SNMP


Nmap discovered an SNMP server on the target, listening on UDP port 161.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ sudo nmap -Pn -sU -sC -sV -p161 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-06 14:42 CET
Nmap scan report for 192.168.122.113
Host is up (0.026s latency).
 
PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 3222a772a330d15f00000000
|   snmpEngineBoots: 8
|_  snmpEngineTime: 2h07m32s
| snmp-sysdescr: Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64
|_  System uptime: 2h07m32.74s (765274 timeticks)
Service Info: Host: escape
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

An additional Nmap scan (snmp-brute) and a Hydra run do not return much more information:

┌──(kali㉿kali)-[~/Tools/CDK]
└─$ sudo nmap -sU --script snmp-brute -p161 $IP
[sudo] password for kali: 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-06 14:44 CET
Nmap scan report for 192.168.122.113
Host is up (0.029s latency).
 
PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials
 
Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds
 
┌──(kali㉿kali)-[~/Tools/CDK]
└─$ hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt snmp://$IP
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-06 14:45:25
[DATA] max 16 tasks per 1 server, overall 16 tasks, 3217 login tries (l:1/p:3217), ~202 tries per task
[DATA] attacking snmp://192.168.122.113:161/
[161][snmp] host: 192.168.122.113   password: public
[STATUS] attack finished for 192.168.122.113 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-06 14:45:25

The server uses the default community string, public.

Enumeration


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ python2 snmpbrute.py -t $IP -c public --linux
   _____ _   ____  _______     ____             __     
  / ___// | / /  |/  / __ \   / __ )_______  __/ /____ 
  \__ \/  |/ / /|_/ / /_/ /  / __  / ___/ / / / __/ _ \
 ___/ / /|  / /  / / ____/  / /_/ / /  / /_/ / /_/  __/
/____/_/ |_/_/  /_/_/      /_____/_/   \__,_/\__/\___/ 
 
SNMP Bruteforce & Enumeration Script v1.0b
http://www.secforce.com / nikos.vassakis <at> secforce.com
###############################################################
 
Trying 1 community strings ...
Waiting for late packets (CTRL+C to stop)
192.168.122.113 : 161 	Version (v1):	public
192.168.122.113 : 161 	Version (v2c):	public
 
Trying identified strings for READ-WRITE ...
 
Identified Community strings
	0) 192.168.122.113 public (v1)(RO)
	1) 192.168.122.113 public (v2c)(RO)
Select Community to Enumerate [0]:
 
Enumerating with READ-WRITE Community string: public (v1)
################## Enumerating MOUNTPOINTS Table using: 1.3.6.1.2.1.25.2.3.1.3 (MountPoints)
	INFO
	----	
	End of MIB
 
 
################## Enumerating UPTIME Table using: 1.3.6.1.2.1.1.3 (UpTime)
	INFO
	----	
	Timeticks: (813018) 2:15:30.18
 
 
################## Enumerating SYSTEM INFO Table using: 1.3.6.1.2.1.1 (System Info)
	INFO
	----	
	STRING: "Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64"
	OID: iso.3.6.1.4.1.8072.3.2.10
	Timeticks: (813029) 2:15:30.29
	STRING: "Me <me@example.org>"
	STRING: "escape"
	STRING: "Sitting on the Dock of the Bay"
	INTEGER: 72
	Timeticks: (94) 0:00:00.94
	OID: iso.3.6.1.6.3.11.3.1.1
	OID: iso.3.6.1.6.3.15.2.1.1
	OID: iso.3.6.1.6.3.10.3.1.1
	OID: iso.3.6.1.6.3.1
	OID: iso.3.6.1.6.3.16.2.2.1
	OID: iso.3.6.1.2.1.49
	OID: iso.3.6.1.2.1.4
	OID: iso.3.6.1.2.1.50
	OID: iso.3.6.1.6.3.13.3.1.3
	OID: iso.3.6.1.2.1.92
	STRING: "The MIB for Message Processing and Dispatching."
	STRING: "The management information definitions for the SNMP User-based Security Model."
	STRING: "The SNMP Management Architecture MIB."
	STRING: "The MIB module for SNMPv2 entities"
	STRING: "View-based Access Control Model for SNMP."
	STRING: "The MIB module for managing TCP implementations"
	STRING: "The MIB module for managing IP and ICMP implementations"
	STRING: "The MIB module for managing UDP implementations"
	STRING: "The MIB modules for managing SNMP Notification, plus filtering."
	STRING: "The MIB module for logging SNMP Notifications."
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
 
 
################## Enumerating RUNNING PROCESSES Table using: 1.3.6.1.2.1.25.4.2.1.2 (Running Processes)
	INFO
	----	
	End of MIB
 
 
################## Enumerating LISTENING TCP PORTS Table using: 1.3.6.1.2.1.6.13.1.3.0.0.0.0 (Listening TCP Ports)
	INFO
	----	
 
 
################## Enumerating RUNNING SOFTWARE PATHS Table using: 1.3.6.1.2.1.25.4.2.1.4 (Running Software Paths)
	INFO
	----	
	End of MIB
 
 
################## Enumerating HOSTNAME Table using: 1.3.6.1.2.1.1.5 (Hostname)
	INFO
	----	
	STRING: "escape"
 
 
################## Enumerating LISTENING UDP PORTS Table using: 1.3.6.1.2.1.7.5.1.2.0.0.0.0 (Listening UDP Ports)
	INFO
	----	
 
 
Get Cisco Config (y/N):
Enumerate with different community? (y/N):y
 
Identified Community strings
	0) 192.168.122.113 public (v1)(RO)
	1) 192.168.122.113 public (v2c)(RO)
Select Community to Enumerate [0]:1
 
Enumerating with READ-WRITE Community string: public (v2c)
################## Enumerating MOUNTPOINTS Table using: 1.3.6.1.2.1.25.2.3.1.3 (MountPoints)
	INFO
	----	
	No more variables left in this MIB View (It is past the end of the MIB tree)
 
 
################## Enumerating UPTIME Table using: 1.3.6.1.2.1.1.3 (UpTime)
	INFO
	----	
	Timeticks: (813874) 2:15:38.74
 
 
################## Enumerating SYSTEM INFO Table using: 1.3.6.1.2.1.1 (System Info)
	INFO
	----	
	STRING: "Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64"
	OID: iso.3.6.1.4.1.8072.3.2.10
	Timeticks: (813885) 2:15:38.85
	STRING: "Me <me@example.org>"
	STRING: "escape"
	STRING: "Sitting on the Dock of the Bay"
	INTEGER: 72
	Timeticks: (94) 0:00:00.94
	OID: iso.3.6.1.6.3.11.3.1.1
	OID: iso.3.6.1.6.3.15.2.1.1
	OID: iso.3.6.1.6.3.10.3.1.1
	OID: iso.3.6.1.6.3.1
	OID: iso.3.6.1.6.3.16.2.2.1
	OID: iso.3.6.1.2.1.49
	OID: iso.3.6.1.2.1.4
	OID: iso.3.6.1.2.1.50
	OID: iso.3.6.1.6.3.13.3.1.3
	OID: iso.3.6.1.2.1.92
	STRING: "The MIB for Message Processing and Dispatching."
	STRING: "The management information definitions for the SNMP User-based Security Model."
	STRING: "The SNMP Management Architecture MIB."
	STRING: "The MIB module for SNMPv2 entities"
	STRING: "View-based Access Control Model for SNMP."
	STRING: "The MIB module for managing TCP implementations"
	STRING: "The MIB module for managing IP and ICMP implementations"
	STRING: "The MIB module for managing UDP implementations"
	STRING: "The MIB modules for managing SNMP Notification, plus filtering."
	STRING: "The MIB module for logging SNMP Notifications."
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
	Timeticks: (94) 0:00:00.94
 
 
################## Enumerating RUNNING PROCESSES Table using: 1.3.6.1.2.1.25.4.2.1.2 (Running Processes)
	INFO
	----	
	No more variables left in this MIB View (It is past the end of the MIB tree)
 
 
################## Enumerating LISTENING TCP PORTS Table using: 1.3.6.1.2.1.6.13.1.3.0.0.0.0 (Listening TCP Ports)
	INFO
	----	
	No Such Object available on this agent at this OID
 
 
################## Enumerating RUNNING SOFTWARE PATHS Table using: 1.3.6.1.2.1.25.4.2.1.4 (Running Software Paths)
	INFO
	----	
	No more variables left in this MIB View (It is past the end of the MIB tree)
 
 
################## Enumerating HOSTNAME Table using: 1.3.6.1.2.1.1.5 (Hostname)
	INFO
	----	
	STRING: "escape"
 
 
################## Enumerating LISTENING UDP PORTS Table using: 1.3.6.1.2.1.7.5.1.2.0.0.0.0 (Listening UDP Ports)
	INFO
	----	
	No Such Object available on this agent at this OID
 
 
Get Cisco Config (y/N):
Enumerate with different community? (y/N):

N/A

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ snmp-check -p 161 -c public -v 1 $IP -w 
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
[+] Try to connect to 192.168.122.113:161 using SNMPv1 and community 'public'
[+] Write access check enabled
 
[*] Write access not permitted!
[*] System information:
 
  Host IP address               : 192.168.122.113
  Hostname                      : escape
  Description                   : Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64
  Contact                       : Me <me@example.org>
  Location                      : Sitting on the Dock of the Bay
  Uptime snmp                   : 02:13:28.07
  Uptime system                 : 02:12:59.89
  System date                   : 2025-3-6 08:48:10.0
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ snmp-check -p 161 -c public -v 2c $IP -w  
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
[+] Try to connect to 192.168.122.113:161 using SNMPv2c and community 'public'
[+] Write access check enabled
 
[*] Write access not permitted!
[*] System information:
 
  Host IP address               : 192.168.122.113
  Hostname                      : escape
  Description                   : Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64
  Contact                       : Me <me@example.org>
  Location                      : Sitting on the Dock of the Bay
  Uptime snmp                   : 02:13:19.98
  Uptime system                 : 02:12:51.80
  System date                   : 2025-3-6 08:48:02.0
 
[*] Network information:
 
  Default TTL                   : noSuchObject
  TCP segments received         : noSuchObject
  TCP segments sent             : noSuchObject
  TCP segments retrans          : noSuchObject
  Input datagrams               : noSuchObject
  Delivered datagrams           : noSuchObject
  Output datagrams              : noSuchObject
 
[*] File system information:
 
  Index                         : noSuchObject
  Mount point                   : noSuchObject
  Access                        : noSuchObject
  Bootable                      : noSuchObject
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ snmpwalk -v 1 -c public $IP .1                         
iso.3.6.1.2.1.1.1.0 = STRING: "Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (788700) 2:11:27.00
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.5.0 = STRING: "escape"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (94) 0:00:00.94
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (791615) 2:11:56.15
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 03 06 08 2E 27 00 2D 05 00 
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-4.15.0-124-generic root=UUID=4676bbd8-1129-41ca-b3ba-8cd344834c03 ro
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 172
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB

Not much information is available.
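
Added example (not part of the original notes): a short Python parser for the snmpwalk output above that counts what the public community returns in each subtree the tools queried and lists the host-describing values it discloses, which is what a defender would review before narrowing the agent's view. The sample lines are copied from the walk on this page; the function names and the choice of scalars to review are assumptions of this example.

```python
import re

# Constructed sample: a subset of lines copied from the snmpwalk output above.
WALK = '''\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "Me <me@example.org>"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (791615) 2:11:56.15
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-4.15.0-124-generic root=UUID=4676bbd8-1129-41ca-b3ba-8cd344834c03 ro
"
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 172
End of MIB
'''
# Subtrees the tools above queried (standard MIB-II / HOST-RESOURCES-MIB names).
SUBTREES = {'1.3.6.1.2.1.1': 'system', '1.3.6.1.2.1.25.1': 'hrSystem',
            '1.3.6.1.2.1.25.2': 'hrStorage', '1.3.6.1.2.1.25.4': 'hrSWRun',
            '1.3.6.1.2.1.6': 'tcp', '1.3.6.1.2.1.7': 'udp'}
# Scalars chosen for review (an assumption): they describe the host to any reader.
DISCLOSING = {'1.3.6.1.2.1.1.1.0': 'sysDescr', '1.3.6.1.2.1.1.4.0': 'sysContact',
              '1.3.6.1.2.1.1.6.0': 'sysLocation',
              '1.3.6.1.2.1.25.1.4.0': 'hrSystemInitialLoadParameters'}
VARBIND = re.compile(r'^(?:iso|\.?1)\.([\d.]+) = (?:([\w-]+): ?)?(.*)$')

def parse_walk(text):
    """Return {oid: (type, value)}; a line that starts no new varbind is
    appended to the previous value (multi-line strings such as the boot args)."""
    out, last = {}, None
    for line in text.splitlines():
        m = VARBIND.match(line)
        if m:
            last = '1.' + m.group(1)
            out[last] = (m.group(2), m.group(3))
        elif last and line.strip() != 'End of MIB':
            out[last] = (out[last][0], out[last][1] + '\n' + line)
    return out

def exposure(varbinds):
    """Count returned objects per queried subtree; 0 means nothing came back."""
    return {name: sum(o.startswith(p + '.') for o in varbinds)
            for p, name in SUBTREES.items()}

def disclosed(varbinds):
    """Map the reviewed scalars that were returned to their cleaned values."""
    return {name: varbinds[oid][1].strip().strip('"').strip()
            for oid, name in DISCLOSING.items() if oid in varbinds}

if __name__ == '__main__':
    print(exposure(parse_walk(WALK)), disclosed(parse_walk(WALK)), sep='\n')
```

On this sample only the system and hrSystem subtrees return objects, matching the empty storage, process and TCP/UDP tables reported by the tools above.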