SNMP: Part 1 SNMP Client in C and Introduction

SNMP Client written in C, started up and ready to fire!:

In this first of a two post article will cover:
-Basics of SNMP.
-Writing an SNMP Client in C.
-The usefulness it can have in conducting penetration testing and hacking.
In Part 2 I will cover
-Possible malicious use of SNMP, that could be performed by an attacker, and how this could be mitigated.

As a note, all of this is performed on a windows 7 system with Visual Studio 2013 as my IDE.

The SNMP protocol is used for communicating with network devices.

Typical queries in SNMP are things such as: bytes In/Out on an interface, errors, CPU load, Uptime, and temperature.
SNMP requests are performed through a numbering scheme where each perion (.) represents a leg of the MIB tree pictured below. The numbers represent the member of that MIB tree leg extention:



As pictured above it is easy to see that an SNMP request such as a GET or a SET request with the data of represents the SysDescr member.
Or expanded, it represents: iso->org->dod->Internet->directory->mib-2->SysDescr.

SNMP is generally defined under the following RFC’s, and is carried out under UDP communication and on port 161 and 162.

Version 1 was originally written in 1988.
Version 1:RFC1155, RFC1156, RFC1157
Version 2:RFC1901, RFC1908, RFC2578
These updates Extended version 1, added new data types, and added better retrieval methods such as GETBULK.
version 3:RFC3411, RFC3418 (w/security)

Typically SNMPv2 (v2c) is used.

Basic commands in SNMP are:
GET (client to server), Query for a value.
GET-NEXT (client -> server), Get next value (list of values for a table)
GET-RESPONSE (server to client), Response to GET/SET, or error.
SET (client to server), Set a value, or perform action.
TRAP (server to client), Spontaneous notification from equipment (line down,temperature above threshold, etc).

Community strings act to only allow “authorized” requests.
The common (and misfortune) practice of leaving things default leads to the widespread use of the two default community names, although others exists, and can be used to find some really interesting equipment.
The two default (or one of the 3 variations used for each “public” and “private”) common community strings are “public”, “Public”, “PUBLIC” and “private”, “Private”, “PRIVATE”.
Public is for read-only access to the device.
Private is used for write access to the device..

Below is a GET request in Wireshare and the subsequent server response:


Wireshark response to GET request:
snmp-packet received

Version 1, originally conceived in the 80’s. Community strings are sent in plain text.
Version 2c: SNMP v2c was developed to fix some of the problems in v1. Community strings are still sent in plain-text.
Version 3: The newest version of SNMP, v3 supports full security and authentication.

Refer to the RFCs quoted above for more information.



Below is some source code that performs a query with a GET-NEXT request, and subsequently walks the table by successively requesting the OID string returned in each request, starting with “1.3”.
The compiled Executable and accompanying project file is also downloadable.

[ ZIP ] VS2013 Project
[ ZIP ] Executable
[ C   ] C Code for SNMP Client.


~ by Rhys Mossom on March 6, 2015.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: