HOWTO use NMAP for SNMP Enumeration

Here’s an example of using NMAP scanning UDP open port of 161 for SNMP protocol.

root@kali:~# nmap -sU –open -p 161 10.11.1.200-254

Starting Nmap 6.47 ( http://nmap.org ) at 2016-07-22 16:44 EDT
Nmap scan report for 10.11.1.218
Host is up (0.041s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
MAC Address: 00:50:56:89:53:4B (VMware)

Nmap scan report for 10.11.1.219
Host is up (0.047s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
MAC Address: 00:50:56:89:35:90 (VMware)

Nmap scan report for 10.11.1.221
Host is up (0.041s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
MAC Address: 00:50:56:89:5E:D2 (VMware)

Alternative tool such as “onesixtyone” is available in Kali Linux distribution.

root@kali:~# onesixtyone
onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information

-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100

Take note of -c and -i parameter, we will use this parameters in a script.

First create a community file, for example using public, private and manager which are the common SNMP community names.

root@kali:~# nano community
root@kali:~# cat community
public
private
manager

Create a list of ip address as input value. The command below is to create a for loop sequence from 200 to 254, do echo 10.11.1.$ip using my test network and place it to ips input file.

root@kali:~# for ip in $(seq 200 254);do echo 10.11.1.$ip;done > ips
root@kali:~#

Once these two files are ready, then I can use the “onesixtyone” tool to execute the following command. #onesixtyone -c community -i ips [enter]

root@kali:~# onesixtyone -c community -i ips
Scanning 55 hosts, 3 communities
10.11.1.227 [public] Hardware: x86 Family 6 Model 12 Stepping 2 AT/AT COMPATIBLE – Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

Well, I found one public community string in my test lab. From here we can continue to query the SNMP for more useful information about the target lab network.

Using SNMPWalk to read community public string.

Example command, #snmpwalk -c public -v1 10.11.1.227, running snmpwalk tool using public community string with version 1 to the target server 10.11.1227.

root@kali:~# snmpwalk -c public -v1 10.11.1.227
iso.3.6.1.2.1.1.1.0 = STRING: “Hardware: x86 Family 6 Model 12 Stepping 2 AT/AT COMPATIBLE – Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)”
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.2
iso.3.6.1.2.1.1.3.0 = Timeticks: (221409) 0:36:54.09
iso.3.6.1.2.1.1.4.0 = “”
iso.3.6.1.2.1.1.5.0 = STRING: “JD”
iso.3.6.1.2.1.1.6.0 = “”
iso.3.6.1.2.1.1.7.0 = INTEGER: 76
iso.3.6.1.2.1.2.1.0 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1
iso.3.6.1.2.1.2.2.1.1.16777219 = INTEGER: 16777219
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 4D 53 20 54 43 50 20 4C 6F 6F 70 62 61 63 6B 20
69 6E 74 65 72 66 61 63 65 00
iso.3.6.1.2.1.2.2.1.2.16777219 = Hex-STRING: 56 4D 77 61 72 65 20 41 63 63 65 6C 65 72 61 74
65 64 20 41 4D 44 20 50 43 4E 65 74 20 41 64 61
70 74 65 72 00
iso.3.6.1.2.1.2.2.1.3.1 = INTEGER: 24
iso.3.6.1.2.1.2.2.1.3.16777219 = INTEGER: 6
iso.3.6.1.2.1.2.2.1.4.1 = INTEGER: 1500
iso.3.6.1.2.1.2.2.1.4.16777219 = INTEGER: 1500
iso.3.6.1.2.1.2.2.1.5.1 = Gauge32: 10000000
iso.3.6.1.2.1.2.2.1.5.16777219 = Gauge32: 1000000000

This will continue to go on with wealth of information about your target machine. Now, let’s try something else using mib-values parameters.

mib-values examples:

1.3.6.1.2.1.25.4.2.1.2 Running Programs

1.3.6.1.2.1.6.13.1.3 TCP Local Ports

1.3.6.1.2.1.25.6.3.1.2 Running Programs

Let check the running programs to our target lab machine.

root@kali:~# snmpwalk -c public -v1 10.11.1.227 1.3.6.1.2.1.25.4.2.1.2
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: “System Idle Process”
iso.3.6.1.2.1.25.4.2.1.2.8 = STRING: “System”
iso.3.6.1.2.1.25.4.2.1.2.172 = STRING: “smss.exe”
iso.3.6.1.2.1.25.4.2.1.2.200 = STRING: “csrss.exe”
iso.3.6.1.2.1.25.4.2.1.2.216 = STRING: “WINLOGON.EXE”
iso.3.6.1.2.1.25.4.2.1.2.244 = STRING: “services.exe”
iso.3.6.1.2.1.25.4.2.1.2.256 = STRING: “LSASS.EXE”
iso.3.6.1.2.1.25.4.2.1.2.448 = STRING: “svchost.exe”
iso.3.6.1.2.1.25.4.2.1.2.476 = STRING: “SPOOLSV.EXE”
iso.3.6.1.2.1.25.4.2.1.2.508 = STRING: “msdtc.exe”
iso.3.6.1.2.1.25.4.2.1.2.612 = STRING: “svchost.exe”
iso.3.6.1.2.1.25.4.2.1.2.640 = STRING: “LLSSRV.EXE”
iso.3.6.1.2.1.25.4.2.1.2.676 = STRING: “sqlservr.exe”
iso.3.6.1.2.1.25.4.2.1.2.744 = STRING: “regsvc.exe”
iso.3.6.1.2.1.25.4.2.1.2.772 = STRING: “mstask.exe”
iso.3.6.1.2.1.25.4.2.1.2.808 = STRING: “snmp.exe”
iso.3.6.1.2.1.25.4.2.1.2.856 = STRING: “vmtoolsd.exe”
iso.3.6.1.2.1.25.4.2.1.2.928 = STRING: “winmgmt.exe”
iso.3.6.1.2.1.25.4.2.1.2.944 = STRING: “winvnc4.exe”
iso.3.6.1.2.1.25.4.2.1.2.956 = STRING: “svchost.exe”
iso.3.6.1.2.1.25.4.2.1.2.988 = STRING: “mssearch.exe”
iso.3.6.1.2.1.25.4.2.1.2.1168 = STRING: “dfssvc.exe”
iso.3.6.1.2.1.25.4.2.1.2.1356 = STRING: “sqlagent.exe”
iso.3.6.1.2.1.25.4.2.1.2.1416 = STRING: “inetinfo.exe”
iso.3.6.1.2.1.25.4.2.1.2.1624 = STRING: “svchost.exe”
iso.3.6.1.2.1.25.4.2.1.2.1692 = STRING: “dllhost.exe”

Now let’s check the list of open ports.

root@kali:~# snmpwalk -c public -v1 10.11.1.227 1.3.6.1.2.1.6.13.1.3
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.18446 = INTEGER: 21
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.25.0.0.0.0.18681 = INTEGER: 25
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.10310 = INTEGER: 80
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.2176 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.443.0.0.0.0.18563 = INTEGER: 443
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.2272 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1025.0.0.0.0.18510 = INTEGER: 1025
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1026.0.0.0.0.2162 = INTEGER: 1026
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1035.0.0.0.0.2057 = INTEGER: 1035
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1053.0.0.0.0.2208 = INTEGER: 1053
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3372.0.0.0.0.34824 = INTEGER: 3372
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.5800.0.0.0.0.26725 = INTEGER: 5800
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.5900.0.0.0.0.18514 = INTEGER: 5900
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.6532.0.0.0.0.2144 = INTEGER: 6532
iso.3.6.1.2.1.6.13.1.3.10.11.1.227.21.10.11.0.49.43152 = INTEGER: 21
iso.3.6.1.2.1.6.13.1.3.10.11.1.227.139.0.0.0.0.26743 = INTEGER: 139
iso.3.6.1.2.1.6.13.1.3.10.11.1.227.1055.10.11.0.49.50723 = INTEGER: 1055
iso.3.6.1.2.1.6.13.1.3.10.11.1.227.27900.0.0.0.0.18556 = INTEGER: 27900
iso.3.6.1.2.1.6.13.1.3.127.0.0.1.27900.0.0.0.0.18588 = INTEGER: 27900

The results show a lot of open ports including 135, 443, 445, etc.

