Scanning SNMP services with Metasploit
Let us perform a TCP port scan of a different network as shown in the following screenshot:
We will be using the tcp module listed under auxiliary/scanner/portscan, as shown in the preceding screenshot. Let's run the module and analyze the results as follows:
We can see that only two services were found, and neither looks especially interesting. Let us also perform a UDP sweep of the network and check whether we can find something more useful:
To carry out a UDP sweep, we will use the auxiliary/scanner/discovery/udp_sweep module, as shown in the preceding screenshot. Next, we only need to provide the network range by setting the RHOSTS option; you can also increase the number of threads. Let's run the module and analyze the results:
Amazing! We can see plenty of results generated by the UDP sweep module. Additionally, a Simple Network Management Protocol (SNMP) service is also discovered on 192.168.1.19.
SNMP is a commonly used service that provides network management and monitoring capabilities. SNMP offers the ability to poll networked devices and monitor data such as utilization and errors for the various systems on a host. SNMP is also capable of changing a host's configuration, which allows remote management of the network device. SNMP is a frequent weak point because it often comes enabled by default on many network devices with public as the read community string and private as the write community string. This means that systems can be added to a network without anyone being aware that SNMP is running and still answering to these default strings.
Such a default installation of SNMP gives an attacker a means to perform reconnaissance on a system and, in some cases, a vector for denial of service. SNMP MIBs expose information such as the system name, location, contacts, and sometimes even phone numbers. Let's perform an SNMP sweep over the target and analyze what interesting information we encounter:
We will use snmp_enum from auxiliary/scanner/snmp to perform an SNMP sweep. We set the value of RHOSTS to 192.168.1.19 and can optionally raise the number of threads. Let's see what sort of information pops up:
Wow! We can see that we have plenty of system information, such as the host IP, hostname, contact, uptime, a description of the system, and even user accounts. The discovered usernames can be handy for the brute-force attacks we tried in the previous sections. Let's see what else we got:
We also have the list of listening ports (TCP and UDP), connection information, a list of network services, processes, and even a list of installed applications, as shown in the following screenshot:
Hence, an SNMP sweep provides us with a wealth of reconnaissance on the target system. It can support attacks such as social engineering, and it tells us which applications are running on the target, so that we can prepare the list of services to exploit and focus on them specifically.
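To show what the default-community problem looks like on the wire, here is an added example (not from the book or from Metasploit) that encodes the SNMPv2c GetRequest a scanner like snmp_enum sends for sysDescr.0 and, on the defensive side, pulls the version and community string out of a captured v1/v2c message so a sensor can flag the default public/private strings. The BER helpers and all function names are assumed minimal implementations written for this illustration.

```ruby
# Illustrative BER helpers for SNMPv1/v2c (assumed code, not Metasploit's).
def ber_len(n)
  return [n].pack('C') if n < 0x80
  body = [n].pack('N').bytes.drop_while(&:zero?).pack('C*')  # long form: 0x8N, N bytes
  [0x80 | body.bytesize].pack('C') + body
end
def ber(tag, body)
  [tag].pack('C') + ber_len(body.bytesize) + body.b
end
def ber_int(v)                                    # non-negative INTEGER, sign bit clear
  bytes = []
  loop { bytes.unshift(v & 0xff); v >>= 8; break if v.zero? }
  ber(0x02, (bytes[0] >= 0x80 ? [0] + bytes : bytes).pack('C*'))
end
def ber_oid(oid)                                  # dotted OID, base-128 sub-identifiers
  ids = oid.split('.').map(&:to_i)
  bytes = ([ids[0] * 40 + ids[1]] + ids[2..]).flat_map do |n|
    out = [n & 0x7f]
    out.unshift((n & 0x7f) | 0x80) while (n >>= 7) > 0
    out
  end
  ber(0x06, bytes.pack('C*'))
end
# SNMPv2c GetRequest: SEQUENCE { version 1, community, [0] { req-id, 0, 0, varbinds } }
def snmp_get(community, oid, request_id = 1)
  varbind = ber(0x30, ber_oid(oid) + "\x05\x00".b)  # value is NULL in a request
  pdu = ber(0xa0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
  ber(0x30, ber_int(1) + ber(0x04, community.b) + pdu)
end
def read_len(b, i)                                # -> [length, index past the length]
  return [b[i], i + 1] if b[i] < 0x80
  n = b[i] & 0x7f
  [b[i + 1, n].inject(0) { |a, x| (a << 8) | x }, i + 1 + n]
end
# Version and community of a v1/v2c message; SNMPv3 carries no community and is rejected.
def parse_header(pkt)
  b = pkt.bytes
  raise ArgumentError, 'not a BER SEQUENCE' unless b[0] == 0x30
  _, i = read_len(b, 1)
  raise ArgumentError, 'version INTEGER missing' unless b[i] == 0x02
  len, i = read_len(b, i + 1)
  version = b[i, len].inject(0) { |a, x| (a << 8) | x }; i += len
  raise ArgumentError, "unsupported SNMP version #{version}" if version > 1
  raise ArgumentError, 'community OCTET STRING missing' unless b[i] == 0x04
  len, i = read_len(b, i + 1)
  { version: version.zero? ? 'v1' : 'v2c', community: pkt.byteslice(i, len) }
end
def default_community?(pkt)                       # flags the vendor defaults the text describes
  %w[public private].include?(parse_header(pkt)[:community])
end
```

Feeding the request built by snmp_get('public', '1.3.6.1.2.1.1.1.0') into default_community? returns true, which is exactly the condition a network sensor would alert on; a device answering such a request is the one the sweep above found.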
More on SNMP sweeping can be found at https://www.offensive-security.com/metasploit-unleashed/snmp-scan/.