maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md
Carlos Polop ad3f52d725 t2
2025-01-03 01:07:38 +01:00

46 lines
2.0 KiB
Markdown
Raw Blame History

# Cisco SNMP
{{#include ../../banners/hacktricks-training.md}}
## Pentesting Cisco Networks
**SNMP** functions over UDP with ports 161/UDP for general messages and 162/UDP for trap messages. This protocol relies on community strings, serving as passwords that enable communication between SNMP agents and servers. These strings are pivotal for they determine access levels, specifically **read-only (RO) or read-write (RW) permissions**. A notable attack vector for pentesters is the **brute-forcing of community strings**, aiming to infiltrate network devices.
A practical tool for executing such brute-force attacks is [**onesixtyone**](https://github.com/trailofbits/onesixtyone), which necessitates a list of potential community strings and the IP addresses of the targets:
```bash
onesixtyone -c communitystrings -i targets
```
#### `cisco_config_tftp`
The Metasploit framework features the `cisco_config_tftp` module, facilitating the extraction of device configurations, contingent upon acquiring an RW community string. Essential parameters for this operation include:
- RW community string (**COMMUNITY**)
- Attacker's IP (**LHOST**)
- Target device's IP (**RHOSTS**)
- Destination path for the configuration files (**OUTPUTDIR**)
Upon configuration, this module enables the download of device settings directly to a specified folder.
#### `snmp_enum`
Another Metasploit module, **`snmp_enum`**, specializes in gathering detailed hardware information. It operates with either type of community string and requires the target's IP address for successful execution:
```bash
msf6 auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY public
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.100.10
msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
```
## References
- [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink