© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
© 2018 Caendra, Inc. - Hera For PTP - SNMP Analysis
1. You are going to do an internal penetration test, where you will be connected
directly on their LAN network (10.10.10.0/24).
2. Windows Firewall is enabled in all of the hosts and only few ports are enabled
which reduces the attack’s surface.
To guide you during the lab you will find different Tasks.
Tasks are meant for educational purposes and to show you the usage of different tools and
different methods to achieve the same goal.
Armed with the skills acquired though the task you can achieve the Lab goal.
If this is the first time you do this lab, we advise you to follow these Tasks.
Once you have completed all the Tasks, you can proceed to the end of this paper and check
the solutions.
Hosts
Usernames
Use the usernames discovered in the previous task to launch a brute-force attack against
the SMB host.
Use the Metasploit framework to get a shell in the host 10.10.10.20 using the discovered
username and password.
We must keep in mind that by default nmap does not check for UDP ports. As we already
know, SNMP runs on the UDP port 161. Therefore, let's check if this specific is opened:
As you can see, the UDP port 161 is open in both hosts. This information is crucial for our
next tasks.
Note: additional we will have to double check nmap results by sending SNMP requests
to both hosts and check if we get responses from both of them. Sometimes, when hosts
are protected by host-based firewalls they may confuse the nmap’s results.
Once we know that there are systems in a network running SNMP, we might want to explore
this service since it might reveal important data that we can use during our activities.
Firstly, we need to discover what are the communities in use by this service.
Note: if you are not familiar with SNMP terms like communities, please, take a look at
the course material.
We are going to use onesixtyone in order to brute-force the community name against the
host 10.10.10.5. So onesixtyone will use a list of predefined potential community
names (file named dict.txt) that come with the tool in order to try to guess which one is
in use by the system 10.10.10.5.
Another useful tool that we can use to check if SNMP is really running in a remote host, and
also to gather more information, is snmpwalk. Let’s run snmpwalk against 10.10.10.20
and check the results:
As you can see, we were not able to obtain any information via SNMP from 10.10.10.20.
Let’s test 10.10.10.5:
In this case, we were able to gather a lot of information via SNMP. Run this command on
your own to see the entire result list.
We are going to use a tool named snmpenum, which can be downloaded from packetstorm
here: http://dl.packetstormsecurity.net/UNIX/scanners/snmpenum.zip.
snmpenum, uses a database of OIDs to request specific information via SNMP. It comes with
3 different databases, stored in files:
root@kali:~/tools/snmp# ls
cisco.txt linux.txt README.txt snmpenum.pl windows.txt
Note: you might have some problems running some of the previous databases. Most
likely the issue is related to a bad file format between Windows and Linux. Run the
following comman to fix this kind of error:
Depending on the system you are dealing with, you'll need to use different OID to get
specific information, such as processes running, hostnames, etc. As we already discovered
that 10.10.10.20 is a Windows machine, let’s use snmpenum with the windows database
file (windows.txt):
From the list of information retrieved, we found a couple of interesting data, such as:
running processes, users, services, installed applications, etc. It must be noted that the
same results can be achieved using snmpcheck. Furthermore, the previous tool was much
more detailed.
----------------------------------------
USERS
----------------------------------------
Guest
admin
Administrator
----------------------------------------
SYSTEM INFO
----------------------------------------
Hardware: x86 Family 6 Model 44 Stepping 2 AT/AT COMPATIBLE - Software: Windows
Version 6.0 (Build 6002 Multiprocessor Free)
To continue, we need to review carefully the results of task2. Note that all TCP ports on
10.10.10.5 are closed, this means that it is really a remote possibility of getting a shell on
that host, which has just a few UDP ports open and allowing incoming traffic.
If we review the results for the host 10.10.10.20 the situation is a little bit better, the SMB
ports are open (ports 139 and 445):
Then, let’s try to use hydra to perform a brute force attack against 10.10.10.20 using the
SMB protocol. We might be lucky since most users out there reuse usernames and
passwords in different systems across the network.
The hydra switches are described in the help: hydra –help. However, the most relevant
parts of the command are explained below:
• -L users.txt
This is the dictionary file containing a list of users
• -P /usr/share/john/password.lst
This is telling hydra to use a dictionary file containing a list of known passwords.
This particular file (password.lst) belongs to “John the Ripper” a very
powerful password cracker
• 10.10.10.20
Our target
• SMB
This is the protocol that should be used by hydra to perform the brute-force attack.
• -f
Once hydra discovers a valid login pair it will stop and quit
• -V
It will be verbose
[ATTEMPT] target 10.10.10.20 - login "admin" - pass "654321" - 230 of 10638 [child 0]
[ATTEMPT] target 10.10.10.20 - login "admin" - pass "666666" - 231 of 10638 [child 0]
[ATTEMPT] target 10.10.10.20 - login "admin" - pass "a12345" - 232 of 10638 [child 0]
[ATTEMPT] target 10.10.10.20 - login "admin" - pass "a1b2c3d4" - 233 of 10638 [child 0]
[445][smb] host: 10.10.10.20 login: admin password: a1b2c3d4
[STATUS] attack finished for 10.10.10.20 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Computer : SERVER02
OS : Windows .NET Server (Build 3790, Service Pack 1).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
meterpreter >