SNMP Auditing

Here is an easy way to find all SNMP devices on your network and check whether they answer to any of a list of common community strings you want to test for, and do it without risking a write-access check. I did the following on my Mac PowerBook using just the C compiler, cc.

First you grab a copy of the ADM SNMP tool from http://adm.freelsd.net/ADM/

Nice piece of code from the ADM crew and credit due them.  I just hacked it slightly for my own purposes.

The great thing about this code is that they give you the C source in the snmp.c file, so you can see what the tool does before you compile it. One thing I found is that the tool does do write tests. Needless to say I did not like that idea, so I had to add some basic code hacks to disable the write checks. Then I had to comment out or edit all the printf statements because I wanted nice tab-delimited output that I could pull into Excel later. You can download the zipped snmp-ro.c file I modified from HERE. This is only the modified copy of snmp.c. I recommend you download their file and unzip it; then you can drop my file into the same folder and compile it instead. You want their zip to get the readme, the basic snmp.passwd file, etc. My version of their C file is called snmp-ro.c, for read only. The variable I created to disable the write tests is writetest, so you can search on that if you want to find where I bypassed the write tests.

So, assuming you have the cc compiler installed on your system, by default it compiles the snmp-ro.c file to a binary named a.out. Just rename that file to snmp-ro and do a chmod +x to make it executable.

That gives you the core of our project. Now you need a script I wrote to cycle through a file of IPs, testing each host with the snmp-ro tool.

I made a file called multiscan-snmp.sh, and here is all it contains. Make sure to chmod +x the file to make it executable.

#!/bin/sh
for f in `cat hosts.txt`    # hosts.txt holds one IP per line
do
    ./snmp-ro $f            # check each host with the read-only build
done

Now all you have to do is find all the hosts on your network that answer SNMP. That is a simple nmap command. The example below finds the hosts on the private 192.168.1.0/24 range and writes the results in greppable format.

nmap -sU -p 161 -n -oG hoststemp.txt 192.168.1.0/24

Next I grep the resulting output for just the hosts with an open SNMP port:

cat hoststemp.txt | grep open > hosts.txt

Last, I just pull the hosts.txt file into Excel, importing the text file delimited on spaces. Delete all columns but the IPs and save it back on top of itself. Sure, some more Unix-born guy could whip up a quick awk to do the same thing. Now you have the hosts.txt file holding the IPs of all the systems you want to check. Just make sure to edit the snmp.passwd text file that comes from the ADM group's original zip file. It has some basic strings to check for. You might want to add your company name, etc. Lazy admins just love to use the company name.

Then just do something like:

./multiscan-snmp.sh > snmpviolations.txt

I did find that I had to run my results file through one more command before it would import into Excel properly:

cat snmpviolations.txt | tr "\r" " " > snmpviolationsexcelimport.txt

Pull that into Excel like you did the nmap scan results, except delimit by tabs, and tidy up. The first column should be the IP of the host, the second column should have the SNMP hostname retrieved by a get if one of the strings worked, and the third column will be the string that worked to access the device. If you just have an IP with blank second and third columns, your simple SNMP dictionary check did not work on that host. It is easy enough to sort the spreadsheet by the third column and delete all rows that did not have an easy-to-guess SNMP string.
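As an added example (not part of the original post or the ADM tool), here is the awk version of the two Excel steps: pulling the IPs with an open 161/udp out of the nmap greppable output, and keeping only the result rows where a community string worked. The file layouts and sample values are constructed assumptions based on the post's description of hoststemp.txt and snmpviolations.txt.

```shell
#!/bin/sh
# Constructed stand-in for the nmap -oG output (hoststemp.txt) described in the post:
# one "Host:" line per address, with the 161/udp port state in the Ports field.
sample_nmap_grep() {
    printf 'Host: %s ()\tPorts: 161/%s/udp//snmp///\n' \
        192.168.1.1 open \
        192.168.1.2 'open|filtered' \
        192.168.1.3 closed \
        192.168.1.4 open
}

# Print one IP per line for every host whose 161/udp state is exactly "open".
# nmap reports "open|filtered" for UDP ports that never answered at all; a bare
# "grep open" keeps those lines too, so the state field is matched exactly here.
open_snmp_hosts() {
    awk '/^Host:/ && /161\/open\/udp/ { print $2 }'
}

# Constructed stand-in for the tab-delimited snmp-ro results (snmpviolations.txt):
# IP, hostname returned by the get, community string that worked. Rows where no
# string worked have empty second and third columns, and lines end in \r.
sample_results() {
    printf '192.168.1.1\tcore-sw1\tpublic\r\n'
    printf '192.168.1.4\t\t\r\n'
}

# Strip the carriage returns (the tr step from the post) and keep only rows whose
# third column holds a community string, i.e. the hosts that need cleaning up.
weak_community_hosts() {
    tr -d '\r' | awk -F '\t' '$3 != "" { print }'
}

# Usage against the real files, as in the post:
#   open_snmp_hosts < hoststemp.txt > hosts.txt
#   weak_community_hosts < snmpviolations.txt > snmp-cleanup-list.txt
```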

Last step? Send the final Excel file to the IT network admins and make them clean up the mess.

  • When I run the script I end up with the error below. Any ideas?
    I love what you have done with this. It makes my job somewhat easier.

    ./snmp-ro: line 1: syntax error near unexpected token ('
    ./snmp-ro: line 1:
    /*********** ADMsnmp (c) The ADM Crew ***************/'

  • That file is a C source code file. You should be compiling it, not running it as a script. You can download Xcode from Apple to get the compiler installed if you have not already: http://developer.apple.com/tools/xcode/

    Then just go to a command line wherever you have the snmp-ro.c file and enter

    cc snmp-ro.c

    Ignore the errors and you get the a.out binary I mention in the post.

  • I got it to work:
    gcc snmp-ro.c

    then, as you stated, I renamed the a.out.

    Thanks, it worked great!

  • Excellent. Hope it helps your auditing. They wrote a good tool; I just was not comfortable with a write test in production environments.

  • I keep getting something like:
    123.123.123.123
    cant resolve hostname!
    cant resolve hostname!
    cant resolve hostname!
    cant resolve hostname!
    123.123.123.123
    cant resolve hostname!
    cant resolve hostname!
    cant resolve hostname!
    cant resolve hostname!

    Can you point me to where in the snmp-ro file I can stop it from trying to resolve the hostnames?

  • Looks like the hostname function is host2ip. You could try taking that out in some way. But I had no issues with using IPs, so I would check your source file that you don't have some odd character at the end, like a space or something after the IP.