SNMP Configuration


Checking for SNMP configuration after completing basic system analysis. It was also discovered through PEAS.

svc@mentor:~$ ll /etc/snmp
total 20
drwxr-xr-x   3 root root 4096 Nov 10  2022 ./
drwxr-xr-x 108 root root 4096 Dec  5  2022 ../
-rw-r--r--   1 root root  511 Jun  5  2022 snmp.conf
-rw-r--r--   1 root root 3453 Jun  5  2022 snmpd.conf
drwxr-xr-x   2 root root 4096 Apr 21  2022 snmpd.conf.d/

The /etc/snmp directory holds configuration for the SNMP server instance. In particular, the snmpd.conf file

snmpd.conf


svc@mentor:~$ cat /etc/snmp/snmpd.conf | grep -E -v '^(#|$)'
sysLocation    Sitting on the Dock of the Bay
sysContact     Me <admin@mentorquotes.htb>
sysServices    72
master  agentx
agentAddress udp:161,udp6:[::1]:161
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rouser authPrivUser authpriv -V systemonly
includeDir /etc/snmp/snmpd.conf.d
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
access AllGroup "" any noauth exact AllView none none

The snmpd.conf file contains the configuration for the running SNMP server instance:

  1. Agent Information:
    • sysLocation: Specifies the physical location of the SNMP agent.
    • sysContact: Specifies the contact information for the SNMP agent.
    • sysServices: Indicates the set of services that the SNMP agent provides.
  2. Security Configuration:
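    • rocommunity and rocommunity6: Define the read-only community strings (passwords) for SNMPv1/v2c requests arriving over IPv4 and IPv6, respectively. The community string public is often used for read-only access. Here both are restricted to the systemonly view with -V.
    • rouser: Grants read-only access to an SNMPv3 user, with an optional minimum security level and view. Here authPrivUser is limited to the systemonly view, while bootstrap (the user created by createUser with MD5 authentication and DES privacy) is given read-only access with no view restriction.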
  3. Access Control:
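    • com2sec: Maps an SNMPv1/v2c community string from a given source to a security name. Here the community internal, from any source (default), maps to the security name AllUser.
    • group: Assigns a security name to a group under a given security model. Here, AllGroup contains the security name AllUser for the v2c model.
    • view: Defines named subtrees of the OID tree that access rules can reference. SystemView includes the system information under .1.3.6.1.2.1.25.1.1, and AllView includes all MIB objects (.1).
    • access: Binds a group to its read, write and notify views at a minimum security level. Here AllGroup gets read access to AllView at the noauth level, with no write or notify view.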
  4. Miscellaneous:
    • includeDir: Specifies a directory to include additional configuration files.
    • createUser: Creates an SNMPv3 user with authentication and privacy settings.
    • agentAddress: Defines the network address on which the SNMP agent listens.

CLEARTEXT Password


Most importantly, the configuration includes an SNMP directive, createUser, for SNMPv3 authentication, specifying a CLEARTEXT password (SuperSecurePassword123__). On Debian-based systems, the default configuration runs the SNMP daemon (snmpd) under the security context of a dedicated “service” account. This service account is typically disabled as the SNMP daemon functions as a service. Therefore, it’s highly unlikely that the CLEARTEXT password belongs to the SNMP daemon’s service account, raising the possibility of password reuse elsewhere.
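The findings above can be checked mechanically. The following Python audit is an added example, not part of the original notes or of net-snmp: it parses the active directives from the listing on this page and reports cleartext createUser passphrases, MD5/DES users, default community names, and any community that resolves through com2sec, group and access to an unauthenticated read of the whole tree. The function name audit and the finding labels are chosen here, and it assumes the security-model column can be ignored when matching group to access.

```python
import shlex

# Active directives copied from the snmpd.conf listing on this page.
CONF = """\
view systemonly included .1.3.6.1.2.1.1
rocommunity public default -V systemonly
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
view AllView included .1
access AllGroup "" any noauth exact AllView none none
"""

def audit(text):
    """Return sorted (finding, subject) pairs; passphrases are never echoed."""
    views, sec2comm, group_of, out = {}, {}, {}, set()
    rows = [shlex.split(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    for d, *a in rows:                       # pass 1: build the VACM tables
        d = d.lower()
        if d == "view" and a[1] == "included":
            views.setdefault(a[0], []).append(a[2])
        elif d == "com2sec":                 # com2sec [-Cn CTX] SECNAME SOURCE COMMUNITY
            a = a[2:] if a[0] == "-Cn" else a
            sec2comm[a[0]] = (a[2], a[1])
        elif d == "group":                   # group GROUP MODEL SECNAME
            group_of[a[2]] = a[0]
    for d, *a in rows:                       # pass 2: report risky directives
        d = d.lower()
        if d == "createuser":                # createUser [-e ID] USER AUTH PASS [PRIV] [PASS]
            a = a[2:] if a[0] == "-e" else a
            if len(a) >= 3:
                out.add(("cleartext-passphrase", a[0]))
            if {"MD5", "DES"} & {x.upper() for x in a[1:2] + a[3:4]}:
                out.add(("weak-v3-algorithm", a[0]))
        elif d.rstrip("6") in ("rocommunity", "rwcommunity"):
            if a[0] in ("public", "private"):
                out.add(("default-community", a[0]))
        elif d == "access" and a[3] == "noauth" and ".1" in views.get(a[5], []):
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            for sec, grp in group_of.items():
                comm, src = sec2comm.get(sec, (None, None))
                if grp == a[0] and src == "default":
                    out.add(("full-tree-read-any-source", comm))
    return sorted(out)

if __name__ == "__main__":
    for finding, subject in audit(CONF):
        print(f"{finding:28} {subject}")
```

The net-snmp documentation recommends placing createUser lines in the agent's persistent data file rather than /etc/snmp/snmpd.conf, because the agent replaces the passphrase there with a derived key on startup.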

Found the owner of the CLEARTEXT password. Moving on to the Lateral Movement phase.