256 wicd 4 2
- 1272 winbindd 4 2
- 1280 winbindd 4 2
- 1295 wicd-monitor 4 2
- 1297 udevd 4 2
- 13 cpuset 4 2
- 1300 udevd 4 2
- 1356 getty 4 2
- 13681 sshd 4 2
- 13709 bash 4 2
- 14 khelper 4 2
- 14095 snmpd 4 1
- 14681 pickup 4 2
- 15 kdevtmpfs 4 2
- 15188 polkitd 4 2
- 15198 udisks-daemon 4 2
- 15202 upowerd 4 2
- 15205 udisks-daemon 4 2
- 15482 xrdp 4 2
- 15751 Xtightvnc 4 2
- 15755 ck-launch-sessi 4 2
- 15791 ssh-agent 4 2
- 15800 x-session-manag 4 2
- 15803 dbus-launch 4 2
- 15804 dbus-daemon 4 2
- 15808 gconfd-2 4 2
- 15814 gnome-keyring-d 4 2
- 15817 gnome-settings- 4 2
- 15819 gvfsd 4 2
- 15822 polkit-gnome-au 4 2
- 15823 gnome-power-man 4 2
- 15824 vino-server 4 2
- 15826 metacity 4 2
- 15829 gvfs-gdu-volume 4 2
- 15830 gnome-panel 4 2
- 15831 nautilus 4 2
- 15837 gvfs-afc-volume 4 2
- 15840 gvfs-gphoto2-vo 4 2
- 15846 gvfsd-trash 4 2
- 15850 bonobo-activati 4 2
- 15857 wnck-applet 4 2
- 15859 trashapplet 4 2
- 15866 indicator-apple 4 2
- 15867 clock-applet 4 2
- 15868 notification-ar 4 2
- 15872 gvfsd-metadata 4 2
- 15875 indicator-sound 4 2
- 15877 indicator-messa 4 2
- 15879 indicator-appli 4 2
- 15884 gnome-screensav 4 2
- 15920 sesman 4 2
- 16 netns 4 2
- 16199 kworker/1:0 4 2
- 17 sync_supers 4 2
- 18 bdi-default 4 2
- 19 kintegrityd 4 2
- 2 kthreadd 4 2
- 20 kblockd 4 2
- 21 ata_sff 4 2
- 213 scsi_eh_4 4 2
- 22 khubd 4 2
- 23 md 4 2
- 23287 tlsmgr 4 2
- 235 scsi_eh_5 4 2
- 24 khungtaskd 4 2
- 24056 apache2 4 2
- 24058 PassengerWatchd 4 2
- 24061 PassengerHelper 4 2
- 24063 ruby1.8 4 2
- 24066 PassengerLoggin 4 2
- 24073 apache2 4 2
- 24074 apache2 4 2
- 24075 apache2 4 2
- 24076 apache2 4 2
- 24077 apache2 4 2
- 24672 mysqld 4 2
- 24831 apache2 4 2
- 25 kswapd0 4 2
- 25190 vsftpd 4 2
- 25201 kworker/u:0 4 2
- 26 ksmd 4 2
- 27 khugepaged 4 2
- 28 fsnotify_mark 4 2
- 28232 apache2 4 2
- 29 ecryptfs-kthrea 4 2
- 297 jbd2/sda1-8 4 2
- 298 ext4-dio-unwrit 4 2
- 3 ksoftirqd/0 4 2
- 30 crypto 4 2
- 336 upstart-udev-br 4 2
- 341 udevd 4 2
- 38 kthrotld 4 2
- 39 kworker/u:1 4 2
- 4 kworker/0:0 4 2
- 40 scsi_eh_0 4 2
- 41 scsi_eh_1 4 2
- 42 scsi_eh_2 4 2
- 43 scsi_eh_3 4 2
- 47 kworker/1:1 4 2
- 6 migration/0 4 2
- 658 kpsmoused 4 2
- 660 cfg80211 4 2
- 67 devfreq_wq 4 2
- 7 watchdog/0 4 2
- 755 hd-audio0 4 2
- 773 hd-audio1 4 2
- 8 migration/1 4 2
- 860 rsyslogd 4 2
- 861 dbus-daemon 4 2
- 909 flush-8:0 4 2
- 950 getty 4 2
- 957 getty 4 2
- 963 getty 4 2
- 964 getty 4 2
- 966 getty 4 2
- 976 irqbalance 4 2
- 978 cron 4 2
- [*] Network information
- -----------------------------------------------------------------------------------------------
- IP forwarding enabled : no
- Default TTL : 64
- TCP segments received : 28780
- TCP segments sent : 25231
- TCP segments retrans. : 19
- Input datagrams : 263423
- Delivered datagrams : 242329
- Output datagrams : 28381
- [*] Network interfaces
