PEN-200
telnet 192.168.50.8 25
220 mail ESMTP Postfix (Ubuntu)
VRFY goofy
550 5.1.1 : Recipient address rejected: User unknown in local recipient table
VRFY root
252 2.0.0 root
Listing 83 - Interacting with the SMTP service via Telnet on Windows
The above output depicts yet another example of enumeration that we can perform from a
compromised Windows host when Kali is not available.
6.3.6 SNMP Enumeration
Over the years, we have often found that the Simple Network Management Protocol (SNMP) is not
well-understood by many network administrators. This often results in SNMP misconfigurations,
which can lead to significant information leaks.
SNMP is based on UDP, a simple, stateless protocol, and is therefore susceptible to IP spoofing
and replay attacks. Additionally, the commonly used SNMP protocols 1, 2, and 2c offer no traffic
encryption, meaning that SNMP information and credentials can be easily intercepted over a local
network. Traditional SNMP protocols also have weak authentication schemes and are commonly
left configured with default public and private community strings.
Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
158
Until recently, SNMPv3, which provides authentication and encryption, has been
shipped to support only DES-56, proven to be a weak encryption scheme that can
be easily brute-forced. A more recent SNMPv3 implementation supports the AES-256
encryption scheme.
Because all of the above applies to a protocol that is, by definition, meant to “Manage the
Network,” SNMP is another one of our favorite enumeration protocols.
Several years ago, OffSec performed an internal penetration test on a company
that provided network integration services to a large number of corporate clients,
banks, and other similar organizations. After several hours of scoping out the
system, we discovered a large class B network with thousands of attached Cisco
routers. It was explained to us that each of these routers was a gateway to one
of their clients, used for management and configuration purposes.
A quick scan for default cisco / cisco telnet credentials discovered a single low-
end Cisco ADSL router. Digging a bit further revealed a set of complex SNMP
public and private community strings in the router configuration file. As it turned
out, these same public and private community strings were used on every single
networking device, for the whole class B range, and beyond – simple
management, right?
An interesting thing about enterprise routing hardware is that these devices often
support configuration file read and write through private SNMP community string
access. Since the private community strings for all the gateway routers were
now known to us, by writing a simple script to copy all the router configurations
on that network using SNMP and TFTP protocols, we not only compromised the
infrastructure of the entire network integration company, but the infrastructure of
their clients, as well.
Now that we have gained a basic understanding of SNMP, we can explore one of its main
features, the SNMP MIB Tree.
The SNMP Management Information Base (MIB) is a database containing information usually
related to network management. The database is organized like a tree, with branches that
represent different organizations or network functions. The leaves of the tree (or final endpoints)
correspond to specific variable values that can then be accessed and probed by an external user.
The IBM Knowledge Center [274] contains a wealth of information about the MIB tree.
For example, the following MIB values correspond to specific Microsoft Windows SNMP
parameters and contain much more than network-based information:
[274] (IBM, 2022), https://www.ibm.com/support/knowledgecenter/ssw_aix_71/commprogramming/mib.html
OID                        Description
1.3.6.1.2.1.25.1.6.0       System Processes
1.3.6.1.2.1.25.4.2.1.2     Running Programs
1.3.6.1.2.1.25.4.2.1.4     Processes Path
1.3.6.1.2.1.25.2.3.1.4     Storage Units
1.3.6.1.2.1.25.6.3.1.2     Software Name
1.3.6.1.4.1.77.1.2.25      User Accounts
1.3.6.1.2.1.6.13.1.3       TCP Local Ports
Table 2 - Windows SNMP MIB values
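The cleartext weakness of SNMPv1/v2c described above and the OIDs in Table 2, in one added example that is not part of the PEN-200 text: hand-encode an SNMPv2c GetRequest for the System Processes OID with BER, then pull the community string back out of the datagram the way a passive network sensor would. The community string "public" and the request ID are constructed sample values.

```python
# Added example (not PEN-200 code): hand-built SNMPv2c GetRequest and a cleartext-community extractor.
def ber_len(n: int) -> bytes:
    if n < 0x80:  # short form; long form carries the byte count in the low bits
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    size = 1  # smallest two's-complement width that holds n
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, n.to_bytes(size, "big", signed=True))

def ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [arcs[0] * 40 + arcs[1]]  # first two arcs share one byte (1.3 -> 0x2b)
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on every byte but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # OID paired with a NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def community_from_packet(packet: bytes) -> str:
    """What a passive sensor sees: v1/v2c carry the community string in the clear."""
    tag, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    if tag != 0x30 or version[0] not in (0, 1):  # SNMPv3 (version 3) has a different header
        raise ValueError("not an SNMPv1/v2c message")
    _, community, _ = read_tlv(msg, pos)
    return community.decode()
```

Feeding the bytes returned by snmp_get_request into community_from_packet reproduces the string that any host on the same segment could read from a captured UDP/161 datagram, which is why SNMPv3 with authentication and AES is the fix rather than "complex" community strings.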
To scan for open SNMP ports, we can run nmap, using the -sU option to perform UDP scanning
and the --open option to limit the output and display only open ports.
kali@kali:~$