Simple Network Management Protocol (SNMP)

footprinting

The Simple Network Management Protocol (SNMP) is an old protocol from 1990-2000 that is still widely used by companies to manage and monitor network devices (routers, switches, firewalls...).

The goal is to ensure that network devices are operating efficiently and effectively in real-time.

SNMP uses the following ports:

  • UDP/161 ⛵: to send and receive SNMP messages
  • TCP/161 ⛴️: sometimes used instead of UDP to send messages
  • UDP/162 🔥️: to send trap messages (reports)

Knowledge

The Management Information Base (MIB) 📂 is a component used to store information about network devices. This is a tree-like structure with each node called an object 📰 and carrying information such as:

  • 🔑 at least one Object Identifier (OID)
  • ✈ī¸ the number of packet that transited by this node
  • đŸ’Ļ the CPU utilization of a server
  • ...

An agent 👮 is a module that runs on a network device and reads/stores information about the device in the MIB. ⚠️ There is no data in the MIB itself, only definitions of the object types and their location in the tree.

The SNMP manager 👑 is software that retrieves data from the MIB by asking the agent associated with each device. It runs on a network management system (NMS).

The SNMP manager can also send instructions to the agent to set or change the values of objects. The agent will update its associated device to match the instruction.

Agents can also send unsolicited messages known as "traps", for instance when a problem is detected 🔥.


Configuration

You can configure SNMP from the device CLI with commands such as the following (Cisco IOS syntax):

  • show snmp: display the current configuration
  • snmp-server community [...]: configure a community
  • no snmp-server community [...]: delete a community
  • snmp-server location [...]: set the location (for humans)
  • snmp-server host [...]: define the hosts (for traps...)

You can also configure it on a Windows Server as follows:

  • Start the Server Manager
  • Click on "Add roles and features"
  • Press Next thrice
  • In Features, select "SNMP Service"

Once installed, open "Services" and find the SNMP Service. Right-click it, open Properties, and edit the settings as needed.


SNMPv2c

SNMPv2c is the community-string based version of SNMPv2, and the only one still used by some companies. It is advised to use SNMPv3 instead, as the latter is more secure. SNMPv2c:

  • ❌ is not scalable: companies will experience performance problems that may lead to longer delays and decrease employees' efficiency.
  • ❌ is not reliable: error messages can be misinterpreted as they may be incomplete or incorrect.
  • ❌ is vulnerable: spoofing, tampering, sniffing...
  • ✅ community strings can be set up. They are password-like strings that need to be complex and changed regularly. Only those with the correct community string can fetch data from a network device; by default, anyone can fetch it. A community can be read-only (RO) or read-write (RW).

Commands: snmpget, snmpwalk, snmpset, snmptrap...

➡ī¸ A company can use both SNMPv2c and SNMPv3, it allows a softer migration, but it increases the complexity of the task.


SNMPv3

Migrating to SNMPv3 can be hard, but it may be required to comply with some regulations (PCI DSS, HIPAA). Overall it's more robust, performant, reliable and secure.

  • ❌ some devices may not be compatible with SNMPv3
  • ❌ employees need to learn SNMPv3 (cost/...)
  • ✅ the vendor (e.g. Cisco, IBM, SolarWinds...) can provide support for a seamless upgrade from SNMPv2c
  • ✅ SNMPv3 has a more reliable error-management system
  • ✅ SNMPv3 is more secure (integrity checks, encryption, access management with USM/VACM, authentication...)
  • ✅ SNMPv3 is more performant

Commands: snmpget, snmpwalk, snmpset, snmpinform...


SNMP vulnerabilities ☠️

Common SNMPv2c community strings

You can use snmpwalk to list SNMP variables from SNMP devices. Two common community strings are public and private.

$ snmpwalk -v 2c -c community_string IP
$ snmpwalk -v 2c -c community_string IP OID

➡ī¸ The OID for sysName is 1.3.6.1.2.1.1.5.0.

Explore SNMP MIB

Once you have found a community string, you can use braa to list information. Without a pattern, the output is quite long.

$ sudo apt install braa
$ braa community_string@IP:.1.3.6.*

You may find emails, and other useful information.

Brute force SNMPv2c community strings

Common wordlists:

(common) /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
(full)   /usr/share/seclists/Discovery/SNMP/snmp.txt

You can brute force community strings with onesixtyone (0.4k ⭐):

$ onesixtyone -c wordlist IP
IP [string_found] <info>
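Seen from the defender's side, both risks above (default strings and wordlist guessing) are visible in the SNMP header itself. The following is an added example, not part of these notes: it decodes the BER-encoded version and community fields of SNMPv1/v2c messages captured on UDP/161 and flags `public`/`private` as well as sources trying many distinct strings. The function names, the 10.0.0.x addresses and the guessed strings are constructed here for illustration.

```python
"""Flag default or guessed SNMPv1/v2c community strings in UDP/161 payloads (constructed samples)."""

DEFAULT_COMMUNITIES = {"public", "private"}      # the two strings named in the notes above

def _read_tlv(buf, pos):
    """Parse one BER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """(version, community) for SNMPv1 (0) / v2c (1); None if malformed or v3 (USM header, no community)."""
    try:
        tag, body, _ = _read_tlv(payload, 0)         # outer SEQUENCE
        tag2, ver, pos = _read_tlv(body, 0)          # INTEGER version
        tag3, community, _ = _read_tlv(body, pos)    # OCTET STRING community (v1/v2c only)
        if (tag, tag2, tag3) != (0x30, 0x02, 0x04):
            return None
        return int.from_bytes(ver, "big"), community.decode("latin-1")
    except IndexError:
        return None

def analyse(packets, brute_threshold=3):
    """packets: iterable of (src_ip, payload). Reports default communities and sources trying many strings."""
    findings, per_src = [], {}
    for src, payload in packets:
        hdr = parse_snmp_header(payload)
        if hdr is None:
            continue
        version, community = hdr
        per_src.setdefault(src, set()).add(community)
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"{src}: default community '{community}' (version field {version})")
    for src, tried in per_src.items():               # many distinct strings = wordlist guessing pattern
        if len(tried) >= brute_threshold:
            findings.append(f"{src}: {len(tried)} distinct community strings tried (guessing?)")
    return findings

def build_get_request(version, community):
    """Constructed GetRequest for sysName.0 (OID 1.3.6.1.2.1.1.5.0), used only as sample input."""
    varbinds = b"\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00\x05\x00"
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00" + varbinds   # request-id, error-status, error-index
    body = (bytes([0x02, 0x01, version, 0x04, len(community)]) + community.encode()
            + bytes([0xA0, len(pdu_body)]) + pdu_body)
    return bytes([0x30, len(body)]) + body

SAMPLE = [("10.0.0.5", build_get_request(1, "public"))] + \
         [("10.0.0.9", build_get_request(1, c)) for c in ("admin", "cisco", "secret")]
```

Running `analyse(SAMPLE)` yields one finding for the default string and one for the host cycling through three communities.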

👻 To-do 👻

Stuff that I found but have never read/used yet.

  • SNMP ACLs (SNMP tcp/161): separate ACLs specifically for SNMP; they are more granular than the generic ACLs
    • ip/range of ips
    • a version of SNMP
    • a community (SNMPv2c?)