SNMP Lab Setup and Penetration Testing

What is SNMP?

Simple Network Management Protocol (SNMP) is a protocol for network management. It is used for collecting information from, and configuring, network devices, such as servers, printers, hubs, switches, and routers on an Internet Protocol (IP) network. It usually run on UDP port 161.

Download Vyos Link: https://downloads.vyos.io/?dir=release/1.1.8

Create New Virtual Machine using the VMware and change the Network Adapter to Bridged as shown in the given screenshot.

After completing the initial setup in the VMware Boot the Newly created Virtual Machine by clicking on the Power on the Virtual Machine.

The Default Login Credentials for Vyos are

Username: vyos

Password: vyos

The Initial Boot of Vyos will be as shown below:

This is a Live Boot of the vyos, so we will install the vyos to use it properly.

We will use the iso image to install vyos. Type the following command:

Command: install image

Enter “Yes” where it asks to continue.

Next it will ask about the partition management.

Enter “Auto” where it asks about Partition.

It will detect the drives in the Virtual System and ask you to select the particular drive in which you want to install vyos.

Enter “sda” where it asks about the location for installation.

Next it will ask about the size for the root partition for the vyos.

You can enter any size from 1000MB to 21474MB. But it is recommended to keep it maximum i.e. 21474MB.

Next it will ask about the name for the image.

By default the name is set to the version number that is 1.1.8. You can either give a personalised name or you can leave it default.

Next it will ask about the location to copy the sda.

It is recommended to keep it default.

After that it will ask for the password to be kept for the administrator account.

By default it is kept vyos. But from security point of view it is recommended to change it to something complex which is difficult to guess or brute force.

Now it will ask for the drive on which you want to setup GRUB Boot-loader? Again leave it default to “sda”.

After that we have completed the vyos setup. Reboot using the command

Command: reboot

After reboot it will ask for login credentials, Enter the credential that you entered during the installation.

Now we will configure the Network Interface. To do that, we will have to enter configuration mode.

Command: configure

After entering into configuration mode set up Network interface

Syntax: set interface ethernet [network interface] address [Static IPv4 Address]

Command: set interface ethernet eth0 address 192.168.1.125/24

Now Commit and Save the Configuration

Command: commit

Command: save

After that type “exit” to get out of configuration mode and then reboot the machine using “reboot” command

We are rebooting because the configuration changes come in effect only after a reboot.

You can the view interface which we configured by using the command

Command: show interfaces

Note: Above command will run in configuration mode.

Start SNMP service

Now we will set up the snmp service in the Vyos.

For that we will enter configuration mode using command

Command: configure

Now to set up a snmp service we will need to add a community string and give it an authorization. To do that:

Syntax: set service snmp community [community-string] authorization [auth-mode]

[community-string]: It can be anything but normally it is either public or private. But from a security point of view it is recommended to keep it that cannot be easily guessed or bruteforced.

[auth-mode]: It is the Authorization Mode. We have two options

1.       [ro]: Read Only Authorization (It can only be used to read or extract data, we can change it using    this string)

2.       [rw]: Read Write Authorization (It can be used to change the data using the string)

Command: set service snmp community ignite123 authorization ro

Command: set service snmp community ignite123 authorization rw

Now let’s set a user for the system.

Firstly Enter the Configuration Mode.

Command: configure

Now to add a user we will use the following command,

Syntax: set system login user [username] authentication plaintext-password [password]

Command: set system login user ignite authentication plaintext-password ignite123

After this commit the configuration and save it. Also reboot the machine so that changes may take effect.

We have successfully completed snmp Lab in Vyos.

SNMP Enumeration using Kali Linux

Now that we have setup a snmp service let’s pentest it through kali linux inbuilt tools one by one, where We can read and extract information using the community string that have the authorization of reading only but to change the information we will have to use the community string with the read and write authorization.

Nmap

Let’s check using nmap in Kali Linux Machine which is running on the same network.

nmap –sU –p161, 162 192.168.1.125

[-sU]: UDP Ports as SNMP service runs on UDP port

[-p]: Specify Port Number; SNMP service runs on port 161 and 162

From given below image you can observed that it has also shown port 161 is open.

Snmpwalk

snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

Command: snmpwalk -v1 –c ignite321 192.168.1.125

Here

[-v1]: Level of verbose mode

[-c]: Community String

From given below image you can observe all details that are specified for “STRING”

Snmpset

We can manipulate these details using the iso id, using another tool snmpset. Here we are renaming the host string from vyos to hacked

Command: snmpset –v1 –c ignite321 192.168.1.125 iso.3.6.1.2.1.1.5.0.s Hacked

Let’s check if the changes we implemented had an effect using snmpwalk

Command: snmpwalk –v1 –c ignite321 192.168.1.125

As you can see that the we have successfully change the host name from vyos to hacked.

