Table of Contents

Scanner SNMP Auxiliary Modules


snmp_enum

The snmp_enum module performs detailed enumeration of a host or range of hosts via SNMP similar to the standalone tools snmpenum and snmpcheck.

msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version

Although you can pass a range of hosts to this module, the output will become quite cluttered and confusing so it is best to simply do one host at a time.

msf auxiliary(snmp_enum) > set RHOSTS 192.168.1.2
RHOSTS => 192.168.1.2
msf auxiliary(snmp_enum) > run

[*] System information

Hostname                : Netgear-GSM7224
Description             : GSM7224 L2 Managed Gigabit Switch
Contact                 : dookie
Location                : Basement
Uptime snmp             : 56 days, 00:36:28.00
Uptime system           : -
System date             : -

[*] Network information

IP forwarding enabled   :  no
Default TTL             :  64
TCP segments received   :  20782
TCP segments sent       :  9973
TCP segments retrans.   :  9973
Input datagrams         :  4052407
Delivered datagrams     :  1155615
Output datagrams        :  18261

[*] Network interfaces

Interface [ up ] Unit: 1 Slot: 0 Port: 1 Gigabit - Level

	Id              : 1
	Mac address     : 00:0f:b5:fc:bd:24
	Type            : ethernet-csmacd
	Speed           : 1000 Mbps
	Mtu             : 1500
	In octets       : 3716564861
	Out octets      : 675201778
...snip...
[*] Routing information

     Destination         Next hop             Mask           Metric

         0.0.0.0      5.1.168.192          0.0.0.0                1
       1.0.0.127        1.0.0.127  255.255.255.255                0

[*] TCP connections and listening ports

   Local address       Local port   Remote address      Remote port            State

         0.0.0.0               23          0.0.0.0                0           listen
         0.0.0.0               80          0.0.0.0                0           listen
         0.0.0.0             4242          0.0.0.0                0           listen
       1.0.0.127             2222          0.0.0.0                0           listen

[*] Listening UDP ports

   Local address       Local port

         0.0.0.0                0
         0.0.0.0              161
         0.0.0.0              514

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enum) >

snmp_enumshares

The snmp_enumshares module is a simple scanner that will query a range of hosts via SNMP to determine any available shares.

msf > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version >1/2c>

We configure the module by setting our RHOSTS range and THREADS value and let it run.

msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.1.200-210
RHOSTS => 192.168.1.200-210
msf auxiliary(snmp_enumshares) > set THREADS 11
THREADS => 11
msf auxiliary(snmp_enumshares) > run

[+] 192.168.1.201 
	shared_docs -  (C:\Documents and Settings\Administrator\Desktop\shared_docs)
[*] Scanned 02 of 11 hosts (018% complete)
[*] Scanned 03 of 11 hosts (027% complete)
[*] Scanned 05 of 11 hosts (045% complete)
[*] Scanned 07 of 11 hosts (063% complete)
[*] Scanned 09 of 11 hosts (081% complete)
[*] Scanned 11 of 11 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enumshares) >

snmp_enumusers

The snmp_enumusers module queries a range of hosts via SNMP and gathers a list of usernames on the remote system.

msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > show options

Module options:

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMUNITY  public           yes       SNMP Community String
   RETRIES    1                yes       SNMP Retries
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      161              yes       The target port
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    1                yes       SNMP Timeout
   VERSION    1                yes       SNMP Version >1/2c>

As with most auxiliary modules, we set our RHOSTS and THREADS value and launch it.

msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.1.200-211
RHOSTS => 192.168.1.200-211
msf auxiliary(snmp_enumusers) > set THREADS 11
THREADS => 11
msf auxiliary(snmp_enumusers) > run

[+] 192.168.1.201 Found Users: ASPNET, Administrator, Guest, HelpAssistant, SUPPORT_388945a0, victim 
[*] Scanned 02 of 12 hosts (016% complete)
[*] Scanned 05 of 12 hosts (041% complete)
[*] Scanned 06 of 12 hosts (050% complete)
[*] Scanned 07 of 12 hosts (058% complete)
[*] Scanned 08 of 12 hosts (066% complete)
[*] Scanned 09 of 12 hosts (075% complete)
[*] Scanned 11 of 12 hosts (091% complete)
[*] Scanned 12 of 12 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enumusers) >

snmp_login

The snmp_login scanner is a module that scans a range of IP addresses to determine the community string for SNMP-enabled devices.

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > show options

Module options (auxiliary/scanner/snmp/snmp_login):

   Name              Current Setting                                                       Required  Description
   ----              ---------------                                                       --------  -----------
   BLANK_PASSWORDS   false                                                                 no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                     yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                 no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                 no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                 no        Add all users in the current database to the list
   PASSWORD                                                                                no        The password to test
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
   RHOSTS                                                                                  yes       The target address range or CIDR identifier
   RPORT             161                                                                   yes       The target port
   STOP_ON_SUCCESS   false                                                                 yes       Stop guessing when a credential works for a host
   THREADS           1                                                                     yes       The number of concurrent threads
   USER_AS_PASS      false                                                                 no        Try the username as the password for all users
   VERBOSE           true                                                                  yes       Whether to print output for all attempts
   VERSION           1                                                                     yes       The SNMP version to scan (Accepted: 1, 2c, all)

We set our RHOSTS and THREADS values while using the default wordlist and let the scanner run.

msf auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(snmp_login) > set THREADS 254
THREADS => 254
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[*] Validating scan results from 2 hosts...
[*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
[*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >

Our quick SNMP sweep found both the default public and private community strings of two devices on our network. This module can also be a useful tool for network administrators to identify attached devices that are insecurely configured.