carnal0wnage [Shared Reader]

Saturday, July 21, 2007

SNMP enumeration with snmpenum and snmpwalk

Over in LSO-Chat we were talking about SNMP Enumeration and why you would want to do that and what kind of information you could pull from a SNMP service even with only READ permissions available.

So let's run snmpenum.pl (one of many snmp enumeration utilities) against a Windows 2000 server with the SNMP installed (not installed by default)

[root@localhost snmpenum]# perl snmpenum.pl
Usage: perl enum.pl

[root@localhost snmpenum]# perl snmpenum.pl 192.168.38.200 public windows.txt

----------------------------------------
INSTALLED SOFTWARE
----------------------------------------

freeSSHd 1.0.9
freeFTPd 1.0.8
CesarFTP 0.99g
Microsoft SQL Server 2000
PeerCast (remove only)
TFTP Server TFTPDWIN version 0.4.2
Bitvise WinSSHD 4.19 (remove only)
VMware Tools
WebFldrs
UltraVNC v1.0.2

----------------------------------------
UPTIME
----------------------------------------

2 hours, 19:02.87

----------------------------------------
HOSTNAME
----------------------------------------

LSO-DEV

----------------------------------------
USERS
----------------------------------------

Guest
Asmith
Bsmith
Dsmith
Esmith
Fsmith
Gsmith
Hsmith
Jsmith
Ksmith
Lsmith
Msmith
Nsmith
Osmith
Psmith
Qsmith
Rsmith
Ssmith
Tsmith
Usmith
Vsmith
Wsmith
Xsmith
Ysmith
Zsmith
csmith
meanie
linneag
Administrator
TsInternetUser
IUSR_VICTIM-W2K
IWAM_VICTIM-W2K

----------------------------------------
DISKS
----------------------------------------

A:\
C:\ Label: Serial Number 20e619b8
D:\ Label:WIN2000_EN Serial Number f1a3fc3
Virtual Memory

----------------------------------------
RUNNING PROCESSES
----------------------------------------

System Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
sqlmangr.exe
svchost.exe
SPOOLSV.EXE
VMwareTray.exe
llssrv.exe
FreeSSHDService
explorer.exe
FreeFTPDService
svchost.exe
sqlservr.exe
regsvc.exe
mstask.exe
svchost.exe
snmp.exe
VMwareService.e
winmgmt.exe
WinSSHD.exe
winvnc.exe
dfssvc.exe
inetinfo.exe
mssearch.exe
IEXPLORE.EXE
badblue.exe
sshdctrl.exe
tftpd.exe
VMwareUser.exe

----------------------------------------
LISTENING UDP PORTS
----------------------------------------

135
161
445
1029
1034
1434
3456

----------------------------------------
SYSTEM INFO
----------------------------------------

Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

----------------------------------------
SHARES
----------------------------------------

----------------------------------------
LISTENING TCP PORTS
----------------------------------------

21
22
25
80
135
443
445
1030
1032
1035
2121
5800
5900
6941
8080
55555

----------------------------------------
SERVICES
----------------------------------------

Server
Alerter
WinSSHD
Event Log
Messenger
Net Logon
Telephony
DNS Client
VNC Server
DHCP Client
MSSQLSERVER
Workstation
SNMP Service
Windows Time
Plug and Play
Print Spooler
RunAs Service
Task Scheduler
FreeSSHDService
freeFTPdService
Computer Browser
Microsoft Search
COM+ Event System
IIS Admin Service
Protected Storage
Removable Storage
IPSEC Policy Agent
Network Connections
Logical Disk Manager
VMware Tools Service
FTP Publishing Service
Distributed File System
License Logging Service
Remote Registry Service
Security Accounts Manager
System Event Notification
Remote Procedure Call (RPC)
TCP/IP NetBIOS Helper Service
NT LM Security Support Provider
Distributed Link Tracking Client
World Wide Web Publishing Service
Windows Management Instrumentation
Simple Mail Transport Protocol (SMTP)
Windows Management Instrumentation Driver Extensions

----------------------------------------
DOMAIN
----------------------------------------

LSOCORP

[root@localhost snmpenum]#

Not a bad little bit of info. Now, realistically would you see this from outside the firewall, I hope not. But on an internal assessment you may be able to use SNMP to pull off a list of username to try some password attacks, verify patch level, check out what ports are listening, and see running services. All kinds of fun stuff.

another fun tool is snmpwalk. its not for the faint of heart, you need to know what MIB you are looking for otherwise you can get information overload.

