1
00:00:06,750 --> 00:00:09,690
- SNMP, or Simple Network Management Protocol,

2
00:00:09,690 --> 00:00:11,720
is another one of those protocols that's been around

3
00:00:11,720 --> 00:00:13,550
for a really long time,

4
00:00:13,550 --> 00:00:16,870
and you can extract a lot of information from it.

5
00:00:16,870 --> 00:00:19,280
It's primarily used on networking devices.

6
00:00:19,280 --> 00:00:21,810
So for example, Cisco routers and switches,

7
00:00:21,810 --> 00:00:24,240
provided it's configured and you can access it,

8
00:00:24,240 --> 00:00:26,770
you can extract a lot of information,

9
00:00:26,770 --> 00:00:30,590
and of course you're gonna need to know a password too,

10
00:00:30,590 --> 00:00:31,423
however.

11
00:00:32,560 --> 00:00:33,660
Let's run through the points here.

12
00:00:33,660 --> 00:00:37,920
So SNMP is used for management and monitoring of devices

13
00:00:37,920 --> 00:00:38,753
on the network.

14
00:00:38,753 --> 00:00:40,340
It doesn't have to be a router or a switch.

15
00:00:40,340 --> 00:00:43,290
It could be a server running an SNMP agent

16
00:00:43,290 --> 00:00:44,160
that you can talk to.

17
00:00:44,160 --> 00:00:45,183
You can poll it.

18
00:00:46,100 --> 00:00:47,920
It's also configuration that can occur.

19
00:00:47,920 --> 00:00:50,830
You can actually write to these various objects

20
00:00:50,830 --> 00:00:54,160
within an SNMP enabled system.

21
00:00:54,160 --> 00:00:57,090
So sometimes you need to be aware of a manager.

22
00:00:57,090 --> 00:01:00,480
An SNMP manager is a system that's going to poll

23
00:01:01,570 --> 00:01:04,143
SNMP enabled devices to gather information.

24
00:01:05,370 --> 00:01:06,950
We haven't touched on traps yet.

25
00:01:06,950 --> 00:01:10,010
So SNMP operates as poll and trap.
26
00:01:10,010 --> 00:01:12,460
So you can poll to request information

27
00:01:12,460 --> 00:01:15,700
and an SNMP system can proactively trap

28
00:01:15,700 --> 00:01:19,340
or send notifications to the manager.

29
00:01:19,340 --> 00:01:22,270
So the manager's job is to poll proactively,

30
00:01:22,270 --> 00:01:26,293
and receive reactive traps.

31
00:01:27,150 --> 00:01:28,910
For example, let me give you an example.

32
00:01:28,910 --> 00:01:31,760
You got a Cisco router and it's got an ethernet interface

33
00:01:31,760 --> 00:01:33,140
as the WAN.

34
00:01:33,140 --> 00:01:34,450
That interface goes down.

35
00:01:34,450 --> 00:01:36,840
You can configure that system to trap

36
00:01:36,840 --> 00:01:39,560
to the SNMP manager that the interface is down,

37
00:01:39,560 --> 00:01:42,117
and then the manager's job is to alert the administrators,

38
00:01:42,117 --> 00:01:43,630
"Hey, WAN interface went down.

39
00:01:43,630 --> 00:01:45,260
We should probably take a look at that."

40
00:01:45,260 --> 00:01:48,750
Agents exist on all of the devices in the network

41
00:01:48,750 --> 00:01:52,580
where SNMP is enabled, or some sort of agent is installed.

42
00:01:52,580 --> 00:01:54,520
Again, going back to the Cisco example,

43
00:01:54,520 --> 00:01:57,560
all Cisco devices have an SNMP agent on them,

44
00:01:57,560 --> 00:02:00,530
you just have to configure it to turn it on.

45
00:02:00,530 --> 00:02:04,260
And as I mentioned, it is common to see SNMP

46
00:02:04,260 --> 00:02:06,250
running on devices on the network.

47
00:02:06,250 --> 00:02:08,300
Because you need to monitor your network,

48
00:02:08,300 --> 00:02:10,100
you need to know what it looks like.

49
00:02:11,130 --> 00:02:13,180
Are you hitting any thresholds?

50
00:02:13,180 --> 00:02:14,310
Things like that.

51
00:02:14,310 --> 00:02:17,220
There are two passwords in SNMP.

