Enumeration with SNMP

Another useful mechanism for enumerating a target system is the Simple Network Management Protocol (SNMP). This protocol is used to assist in the management of devices such as routers, hubs, and switches, among others.

SNMP comes in three versions:

SNMPv1 This version of the protocol was introduced as a standardized mechanism for managing network devices. While it accomplished many things, such as establishing a standardized protocol, it fell short in many others. The shortcomings of this protocol were addressed in later versions. Of interest to the pen tester is the fact that this version does not include any security measures.

SNMPv2 This version introduced new management functions as well as security features that were not included in the initial version. By design this version of the protocol is backwards compatible with SNMPv1.

SNMPv3 This is the latest version of the protocol; it places increased emphasis on the area of security. The security of SNMPv3 is focused on two areas:
1. Authentication is used to ensure that traps are read by only the intended recipient.

2. Privacy encrypts the payload of the SNMP message to ensure that it cannot be read by unauthorized users.

SNMP is an application layer protocol that functions using UDP. The protocol works across platforms, meaning it can be accessed on most modern operating systems including Windows, Linux, and Unix. The main requirement for SNMP is that the network is running the TCP/IP protocol.

SNMP enumeration for the ethical hacker consists of leveraging the weaknesses in the protocol to reveal user accounts and devices on a target running the protocol. To understand how this is possible, let’s delve into some components of the SNMP system. In the SNMP system two components are running: the SNMP agent and the SNMP management station. The agent is located on the device to be managed or monitored, whereas the management station communicates with the agent itself.

Management Information Base

Management Information Base (MIB) is a database that contains descriptions of the network objects that can be managed through SNMP. MIB is the collection of hierarchically organized information. It provides a standard representation of the SNMP agent’s information and storage. MIB elements are recognized using object identifiers. The object identifier (OID) is the numeric name given to the object and begins with the root of the MIB tree. It can uniquely identify the object present in the MIB hierarchy.

MIB-managed objects include scalar objects that define a single object instance and tabular objects that define groups of related object instances. The object identifiers include the object’s type, such as counter, string, or address; access level such as read or read/write; size restrictions; and range information. MIB is used as a codebook by the SNMP manager for converting the OID numbers into a human-readable display.

SNScan

SNScan is a utility designed to detect devices on a network enabled for SNMP. The utility helps you locate and identify devices that are vulnerable to SNMP attacks. SNScan scans specific ports (for example, UDP 161, 193, 391, and 1993) and looks for the use of standard (public and private) and user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in complex networks.
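As an added example (not code from the original text or from SNScan), the following Python decodes the SNMPv1/v2c message format discussed above, recovering the version, the clear-text community name, the PDU type and the requested OIDs, and flags messages that carry the standard public/private community names; a defender can run it over captured UDP/161 traffic to find agents still answering to default community strings. The sample packet is constructed for the example, and the PDU type names and v3 handling assume the standard message layouts.

```python
# Added example (not from the original text): a minimal BER decoder for SNMPv1/v2c
# community-based messages, for auditing captured UDP/161 traffic.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}

def read_tlv(buf, pos):  # one BER element -> (tag, content octets, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # BER OID content octets -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # first octet packs arcs 1 and 2
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmp(packet):
    """Parse SEQUENCE {version, community, PDU}; SNMPv3 framing is not parsed."""
    _, body, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")  # 0 = v1, 1 = v2c, 3 = v3
    info = {"version": version, "community": None, "pdu": None, "oids": []}
    if version == 3:  # v3 carries msgGlobalData/USM fields, no community string
        return info
    _, comm, pos = read_tlv(body, pos)
    info["community"] = comm.decode("ascii", "replace")  # sent in clear text
    pdu_tag, pdu, _ = read_tlv(body, pos)
    info["pdu"] = PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}")
    if pdu_tag == 0xA4:  # the v1 Trap PDU has a different header; stop here
        return info
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        pos = read_tlv(pdu, pos)[2]
    varbinds, pos = read_tlv(pdu, pos)[1], 0
    while pos < len(varbinds):  # each varbind is SEQUENCE {OID, value}
        _, vb, pos = read_tlv(varbinds, pos)
        info["oids"].append(decode_oid(read_tlv(vb, 0)[1]))
    return info

def uses_default_community(info, weak=("public", "private")):
    return info["community"] is not None and info["community"].lower() in weak

# Constructed sample packet: SNMPv1 GetRequest for sysDescr.0 with community "public".
SAMPLE = bytes.fromhex("3026 020100 0406 7075626c6963 a019 02012a 020100 020100"
                       "300e 300c 0608 2b06010201010100 0500")
```

A hit from `uses_default_community` on live traffic means an agent is being polled with a well-known community name; the remediation is to set a site-specific community (or move to SNMPv3) and restrict UDP/161 to the management station.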