Next, let’s check the list of installed software to our test lab machine.

root@kali:~# snmpwalk -c public -v1 10.11.1.227 1.3.6.1.2.1.25.6.3.1.2
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: “Windows 2000 Hotfix (SP4) KB810217”
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: “Windows 2000 Hotfix (SP4) KB817606”
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: “Windows 2000 Hotfix – KB819696”
iso.3.6.1.2.1.25.6.3.1.2.4 = STRING: “Windows 2000 Hotfix – KB823182”
iso.3.6.1.2.1.25.6.3.1.2.5 = STRING: “Windows 2000 Hotfix – KB823559”
iso.3.6.1.2.1.25.6.3.1.2.6 = STRING: “Windows 2000 Hotfix – KB824105”
iso.3.6.1.2.1.25.6.3.1.2.7 = STRING: “Windows 2000 Hotfix – KB824151”
iso.3.6.1.2.1.25.6.3.1.2.8 = STRING: “Windows 2000 Hotfix – KB826232”
iso.3.6.1.2.1.25.6.3.1.2.9 = STRING: “Windows 2000 Hotfix – KB828035”
iso.3.6.1.2.1.25.6.3.1.2.10 = STRING: “Windows 2000 Hotfix – KB828741”
iso.3.6.1.2.1.25.6.3.1.2.11 = STRING: “Windows 2000 Hotfix – KB828749”
iso.3.6.1.2.1.25.6.3.1.2.12 = STRING: “Windows 2000 Hotfix – KB835732”
iso.3.6.1.2.1.25.6.3.1.2.13 = STRING: “Windows 2000 Hotfix – KB837001”
iso.3.6.1.2.1.25.6.3.1.2.14 = STRING: “Windows 2000 Hotfix – KB839643”
iso.3.6.1.2.1.25.6.3.1.2.15 = STRING: “Windows 2000 Hotfix – KB839645”
iso.3.6.1.2.1.25.6.3.1.2.16 = STRING: “Windows 2000 Hotfix – KB840987”
iso.3.6.1.2.1.25.6.3.1.2.17 = STRING: “Windows 2000 Hotfix – KB841356”
iso.3.6.1.2.1.25.6.3.1.2.18 = STRING: “Windows 2000 Hotfix – KB841533”
iso.3.6.1.2.1.25.6.3.1.2.19 = STRING: “Windows 2000 Hotfix – KB841872”
iso.3.6.1.2.1.25.6.3.1.2.20 = STRING: “Windows 2000 Hotfix – KB841873”
iso.3.6.1.2.1.25.6.3.1.2.21 = STRING: “Windows 2000 Hotfix – KB842526”
iso.3.6.1.2.1.25.6.3.1.2.22 = STRING: “Windows 2000 Hotfix – KB842773”
iso.3.6.1.2.1.25.6.3.1.2.23 = STRING: “Microsoft Data Access Components KB870669”
iso.3.6.1.2.1.25.6.3.1.2.24 = STRING: “Windows 2000 Hotfix – KB871250”

 

Please continue reading other HOWTO articles.

EM @QUE.COM

Founder, QUE.COM Game Studios. | Founder, Yehey.com a Shout for Joy! |
MAJ.COM Management of Assets and Joint Venture |

More at KING.NET Ideas to Life | Network of Innovation |

Send your Tip to my Bitcoin/Ethereum or other crypto currency.

Leave a Reply