-
Notifications
You must be signed in to change notification settings - Fork 35
/
Target.Host.Service.SNMP.txt
94 lines (61 loc) · 3.09 KB
/
Target.Host.Service.SNMP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
`` Scanning
`` Network discovery
~$ nmap -sU -sV -p 161 VAR_TARGET_RANGE
~$ onesixtyone -s -o VAR_FILENAME VAR_TARGET_CIDR
~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt VAR_TARGET_HOST
~$ hydra -P /usr/share/seclists/Discovery/SNMP/snmp.txt -V VAR_TARGET_HOST snmp
`` Basic
~$ nmap -v -sV -Pn -sU -p 161,162 --script snmp-info,snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users VAR_TARGET_HOST
`` Extended
~$ python ./snmpbrute.py -t VAR_TARGET_HOST -f /usr/share/seclists/Discovery/SNMP/snmp.txt
~$ xprobe2 -v -p udp:161:open VAR_TARGET_HOST
~$ snmp-check VAR_TARGET_HOST -c public
`` FTP Bounce scanning
~$ nmap VAR_TARGET_HOST -b VAR_FTP_HOST -Pn -n -g 88 -v -sU -p 161,162 --script snmp-netstat,snmp-processes
`` Network range
#!/bin/bash
for ip in $(cat ip_list.txt); do
echo $ip;
for str in $(cat /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt); do
if snmpwalk -OsS -v 1 -c $str $ip > $ip.snmpwalk; then
break
fi
done;
done
`` Table
- 1.3.6.1.2.1.25.1.6.0 - System Processes
- 1.3.6.1.2.1.25.2.3.1.4 - Storage Units
- 1.3.6.1.2.1.25.4.2.1.2 - Running Programs
- 1.3.6.1.2.1.25.4.2.1.4 - Processes Path
- 1.3.6.1.2.1.25.6.3.1.2 - Software Name
- 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
- 1.3.6.1.4.1.77.1.2.25 - User Accounts
`` Community strings
- /usr/share/wordlists/fasttrack.txt
`` Community string bruteforcing
~$ nmap -sU VAR_TARGET_HOST -p 161 --script snmp-brute -Pn --script-args snmp-brute.communitiesdb=/usr/share/wordlists/fasttrack.txt
~$ onesixtyone -c /usr/share/wordlists/dirb/small.txt VAR_TARGET_HOST
~$ for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt);do snmpwalk -v 1 -c $i VAR_TARGET_HOST;done| grep -v "Timeout"
~$ echo public > community-strings.txt
~$ echo private >> community-strings.txt
~$ echo manager >> community-strings.txt
~$ for ip in $(seq 1 254);do echo VAR_TARGET_HOST_BASE.$ip;done > ips
~$ onesixtyone -c community-strings.txt -i ips
~$ hydra -P password-file.txt -V VAR_TARGET_HOST snmp
`` Community string checks
~$ snmp-check VAR_TARGET_HOST -c public
~$ snmpget -v 1 -c public VAR_TARGET_HOST
~$ snmpwalk -v 1 -c public VAR_TARGET_HOST
~$ snmpbulkwalk -v2c -c public -Cn0 -Cr10 VAR_TARGET_HOST
`` Windows users
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.25
`` Running processes
~$ snmpwalk -c public -v1 VAR_TARGET_HOST P 1.3.6.1.2.1.25.4.2.1.2
`` Open TCP ports
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.6.13.1.3
`` Installed software
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.25.6.3.1.2
`` Shares
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.3.1.1
`` Password Bruteforcing
~$ hydra -P VAR_WORDLIST -V VAR_TARGET_HOST snmp