We can extract a number of information using snmpwalk

Command: snmpwalk –v1 –c ignite321 192.168.1.125 1.3.6.1.2.1.25.4.2.1.2

Command: snmpwalk –v1 -c ignite321 192.168.1.125 1.3.6.1.2.1.6.13.1.3

Command: snmpwalk –v1 –c ignite321 192.168.1.125 1.3.6.1.2.1.25.6.3.1.2

As the data extracted by snmp walk is quite large we can extract that into a text file by using command below

Command: snmpwalk –v1 -c ignite321 192.168.1.125 > snmpout.txt

We can use gedit to view the extracted information

Command: gedit snmpout.txt 

SNMP-Check

Like to snmpwalk, snmp-check allows you to enumerate the SNMP devices and places the output in a very human readable friendly format. It could be useful for penetration testing or systems monitoring.

Command: snmp-check 192.168.1.125 -p 161 -c ignite123

Here,

[-p]: To specify port

[-c]: To specify Community String

Braa

Braa is a mass snmp scanner. The intended usage of such a tool is of course making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.

Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]

Command: braa ignite123@192.168.1.125:.1.3.6.*

Metasploit

We can enumerate SNMP using a Metasploit module called snmp_enum.

use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.1.125

msf auxiliary(scanner/snmp/snmp_enum) > set community ignite123

msf auxiliary(scanner/snmp/snmp_enum) > run

We have fetched same result from metasploit as above.

6 Ways to Hack SNMP Password

In this article, we will learn how to gain control over our victim’s SNMP service. There are various ways to do it and let take time and learn all those because different circumstances call for different measure.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp

-P:  denotes path for password list

Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the SNMP password as ignite123.

xHydra

This is the graphical version to apply dictionary attack via SNMP port to hack a system. For this method to work:

Open xHydra in your kali. And select Single Target option and their give the IP of your victim PC. And select SNMP in box against Protocol option and give the port number 161 against the port option.

Now, go to Passwords tab and in Username section check the box adjacent to Protocol doesn’t require username.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

Now go to the specific Tab and in the SNMP and clear the data written in the text box below the SNMP as shown in the given screenshot.

When you will clear all entries it will look like as shown in next image given below.

After doing this, go to Start tab and click on Start button on the left.

Now, the process of dictionary attack will start. Thus, you will attain the password of your victim.

As you can see that we have the password ignite123 cracked.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, SNMP, and VNC to name a few

Run the following command

medusa -M snmp –h 192.168.1.125 –u ignite –P /root/Desktop/pass.txt 

 Here

-h: denotes host IP

-u: denote a particular user

But Brute forcing SNMP doesn’t require username but medusa doesn’t work without a proper syntax, you can use any username of your choice

-P:  denotes path for password list

As you can observe that we had successfully grabbed the SNMP password as ignite123.

Metasploit

This module will test SNMP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Open Kali terminal type msfconsole

Now type use auxiliary/scanner/snmp/snmp_login

msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 (IP of Remote Host)

msf auxiliary(scanner/snmp/snmp_login)> set pass_file  /root/Desktop/pass.txt

msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true

msf auxiliary(scanner/snmp/snmp_login)> run

 From given below image you can observe that we had successfully grabbed the SNMP password.

Nmap

We can also crack the snmp password using nmap, execute given below command.

nmap –sU –p 161 –n --script snmp-brute 192.168.1.125 --script-args snmp-brute.communitiesdb=/root/Desktop/pass.txt

As you can see above that we have the password cracked as ignite123.

Onesixtyone

Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies.

onesixtyone 192.168.1.125 –c /root/Desktop/pass.txt 

As you can see above that we have the password cracked as ignite123 using onesixtyone

Comprehensive Guide to SSH Tunnelling

Basically tunneling is process which allows data sharing or communication between two different networks privately. Tunneling is normally perform through encapsulating the private network data and protocol information inside the public network broadcast units so that the private network protocol information visible to the public network as data. 

SSH Tunnel:  Tunneling is the concept to encapsulate the network protocol to another protocol here we put into SSH, so all network communication are encrypted. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:     

1.      Dynamic SSH tunneling

2.      Local SSH tunneling

3.      Remote SSH tunneling

Let’s Begin!!

Objective:  To establish SSH connection between remote PC and local system of different network.

Here I have set my own lab which consist three systems in following network:

SSH server (two Ethernet interface) 

IP 192.168.1.104 connected with remote system

IP 192.168.10.1 connected to local network system 192.168.10.2

SSH client (local network) holds IP 192.168.10.2

Remote system (outside network)

In following image we are trying to explain SSH tunneling process where a remote PC is trying to connect to 192.168.10.2 which is on INTRANET of another network. To establish connection with SSH client (raj), remote PC will create SSH tunnel which will connect with the local system via SSH server (Ignite).

NOTE: Service SSH must be activated on server as well as client machine.

