Here is an easy way to find all SNMP devices on your network and check whether they answer to any of a list of common community strings you want to test for, and to do it without risking a write-access check. I did the following on my Mac PowerBook using nothing more than the C compiler, cc.
First you grab a copy of the ADM SNMP tool from http://adm.freelsd.net/ADM/
Nice piece of code from the ADM crew and credit due them. I just hacked it slightly for my own purposes.
The great thing about this code is that they give you the C source in the snmp.c file, so you can see what the tool does before you compile it. One thing I found is that the tool does do write tests. Needless to say I did not like that idea, so I had to add some basic code hacks to disable the write checks. Then I had to comment out or edit all the printf statements because I wanted nice tab-delimited output that I could pull into Excel later. You can download the zipped snmp-ro.c file I modified from HERE. This is only the modified copy of snmp.c. I recommend you download their file and unzip it, then drop my file into the same folder and compile it instead. You want their zip to get the readme, the basic snmp.passwd file, etc. My version of their C file is called snmp-ro.c, for read only. The variable I created to disable the write tests is writetest, so you can search on that if you want to find where I bypassed the write tests.
So, assuming you have the cc compiler installed on your system, compiling snmp-ro.c produces a binary called a.out by default. Just rename that file to snmp-ro and chmod +x it to make it executable.
That gives you the core of our project. Now you need a script I wrote to cycle through a file of IPs testing each host with the snmp-ro tool.
I made a file called multiscan-snmp.sh, and here is all it contains. Make sure to chmod +x the file to make it executable. The loop reads hosts.txt one IP per line and runs snmp-ro against each host (the rest of the snmp-ro arguments are whatever the ADM readme tells you to pass, so fill those in).

for f in `cat hosts.txt`
do
    ./snmp-ro "$f"    # add any further snmp-ro arguments here, per the ADM readme
done
Now all you have to do is find all the hosts on your network that answer SNMP. That is a simple nmap command. The example below finds the hosts on the private 192.168.1.0/24 range and writes the results in greppable format.
nmap -sU -p 161 -n -oG hoststemp.txt 192.168.1.0/24
Next I grep the resulting output for just the hosts with the SNMP port open:
cat hoststemp.txt | grep open > hosts.txt
Last, I just pull the hosts.txt file into Excel, importing the text file delimited on spaces. Delete all columns but the IPs and save back on top of itself. Sure, some more Unix-born guy could whip up a quick awk to do the same thing. Now you have the hosts.txt file holding the IPs of all the systems you want to check. Just make sure to edit the snmp.passwd text file that comes from the ADM group's original zip file. It has some basic strings to check for. You might want to add your company name, etc. Lazy admins just love to use the company name.
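Here is the awk the post alludes to, as an added example (not from the original post or from the ADM tool). It pulls the IPs straight out of nmap's greppable output so the Excel round trip is not needed. One caveat worth building in: a UDP scan reports 161/open|filtered for hosts that simply never replied, and a plain grep for "open" would match those as well, so the pattern below keeps only ports reported as exactly open. The sample scan lines are constructed for the example and are not real scan output.

```shell
#!/bin/sh
# Added example: extract IPs whose UDP/161 nmap reports as "open" from
# greppable (-oG) output read on stdin. "open|filtered" lines do not match
# the pattern 161/open/udp, so no-reply hosts are left out.
extract_snmp_hosts() {
    awk '/^Host:/ && /161\/open\/udp/ { print $2 }'
}

# Constructed sample of what hoststemp.txt might contain (not real scan data).
sample_scan() {
    printf '# Nmap scan initiated as: nmap -sU -p 161 -n -oG hoststemp.txt 192.168.1.0/24\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 161/open/udp//snmp///\n'
    printf 'Host: 192.168.1.2 ()\tPorts: 161/closed/udp//snmp///\n'
    printf 'Host: 192.168.1.5 ()\tPorts: 161/open|filtered/udp//snmp///\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 161/open/udp//snmp///\n'
}

# Usage against a real scan: extract_snmp_hosts < hoststemp.txt > hosts.txt
sample_scan | extract_snmp_hosts
```

With the sample above only 192.168.1.1 and 192.168.1.20 come out; the closed and open|filtered hosts are dropped, which keeps the follow-up community-string check focused on hosts that demonstrably answered on 161.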
Just do something like
./multiscan-snmp.sh > snmpviolations.txt
I did find that I had to run my results file through one more command before it would go into excel properly.
cat snmpviolations.txt | tr '\r' ' ' > snmpviolationsexcelimport.txt
Pull that into Excel like you did the nmap scan results, except delimit by tabs, and tidy up. The first column should be the IP of the host, the second column should have the SNMP hostname retrieved by a GET if one of the strings worked, and the third column will be the string that worked to access the device. If you just have an IP with blank second and third columns, your simple SNMP dictionary check did not work on that host. It is easy enough to sort the spreadsheet by the third column and delete all rows that did not have an easy-to-guess SNMP string.
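The same clean-up can be done in the shell instead of Excel. This is an added example, not code from the original post or from the ADM tool; it assumes the results file has the three tab-separated columns described above (IP, hostname, community string) and handles both CR-only and CRLF line endings, which is what the tr step in the post is working around. The sample results are constructed for the example.

```shell
#!/bin/sh
# Added example: keep only result rows where a community string worked.
# Input on stdin: IP<TAB>hostname<TAB>community, with \n, \r\n or bare \r
# line endings. Turning every \r into \n handles all three cases; the awk
# filter then drops rows (and the blank lines CRLF leaves behind) whose
# third column is empty, i.e. hosts where no string in snmp.passwd worked.
hits_only() {
    tr '\r' '\n' | awk -F '\t' '$3 != "" { print }'
}

# Constructed sample results (not real output from snmp-ro).
sample_results() {
    printf '192.168.1.1\tcore-sw1\tpublic\r\n'
    printf '192.168.1.20\t\t\r\n'
    printf '192.168.1.5\tedge-rtr\tprivate\r\n'
}

# Usage against a real run: hits_only < snmpviolations.txt > snmphits.txt
sample_results | hits_only
```

The output is already tab-delimited and CR-free, so it imports into Excel directly, and the rows with blank second and third columns are gone without any sorting by hand.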
Last step? Send the final Excel file to the IT network admins and make them clean up the mess.