52
00:02:17,220 --> 00:02:19,000
Those two passwords are not public and private.
53
00:02:19,000 --> 00:02:21,900
What I mean is there's a read-only password

54
00:02:21,900 --> 00:02:23,590
and a read-write password.

55
00:02:23,590 --> 00:02:24,810
That read-only password,

56
00:02:24,810 --> 00:02:26,600
and they're not called passwords, by the way,

57
00:02:26,600 --> 00:02:28,303
they're called community strings.

58
00:02:29,570 --> 00:02:30,960
The read-only community string

59
00:02:30,960 --> 00:02:32,850
and a read-write community string.

60
00:02:32,850 --> 00:02:35,520
As you can imagine, the read-write community string

61
00:02:35,520 --> 00:02:37,700
should be considered more sensitive

62
00:02:37,700 --> 00:02:40,100
because you can actually change the configuration

63
00:02:40,100 --> 00:02:41,140
of the device.

64
00:02:41,140 --> 00:02:42,910
And what you'll see is that

65
00:02:42,910 --> 00:02:45,260
you'll often see public and private used

66
00:02:45,260 --> 00:02:47,130
in SNMP configurations.

67
00:02:47,130 --> 00:02:49,330
It's a misconfigured SNMP agent

68
00:02:49,330 --> 00:02:51,350
if they're using public and private

69
00:02:51,350 --> 00:02:53,210
for their community strings.

70
00:02:53,210 --> 00:02:56,640
All the examples you'll see in text, public and private.

71
00:02:56,640 --> 00:03:00,080
Because of that, people go and type public and private.

72
00:03:00,080 --> 00:03:05,080
So, can you enumerate information from that SNMP agent?

73
00:03:05,240 --> 00:03:07,600
There's three versions for SNMP.

74
00:03:07,600 --> 00:03:09,750
First one, version one, it's all plain text,

75
00:03:09,750 --> 00:03:12,930
32-bit counters that can be overflowed quite easily,

76
00:03:12,930 --> 00:03:16,150
4 billion is not that big a number in this day and age.
77
00:03:16,150 --> 00:03:17,720
V2c came out afterwards,

78
00:03:17,720 --> 00:03:19,690
it added 64-bit counters,

79
00:03:19,690 --> 00:03:22,550
and we didn't get to encryption of data

80
00:03:22,550 --> 00:03:25,430
as well as authentication until version three.

81
00:03:25,430 --> 00:03:27,610
And you'll often see v1 and v2c

82
00:03:27,610 --> 00:03:29,950
are the versions that are out there being used.

83
00:03:29,950 --> 00:03:32,170
Now, I talked about 32-bit counters.

84
00:03:32,170 --> 00:03:35,840
4 billion is, it's a big number, of course,

85
00:03:35,840 --> 00:03:39,610
but in terms of network interfaces that are passing,

86
00:03:39,610 --> 00:03:44,300
you know, terabits a day, 32 bits is not gonna cover it.

87
00:03:44,300 --> 00:03:47,420
So that's why they added 64-bit counters in v2c,

88
00:03:47,420 --> 00:03:49,820
but they did not add encryption and authentication

89
00:03:49,820 --> 00:03:51,463
until SNMP version three.

90
00:03:52,860 --> 00:03:56,900
SNMP version three has been around for a long time still,

91
00:03:56,900 --> 00:04:00,120
just not as long as v1 and v2c.

92
00:04:00,120 --> 00:04:02,840
The prevalent protocol out there is v2c

93
00:04:02,840 --> 00:04:04,770
because of the 64-bit counter

94
00:04:04,770 --> 00:04:07,640
and the ease of configuration of it.

95
00:04:07,640 --> 00:04:09,290
V3 gets a little complicated

96
00:04:09,290 --> 00:04:11,540
cause you gotta manage passwords and whatnot.

97
00:04:12,460 --> 00:04:15,483
So most networks out there today are still doing version 2c.

98
00:04:18,760 --> 00:04:21,790
SNMP, it's a tree-like structure.

99
00:04:21,790 --> 00:04:23,830
It's a database of information.

100
00:04:23,830 --> 00:04:27,440
There are objects within this management information base,

101
00:04:27,440 --> 00:04:32,440
or MIB, that identify leaves of the tree, if you will.
102
00:04:33,560 --> 00:04:37,960
So the notation for these object identifiers here is ASN.1

103
00:04:37,960 --> 00:04:40,723
or Abstract Syntax Notation One.

