SNMP Protocol & snmpwalk

SNMP is a management protocol often used to monitor and remotely configure servers and other network devices such as switches, routers, etc.
This protocol has a weak authentication system: public and private community strings.

  • The public community string can read information from an SNMP-enabled device
  • The private community string can often reconfigure a device

Wikipedia has a nice article about this, and also one about the MIB tree.

Scanning machines with SNMP enabled can give interesting results if they are improperly configured. Many tools exist, but the one I was exposed to during my Offensive Security course was
Scanning a Windows system running snmp.

From our Linux machine’s shell, we would type the following command to scan a single machine.
linux~#snmpwalk -c public -v1 -target IP-

This can return information such as running services and installed applications. Somewhere in the output we can also find the operating system’s version. The output can be very long, so piping it through grep is a good idea.
linux~#snmpwalk -c public -v1 -target IP- | grep sysDescr.0

One can also enumerate users with snmpwalk:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep | cut -d" " -f4

Enumerating services with snmpwalk:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep hrSWRunName | cut -d" " -f4

Enumerating TCP ports:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep tcpConnState | cut -d" " -f4

And enumerating installed applications:
linux~#snmpwalk -c public -v1 -target IP- 1 | grep hrSWInstalledName | cut -d" " -f4

In the above syntax, the switches -c and -v are used. The first, -c, indicates which community string to use: public or private. The second, -v, tells the tool which version of SNMP to use, in this case version 1. We also tell the tool to start at the root of the MIB tree by adding “1” after the target’s IP address. See the top of this post for a wiki link on the MIB tree.
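The grep-and-cut pipelines above work because every snmpwalk line has the same shape: `MIB::object.index = TYPE: value`, so field 4 of a space split is the start of the value. They also break quietly on values that contain spaces (a process named "System Idle Process" comes out as just "System"). The following parser, an added example that is not part of the original post, reads that line format into records, collects the objects the post greps for (sysDescr, hrSWRunName, hrSWInstalledName, tcpConnState), decodes the tcpConnState index into listening ports, and shows what `cut -d" " -f4` would have returned. The sample output is constructed, not captured from a real host.

```python
import re

# Constructed sample of net-snmp style snmpwalk output (not captured from a real
# host). It uses the object names the post greps for.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 15 - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "System Idle Process"
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.552 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "Microsoft .NET Framework 2.0"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "Example Monitoring Agent"
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.0.2.10.139.192.0.2.20.49152 = INTEGER: established(5)
"""

# One snmpwalk line: MIB::object.index = TYPE: value
LINE_RE = re.compile(
    r"^(?P<mib>[A-Za-z0-9-]+)::(?P<obj>[A-Za-z0-9]+)\.(?P<idx>[0-9.]+) = "
    r"(?P<type>[A-Za-z-]+): ?(?P<val>.*)$"
)


def parse_walk(text):
    """Turn snmpwalk output into records. Lines that do not fit the
    'MIB::object.index = TYPE: value' shape (for example continuation lines of
    a multi-line STRING) are skipped rather than misread."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("val")
        # net-snmp wraps some STRING values in double quotes; drop them so the
        # caller sees the bare value instead of a leading quote character.
        if m.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        records.append({
            "object": m.group("obj"),
            "index": m.group("idx"),
            "type": m.group("type"),
            "value": value,
        })
    return records


def values_of(records, obj):
    """All values for one object name, in walk order (replaces grep | cut)."""
    return [r["value"] for r in records if r["object"] == obj]


def tcp_listening_ports(records):
    """A tcpConnState index is local-ip(4 octets).local-port.remote-ip(4).remote-port.
    Return the local ports whose state is listen(2), sorted and de-duplicated."""
    ports = set()
    for r in records:
        if r["object"] != "tcpConnState" or not r["value"].startswith("listen"):
            continue
        parts = r["index"].split(".")
        if len(parts) == 10:
            ports.add(int(parts[4]))
    return sorted(ports)


def cut_field4(line):
    """What `cut -d" " -f4` returns for one line: the fourth space-separated
    field. On a quoted multi-word STRING that is only the first word, quote
    included, which is why the post's pipelines truncate some names."""
    fields = line.split(" ")
    return fields[3] if len(fields) >= 4 else ""


if __name__ == "__main__":
    recs = parse_walk(SAMPLE_WALK)
    print("OS:", values_of(recs, "sysDescr")[0])
    print("Processes:", values_of(recs, "hrSWRunName"))
    print("Installed:", values_of(recs, "hrSWInstalledName"))
    print("Listening TCP ports:", tcp_listening_ports(recs))
    print("cut -f4 would give:", cut_field4(SAMPLE_WALK.splitlines()[1]))
```

Feeding a real walk into `parse_walk` is a matter of reading the saved snmpwalk output from a file; the same parser lets an administrator see exactly what a device hands out to anyone holding the public community string, which is the list to review before deciding whether SNMP needs to be reachable at all.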

Of course, one can also use the script “snmpcheck” to gather most or all of the available information in a more human-readable format.


Simple Netcat usage

Netcat is a powerful tool that everyone should learn to use. I’ve only been aware of this tool for about a month now, and already I’m finding ways to use it (or situations where it could be useful) at work.

Netcat is able to connect (read/write) to any port using the TCP or UDP protocol. One can send and receive files, scan ports, and even redirect standard input/output/error with netcat. It’s also possible to use netcat for port redirection.

Here are a few interesting articles about Netcat:

Here are a few simple examples of the netcat syntax. Let’s look at transferring a text file from a Windows machine to a Linux machine. Of course, we’ll assume the Windows system has a copy of netcat.

First, the Linux machine, which receives the file, needs to set up a listener.
linux~#nc -lvp 4444 > output.txt
Any traffic arriving on port 4444 will be written into the output.txt file.

Second, the Windows system will open a connection and send the text file.
C:\>nc -nv -Linux IP here- 4444 < test.txt
The contents of test.txt will be piped into port 4444 and sent to our listening Linux machine.

Now, netcat doesn’t have a “progress bar” to show when the transfer is complete, so you need to guess and kill the connection manually with the CTRL-C key combination.

Banner grabbing with netcat is pretty simple. All one needs to do is connect to the specified IP address and port. Once connected, depending on the port, commands can be issued to gather more information. Of course, not all services give out banners, and system administrators can always remove the banner. Let’s look at how one can retrieve an SMTP banner.

linux~#nc -nv -IP address- 25
Sometimes, but not always, the SMTP server will give out information such as:
Sendmail 8.13.1/8.13.1
One can also type in commands once connected to verify the existence of users.
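What netcat shows on port 25 is simply whatever the server sends before the client has said anything: the SMTP greeting, a line starting with 220 followed by the host name and free text, and the free text is where software names such as the Sendmail string above appear. The code below is an added example, not part of the original post: it connects, reads the unsolicited greeting (or reports that the service is silent, the "not all services give out banners" case), splits it into host and text, and flags whether the text carries anything beyond the bare ESMTP keyword. A tiny constructed server on 127.0.0.1 stands in for a real mail host so the example runs offline; the greetings, host name and port are all constructed.

```python
import socket
import threading

# Constructed greetings (not captured from a real server). The first carries the
# software string the post shows; the second is what a trimmed greeting looks like.
VERBOSE_GREETING = "220 mail.example.invalid ESMTP Sendmail 8.13.1/8.13.1; Mon, 1 Jan 2007 00:00:00 +0000\r\n"
HARDENED_GREETING = "220 mail.example.invalid ESMTP\r\n"


def grab_banner(host, port, timeout=5.0):
    """Connect and read what the service volunteers before we send anything,
    which is what `nc -nv host 25` prints. Returns None when the service stays
    silent, i.e. it waits for the client to speak first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return None
    return data.decode("ascii", errors="replace").strip()


def parse_smtp_greeting(banner):
    """Split a '220 <host> <text>' greeting into host and free text; the free
    text is the part an administrator can trim. Anything else returns None."""
    if not banner or not banner.startswith("220"):
        return None
    body = banner[3:].lstrip(" -")
    host, _, text = body.partition(" ")
    return {"host": host, "text": text}


def leaks_software(greeting_text):
    """True when the free text says more than the bare ESMTP/SMTP keyword."""
    words = [w for w in greeting_text.split() if w.upper() not in ("ESMTP", "SMTP")]
    return bool(words)


def serve_once(greeting, send_greeting=True):
    """Minimal constructed SMTP-like server on 127.0.0.1 that handles a single
    connection so the example runs offline. Returns the port it listens on.
    With send_greeting=False it accepts but says nothing, like a service
    without a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            if send_greeting:
                conn.sendall(greeting.encode("ascii"))
            else:
                conn.settimeout(5.0)
                try:
                    conn.recv(1)  # wait for the client to speak or give up
                except socket.timeout:
                    pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    for greeting in (VERBOSE_GREETING, HARDENED_GREETING):
        info = parse_smtp_greeting(grab_banner("127.0.0.1", serve_once(greeting)))
        print(info, "leaks software:", leaks_software(info["text"]))
    silent = grab_banner("127.0.0.1", serve_once("", send_greeting=False), timeout=0.5)
    print("silent service banner:", silent)
```

Pointing `grab_banner` at one's own mail server is a quick way to check what the greeting gives away; the `timeout` matters because a banner-less service simply never answers and netcat would sit there just the same.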

Another fun thing one can do with netcat is command redirection. Using the “-e” switch, you can redirect standard input, output and error to a specific port, so we can essentially send a command shell via netcat. Let’s do this.

Imagine two users on the same network, John and Cindy. John needs Cindy’s assistance on his computer and wishes to send her a command shell over the network to her computer.

So let’s start by starting netcat on a particular port and binding our command shell to it.
From John’s computer:
C:\>nc -lvp 4444 -e cmd.exe
This will redirect all input, output and errors of cmd.exe to port 4444.

From Cindy’s computer:
Now that John’s netcat is waiting for a connection, all that Cindy needs to do is connect to John’s computer on port 4444 and she should receive the command prompt.
linux~#nc -nv -John’s ip here- 4444

This is called a bind shell. Try it and see…


Obligatory first post…

Well, after years of reading other people’s blogs, and after weeks of debating whether I should start one of my own and wondering what I would write about, I finally figured out a subject… computers, network security and other related subjects.

Now, I’m no expert. I’m not a professional security consultant, nor am I a security analyst. I’m a system administrator, presently learning the ins and outs of security.

Figured I’d use a blog as a reference. I’ll post links to articles related to computer networking and network security, and maybe type up some of my own learning experiences during my journey into this strange/difficult and mythical subject known as “Penetration Testing”.

A little about myself, I suppose. I’ve been in IT for a few years now, and like many I’ve had a computer since I was a kid (back in the 8086 days). I’ve got a few certifications such as MCDST, CompTIA Linux+, Network+, i-Net+, and for some reason I have a CIW certification… don’t ask.

Presently I’m working on Offensive Security 101 [now known as Pentesting with BackTrack], so I’m looking forward to eventually getting the Offensive Security Certified Professional, or OSCP. So odds are, I’ll mostly be posting my experiences along the course, without going against the course’s copyright. Let me tell you, this one is hard…