In this article, we will learn how to gain control over our victim’s SNMP service. There are various ways to do it and let take time and learn all those because different circumstances call for a different measure.
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, smb, several databases, and much more
Now, we need to choose a word list. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.
Run the following command
hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp
-P: denotes the path for the password list
Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the SNMP password as ignite123.
This is the graphical version to apply dictionary attack via SNMP port to hack a system. For this method to work:
Open xHydra in your Kali. And select Single Target option and their give the IP of your victim PC. And select SNMP in the box against Protocol option and give the port number 161 against the port option.
Now, go to Passwords tab and in Username section check the box adjacent to Protocol doesn’t require a username.
Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.
Now go to the specific Tab and in the SNMP and clear the data written in the text box below the SNMP as shown in the given image.
When you will clear all entries it will look like as shown in the next image given below.
After doing this, go to the Start tab and click on the Start button on the left.
Now, the process of dictionary attack will start. Thus, you will obtain the password of your victim.
As you can see that we have the password ignite123 cracked.
Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, SNMP, and VNC to name a few
Run the following command
medusa -M snmp -h 192.168.1.125 –u ignite -P /root/Desktop/pass.txt
-h: denotes host IP
-u: denote a particular user
But Brute forcing SNMP doesn’t require username but medusa doesn’t work without a proper syntax, you can use any username of your choice
–P: denotes the path for the password list
As you can observe that we had successfully grabbed the SNMP password as ignite123.
This module will test SNMP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
Open Kali terminal type msfconsole
use auxiliary/scanner/snmp/snmp_login msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 msf auxiliary(scanner/snmp/snmp_login)> set pass_file /root/Desktop/pass.txt msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true msf auxiliary(scanner/snmp/snmp_login)> run
From given below image you can observe that we had successfully grabbed the SNMP password.
We can also crack the SNMP password using nmap, execute given below command.
nmap -sU –p 161 –n --script snmp-brute 192.168.1.125 --script-args snmp-brute.communitiesdb=/root/Desktop/pass.txt
As you can see above that we have the password cracked as ignite123.
Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies.
onesixtyone 192.168.1.125 -c /root/Desktop/pass.txt
As you can see above that we have the password cracked as ignite123 using onesixtyone
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here