104
00:04:42,110 --> 00:04:44,510
And these are all device dependent.

105
00:04:44,510 --> 00:04:47,140
What you'll need to do is decode it,

106
00:04:47,140 --> 00:04:50,550
and that's where something like OID view or OidView

107
00:04:50,550 --> 00:04:51,480
comes into play.

108
00:04:51,480 --> 00:04:53,850
Go into oidview.com.

109
00:04:53,850 --> 00:04:57,470
You can go in there and figure out what these numbers mean

110
00:04:57,470 --> 00:05:01,240
that you see when looking at the object identifiers.

111
00:05:01,240 --> 00:05:03,360
Because whenever you do an SNMP walk,

112
00:05:03,360 --> 00:05:06,290
which we're gonna talk about here in just a second,

113
00:05:06,290 --> 00:05:08,010
you're gonna see these OIDs.

114
00:05:08,010 --> 00:05:09,960
You need to translate that information.

115
00:05:11,190 --> 00:05:14,220
And here's an example of an SNMP walk.

116
00:05:14,220 --> 00:05:18,120
So we have here a Cisco 1841.

117
00:05:18,120 --> 00:05:21,810
It's a pretty old router these days, running SNMP.

118
00:05:21,810 --> 00:05:23,630
That configuration on that router

119
00:05:23,630 --> 00:05:28,423
is SNMP dash server community public read-only 10.

120
00:05:29,600 --> 00:05:31,950
So this is a read-only community string.

121
00:05:31,950 --> 00:05:34,510
That's the actual community string right there.

122
00:05:34,510 --> 00:05:38,160
The word public, that is the quote unquote password

123
00:05:38,160 --> 00:05:39,570
to get information.

124
00:05:39,570 --> 00:05:41,540
The RO 10, read-only,

125
00:05:41,540 --> 00:05:43,700
means it's a read-only community string,

126
00:05:43,700 --> 00:05:45,700
and the 10 is an access list

127
00:05:45,700 --> 00:05:48,573
that is applied to the SNMP agent.
128
00:05:49,910 --> 00:05:52,780
On this system, we're running Ubuntu,

129
00:05:52,780 --> 00:05:55,410
comes with SNMP walk pre-installed.

130
00:05:55,410 --> 00:05:57,990
We can run SNMP walk dash v2c,

131
00:05:57,990 --> 00:06:00,470
cause we wanna use version 2c.

132
00:06:00,470 --> 00:06:01,858
Community string.

133
00:06:01,858 --> 00:06:05,320
That's the minus c command line switch of public.

134
00:06:05,320 --> 00:06:06,310
We give it a host,

135
00:06:06,310 --> 00:06:08,620
and then I just pipe it to head so we can see

136
00:06:08,620 --> 00:06:10,510
the first 10 lines.

137
00:06:10,510 --> 00:06:12,380
And even in the first 10 lines

138
00:06:12,380 --> 00:06:14,410
we can get some useful information.

139
00:06:14,410 --> 00:06:19,070
Right here, string R1841, that is the host name,

140
00:06:19,070 --> 00:06:22,653
the actual configured host name of this router.

141
00:06:23,750 --> 00:06:27,090
So as you're discovering systems out there, what's alive,

142
00:06:27,090 --> 00:06:30,306
if you see a .1 or a .254,

143
00:06:30,306 --> 00:06:31,850
there's a good chance that's a router.

144
00:06:31,850 --> 00:06:34,170
If it's a router, that means it's a network device.

145
00:06:34,170 --> 00:06:36,260
Does it have SNMP configured?

146
00:06:36,260 --> 00:06:37,390
Try to walk it.

147
00:06:37,390 --> 00:06:39,330
See what kind of information you can get,

148
00:06:39,330 --> 00:06:43,323
and then maybe start brute forcing community strings.

149
00:06:44,210 --> 00:06:48,980
You know, admin, God, Cisco 123, public, private.

150
00:06:48,980 --> 00:06:51,500
Try these various community strings

151
00:06:51,500 --> 00:06:56,500
that might commonly be used by lazy administrators.

152
00:06:56,640 --> 00:07:00,070
No offense, public and private deployers.