Running it with no options will give you usage info:

[root@localhost snmpenum]# snmpwalk
No hostname specified.
USAGE: snmpwalk [OPTIONS] AGENT [OID]

Version: 5.2.1.2
Web: http://www.net-snmp.org/
Email: net-snmp-coders@lists.sourceforge.net

OPTIONS:
-h, --help display this help message
-H display configuration file directives understood
-v 1|2c|3 specifies SNMP version to use
-V, --version display package version number
SNMP Version 1 or 2c specific
-c COMMUNITY set the community string
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA)
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)
-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)
-n CONTEXT set context name (e.g. bridge1)
-u USER-NAME set security name (e.g. bert)
-x PROTOCOL set privacy protocol (DES|AES)
-X PASSPHRASE set privacy protocol pass phrase
-Z BOOTS,TIME set destination engine boots/time
General communication options
-r RETRIES set the number of retries
-t TIMEOUT set the request timeout (in seconds)
Debugging
-d dump input/output packets in hexadecimal
-D TOKEN[,...] turn on debugging output for the specified TOKENs
(ALL gives extremely verbose debugging output)
General options
-m MIB[:...] load given list of MIBs (ALL loads everything)
-M DIR[:...] look in given list of directories for MIBs
-P MIBOPTS Toggle various defaults controlling MIB parsing:
u: allow the use of underlines in MIB symbols
c: disallow the use of "--" to terminate comments
d: save the DESCRIPTIONs of the MIB objects
e: disable errors when MIB symbols conflict
w: enable warnings when MIB symbols conflict
W: enable detailed warnings when MIB symbols conflict
R: replace MIB symbols from latest module
-O OUTOPTS Toggle various defaults controlling output display:
0: print leading 0 for single-digit hex characters
a: print all strings in ascii format
b: do not break OID indexes down
e: print enums numerically
E: escape quotes in string indices
f: print full OIDs on output
n: print OIDs numerically
q: quick print for easier parsing
Q: quick print with equal-signs
s: print only last symbolic element of OID
S: print MIB module-id plus last element
t: print timeticks unparsed as numeric integers
T: print human-readable text along with hex strings
u: print OIDs using UCD-style prefix suppression
U: don't print units
v: print values only (not OID = value)
x: print all strings in hex format
X: extended index format
-I INOPTS Toggle various defaults controlling input parsing:
b: do best/regex matching to find a MIB node
h: don't apply DISPLAY-HINTs
r: do not check values for range/type legality
R: do random access to OID labels
u: top-level OIDs must have '.' prefix (UCD-style)
s SUFFIX: Append all textual OIDs with SUFFIX before parsing
S PREFIX: Prepend all textual OIDs with PREFIX before parsing
-L LOGOPTS Toggle various defaults controlling logging:
e: log to standard error
o: log to standard output
n: don't log at all
f file: log to the specified file
s facility: log to syslog (via the specified facility)

(variants)
[EON] pri: log to standard error, output or /dev/null for level 'pri' and above
[EON] p1-p2: log to standard error, output or /dev/null for levels 'p1' to 'p2'
[FS] pri token: log to file/syslog for level 'pri' and above
[FS] p1-p2 token: log to file/syslog for levels 'p1' to 'p2'
-C APPOPTS Set various application specific behaviours:
p: print the number of variables found
i: include given OID in the search range
I: don't include the given OID, even if no results are returned
c: do not check returned OIDs are increasing
t: Display wall-clock time to complete the request
[root@localhost snmpenum]#

As you can see, its a stout program.

i'll run it against the same box as we did with snmpenum.pl

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 2c
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.2
SNMPv2-MIB::sysUpTime.0 = Timeticks: (887110) 2:27:51.10
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: LSO-DEV
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 76
---BIG BIG SNIP--

we can use grep to narrow down some info. If you have grep kung fu you can use some "cuts" to get just the software name.

Installed Software:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 1 | grep hrSWInstalledName
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "freeSSHd 1.0.9"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "freeFTPd 1.0.8"
HOST-RESOURCES-MIB::hrSWInstalledName.3 = STRING: "CesarFTP 0.99g"
HOST-RESOURCES-MIB::hrSWInstalledName.4 = STRING: "Microsoft SQL Server 2000"
HOST-RESOURCES-MIB::hrSWInstalledName.5 = STRING: "PeerCast (remove only)"
HOST-RESOURCES-MIB::hrSWInstalledName.6 = STRING: "TFTP Server TFTPDWIN version 0.4.2"
HOST-RESOURCES-MIB::hrSWInstalledName.7 = STRING: "Bitvise WinSSHD 4.19 (remove only)"
HOST-RESOURCES-MIB::hrSWInstalledName.8 = STRING: "VMware Tools"
HOST-RESOURCES-MIB::hrSWInstalledName.9 = STRING: "WebFldrs"
HOST-RESOURCES-MIB::hrSWInstalledName.10 = STRING: "UltraVNC v1.0.2"
[root@localhost snmpenum]#

