As a general rule, SNMP community strings should be changed as soon as possible in a corporate environment, but in practice they often are not. There is a simple way to check whether this has been done with the help of Metasploit.
The first step is to start msfconsole. For our scan we can use the snmp_login auxiliary module:
msf > use auxiliary/scanner/snmp/snmp_login
You can check the available options with show options, but since we know what we are going to do I'll skip this step. Next you have to specify the remote host or network (setg sets the value globally, so it carries over to the modules we switch to later):
msf auxiliary(snmp_login) > setg rhosts 192.168.0.1-192.168.0.254
rhosts => 192.168.0.1-192.168.0.254
msf auxiliary(snmp_login) > exploit
The output looks like this:
[+] 192.168.0.15:161 - LOGIN SUCCESSFUL: private (Access level: read-write); Proof (sysDescr.0): Ruckus Wireless Inc (C) 2006
[+] 192.168.0.15:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Ruckus Wireless Inc (C) 2006
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We have a device in our network that accepts both default community strings, public and private, and the module reports read-write access for each of them, so even the "read-only" default would let an attacker change the device configuration. Now we can use this information to enumerate more details about the machine. The COMMUNITY option of snmp_enum defaults to public, which worked here, so we only need to point it at the host:
msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set rhosts 192.168.0.15
rhosts => 192.168.0.15
msf auxiliary(snmp_enum) > exploit
And you'll get a nice output with a lot of information about the machine, the software it runs and so on. If a device in your network shows up in this list, change its community strings, restrict which hosts may query the agent, and move to SNMPv3 where the equipment supports it; SNMPv1 and v2c send the community string in clear text, so anyone who can sniff the traffic learns it anyway.