153
00:07:00,070 --> 00:07:03,870
Another command I ran right here is piping that same command

154
00:07:03,870 --> 00:07:07,000
to word count minus l to see the number of lines.
155
00:07:07,000 --> 00:07:12,000
We have 4,873 lines returned from an SNMP walk.

156
00:07:12,490 --> 00:07:13,900
It takes a little while to do it,

157
00:07:13,900 --> 00:07:16,160
but the amount of information you can get.

158
00:07:16,160 --> 00:07:18,610
If you're able to get just the first chunk,

159
00:07:18,610 --> 00:07:20,681
you can get the rest of it.

160
00:07:20,681 --> 00:07:21,870
There's all kinds of information in there.

161
00:07:21,870 --> 00:07:25,140
IP addresses, utilization on interfaces.

162
00:07:25,140 --> 00:07:27,120
If you see that one ethernet interface

163
00:07:27,120 --> 00:07:29,000
has the majority of the traffic,

164
00:07:29,000 --> 00:07:30,010
that's where you wanna look.

165
00:07:30,010 --> 00:07:32,800
What's going into and out of that interface.

166
00:07:32,800 --> 00:07:34,900
You're not gonna be able to see that from SNMP.

167
00:07:34,900 --> 00:07:38,580
However, it gives you a place to focus.

168
00:07:38,580 --> 00:07:40,750
Is there a system on that subnet

169
00:07:40,750 --> 00:07:43,350
that that interface is plugged into, that you can access

170
00:07:43,350 --> 00:07:46,460
and then see what traffic is going across the network?

171
00:07:46,460 --> 00:07:49,090
Another tool: OpUtils, from ManageEngine,

172
00:07:49,090 --> 00:07:53,713
will allow you to poll or walk an SNMP agent.

173
00:07:55,082 --> 00:07:57,760
This is a screenshot of that tool in action.

174
00:07:57,760 --> 00:08:00,530
SolarWinds also has their network discovery

175
00:08:00,530 --> 00:08:03,830
and diagram capability is built on,

176
00:08:03,830 --> 00:08:06,900
not just SNMP but ICMP and other tools,

177
00:08:06,900 --> 00:08:08,420
but, and other protocols.

178
00:08:08,420 --> 00:08:10,670
But it does include SNMP monitoring,

179
00:08:10,670 --> 00:08:12,503
including trap reception.
180
00:08:13,930 --> 00:08:17,400
With this topology information you can get from SNMP,

181
00:08:17,400 --> 00:08:19,810
then you can build a diagram.

182
00:08:19,810 --> 00:08:22,000
Let me give you an example of what I mean by that.

183
00:08:22,000 --> 00:08:23,780
If you have five routers,

184
00:08:23,780 --> 00:08:27,240
and they're all plugged in in like a pentagon,

185
00:08:27,240 --> 00:08:28,560
just as an example.

186
00:08:28,560 --> 00:08:32,160
You poll router A, and it's got two ethernet interfaces.

187
00:08:32,160 --> 00:08:34,780
You poll router B, it's got two ethernet interfaces.

188
00:08:34,780 --> 00:08:38,100
Where you see the IP address and subnet overlap,

189
00:08:38,100 --> 00:08:40,590
they're plugged into the same broadcast domain.

190
00:08:40,590 --> 00:08:42,540
It's the same switched network

191
00:08:42,540 --> 00:08:46,340
that those two interfaces are plugged into, most likely.

192
00:08:46,340 --> 00:08:48,220
It's possible to have overlapping IPs

193
00:08:48,220 --> 00:08:49,640
plugged into different parts of the network,

194
00:08:49,640 --> 00:08:51,630
but most of the time,

195
00:08:51,630 --> 00:08:53,140
these two interfaces are gonna be

196
00:08:53,140 --> 00:08:55,330
connected to each other logically,

197
00:08:55,330 --> 00:08:58,180
meaning they have the same broadcast domain between them.

198
00:08:59,460 --> 00:09:03,603
Some more tools for SNMP enumeration to be aware of:

199
00:09:05,020 --> 00:09:07,733
SNMP walk, we took a look at a screenshot of that.

200
00:09:08,630 --> 00:09:13,200
Net-SNMP, Getif, Spiceworks, SNMP Scanner,

201
00:09:13,200 --> 00:09:14,623
and SNMP Informant.