SNMP exploits
Attack tree
1 Sniff cleartext SNMP communications
2 Pose as an SNMP manager
3 Passively or actively inject XSS data or other improperly formatted strings
Example
msf > search snmp
msf > search scanner name:snmp
msf > search exploit name:snmp -S great
Notes
The Simple Network Management Protocol (SNMP) is a protocol used to monitor and manage network devices. SNMP uses UDP port 161.
There are three basic categories of SNMP exploits:
Sniffing cleartext SNMP communications between managers and agents to obtain the community string or information from the devices. This can include statistics about hardware, interface traffic, services, users, groups, route tables, listening ports, running processes, and much more.
Posing as an SNMP manager, providing the correct community string, and enumerating information from SNMP agents.
Exploiting the implicit trust SNMP managers have in the assets they manage. Most network management systems (NMSs) do not carefully validate the input from their agents. An adversary could passively or actively inject XSS data or other improperly formatted strings from the agent to the NMS. These could result in buffer overflows or arbitrary command injection.
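One way an NMS can treat agent-supplied strings as untrusted before displaying them, shown as an added example that is not from the original page. The function names, the sample values, the UTF-8 decoding and the 255-octet cap (the DisplayString size limit) are assumptions.

```python
import html
import unicodedata

# Assumed cap: DisplayString objects such as sysName and sysDescr are limited to 255 octets.
MAX_OCTETS = 255

def sanitize_agent_string(raw: bytes, max_octets: int = MAX_OCTETS):
    """Return (html_safe_text, findings) for one agent-supplied OCTET STRING."""
    findings = []
    if len(raw) > max_octets:                   # oversize values are truncated, never passed on
        findings.append("oversize")
        raw = raw[:max_octets]
    text = raw.decode("utf-8", errors="replace")
    if "\ufffd" in text:
        findings.append("invalid-encoding")
    # Drop control, format and unassigned code points (Unicode categories C*).
    cleaned = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    if cleaned != text:
        findings.append("control-chars")
    escaped = html.escape(cleaned, quote=True)  # neutralise < > & " ' for HTML output
    if escaped != cleaned:
        findings.append("html-metachars")
    return escaped, findings

def review_varbinds(varbinds):
    """Sanitize (name, raw) pairs; return rows for display and alerts for the NMS log."""
    rows, alerts = [], []
    for name, raw in varbinds:
        safe, findings = sanitize_agent_string(raw)
        rows.append((name, safe))
        if findings:
            alerts.append((name, findings))
    return rows, alerts

# Constructed sample values, as an NMS might receive them from polled agents.
SAMPLE = [
    ("sysName", b"core-sw01"),
    ("sysLocation", b"<script>alert(1)</script>"),
    ("sysContact", b"noc\x00\x1b[31m"),
    ("sysDescr", b"A" * 300),
]

if __name__ == "__main__":
    rows, alerts = review_varbinds(SAMPLE)
    for name, safe in rows:
        print(f"{name}: {safe}")
    for name, findings in alerts:
        print(f"ALERT {name}: {', '.join(findings)}")
```

The alerts are worth logging on their own: an agent that suddenly reports markup or control characters in a descriptive field is a signal to investigate that device.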