Given below image is describing the network configuration for SSH server where it is showing two IP 192.168.1.104 and another 192.168.10.1

Another image given below is describing network configuration for SSH client which is showing IP 192.168.10.2

Dynamic SSH Tunneling through Windows

Remote Pc is trying to connect to SSH server (192.168.1.104) via port 22 and get successful login inside server. Here we had used putty for establishing connection between SSH server (Ubuntu) and remote user (Windows).

Similarly now Remote PC trying to connect with Client PC (192.168.10.2) via port 22, since they belongs to different network therefore he receive network error.

Step for Dynamic SSH tunneling

• Choose option SSH >Tunnel given in the left column of category.
• Give new port forwarded as 7000 and connection type as dynamic and click on ADD at last.

Now connect to SSH server 192.168.1.104 via port 22 and then click on open when all things get set.

First it will connect to SSH server as you can see we are connected with SSH server (Ignite).

Now login into putty again and give IP of client system as Host Name 192.168.10.2 and Port 22 for SSH then click on open.

Open previous running window of putty choose Proxy option from category and follow given below step:

• Select proxy type as SOCKS 5
• Give proxy hostname as 127.0.0.1 and port 7000
• Click on open to establish connection.

Awesome!! We have successfully access SSH client (raj) via port 7000

Dynamic SSH Tunneling through Kali Linux

Now we are employing Kali Linux for SSH tunneling and demonstrating how an attacker or Linux user can take privilege of Tunneling and can established SSH connection with client systems.

ssh -D 7000 ignite@192.168.1.104

Enter user’s password for login and get access of SSH server as shown below.

Next we need to set network proxy for enabling socksv5 and for that follow below steps.

·         In your web browser “Firefox” go to option for general setting tab and open Network Proxy.

·         Choose Manual Proxy option.

·         Enable socksv5 option.

·         Add localhost, 127.0.0.1 as No proxy

So from given below image you can perceive that now we able to connect with client: 192.168.10.2 via port 80.

Now connect to client machine through given below command:

ssh -D 7000 ignite@192.168.1.104

Install tsocks through apt repository using command: apt install tsocks.

tsocks - Library for intercepting outgoing network connections and redirecting them through a SOCKS server. 

Open the tsocks.conf file for editing socks server IP and port, in our case we need to mention below two lines and then save it.

Server = 127.0.0.1

Server_port = 7000

Now connect to SSH client with the help tsocks using given below command.

tscoks ssh raj@192.168.1.10.2

Enter the password and enjoy the access of SSH client.

Local SSH Tunneling through Windows

Local tunneling is a process to access a specific SSH client machine for communication. It let you establish the connection on a specific machine which is not connected from internet.

The only difference between dynamic tunneling and local tunneling is that, dynamic tunneling requires socks proxy for tunneling all TCP traffic and local tunneling only required destination IP address.

Step for SSH Local tunneling

·         Use putty to connect SSH server (192.168.1.104) via port 22 and choose option SSH >Tunnel given in the left column of category.

·         Give new port forwarded as 7000 and connection type as local 

·         Destination address as 198.168.10.2:22 for establishing connection with specific client and click on ADD at last.

·         Click on open when all things get set.

First this will establish connection between remote pc and SSH server.

Open new window of putty and follow given below step:

·         Give hostname as localhost and port 7000 and connection type SSH.

·         Click on open to establish connection.

Awesome!! We have successfully access SSH client via port 7000 

Local SSH Tunneling through Kali Linux

Now again we switch into Kali Linux for local tunneling which is quite easy as compare to dynamic. Execute given below command for forwarding port to local machine.

ssh -L 7000:192.168.1.10.2:22 ignite@192.168.1.104  

Now open a new terminal and type below command for connecting to SSH client.

ssh raj@127.0.0.1 -p 7000

Awesome!! We have successfully access SSH client via port 7000 

Remote SSH Tunneling through Putty

Remote tunneling is functional when a client machine wants to access a remote system which is outward from its network.

First need to install putty in our SSH server (ignite) and then follow given steps.

Step for remote tunneling

·         Enter remote system IP 192.168.1.108

·         Mention port 22

·         Go to SSH>tunnel options

Give new port forwarded as 7000 and connection type as Remote

·         Destination address as 198.168.10.2:22 for establishing connection with specific client and click on ADD at last.

·         Click on open when all things get set.

Now server will get connected to Remote system as shown in below image.

Come back to remote system and enter following command to with SSH client machine.

ssh raj@127.0.0.1 -p 7000

From given below image you can observed that we had successfully connected with SSH client machine via port 7000.

Remote SSH Tunneling through Command-Line

If you are not willing to use putty for remote tunneling then you can execute following command

ssh -R 7000:192.168.1.10.2 root@192.168.1.108

Here 192.168.1.10.2 is our local client (raj) IP and 192.168.1.108 is our remote system IP.

Come back to remote system and enter following command to with SSH client machine.

ssh raj@127.0.0.1 -p 7000

From given below image you can observed that we had successfully connected with SSH client machine via port 7000.