- -----------------------------------------------------------------------------------------------
- Interface : [ up ] lo
- Interface Speed : 10 Mbps
- IP Address : 127.0.0.1
- Netmask : 255.0.0.0
- MTU : 16436
- Bytes In : 9718804 (9.3M)
- Bytes Out : 9718804 (9.3M)
- Interface : [ up ] eth0
- Hardware Address : 00:01:2e:66:66:b0
- Interface Speed : 1000 Mbps
- IP Address : 192.168.1.77
- Netmask : 255.255.255.0
- MTU : 1500
- Bytes In : 30266943 (29M)
- Bytes Out : 3456915 (3.3M)
- Interface : [ up ] wlan0
- Hardware Address : e0:b9:a5:66:66:0a
- Interface Speed : 10 Mbps
- MTU : 1500
- [*] Routing information
- -----------------------------------------------------------------------------------------------
- Destination Next Hop Mask Metric
- 0.0.0.0 - - -
- [*] Listening TCP ports and connections
- -----------------------------------------------------------------------------------------------
- Local Address Port Remote Address Port State
- 0.0.0.0 21 0.0.0.0 - Listening
- 0.0.0.0 22 0.0.0.0 - Listening
- 0.0.0.0 25 0.0.0.0 - Listening
- 0.0.0.0 3306 0.0.0.0 - Listening
- 0.0.0.0 3389 0.0.0.0 - Listening
- 0.0.0.0 5903 0.0.0.0 - Listening
- 0.0.0.0 6003 0.0.0.0 - Listening
- 0.0.0.0 80 0.0.0.0 - Listening
- 127.0.0.1 3350 0.0.0.0 - Listening
- 127.0.0.1 42080 127.0.0.1 6003 Established
- 127.0.0.1 6003 127.0.0.1 42080 Established
- 127.0.0.1 7337 0.0.0.0 - Listening
- 192.168.1.77 22 192.168.1.199 52079 Established
- [*] Mountpoints
- -----------------------------------------------------------------------------------------------
- /
- /sys/fs/fuse/connections
- [*] Enumerated 192.168.1.77 in 0.71 seconds
- root@bt:/pentest/enumeration/snmp/snmpcheck#
In the last example above you would have to clean up the output unless you have implemented the fix I mention in this article, because when snmpcheck is run against Backtrack or Ubuntu servers the run path is not available for every process and snmpcheck prints a warning after each process line. Also notice that the Linux server in the second example gives up a lot more than the router did: a full process list (apache2, mysqld, postgres, vsftpd and winbindd among them), every listening TCP port, and the established SSH session from 192.168.1.199, all for nothing more than the default community string. The Cisco output has a quirk of its own: the Contact field shows HASH(0x9323b78), which is a stringified Perl hash reference rather than the real sysContact value. I really like the output of snmpcheck and believe it makes a great copy/paste for a client report to show how much information they are exposing if they do not lock SNMP down to the necessary hosts (both net-snmp's rocommunity directive and IOS's snmp-server community command accept a source restriction) and replace the default community strings, so thanks to Matteo Cantoni for making an awesome Perl script.