Cracking SNMP Passwords with Onesixtyone

In a recent tutorial, I showed how the SNMP protocol can be a gold mine of information for reconnaissance on a potential target. If you haven't already, I strongly suggest that you read it before progressing here, as little of this will make much sense without that background.

In Kali, you can find onesixtyone under Applications -> Kali Linux -> Information Gathering -> SNMP Analysis -> onesixtyone. The third line of its help output gives the basic usage syntax.

When using the built-in wordlist dict.txt, onesixtyone finishes its work in short order. Obviously, with longer word lists, this process can be more time consuming. To use another word list, simply replace dict.txt with the full path to the file; Step 3 below shows an example.
The MIB (Management Information Base) that SNMP agents expose contains extensive information about every managed device on the network. SNMPv1 is very insecure (the community string is sent in cleartext and is the only form of authentication), while SNMPv3 adds real authentication and encryption; even so, many companies still use SNMPv1. As a result, the public community string (password) that grants access to SNMP and its MIB is susceptible to cracking. Once the hacker has the SNMP public community string, they have access to all the information available in the SNMP MIB.

Better yet, if we can crack the private community string (password), we can change the settings on any network device—even take it offline. We could then potentially change the configuration settings on switches and routers to our advantage.
In this tutorial, we will be cracking the SNMPv1 community string (password) with one of the best SNMP cracking tools, onesixtyone (SNMP runs on UDP port 161, hence its name).
Step 1: Find Onesixtyone
Onesixtyone—like so many of the best hacking tools—is built into BackTrack and Kali, so there is no need to download and install it if you're running either. We can find onesixtyone by going to BackTrack -> Information Gathering -> Network Analysis -> SNMP and then onesixtyone, as shown in the screenshot below.

Step 2: Open Onesixtyone
When we click on onesixtyone, we will be greeted with a screen like that below. Notice the usage line:

onesixtyone (options) <host> <community>

Where:
- host is the IP address of the system we are targeting
- community is the community string to try; the common defaults are public and private
Very often, if a sysadmin changes the SNMP community string, they will change it to something simple like companyname-public or companyname-private. It's always worth trying these or similar combinations before attempting a password crack.
Step 3: Take It Out for a Spin
Now that we understand the basics of how onesixtyone works, let's try it out. The -c option tells onesixtyone to try every community string in a file; dict.txt is the wordlist that ships with it:

./onesixtyone -c dict.txt 192.168.1.119

Now, all we need to do is hit enter and let onesixtyone do its job! To use another word list, give its full path instead of dict.txt:

./onesixtyone -c /root/anotherwordlist 192.168.1.119 public

As you can see, onesixtyone was able to find both the public and private community strings. The network administrator left both strings at their default values, which is common.
Other possible sources for potential word lists can be found on the web, and some are as big as 5 TB!
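The two points this tutorial rests on, that an SNMPv1/v2c community string travels in cleartext as the only authentication, and that a wordlist run like the one in Step 3 sends one request per guess, can both be seen from the defender's side. The following Python script is an added example, not part of the original tutorial or of the onesixtyone project: it parses the BER-encoded SNMP message header to pull out the community string (which is exactly why an attacker on the wire can read it) and then flags any source address that tried many different community strings, the signature a dictionary run leaves in a capture. The packets, source addresses, guessed words and the threshold of five are all constructed for the example; SNMPv3 messages carry no cleartext community and are deliberately skipped.

```python
"""Spot SNMPv1/v2c community-string guessing by parsing the cleartext header.

Added example (not from the tutorial or onesixtyone): a minimal BER parser for
the SNMP message header plus a per-source counter of distinct community strings.
All packets, addresses and community strings below are constructed for the demo.
"""
from collections import defaultdict


# ---- minimal BER (ASN.1) helpers: SNMPv1 uses only a handful of tags ----

def ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Wrap payload in a tag-length-value triple."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_oid(arcs):
    """Encode an OID: the first two arcs combine, the rest are base-128 groups."""
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        group = bytes([arc & 0x7F])
        arc >>= 7
        while arc:
            group = bytes([0x80 | (arc & 0x7F)]) + group
            arc >>= 7
        out += group
    return out


def build_get_request(community, version=0, request_id=1):
    """Build an SNMPv1 (version=0) or v2c (version=1) GetRequest for sysDescr.0.

    request_id is kept below 128 so the single-byte INTEGER stays positive.
    """
    varbind = tlv(0x30, tlv(0x06, encode_oid((1, 3, 6, 1, 2, 1, 1, 1, 0))) + tlv(0x05, b""))
    pdu = tlv(0xA0,                              # GetRequest-PDU
              tlv(0x02, bytes([request_id])) +   # request-id
              tlv(0x02, b"\x00") +               # error-status
              tlv(0x02, b"\x00") +               # error-index
              tlv(0x30, varbind))                # variable-bindings
    # Message = SEQUENCE { version INTEGER, community OCTET STRING, pdu }
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_community(packet):
    """Return (version, community) for an SNMPv1/v2c packet, else None.

    SNMPv3 (version 3) carries no cleartext community and uses a different
    header SEQUENCE, so it is reported as None on purpose.
    """
    try:
        tag, msg, _ = read_tlv(packet, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = read_tlv(msg, 0)
        if tag != 0x02:
            return None
        version = int.from_bytes(ver, "big")
        if version not in (0, 1):
            return None
        tag, comm, _ = read_tlv(msg, pos)
        if tag != 0x04:
            return None
        return version, comm.decode("latin-1")
    except (IndexError, ValueError):
        return None


def find_guessing_sources(packets, threshold=5):
    """packets: iterable of (src_ip, udp_payload) pairs from port 161 traffic.

    Returns {src_ip: number_of_distinct_communities} for every source that
    tried at least `threshold` different community strings.
    """
    seen = defaultdict(set)
    for src, payload in packets:
        parsed = parse_community(payload)
        if parsed is not None:
            seen[src].add(parsed[1])
    return {src: len(c) for src, c in seen.items() if len(c) >= threshold}


# Constructed traffic: one legitimate poller and one host working through a wordlist.
GUESSES = ["public", "private", "companyname-public", "companyname-private", "snmp", "monitor"]
SAMPLE_PACKETS = [("10.0.0.5", build_get_request("public"))] + [
    ("10.0.0.99", build_get_request(word, request_id=i + 1)) for i, word in enumerate(GUESSES)
]

if __name__ == "__main__":
    for src, count in find_guessing_sources(SAMPLE_PACKETS).items():
        print(f"{src} tried {count} distinct community strings")   # 10.0.0.99 tried 6
```

On a real sensor the (source, payload) pairs would come from a packet capture filtered to UDP destination port 161 (any pcap reader will do); the parser only needs the UDP payload. The threshold is the knob to tune: a legitimate poller uses one community string, so even a low value separates it from a dictionary run, and a source that crosses it is worth correlating with the device's own authenticationFailure traps.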