08 March 2012

BackTrack tool review: snmpcheck

Note: This is part of a series on BackTrack 5 tool reviews. It is not meant to be an exhaustive analysis of any tool, just a demonstration of the tool using real-world targets.


This tool presumes that you know of a host running the snmp service. Alternatively, you can try finding one with a tool like SHODAN or scan with Nmap for port 161 (UDP) open.


Pretty simple--enter an IP address with -t. Everything else is optional. If you know the snmp service is running on a different port, you can add that with -p. Additionally, if you happen to know the community string, add it with -c. Otherwise, snmpcheck will use the default community string, public.

root@bt:/pentest/enumeration/snmp/snmpcheck# ./snmpcheck-1.8.pl
snmpcheck.pl v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)

 Usage ./snmpcheck.pl -t

-t : target host;

-p : SNMP port; default port is 161;
-c : SNMP community; default is public;
-v : SNMP version (1,2); default is 1;
-r : request retries; default is 0;

-w : detect write access (separate action by enumeration);

-d : disable 'TCP connections' enumeration!
-T : force timeout in seconds; default is 20. Max is 60;
-D : enable debug;
-h : show help menu;

I found a random host with UDP port 161 open and the snmp service running. Point snmpcheck at it, and you're off:

root@bt:/pentest/enumeration/snmp/snmpcheck# ./snmpcheck-1.8.pl -t 134.48.81.17
snmpcheck.pl v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)


 [*] Try to connect to 134.48.81.17
 [*] Connected to 134.48.81.17
 [*] Starting enumeration at 2012-03-08 20:28:07


 [*] System information
 -----------------------------------------------------------------------------------------------
 Hostname               : MARYN12105
 Description            : Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
 Uptime system          : 6 hours, 47:16.37
 Uptime SNMP daemon     : 16 hours, 35:50.71
 Motd                   : -
 Domain (NT)            : MARQNET


 [*] User accounts
 -----------------------------------------------------------------------------------------------
 Administrator
 Guest
 arianace
 chapr
 ficengar
 mmana
 wilyrt


 [*] Network information
 -----------------------------------------------------------------------------------------------
 IP forwarding enabled   : no
 Default TTL             : 128
 TCP segments received   : 74692479
 TCP segments sent       : 57614412
 TCP segments retrans.   : 150854
 Input datagrams         : 2412799
 Delivered datagrams     : 2255627
 Output datagrams        : 1114372


 [*] Network interfaces
 -----------------------------------------------------------------------------------------------
Use of uninitialized value within @intspeed in pattern match (m//) at ./snmpcheck-1.8.pl line 676.
Use of uninitialized value within @intspeed in division (/) at ./snmpcheck-1.8.pl line 678.
 Interface               : [ up ] 3Com EtherLink PCI
 Hardware Address        : 00:a0:c9:c9:1a:7d
 IP Address              : 134.48.81.17
 Netmask                 : 255.255.255.0
 MTU                     : 1500
 Bytes In                : 1280835700 (1.2G)
 Bytes Out               : 802255200 (766M)


 [*] Routing information
 -----------------------------------------------------------------------------------------------
      Destination         Next Hop             Mask   Metric
          0.0.0.0     134.48.81.17          0.0.0.0        -


 [*] Listening TCP ports and connections
 -----------------------------------------------------------------------------------------------
   Local Address   Port      Remote Address   Port       State
         0.0.0.0    139             0.0.0.0    139       Listening
         0.0.0.0     23             0.0.0.0     23       Listening


 [*] Listening UDP ports
 -----------------------------------------------------------------------------------------------
   Local Address   Port
         0.0.0.0   1101
         0.0.0.0    137
         0.0.0.0    138


 [*] Non-administrative shares
 -----------------------------------------------------------------------------------------------
 Share Name : Inbox
 Path       : D:\Inbox
 Comments   : 


 Share Name : Outbox
 Path       : D:\Outbox
 Comments   : 


 [*] Wait...don't stop snmpcheck.pl...
 Total non anonymous users     : -


 [*] Enumerated 134.48.81.17 in 46.98 seconds


Windows 2000, hostname and domain, user accounts, open ports (both TCP and UDP), shares...Pretty nice bit of information gathering for one open port, don't you think?
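Everything above comes back one SNMPv1 GetRequest at a time, and the only credential in play is the community string. The Python below is an added example (written for this review, not part of snmpcheck) that hand-encodes the first request snmpcheck sends, sysDescr.0, in BER, decodes the GetResponse, and wraps both in a probe you can point at hosts you administer to confirm whether they still answer to the default community. The host, port and timeout values in probe() are assumptions; the test response built from the Description string in the run above is constructed.

```python
import socket
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the first value snmpcheck reads
def tlv(tag, body):  # BER type-length-value; long-form length above 127 bytes
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
def ber_int(v):  # INTEGER, minimal two's complement
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def ber_oid(oid):  # OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = [a & 0x7F]
        while a := a >> 7:
            enc.insert(0, 0x80 | (a & 0x7F))  # continuation bit on every byte but the last
        out += bytes(enc)
    return tlv(0x06, out)
def build_get_request(community, oid, request_id=1):
    # SNMPv1 message = SEQUENCE { version 0, community, GetRequest-PDU (0xA0) }
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + b"\x05\x00"))  # NULL value in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)
def parse_tlv(buf, pos=0):  # -> (tag, contents, position after this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def parse_response(msg):  # -> (error_status, value of the first varbind) from a GetResponse-PDU
    _, body, _ = parse_tlv(msg)
    p = parse_tlv(body, parse_tlv(body)[2])[2]             # skip version and community
    ptag, pdu, _ = parse_tlv(body, p)
    if ptag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % ptag)
    _, err, p = parse_tlv(pdu, parse_tlv(pdu)[2])         # request-id, then error-status
    _, vbl, _ = parse_tlv(pdu, parse_tlv(pdu, p)[2])      # error-index, then varbind list
    vb = parse_tlv(vbl)[1]                                 # first varbind: SEQUENCE { OID, value }
    vtag, val, _ = parse_tlv(vb, parse_tlv(vb)[2])
    return int.from_bytes(err, "big", signed=True), val.decode("latin-1") if vtag == 0x04 else val.hex()
def probe(host, community="public", port=161, timeout=2.0):  # host/port/timeout are assumed values
    # one UDP round trip; None means no answer: filtered, or the v1 agent silently dropped a bad community
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, SYS_DESCR), (host, port))
        try:
            return parse_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
```

A host that returns a (0, "Hardware: ...") tuple from probe() with the default community is exactly what snmpcheck found above; no answer is the expected result once the community is changed or UDP/161 is filtered.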