161,162,10161,10162 - SNMP
VERSIONS
There are two important versions of SNMP:
- SNMPv1: the main one and still the most common. Authentication is a string (the community string) that travels in plain text, as does all the other information. Versions 2 and 2c also send their traffic in plain text and also use a community string for authentication.
- SNMPv3: uses a stronger authentication scheme and the information travels encrypted (a dictionary attack could still be performed, but finding the correct credentials is much harder than in SNMPv1 and v2).
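The version notes above explain why v1/v2c community strings are weak (plain-text, often left at their defaults) and why v3 with encryption is preferred. As an added example that is not from this page, the following script audits a net-snmp snmpd.conf for exactly those settings and shows a weak configuration next to a hardened SNMPv3 authPriv one. Both configuration texts are constructed for the example; the directive syntax (rocommunity/rwcommunity/com2sec, rouser/rwuser, agentAddress, view) is net-snmp's, and the severity labels are the example's own.

```python
"""Audit a net-snmp snmpd.conf for the SNMPv1/v2c weaknesses described above.

Added example, not part of the original page. The two configuration texts are
constructed; the directive syntax is net-snmp's (rocommunity/rwcommunity/com2sec,
rouser/rwuser, agentAddress, view).
"""
import re

# Constructed: a typical default-style configuration (SNMPv1/v2c, well-known community strings).
WEAK_CONF = """\
# default-style snmpd.conf (constructed)
rocommunity public
rwcommunity private 10.0.0.0/8
agentAddress udp:161
"""

# Constructed hardened equivalent: SNMPv3 only, authPriv, read-only, restricted view.
# The v3 user itself is created separately (createUser with SHA/AES in the persistent
# snmpd.conf, or net-snmp-create-v3-user); that step is not shown here.
HARDENED_CONF = """\
# hardened snmpd.conf (constructed)
agentAddress udp:127.0.0.1:161,udp:10.0.0.5:161
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rouser monitor priv -V systemonly
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}
V3_LEVELS = ("noauth", "auth", "priv")
ANY_INTERFACE = re.compile(r"(?:udp|tcp|udp6|tcp6):\d+")   # "udp:161" = every interface


def audit_snmpd_conf(text):
    """Return a list of (line, severity, message) findings for an snmpd.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]

        if directive in COMMUNITY_DIRECTIVES:
            # com2sec NAME SOURCE COMMUNITY ; r[ow]community COMMUNITY [SOURCE [OID | -V VIEW]]
            if directive == "com2sec":
                community = args[2] if len(args) > 2 else ""
                unrestricted = len(args) > 1 and args[1] == "default"
            else:
                community = args[0] if args else ""
                unrestricted = len(args) < 2
            findings.append((lineno, "HIGH", f"{directive}: SNMPv1/v2c community '{community}' travels and is checked in plain text"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "HIGH", f"{directive}: default community string '{community}'"))
            if directive.startswith("rw"):
                findings.append((lineno, "HIGH", f"{directive}: write access granted by a community string"))
            if unrestricted:
                findings.append((lineno, "MEDIUM", f"{directive}: no SOURCE restriction, accepted from any address"))

        elif directive in ("rouser", "rwuser"):
            user = args[0] if args else "?"
            # net-snmp's default minimum level is auth, i.e. authenticated but NOT encrypted
            level = args[1].lower() if len(args) > 1 and args[1].lower() in V3_LEVELS else "auth"
            if level != "priv":
                findings.append((lineno, "MEDIUM", f"{directive}: SNMPv3 user '{user}' at level '{level}', traffic not encrypted"))

        elif directive == "agentaddress":
            for addr in ",".join(args).split(","):
                if ANY_INTERFACE.fullmatch(addr):
                    findings.append((lineno, "LOW", f"agentAddress {addr}: listens on all interfaces"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for lineno, severity, message in audit_snmpd_conf(conf) or [(0, "OK", "no findings")]:
            print(f"  line {lineno} [{severity}] {message}")
```

Run against a real snmpd.conf by passing its contents to audit_snmpd_conf; the hardened text produces no findings because every directive it uses is v3-only, priv, read-only and bound to explicit addresses.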
To guess the community string you have to brute-force it -> Brute Force - CheatSheet - HackTricks
hydra -P /usr/share/SecLists/Discovery/SNMP/common-snmp-community-strings.txt monitored.htb snmp
Dump info
snmpbulkwalk -c public -v2c IP . | tee snmp_data
Running processes (they may contain passwords)
grep "\.1312 = " snmp_data
Devices
The process begins with extracting the sysDescr MIB value (1.3.6.1.2.1.1.1.0) from each file to identify the devices. This is done with a grep command (fixed-string match, so the dots in the OID are taken literally):
grep -F ".1.3.6.1.2.1.1.1.0" *.snmp
Identify Private String
A crucial step is identifying the private community string used by organisations, particularly on Cisco IOS routers, since that string allows the running configuration to be pulled from the router. It is often found by searching the SNMP trap data for the word "trap" with a grep command:
grep -i "trap" *.snmp
Usernames/Passwords
Logs stored in MIB tables are examined for failed logon attempts, which may accidentally include passwords typed into the username field. Keywords such as fail, failed or login are searched for to find valuable data:
grep -i "login\|fail" *.snmp
Emails
Finally, to extract email addresses from the data, grep is run with a regular expression matching the email format:
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
#!/bin/bash
# File with the target IPs, one per line
IPLIST="ips.txt"
COMMUNITY="public"
VERSION="2c"

while read -r ip; do
    [[ -z "$ip" ]] && continue
    echo "[*] Consultando $ip ..."
    # Walk the whole tree and keep the output for later grepping; snmpbulkwalk
    # exits non-zero on timeout or a wrong community string
    if snmpbulkwalk -v"$VERSION" -c "$COMMUNITY" "$ip" > "snmp_$ip.txt"; then
        echo "[+] Finalizado: $ip -> Guardado en snmp_$ip.txt"
    else
        echo "[!] Error al consultar $ip"
    fi
    echo "-----------------------------------------"
done < "$IPLIST"
echo "[✔] Proceso completado."
#!/bin/bash
# Script to search for sensitive information in snmpbulkwalk results
CARPETA="."
# Use a glob instead of parsing ls; nullglob gives an empty array when nothing matches
shopt -s nullglob
ARCHIVOS=("$CARPETA"/snmp_*.txt)
if [[ ${#ARCHIVOS[@]} -eq 0 ]]; then
    echo "[!] No se encontraron archivos snmp_*.txt en $CARPETA"
    exit 1
fi
echo "[*] Analizando archivos SNMP..."
for f in "${ARCHIVOS[@]}"; do
    echo "=============================================="
    echo "[*] Archivo: $f"
    # Users and credentials
    grep -iE "user|username|login|account" "$f" && echo "--- Usuarios detectados"
    grep -iE "pass|pwd|password" "$f" && echo "--- Contraseñas detectadas"
    grep -iE "secret|key|community" "$f" && echo "--- Claves detectadas"
    # Configuration and files
    grep -iE "conf|config|backup|shadow" "$f" && echo "--- Configuración sensible"
    grep -iE "/etc|/home|/var|shadow|passwd" "$f" && echo "--- Rutas del sistema"
    # Common hashes (word boundaries so a SHA-256 is not also reported as MD5/SHA-1)
    grep -E "\b[a-f0-9]{32}\b" "$f" && echo "--- Posibles MD5"
    grep -E "\b[a-f0-9]{40}\b" "$f" && echo "--- Posibles SHA1"
    grep -E "\b[a-f0-9]{64}\b" "$f" && echo "--- Posibles SHA256"
    # IPs and domains
    grep -Eo "([0-9]{1,3}\.){3}[0-9]{1,3}" "$f" | sort -u && echo "--- IPs encontradas"
    grep -iE "\.com|\.net|\.org|\.local|\.corp" "$f" && echo "--- Dominios encontrados"
    # E-mail addresses
    grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" "$f" | sort -u && echo "--- Emails encontrados"
    # Traps
    grep -i "trap" "$f" && echo "--- Posibles traps SNMP detectados"
    # Failed login attempts
    grep -i "login\|fail" "$f" && echo "--- Logs de login/fallos detectados"
    echo
done
echo "[✔] Búsqueda completada."
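The Devices / Identify Private String / Usernames / Emails sections and the grep script above all triage the same snmpbulkwalk dumps with text searches. As an added example that is not part of the page or its scripts, here is a structured version of that triage: it parses the "OID = TYPE: value" lines snmpbulkwalk prints with -On (numeric OIDs), then reports sysDescr, process command lines that carry a password, values mentioning traps and e-mail addresses. This is the check a defender runs against a dump of their own agents to see what a read-only community string exposes. The sample walk is constructed; the OIDs used are the standard SNMPv2-MIB system group and HOST-RESOURCES-MIB hrSWRunTable ones, and the password-argument pattern is the example's own heuristic.

```python
"""Triage snmpbulkwalk output for accidentally exposed data.

Added example, not part of the original page or its scripts. Parses the
'OID = TYPE: value' lines that snmpbulkwalk prints with -On and reports
the same things the grep commands above look for. The sample walk is
constructed; the OIDs are standard SNMPv2-MIB / HOST-RESOURCES-MIB ones.
"""
import re

# Constructed sample walk (what `snmpbulkwalk -On -v2c -c public HOST .` might print).
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Linux monitored 5.4.0-1 #1 SMP x86_64
.1.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
.1.3.6.1.2.1.1.4.0 = STRING: admin@example.local
.1.3.6.1.2.1.1.5.0 = STRING: monitored
.1.3.6.1.2.1.1.6.0 = ""
.1.3.6.1.2.1.25.4.2.1.4.1312 = STRING: "/usr/bin/python3"
.1.3.6.1.2.1.25.4.2.1.4.1400 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.4.1500 = STRING: "snmptrapd"
.1.3.6.1.2.1.25.4.2.1.5.1312 = STRING: "backup.py --user svc --password S3cret!"
.1.3.6.1.2.1.25.4.2.1.5.1400 = STRING: "-D"
.1.3.6.1.2.1.25.4.2.1.5.1500 = STRING: "-Lsd -f"
"""

SYSDESCR = ".1.3.6.1.2.1.1.1.0"
SYSNAME = ".1.3.6.1.2.1.1.5.0"
HR_RUN_NAME = ".1.3.6.1.2.1.25.4.2.1.4."     # hrSWRunName.<pid>
HR_RUN_PARAMS = ".1.3.6.1.2.1.25.4.2.1.5."   # hrSWRunParameters.<pid>

LINE_RE = re.compile(r"^(?P<oid>(?:\.|iso\.)[0-9.]+) = (?:(?P<type>[A-Za-z0-9-]+): ?)?(?P<val>.*)$")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b")   # same pattern as the grep above
# Heuristic (example's own): a password-like flag followed by a value, e.g. "--password S3cret!"
SECRET_ARG_RE = re.compile(r"(?i)(?:--?(?:pass(?:word|wd)?|pw|secret|token|key)|pwd)[=:\s]+\S+")


def parse_walk(text):
    """Map numeric OID -> value for every parsable line; quotes around STRING values are removed."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        if oid.startswith("iso."):          # form printed without -On when no MIBs are loaded
            oid = ".1." + oid[4:]
        val = m.group("val").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        entries[oid] = val
    return entries


def triage(text):
    """Summarise the sensitive bits of one snmpbulkwalk dump."""
    entries = parse_walk(text)
    names = {oid[len(HR_RUN_NAME):]: v for oid, v in entries.items() if oid.startswith(HR_RUN_NAME)}
    params = {oid[len(HR_RUN_PARAMS):]: v for oid, v in entries.items() if oid.startswith(HR_RUN_PARAMS)}
    # Join hrSWRunName and hrSWRunParameters on the pid index and keep the ones with a secret-looking arg
    leaky = sorted(
        (int(pid), names.get(pid, "?"), args)
        for pid, args in params.items()
        if SECRET_ARG_RE.search(args)
    )
    emails = sorted({e for v in entries.values() for e in EMAIL_RE.findall(v)})
    return {
        "sysDescr": entries.get(SYSDESCR),
        "sysName": entries.get(SYSNAME),
        "leaky_processes": leaky,
        "emails": emails,
        "trap_hits": [(oid, v) for oid, v in entries.items() if "trap" in v.lower()],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_WALK), indent=2))
```

Feed it the contents of a snmp_IP.txt file produced by the script above (walked with -On) instead of SAMPLE_WALK; a non-empty leaky_processes list means the host is publishing a credential to anyone who knows the read community string, which is the finding to fix on the agent side (restrict the view, move to SNMPv3, stop passing secrets on the command line).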