SNMP sweeps are often a good way to find a large amount of information about a specific system, or even to compromise the remote device outright. If you find a Cisco device that answers to a guessable private (read-write) community string, for example, you can download the entire device configuration, modify it, and upload your own malicious config. In addition, the passwords stored in the configuration are often level 7 (Cisco type 7) encoded, which means they are trivial to decode to obtain the enable or login password for that device.
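The two weaknesses described above (default or guessable community strings and reversible type 7 passwords) are both visible in a device's running configuration, so a defender can audit exported configs for them before anyone else finds them. The following is an added example, not code from the original page or from Metasploit; it runs over a constructed sample configuration fragment (not a real device) and flags the weak community strings, missing source access-lists, and type 7 password lines. The list of weak community strings is an assumption of this example, not an authoritative list.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config fragment (hypothetical device, not from the page).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password 7 094F471A1A0A
username admin privilege 15 password 7 0822455D0A16
username ops secret 5 $1$abcd$ZZZZZZZZZZZZZZZZZZZZZZ
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3tRO RO 10
snmp-server group MONITOR v3 priv
access-list 10 permit 10.0.0.5
"""

# Assumed list of community strings commonly tried by sweep tools (not exhaustive).
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "secret"}

# "snmp-server community <string> RO|RW [<acl>]"
_COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", re.I)
# Type 7 lines look like "password 7 <hex digits>"; "secret 5/8/9" lines are real hashes.
_TYPE7_RE = re.compile(r"\bpassword 7 [0-9A-Fa-f]+")


@dataclass
class Finding:
    line: int
    severity: str
    message: str


def audit_config(text):
    """Return a list of Findings for weak SNMP and password settings in a Cisco-style config."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = _COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
            if community.lower() in WEAK_COMMUNITIES:
                # A guessable RW string gives config read/write, so it rates higher than RO.
                sev = "high" if mode == "RW" else "medium"
                findings.append(Finding(n, sev, f"guessable {mode} community '{community}'"))
            if acl is None:
                findings.append(Finding(n, "medium",
                                        f"{mode} community '{community}' has no access-list limiting sources"))
        if _TYPE7_RE.search(line):
            findings.append(Finding(n, "high", "type 7 (reversible) password; replace with a 'secret' form"))
    return findings


def summarize(findings):
    """Count findings per severity so a report can be sorted at a glance."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line:>3} [{f.severity:<6}] {f.message}")
    print(summarize(results))
```

On the sample config the auditor reports the two type 7 lines, the `public`/`private` communities, and the two communities configured without an access-list; the `s3cr3tRO` community restricted by ACL 10 and the SNMPv3 group produce no findings.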
Metasploit comes with a built-in auxiliary module specifically for sweeping SNMP devices. There are a couple of things to understand before we perform our attack. First, read-only (RO) and read-write (RW) community strings play an important role in what type of information can be extracted from or modified on the devices themselves. If you can “guess” the read-only or read-write strings, you can obtain quite a bit of access you would not normally have. In addition, if Windows-based devices are configured with SNMP, the RO/RW community strings often let you extract patch levels, running services, last reboot times, usernames on the system, routes, and a variety of other information that is valuable to an attacker.
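A community-string sweep of the kind described above leaves a distinctive trace on the receiving side: one source address producing authentication failures with several different community strings, or against several different hosts, within a short window. The following is an added detection example, not code from the original page or from Metasploit; the log lines are constructed in a syslog-like layout (real snmpd output differs, so the regular expression would need adjusting), and the window and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (syslog-like; not real snmpd output). One source tries
# four community strings against one host and then the same string against two more
# hosts; a second source has a single typo-style failure much later.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z snmpd[812]: auth failure src=10.0.0.9 dst=10.0.0.1 community=public
2024-05-01T10:00:02Z snmpd[812]: auth failure src=10.0.0.9 dst=10.0.0.1 community=private
2024-05-01T10:00:03Z snmpd[812]: auth failure src=10.0.0.9 dst=10.0.0.1 community=cisco
2024-05-01T10:00:04Z snmpd[812]: auth failure src=10.0.0.9 dst=10.0.0.1 community=admin
2024-05-01T10:00:05Z snmpd[812]: auth failure src=10.0.0.9 dst=10.0.0.2 community=public
2024-05-01T10:00:06Z snmpd[812]: auth failure src=10.0.0.9 dst=10.0.0.3 community=public
2024-05-01T10:15:40Z snmpd[812]: auth failure src=10.0.0.5 dst=10.0.0.1 community=pubilc
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth failure src=(?P<src>\S+) dst=(?P<dst>\S+) community=(?P<comm>\S+)$"
)


def parse_events(text):
    """Parse matching lines into (timestamp, src, dst, community) tuples; skip others."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group("src"), m.group("dst"), m.group("comm")))
    return events


def detect_sweeps(text, window=timedelta(seconds=60), min_communities=3, min_targets=3):
    """Flag a source that, within `window`, fails with >= min_communities distinct strings
    or against >= min_targets distinct hosts. Returns at most one alert per source."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        for i, (t0, _, _, _) in enumerate(evs):
            comms, dsts = set(), set()
            for t, _, dst, comm in evs[i:]:
                if t - t0 > window:
                    break
                comms.add(comm)
                dsts.add(dst)
            if len(comms) >= min_communities or len(dsts) >= min_targets:
                alerts.append({"src": src, "first_seen": t0,
                               "communities": sorted(comms), "targets": sorted(dsts)})
                break  # one alert per source is enough; stop scanning its events
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LOG):
        print(f"{a['src']} sweep from {a['first_seen'].isoformat()}: "
              f"{len(a['communities'])} strings, {len(a['targets'])} targets")
```

The thresholds deliberately key on distinct strings and distinct targets rather than on raw failure counts, so a single operator typo (the `10.0.0.5` line) does not alert while a sweep does; a production rule would also want an allow-list for the monitoring hosts that legitimately poll many devices.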
When querying through SNMP, you work against what is called the MIB, the Management Information Base. The MIB defines the objects you can query on the device to extract information. Metasploit comes loaded with a list of default MIB entries in its database and uses them to query the device for more information, depending on the level of access (read-only or read-write) that is obtained. Let’s take a peek at the auxiliary module.
Here is a video showing you a successful private string brute force:
Here is a video showing you a successful community string brute force: