Password Cracking

Password Cracking: SNMP

In this article, we will demonstrate how to identify and exploit SNMP services using various tools, each suited for different scenarios, from quick brute-force attempts to large-scale automated attacks.

MITRE ATT&CK Techniques:

T1110.001 – Brute Force: Password Guessing

T1046 – Network Service Scanning

T1078 – Valid Accounts

Table of Contents

Introduction

Enumeration

  • Nmap Scan for SNMP

Brute-Force Techniques

  • Hydra
  • Metasploit
  • Medusa
  • Patator
  • Nmap NSE Script (snmp-brute.nse)
  • OneSixtyone

Introduction

SNMP (Simple Network Management Protocol) is a protocol used for managing and monitoring network devices. It operates on UDP port 161 and allows administrators to perform various tasks, such as configuring devices, monitoring performance, and detecting faults. However, SNMP can also be vulnerable to password cracking attacks, especially if default or weak community strings are used.

Enumeration

Nmap Scan

To start the enumeration process, we perform a simple Nmap scan on the target IP address to check for an open SNMP port:

nmap -p161 -sU 192.168.1.13

This scan will help us identify if the target device has an open SNMP port and if it is responding to SNMP requests.

Brute-Force Techniques

Tools Quick Reference

Hydra

Hydra is a fast and flexible tool designed for brute-force password cracking across various protocols, including SNMP. It automates the process of testing community strings from a provided wordlist.

To perform a brute-force attack against an SNMP service using Hydra, use the following command:

hydra -P pass.txt 192.168.1.13 snmp

Explanation:

  • -L users.txt: Would point to a username list; it is omitted here because SNMP authenticates with community strings rather than usernames.
  • -P pass.txt: Specifies the path to the password list (community strings).
  • 192.168.1.13: Target IP address.
  • snmp: Protocol to attack.

Metasploit

Metasploit includes auxiliary modules that can perform brute-force attacks on various services, including SNMP. In this case, we can effectively automate login attempts to find weak or default community strings on target systems.

To perform a brute force attack against an SNMP service using Metasploit, use the following commands:

msf6 > use auxiliary/scanner/snmp/snmp_login
set rhosts 192.168.1.13
set pass_file pass.txt
set verbose false
run

Explanation:

  • use auxiliary/scanner/snmp/snmp_login: Selects the Metasploit module designed for brute-forcing SNMP login credentials.
  • set rhosts 192.168.1.13: Specifies the target machine’s IP address for the scan.
  • set pass_file pass.txt: Defines a file containing potential community strings to try during the brute-force attack.
  • set verbose false: Disables verbose output, reducing on-screen clutter during the attack.

Medusa

Medusa is a speedy, parallel, and modular login brute-forcer that supports multiple protocols, including SNMP. It allows testers to perform dictionary-based attacks against services like SNMP.

To perform a brute-force attack against an SNMP service using Medusa, use the following command:

medusa -h 192.168.1.13 -U users.txt -P pass.txt -M snmp

Explanation:

  • -h 192.168.1.13: Specifies the IP address of the target machine.
  • -U users.txt: Points to a file containing a list of usernames (not applicable for SNMP, as it uses community strings instead).
  • -P pass.txt: Points to a file containing a list of passwords (community strings).
  • -M snmp: Indicates that the SNMP module should be used for this attack.

Patator

Patator is a versatile, multi-threaded brute forcing tool capable of attacking a wide range of protocols, including SNMP. It’s modular, highly customizable, and known for its stability and clear, structured output.

To perform a brute-force attack against an SNMP service using Patator, use the following command:

patator snmp_login host=192.168.1.13 community=FILE0 0=pass.txt

Explanation:

  • patator: Launches the Patator brute force tool.
  • snmp_login: Specifies the module for brute-forcing SNMP community strings (Patator module names are lowercase).
  • host=192.168.1.13: Indicates the target machine’s IP address.
  • community=FILE0 0=pass.txt: Assigns FILE0 as a placeholder for community strings, pulling values from pass.txt.

Nmap NSE Script (snmp-brute.nse)

Nmap is widely recognized as a powerful tool for network scanning and host enumeration. Beyond its core functionality, it features the Nmap Scripting Engine (NSE), a collection of scripts that extend its capabilities to perform a wide range of tasks, including brute-force attacks against services like SNMP.

To perform a brute-force attack against an SNMP service using Nmap, use the following command:

nmap -sU -p 161 -n --script snmp-brute 192.168.1.13 --script-args snmp-brute.communitiesdb=pass.txt

Explanation:

  • -sU: Scans for UDP ports.
  • -p 161: Scans for SNMP service on port 161.
  • --script snmp-brute: Specifies the use of the SNMP brute-force NSE script.
  • --script-args snmp-brute.communitiesdb=pass.txt: Provides the script with your custom community string list.

Onesixtyone

Onesixtyone is a simple and efficient tool for brute-forcing SNMP community strings.

To perform a brute-force attack against an SNMP service using Onesixtyone, use the following command:

onesixtyone 192.168.1.13 -c pass.txt

Explanation:

  • onesixtyone: Launches the Onesixtyone brute force tool.
  • 192.168.1.13: Target IP address.
  • -c pass.txt: Specifies the file containing community strings to try.

Defensive Strategy

To defend against SNMP brute-force attacks, consider the following strategies:

  • Use strong and unique community strings.
  • Limit access to SNMP services using firewalls and access control lists.
  • Monitor for suspicious SNMP activity using intrusion detection systems and log analysis.
  • Implement rate limiting and IP blocking to prevent brute-force attacks.
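The monitoring point above can be made concrete. The following is an added example, not part of the original article: it parses the plaintext community string out of SNMPv1/v2c UDP payloads and flags any source that cycles through many distinct strings, which is what every wordlist tool in this article does and a legitimate poller does not. The sample packets, source addresses and the threshold of five are all constructed for the example.

```python
"""Detect SNMP community-string guessing from captured UDP/161 payloads.
Added example (not from the original article); sample packets are built inline."""
from collections import defaultdict

def tlv(tag, payload):
    """Encode one BER TLV; short-form length only (enough for these samples)."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def build_snmp_request(community, version=1):
    """Minimal SNMPv1/v2c GetRequest with an empty VarBindList (version 0 = v1, 1 = v2c)."""
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_community(payload):
    """Return the plaintext community string of an SNMPv1/v2c message,
    or None for anything else (e.g. SNMPv3, which carries no community)."""
    tag, msg, _ = parse_tlv(payload, 0)
    if tag != 0x30:
        return None
    vtag, version, pos = parse_tlv(msg, 0)
    if vtag != 0x02 or version not in (b"\x00", b"\x01"):
        return None
    ctag, community, _ = parse_tlv(msg, pos)
    return community.decode("latin-1") if ctag == 0x04 else None

def flag_guessing(packets, threshold=5):
    """packets: iterable of (src_ip, udp_payload). A legitimate poller repeats one
    community string; a wordlist run cycles through many. Flag sources above threshold."""
    seen = defaultdict(set)
    for src, payload in packets:
        community = extract_community(payload)
        if community is not None:
            seen[src].add(community)
    return {src: len(c) for src, c in seen.items() if len(c) > threshold}

# Constructed traffic: one host polling normally, another cycling a wordlist.
SAMPLE_PACKETS = [("192.168.1.20", build_snmp_request("monitoring-ro"))] * 10 + [
    ("192.168.1.50", build_snmp_request(c))
    for c in ["public", "private", "admin", "cisco", "manager", "snmp", "secret"]]
```

On real traffic the payloads would come from a capture of UDP/161 at the agent or a span port; SNMPv3 messages are skipped because they carry no community string.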

By understanding how to identify and exploit SNMP services using various tools, you can improve your defensive strategies and protect your network against potential attacks.

SNMP Brute-Force – Offense, Defence & MITRE Mapping

Defence-in-Depth Summary

To learn more about Password Cracking, follow this Link.

Author: Anmol Dev is a Technical Writer, Researcher and Penetration Tester. Contact here: LinkedIn and Twitter.