SNMP Notes
From Rory.wiki
SNMP Testing Notes
onesixtyone does a good job of identifying SNMP v1 and v2 servers based on community strings. However, it doesn't identify SNMP v3 servers; it simply returns no results for any that it encounters.
Interestingly, unlike older versions of SNMP, v3 servers will return data without the correct credentials, so it's possible to start footprinting the server based on the information returned.
This testing is based on a net-snmp server installed on Ubuntu 9.04 (instructions on configuration here). Different implementations may behave differently!
Sending an unauthenticated message to the server
snmpwalk -v 3 -l noAuthNoPriv <ip_address> sysUpTime.0
provokes the error snmpwalk: Unknown user name.
Interestingly, if we then use a valid user with an invalid password
snmpwalk -v 3 -l noAuthNoPriv -u "<username>" <ip_address> sysUpTime.0
we get a different error: Error in packet. Reason: authorizationError (access denied to that object). This means there's potential for user enumeration by cycling through usernames, and also for password brute-forcing, as the message will change again when the correct password is supplied. The format of a command to pull the sysUpTime.0 OID back is
snmpwalk -v 3 -l AuthPriv -u "<username>" -A "<password>" -X "<password>" <ip_address> sysUpTime.0
Note that the two password parameters (-A for the authentication passphrase, -X for the privacy passphrase) should contain the same password in this example.
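From the defender's side, the two distinct failure messages above are exactly what makes enumeration and guessing detectable: an unknown user produces a usmStatsUnknownUserNames report, a bad key for a real user produces usmStatsWrongDigests (or the authorizationError seen above), so a source that triggers many different unknown usernames, or many failures for the same known username, stands out. The following is an added example, my own code rather than anything from these notes or from net-snmp: it parses a constructed, hypothetical one-line-per-failure log format and flags both patterns. The report OIDs are the real RFC 3414 usmStats objects; the log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Report OIDs the User-based Security Model returns in SNMPv3 report PDUs (RFC 3414, usmStats group).
USM_UNKNOWN_USER = "1.3.6.1.6.3.15.1.1.3.0"   # usmStatsUnknownUserNames: the user does not exist
USM_WRONG_DIGEST = "1.3.6.1.6.3.15.1.1.5.0"   # usmStatsWrongDigests: user exists, authentication key wrong
AUTHZ_ERROR = "authorizationError"            # error-status in a response PDU, as in the snmpwalk output above


@dataclass(frozen=True)
class SnmpV3Failure:
    src: str
    user: str
    reason: str


# Constructed log format (hypothetical): one line per failed SNMPv3 request, as a collector might summarise it.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S*) reason=(?P<reason>\S+)")


def parse_line(line: str) -> SnmpV3Failure:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return SnmpV3Failure(m["src"], m["user"], m["reason"])


def detect_abuse(events, user_threshold=5, attempt_threshold=10):
    """Return {src: [finding, ...]} for sources whose failures look like enumeration or guessing.

    Enumeration: many *distinct* usernames rejected as unknown from one source.
    Guessing:    many rejections of the *same* known username from one source.
    """
    unknown_users = defaultdict(set)    # src -> usernames the agent reported as unknown
    failed_attempts = defaultdict(int)  # (src, user) -> wrong-digest / authorizationError count
    for ev in events:
        if ev.reason == USM_UNKNOWN_USER:
            unknown_users[ev.src].add(ev.user)
        elif ev.reason in (USM_WRONG_DIGEST, AUTHZ_ERROR):
            failed_attempts[(ev.src, ev.user)] += 1
    findings = defaultdict(list)
    for src, users in unknown_users.items():
        if len(users) >= user_threshold:
            findings[src].append(f"user enumeration: {len(users)} distinct unknown usernames")
    for (src, user), n in failed_attempts.items():
        if n >= attempt_threshold:
            findings[src].append(f"password guessing against '{user}': {n} failures")
    return dict(findings)


# Constructed sample: 10.0.0.5 walks a username wordlist, 10.0.0.9 hammers one real user,
# 10.0.0.2 is an operator with a couple of typos and should not be flagged.
SAMPLE_LOG = (
    [f"2009-06-01T10:00:{i:02d} src=10.0.0.5 user=user{i} reason={USM_UNKNOWN_USER}" for i in range(8)]
    + [f"2009-06-01T10:01:{i:02d} src=10.0.0.9 user=admin reason={USM_WRONG_DIGEST}" for i in range(12)]
    + [
        f"2009-06-01T10:02:00 src=10.0.0.2 user=backup reason={USM_UNKNOWN_USER}",
        f"2009-06-01T10:02:05 src=10.0.0.2 user=monitor reason={AUTHZ_ERROR}",
        f"2009-06-01T10:02:09 src=10.0.0.2 user=monitor reason={AUTHZ_ERROR}",
    ]
)


def run_sample():
    return detect_abuse(parse_line(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for src, items in run_sample().items():
        print(src, *items, sep="\n  ")
```

The thresholds are deliberately low for the constructed sample; on a real collector they would be tuned per monitoring station, since a legitimate poller that has been reconfigured with the wrong key also generates a steady stream of usmStatsWrongDigests for a single user.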
Even where the command itself returns no information at all, there is some information leakage in the packets the server returns, which is visible through Wireshark.
Any get request formatted as an SNMPv3-style request will get a reply packet from the server. In it there is an Engine Enterprise ID field which seems to identify the product version (in this case net-snmp).
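What that field discloses is fixed by the SnmpEngineID layout in RFC 3411: when the high bit of the first octet is set, the first four octets (minus that bit) are the vendor's IANA enterprise number, the fifth is a format octet, and the rest is vendor data (an IPv4 address, a MAC address, text, or something enterprise-specific). The decoder below is an added example, my own code and not part of these notes or of net-snmp, so an administrator can check what their own agent's engine ID gives away before anyone else does; the two sample engine IDs are constructed, and the vendor table is illustrative rather than exhaustive.

```python
# IANA enterprise numbers that commonly appear in SnmpEngineID values.
# Assumption: this table is illustrative, not exhaustive; anything else is reported by number only.
ENTERPRISES = {
    9: "Cisco",
    311: "Microsoft",
    2021: "UCD-SNMP (pre net-snmp)",
    2636: "Juniper",
    8072: "net-snmp",
}

# Format octet values defined in RFC 3411 for the high-bit-set engine ID layout.
FORMATS = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address", 4: "text", 5: "octets"}


def parse_engine_id(hex_id: str) -> dict:
    """Decode an msgAuthoritativeEngineID (hex, optionally ':' or space separated) into RFC 3411 fields."""
    raw = bytes.fromhex(hex_id.replace(":", "").replace(" ", ""))
    if not 5 <= len(raw) <= 32:
        raise ValueError("SnmpEngineID must be between 5 and 32 octets")
    # The enterprise number occupies the first four octets in both layouts; the high bit is a flag.
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    info = {"enterprise": enterprise, "vendor": ENTERPRISES.get(enterprise, "unknown")}
    if not raw[0] & 0x80:
        # High bit clear: legacy RFC 1910 layout, 4-octet enterprise then 8 vendor-chosen octets.
        info.update(format="legacy", remainder=raw[4:].hex())
        return info
    fmt, rest = raw[4], raw[5:]
    if fmt in FORMATS:
        info["format"] = FORMATS[fmt]
    elif fmt >= 128:
        info["format"] = f"enterprise-specific (0x{fmt:02x})"
    else:
        info["format"] = f"reserved (0x{fmt:02x})"
    # Render the vendor data in the form the format octet says it takes.
    if fmt == 1 and len(rest) == 4:
        info["remainder"] = ".".join(str(b) for b in rest)
    elif fmt == 3 and len(rest) == 6:
        info["remainder"] = ":".join(f"{b:02x}" for b in rest)
    elif fmt == 4:
        info["remainder"] = rest.decode("ascii", "replace")
    else:
        info["remainder"] = rest.hex()
    return info


if __name__ == "__main__":
    # Constructed engine IDs: a net-snmp style one (enterprise 8072, format 0x80) and a Cisco style one
    # (enterprise 9, format 3 = MAC address). Neither belongs to a real device.
    for sample in ("80:00:1f:88:80:c0:a3:d5:e2:4a:9e:1f:3f", "800000090300112233aabb"):
        print(sample, parse_engine_id(sample))
```

Note that the engine ID is sent in the clear by design, since the client needs it to localise keys and to time-synchronise, so the right response to this leakage is to know that it exists and to treat SNMPv3 agents as fingerprintable, not to try to hide the field.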
