In this first of a two-post article I will cover:
-Basics of SNMP.
-Writing an SNMP client in C.
-The usefulness SNMP can have when conducting penetration testing and hacking.
In Part 2 I will cover:
-Possible malicious use of SNMP by an attacker, and how this could be mitigated.
As a note, all of this is performed on a Windows 7 system with Visual Studio 2013 as my IDE.
Typical queries in SNMP are for things such as bytes in/out on an interface, errors, CPU load, uptime, and temperature.
SNMP requests are addressed through a numbering scheme in which each period (.) represents a leg of the MIB tree pictured below, and each number selects a member of that leg of the tree:
As pictured above, it is easy to see that an SNMP request such as a GET or a SET with the OID 1.3.6.1.2.1.1.1 refers to the SysDescr member.
Or expanded, it represents: iso->org->dod->Internet->directory->mib-2->SysDescr.
SNMP is defined by the following RFCs and is carried over UDP on ports 161 and 162.
Version 1 (originally written in 1988): RFC1155, RFC1156, RFC1157
Version 2: RFC1901, RFC1908, RFC2578. These extended version 1, added new data types, and added better retrieval methods such as GETBULK.
Version 3 (with security): RFC3411, RFC3418
Typically SNMPv2c is used.
Basic commands in SNMP are:
-GET (client -> server): query for a value.
-GET-NEXT (client -> server): get the next value (used to list the values of a table).
-GET-RESPONSE (server -> client): response to a GET/SET, or an error.
-SET (client -> server): set a value, or perform an action.
-TRAP (server -> client): spontaneous notification from equipment (line down, temperature above threshold, etc.).
Community strings serve to allow only “authorized” requests.
The common (and unfortunate) practice of leaving things at their defaults leads to the widespread use of the two default community names (although others exist), and these can be used to find some really interesting equipment.
The two default community strings are “public” and “private”, each with three common capitalization variants: “public”, “Public”, “PUBLIC” and “private”, “Private”, “PRIVATE”.
Public is for read-only access to the device.
Private is used for write access to the device.
Below is a GET request in Wireshark and the subsequent server response:
Version 1: originally conceived in the 80s. Community strings are sent in plain text.
Version 2c: SNMPv2c was developed to fix some of the problems in v1. Community strings are still sent in plain text.
Version 3: the newest version of SNMP; v3 supports full security and authentication.
Refer to the RFCs listed above for more information.
Below is some source code that performs a query with a GET-NEXT request and then walks the table by successively requesting the OID string returned by each response, starting with “1.3”.
The compiled executable and accompanying project file are also downloadable.