In a recent tutorial, I showed how the SNMP protocol can be a gold mine of information for reconnaissance on a potential target. If you haven’t already, I strongly suggest that you read it before progressing here, as little of this will make much sense without that background.
The MIB database, created by SNMP, contains extensive information on every device on the network. While SNMPv1 is very insecure and SNMPv3 is very secure, many companies still use SNMPv1. As such, the community public string (password) that provides access to SNMP and its MIB database is susceptible to cracking. Once the hacker has the SNMP community public string, they have access to all the info available in the SNMP MIB.
Better yet, if we can crack the private community string (password), we can change the settings on any network device—even take it off line. We could then potentially change the configuration settings on switches and routers to our advantage.
In this tutorial, we will be cracking the SNMPv1 community string (password) with one of the best SNMP cracking tools, onesixtyone (SNMP runs on port 161, hence its name).
Step 1: Find Onesixtyone
Onesixtyone—like so many of the best hacking tools—is built into BackTrack and Kali, so no need to download and install if you’re running BackTrack. We can find onesixtyone by going to BackTrack -> Information Gathering -> Network Analysis -> SNMP and then onesixtyone, as shown in the screenshot below.
In Kali, you can go to Applications -> Kali Linux -> Information Gathering -> SNMP Analysis -> onesixtyone
Step 2: Open Onesixtyone
When we click on onesixtyone, we will be greeted with a screenshot like that below.
Notice in the third line that the basic syntax for usage of onesixtyone.
onesixtyone (options) <host> <community>
- host is the IP address of the system we are targeting
- community is either public or private
Like any password-cracking software (that is not using brute-force), it’s only as good as its wordlist. Onesixtyone comes with a built-in wordlist of commonly used passwords on SNMP, but if your password isn’t in the list, you can use any word list you want.
Very often, if a sysadmin changes the SNMP community string, they will change it to something simple like the companyname-public or companyname-private. It’s always worth trying these or similar combinations before attempting a password crack.
Step 3: Take It Out for Spin
Now that we understand the basics of how onesixtyone works, let try it out.
./onesixtyone -c dict.txt 192.168.1.119
Now, all we need to do is hit enter and let onesixtyone do its job!
When using the built-in wordlist dict.txt, onesixtyone finishes its work in short order. Obviously, with longer word lists, this process can be more time consuming. To use another word list, simply replace the dict.txt with the full path to the file, such as:
./onesixtyone -c /root/anotherwordlist 192.168.1119 public
As you can see, onesixtyone was able to find the both the public and private community strings. The network administrator left both strings at their default values, which is common.
Other possible sources for potential word lists can be found here, among other places on the web, and some are as big as 50g!