Web penetration test - 5. Brute force cracking vulnerability - (2) SNMP password cracking

Simple network management protocol （SNMP） Is specially designed for use in IP Network management network nodes （ The server 、 The workstation 、 Router 、 Switch and HUBS etc. ） A standard protocol for , It's an application layer protocol . SNMP Enables network administrators to manage network performance , Identify and solve network problems and plan for network growth . adopt SNMP Receive random messages （ And incident reports ） The network management system was informed that there was a problem with the network .
Default UDP port ：161,162.

One 、hydra

Hydra Is a parallel login cracker , It supports multiple attack protocols . It's very fast and flexible , And new modules are easy to add .kali Toolset integrated .

hydra Project address ：https://github.com/vanhauser-thc/thc-hydra/releases Full version

hydra Support ：
Cisco AAA、Cisco auth、Cisco enable、CVS、FTP、HTTP(S)-FORM-GET、HTTP(S)-FORM-POST、HTTP(S)-GET、HTTP(S)-HEAD、HTTP- agent 、ICQ、IMAP、IRC、LDAP、MS-SQL、MySQL、NNTP、Oracle The listener 、Oracle SID、PC-Anywhere、PC-NFS、POP3、PostgreSQL、RDP、Rexec、Rlogin、Rsh、SIP、SMB(NT) 、SMTP、SMTP enumeration 、SNMP v1+v2+v3、SOCKS5、SSH（v1 and v2）、SSHKEY、Subversion、Teamspeak (TS2)、Telnet、VMware-Auth、VNC and XMPP`.

hydra -P /root/Desktop/pass.txt IP snmp

-L： Specify the user name dictionary path
-P： Specify password dictionary path

Two 、Medusa

Medusa It's a fast one 、 A parallel and modular login brute force cracker . The goal is to support as many services as possible that allow remote authentication .kalikali Toolset integrated .

file ：
www.foofus.net/jmk/medusa/medusa.html
Source code ：
https://github.com/jmk-foofus/medusa
https://github.com/jmk-foofus/medusa/archive/2.2.tar.gz

The main functions are as follows ：
1、 Thread based parallel testing ： It can target multiple hosts at the same time 、 The user or password performs a brute force test .
2、 Flexible user input ： Target information can be specified in a number of ways （ host / user / password ）. for example , Each item can be a single item , It can also be a file that contains multiple entries . Besides , The combined file format allows users to refine their target list .
3、 Modular design ： Each service module acts as an independent .mod File exists . This means that the list of supported services can be extended for brute force cracking without any modification to the core application .
4、 Support multiple protocols ： Many services are currently supported （ for example SMB、HTTP、POP3、MS-SQL、SSHv2 etc. ）.

medusa -M snmp -h IP –u ignite -P /root/Desktop/pass.txt

-U： Indicates the path to the user name list
-P： Indicates the path to the password list
-M： Specify the burst parameter type

3、 ... and 、Metasploit

use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login)> set rhosts IP
msf auxiliary(scanner/snmp/snmp_login)> set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true
msf auxiliary(scanner/snmp/snmp_login)> run

Four 、NMAP

nmap -sU –p 161 –n --script snmp-brute IP --script-args snmp-brute.communitiesdb=/root/Desktop/pass.txt

-sU：SNMP Message transmission passed UDP Conduct , Usually use UDP Port number 161/162
-p： Specify port number 161
-n： Do not do DNS analysis
--script snmp-brute： Specify the use of snmp-brute Script scan
--script-args： Specify script parameters
snmp-brute.communitiesdb： The script adopts snmp-brute.communitiesdb Allows the user to define the parameters of the file containing the community string to be used . If not defined , For brute force cracking SNMP The default word list for the community string is nselib/data/snmpcommunities.lst. If this vocabulary does not exist , The script falls back to nselib/data/passwords.lst. If no valid account is found , The output... Is not reported .

 Example usage ：
nmap -sU --script snmp-brute < The goal is > [--script-args snmp-brute.communitiesdb=<wordlist> ]

5、 ... and 、onesixtyone

oneixtyone Yes SNMP Scanning uses different methods . It takes advantage of it. SNMP Is a connectionless protocol , And send all... As soon as possible SNMP request . The scanner then waits for the responses to return and records them , In a manner similar to Nmap ping scanning .

Project address ：https://github.com/trailofbits/onesixtyone
kali The tool has been integrated .

oneixtyone IP -c /root/Desktop/pass.txt