Listening UDP Ports:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 1 | grep udpLocalPort
UDP-MIB::udpLocalPort.0.0.0.0.135 = INTEGER: 135
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.445 = INTEGER: 445
UDP-MIB::udpLocalPort.0.0.0.0.1029 = INTEGER: 1029
UDP-MIB::udpLocalPort.0.0.0.0.1034 = INTEGER: 1034
UDP-MIB::udpLocalPort.0.0.0.0.1434 = INTEGER: 1434
UDP-MIB::udpLocalPort.0.0.0.0.3456 = INTEGER: 3456
UDP-MIB::udpLocalPort.127.0.0.1.1053 = INTEGER: 1053
UDP-MIB::udpLocalPort.192.168.38.200.137 = INTEGER: 137
UDP-MIB::udpLocalPort.192.168.38.200.138 = INTEGER: 138
UDP-MIB::udpLocalPort.192.168.38.200.500 = INTEGER: 500
[root@localhost snmpenum]#

Enumerating users on the box:

[root@localhost snmpenum]# snmpwalk -c public 192.168.38.200 -v 1 1.3 | grep 77.1.2.25
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.65.115.109.105.116.104 = STRING: "Asmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.66.115.109.105.116.104 = STRING: "Bsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.68.115.109.105.116.104 = STRING: "Dsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.69.115.109.105.116.104 = STRING: "Esmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.70.115.109.105.116.104 = STRING: "Fsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.71.115.109.105.116.104 = STRING: "Gsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.72.115.109.105.116.104 = STRING: "Hsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.74.115.109.105.116.104 = STRING: "Jsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.75.115.109.105.116.104 = STRING: "Ksmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.76.115.109.105.116.104 = STRING: "Lsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.77.115.109.105.116.104 = STRING: "Msmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.78.115.109.105.116.104 = STRING: "Nsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.79.115.109.105.116.104 = STRING: "Osmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.80.115.109.105.116.104 = STRING: "Psmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.81.115.109.105.116.104 = STRING: "Qsmith"
SNMPv2-SMI::d.77.1.2.25.1.1.6.82.115.109.105.116.104 = STRING: "Rsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.83.115.109.105.116.104 = STRING: "Ssmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.84.115.109.105.116.104 = STRING: "Tsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.85.115.109.105.116.104 = STRING: "Usmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.86.115.109.105.116.104 = STRING: "Vsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.87.115.109.105.116.104 = STRING: "Wsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.88.115.109.105.116.104 = STRING: "Xsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.89.115.109.105.116.104 = STRING: "Ysmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.90.115.109.105.116.104 = STRING: "Zsmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.99.115.109.105.116.104 = STRING: "csmith"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.6.109.101.97.110.105.101 = STRING: "meanie"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.7.108.105.110.110.101.97.103 = STRING: "linneag"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.14.84.115.73.110.116.101.114.110.101.116.85.115.101.114 = STRING: "TsInternetUser"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.15.73.85.83.82.95.86.73.67.84.73.77.45.87.50.75 = STRING: "IUSR_VICTIM-W2K"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.15.73.87.65.77.95.86.73.67.84.73.77.45.87.50.75 = STRING: "IWAM_VICTIM-W2K"
[root@localhost snmpenum]#

also works on linux but not quite as much info...

[root@localhost snmpenum]#
perl snmpenum.pl 192.168.38.201 public linux.txt

----------------------------------------
UPTIME
----------------------------------------
17 days, 19:00:39.53

----------------------------------------
RUNNING PROCESSES
----------------------------------------
ERROR: No response from remote host '192.168.38.201'

----------------------------------------
MOUNTPOINTS
---------------------------------------
/
/boot
/dev/shm
Real Memory
Swap Space
Memory Buffers

----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
init
keventd
kapmd
ksoftirqd_CPU0
kswapd
kscand/DMA
kscand/Normal
kscand/HighMem
bdflush

----------------------------------------
HOSTNAME
----------------------------------------
redhat.lso.com

----------------------------------------
LISTENING UDP PORTS
----------------------------------------
111
137
138
161
721
32768

----------------------------------------
SYSTEM INFO
----------------------------------------
Linux redhat.lso.com 2.4.20-8 #1 Sat Jul 21 17:54:28 EST 2003 i686

----------------------------------------
LISTENING TCP PORTS
----------------------------------------
21
22
25
80
111
139
143
199
443

LINKS

MS Technet "How SNMP works"

3 comments:

Matt Szafran said...

Cool man, I was jsut playing with SNMP and this was a help :)

Keep up the good work!

zouzou0 said...

not working with me i don't know whts wrong i have backtrack 4 pre final (vmware) and im pinging the other machine nd it's fine also tested if snmp is running on other machine and everything is ok
But when i do " perl snmpenum.pl xxx.xxx.x.x public windows.txt "
gives me no respone from remote host!!!

Anonymous said...

if anyone if having the same problem as zouzou0, this is SOLUTION:

dos2unix linux.txt
dos2unix windows.txt

all .txt need to be converted using dos2unix command

after that, all is well :)