Check for default SNMP community with Metasploit

As a general rule, SNMP community strings should be changed as soon as possible in a corporate environment, but in practice this often is not done. There is a simple way to check whether it has been done on your network, with the help of Metasploit.

The first step is to start msfconsole. For our scan we can use the snmp_login module:

msf >  use auxiliary/scanner/snmp/snmp_login

You can check the possible options with show options, but we know what we are going to do, so I'll skip this step. Next you have to specify the remote host or network:

msf auxiliary(snmp_login) > setg rhosts 192.168.0.1-192.168.0.254
rhosts => 192.168.0.1-192.168.0.254
msf auxiliary(snmp_login) > exploit

The output looks like this:

[+] 192.168.0.15:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): Ruckus Wireless Inc (C) 2006
[+] 192.168.0.15:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Ruckus Wireless Inc (C) 2006
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
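The success lines above are the part worth keeping: they tell you which devices still answer to a default community string and with what access level, which is exactly the list an administrator needs for remediation. The following script is an added example (not part of the original post and not Metasploit code) that parses snmp_login output in the format shown above into per-host findings and orders hosts so that default-community, read-write devices come first. The sample output embedded in it is constructed for the example; the second host and its sysDescr value are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of snmp_login output, in the line format shown above
# (the 192.168.0.23 entry is invented for the example, not real scan data).
SAMPLE_OUTPUT = """\
[+] 192.168.0.15:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): Ruckus Wireless Inc (C) 2006
[+] 192.168.0.15:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Ruckus Wireless Inc (C) 2006
[+] 192.168.0.23:161 - LOGIN SUCCESSFUL: public (Access level: read-only); Proof (sysDescr.0): Linux printserver 3.10.0
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
"""

# One success line: host:port, community, access level and (optionally) the sysDescr proof.
LOGIN_RE = re.compile(
    r"^\[\+\]\s+(?P<host>[\d.]+):(?P<port>\d+)\s+-\s+LOGIN SUCCESSFUL:\s+"
    r"(?P<community>\S+)\s+\(Access level:\s+(?P<access>[\w-]+)\)"
    r"(?:;\s+Proof \(sysDescr\.0\):\s+(?P<sysdescr>.*))?$"
)

# The two well-known defaults the post is about.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    community: str
    access: str
    sysdescr: str


def parse_snmp_login(output: str) -> List[Finding]:
    """Extract one Finding per '[+] ... LOGIN SUCCESSFUL' line; other lines are ignored."""
    findings = []
    for line in output.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        findings.append(Finding(
            host=m["host"],
            port=int(m["port"]),
            community=m["community"],
            access=m["access"],
            sysdescr=(m["sysdescr"] or "").strip(),
        ))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, dict]:
    """Group findings by host and record whether a default community and/or read-write access was seen."""
    by_host: Dict[str, dict] = {}
    for f in findings:
        entry = by_host.setdefault(f.host, {
            "communities": set(), "read_write": False, "default": False, "sysdescr": f.sysdescr,
        })
        entry["communities"].add(f.community)
        entry["read_write"] = entry["read_write"] or f.access == "read-write"
        entry["default"] = entry["default"] or f.community in DEFAULT_COMMUNITIES
    return by_host


def remediation_priority(summary: Dict[str, dict]) -> List[str]:
    """Hosts accepting a default community with read-write access first, then default read-only, then the rest."""
    def rank(item):
        host, e = item
        if e["default"] and e["read_write"]:
            tier = 0
        elif e["default"]:
            tier = 1
        else:
            tier = 2
        return (tier, host)
    return [host for host, _ in sorted(summary.items(), key=rank)]


if __name__ == "__main__":
    summary = summarize(parse_snmp_login(SAMPLE_OUTPUT))
    for host in remediation_priority(summary):
        e = summary[host]
        print(f"{host}: communities={sorted(e['communities'])} read_write={e['read_write']} "
              f"default={e['default']} sysDescr={e['sysdescr']!r}")
```

Feed it the console output saved from msfconsole (for example via spool) instead of SAMPLE_OUTPUT to turn a scan into a prioritised list of devices whose community strings need to be changed.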

We have a device on our network that still accepts both the default read-only (public) and the default read-write (private) community strings; in this case both grant read-write access. Now we can use this information to enumerate some more information about this machine:

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set rhosts 192.168.0.15
rhosts => 192.168.0.15
msf auxiliary(snmp_enum) > exploit

And you'll get a nice output with a lot of information about the machine, its software, and so on.

Enjoy!
