SNMP – a goldmine of information just waiting to be discovered

Simple Network Management Protocol (SNMP) is commonly mismanaged by busy administrators and developers. Frequently, you will see default community strings, or community strings that are reused throughout the entire organization you are testing. You will want to ensure that your clients are using the most secure version of SNMP and that you cannot simply walk into a building, unplug a phone, and sniff the community string off the wire. Newer versions of SNMP include strong encryption to avoid such flaws.
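To make the "sniff the community string" point concrete from the defender's side, here is an added example (not code from the book or from onesixtyone): a small BER parser that reads the version and community string out of raw SNMPv1/v2c datagrams, the way a passive monitor or IDS rule would, and flags cleartext and default communities. SNMPv3 messages carry no community field, so they are left alone. The sample datagrams, the source addresses and the community strings in it are constructed for the example; the `DEFAULT_COMMUNITIES` list is a starting point, not a complete one.

```python
"""Passive SNMP community-string monitor (added example, not from the book).

SNMPv1 and SNMPv2c carry the community string as a cleartext OCTET STRING in
every datagram, so anyone on the wire can read it. This minimal BER parser
pulls the version and community out of raw SNMP datagrams and flags v1/v2c
traffic and well-known default communities, which is what a defender would
alert on (for instance, a burst of such requests is what a dictionary scan
against one of your hosts looks like).
"""

# Community strings that ship as defaults on many devices; extend as needed.
DEFAULT_COMMUNITIES = {"public", "private"}

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (up to 4 bytes)
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def parse_snmp_header(datagram):
    """Extract the version (0=v1, 1=v2c, 3=v3) and, for v1/v2c, the community."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    community = None
    if version in (0, 1):                  # v1/v2c: cleartext community follows
        tag, comm, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        community = comm.decode("latin-1")
    return {"version": version, "community": community}


def assess_datagram(src, datagram):
    """Classify one datagram; returns a finding dict with a list of reasons."""
    header = parse_snmp_header(datagram)
    reasons = []
    if header["community"] is not None:
        reasons.append("cleartext-community")      # v1/v2c leak the string
        if header["community"].lower() in DEFAULT_COMMUNITIES:
            reasons.append("default-community")
    return {
        "src": src,
        "version": VERSION_NAMES.get(header["version"], f"unknown({header['version']})"),
        "community": header["community"],
        "reasons": reasons,
    }


def audit(packets):
    """Run assess_datagram over (src, datagram) pairs, keeping only flagged ones."""
    return [f for f in (assess_datagram(s, d) for s, d in packets) if f["reasons"]]


# --- constructed sample traffic (not real captures) -------------------------
def _tlv(tag, value):
    assert len(value) < 128                # short-form length is enough here
    return bytes([tag, len(value)]) + value


def build_get_request(version, community):
    """Encode a minimal v1/v2c GetRequest with an empty variable-binding list."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
                     + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                      + _tlv(0x04, community.encode()) + pdu)


def build_v3_stub():
    """Version-3 message header only; v3 carries no cleartext community."""
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b""))


SAMPLE_PACKETS = [                                         # constructed
    ("192.168.50.99", build_get_request(1, "public")),     # v2c, default
    ("192.168.50.99", build_get_request(0, "m0n1t0r-x7")), # v1, custom string
    ("192.168.50.20", build_v3_stub()),                    # v3, not flagged
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKETS):
        print(finding)
```

Fed the UDP payloads from a port 161/162 capture, `audit` yields one finding per v1/v2c datagram with the community that was visible on the wire; a host that should only speak SNMPv3 appearing in that list is the misconfiguration the paragraph above warns about, and a single source sending many different community strings is a dictionary scan in progress.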

When the SNMP community string is NOT "public"

More than likely you will not find many community strings that are set at default. That is when you must dig into your toolset and earn your pay. There are many utilities that assist in actions such as brute forcing SNMP community names. One favorite is onesixtyone. This scanner is fast and efficient and will send requests in parallel to speed things up.

Tip

Keep the following in mind when testing: just because a tool is very functional for most tasks, doesn't mean it will be functional for all. There is the possibility that you may have to reach back into your toolbox and try something different. The more you know about how a tool functions, the more likely you are to be successful in your testing. For instance, onesixtyone is looking for a particular value when it makes the SNMP request. The firewall used in this virtual lab probably does not use this value and therefore, it is invisible to the tool. After seeing the wealth of knowledge we obtained in the preceding section, would it not be horrible to miss out on this information just because we only used one tool for the task at hand?

The command syntax for onesixtyone is straightforward:

# onesixtyone -c dict.txt 192.168.50.10

Here onesixtyone takes the community names from the provided dict.txt file (the -c option) and tries each one against 192.168.50.10. This results in the following on our virtual network:

Scanning 1 hosts, 49 communities
192.168.50.10 [public] Linux Phobos 3.16.0-30-generic #40-14.04 Ubuntu SMP Thu Jan 15 19:39:17 UTC 2015 x86_64

Looking at these results, we note that the host we scanned uses the Ubuntu Linux operating system and has the previously unknown community string of public. Let's change this on the host and see how we fare when using the same command:

Scanning 1 hosts, 50 communities

As expected, since we no longer had the community name in our list, we were unable to find it. We can create our own dict.txt file or add to the one that is already provided to us.

Tip

When dealing with dictionary files, it is better to have several available to meet specific needs. It would be a good idea to have at least three available just for SNMP purposes: one with many defaults, another with popular names that people use for community names, and lastly a large file with many names that can be customized to your client based on company names, usernames, and so on.
