Simple Network Management Protocol Hacking

 The goal of this lab was to retrieve a valid set of credentials and establish a shell on one of the machines on a LAN.


I started by scanning the network to find live hosts and then which ports and services they were running. Via this scanning, I determined the following:


  • The host @ 10.10.10.5 had filtered or closed ports for TCP connections, but it had port 161 open for UDP connections as it was running SNMP Version 1 on that port. Furthermore, nmap found a valid community string (public) for that service.
  • The host @ 10.10.10.20 was possibly running SNMP, but not definitely as port 161 returned an open | filtered state when tested using UDP
  • The host @ 10.10.10.20 had ports 139 and 445 open (139 for TCP connections for NetBIOS over IP sessions using SMB and port 445 for SMB over IP)
  • The host @ 10.10.10.20 was running an old server OS (Service Pack 1)










All of this was interesting, and bearing in mind the goals of the lab, it seemed most likely that I would be able to find credentials via SNMP which would then help me gain a shell via NetBIOS on the other machine.


I therefore started enumerating the SNMP service running on port 161 @ 10.10.10.5 using an nmap script. This script found two valid community strings (public and private). Version 1 of SNMP actually sends these strings in plain text so they could have been sniffed, but I used a brute force attack. SNMP uses encryption for the strings, so brute force attacks are necessary. I tried the same attack against the host @ 10.10.10.20 but this returned no results.



Now that I had valid community strings, I could start to dig deeper into the data contained in the SNMP Management Information Base (MIB).


Objects (properties of devices being managed using SNMP) have unique addresses in MIBs. We can reference these using a numbering system. I was interested in trying to find usernames, so I used the Object IDentifier (OID) of 1.3.6.1.4.1.77.1.2.25 (a useful one to know!) This gave me three usernames - so far so good!



I also tried looking through all of the data I could loot using SNMP, but it was too much so it does make sense to focus on specific data you want to retrieve. For example, I found the name of the device @ OID 1.3.6.1.2.1.1.5.0




Even though I had successfully found community strings using nmap, I decided to see if a different tool (onesixtyone) could achieve the same - it did find public but not private.


Moving forwards, I decided to try using the discovered usernames to target the NetBIOS service running on the host @ 10.10.10.20 so I put them into a .txt file.



I then used this .txt file of usernames to target a brute force attack. My thinking was that people tend to reuse usernames across networks for different purposes. I tried with Hydra first of all, since it is fast, but it did not work. This was disappointing, so I tried the msfconsole module to brute force an SMB login. This worked.




Despite having worked, the module was slow, so I tried Patator. I ran it briefly first of all so I could get a failed logon string. I then used this to narrow down the results and was happy to see that Patator worked and was much faster than the msfconsole module. I then tried it again by excluding the logon failed code instead of the string and got the same result.





Armed now with a username:password set of credentials, I fired up a psexec attack in msfconsole and successfully obtained a reverse meterpreter shell. I migrated the process, dumped the SAM hashes and tried to crack them. Hashcat successfully found one more password, but could not find the password for the user called german, even with a larger wordlist. Still, the lab had been completed as the looted data from the SNMP service had led me to a successful shell on a machine on the network!


















Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more