Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "SNMP"

From NetSec
Jump to: navigation, search
 
(2 intermediate revisions by 2 users not shown)
Line 58: Line 58:
  
 
A MIB is kind of like an OID definition file. You can have many many different MIB files with the boudaries of said files being the boundries of the organizations that wrote each file. So for example:
 
A MIB is kind of like an OID definition file. You can have many many different MIB files with the boudaries of said files being the boundries of the organizations that wrote each file. So for example:
[mepholic@andromeda:~]% ls /usr/share/snmp/mibs                                                                                                                                                                                                                                 <1103
+
[mepholic@andromeda:~]% ls /usr/share/snmp/mibs
ADSL2-LINE-MIB           DNS-SERVER-MIB                               DOCS-IF-MIB.txt                     IANAifType-MIB.txt           IPV6-TC.txt                PKTC-SIG-MIB                  SA-CM-MTA-12812-20100917.mib    SNMPv2-MIB.txt
+
ADSL2-LINE-MIB     DNS-SERVER-MIB                         DOCS-IF-MIB.txt                 IANAifType-MIB.txt     IPV6-TC.txt
ADSL2-LINE-TC-MIB       DOCS-BPI2-MIB                               DOCS-L2VPN-MIB.txt                   IANA-LANGUAGE-MIB.txt       IPV6-UDP-MIB.txt          Q-BRIDGE-MIB.txt              SA-CM-MTA-12812-20100921.mib    SNMPv2-SMI.txt
+
ADSL2-LINE-TC-MIB   DOCS-BPI2-MIB                           DOCS-L2VPN-MIB.txt             IANA-LANGUAGE-MIB.txt   IPV6-UDP-MIB.txt
  
 
On my system that's just a portion of the MIB files I have. Also, MIB files on net-snmp boxes (pretty much any linux box with net-snmp installed) is usually either /usr/share/snmp/mibs or /usr/local/share/snmp/mibs depending on if the package was installed from source or not.
 
On my system that's just a portion of the MIB files I have. Also, MIB files on net-snmp boxes (pretty much any linux box with net-snmp installed) is usually either /usr/share/snmp/mibs or /usr/local/share/snmp/mibs depending on if the package was installed from source or not.
Line 77: Line 77:
 
This brings us to our next topic
 
This brings us to our next topic
 
As mentioned earlier, you can actually turn an OID into name form with a command called snmptranslate. For example:
 
As mentioned earlier, you can actually turn an OID into name form with a command called snmptranslate. For example:
[mepholic@andromeda:~]% snmptranslate .1.3.6.1.2.1                                                                                                                                                                                                                               <1106
+
[mepholic@andromeda:~]% snmptranslate .1.3.6.1.2.1
SNMPv2-SMI::mib-2
+
SNMPv2-SMI::mib-2
shell -o snmptranslate .1.3.6.1.2.1.6.13.1.4
+
TCP-MIB::tcpConnRemAddress
+
  
 
If you want a better breakdown of what each element of the oid is, you can do this:
 
If you want a better breakdown of what each element of the oid is, you can do this:
[mepholic@andromeda:~]% snmptranslate -Td .1.3.6.1.2.1                                                                                                                                                                                                                           <1116
+
[mepholic@andromeda:~]% snmptranslate -Td .1.3.6.1.2.1
SNMPv2-SMI::mib-2
+
SNMPv2-SMI::mib-2
mib-2 OBJECT-TYPE
+
mib-2 OBJECT-TYPE
  -- FROM      SNMPv2-SMI, RFC1213-MIB
+
  -- FROM      SNMPv2-SMI, RFC1213-MIB
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) 1 }
+
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) 1 }
  
 
If you use -Tp it will print a tree of every named elemunt under the oid you put in. http://pastebin.com/0uhS2Tui
 
If you use -Tp it will print a tree of every named elemunt under the oid you put in. http://pastebin.com/0uhS2Tui
  
 
You have another cool command called snmpnetstat. It gives you netstat like output from snmp data. It takes the arguments that snmpwalk does along with another one.
 
You have another cool command called snmpnetstat. It gives you netstat like output from snmp data. It takes the arguments that snmpwalk does along with another one.
-C i guess stands for common
+
-C stands for common, it takes a fe arguments
-Ca will output connections to and from the device
+
-Ca will output connections to and from the device
-Can will do the same thing but without resolving the addresses
+
-Can will do the same thing but without resolving the addresses
-Ci will show information on the system's interfaces
+
-Ci will show information on the system's interfaces
-Cp will show protocol information
+
-Cp will show protocol information
-Cs will show statistics on each protocol
+
-Cs will show statistics on each protocol
-Cr will show you the devices routing tables
+
-Cr will show you the devices routing tables
  
 
So for example:
 
So for example:
Line 107: Line 105:
  
 
So this script is used to remove all of the pesky CPE side filters that my ISP put on my cable modem:
 
So this script is used to remove all of the pesky CPE side filters that my ISP put on my cable modem:
for ((i=1; i<=16; i++)); do snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.$i = 6; done
+
for ((i=1; i<=16; i++)); do snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.$i = 6; done
  
 
Most cable modems are managed over SNMP so that can be one potential use. Note, the above command doesn't uncap me, it just removes customer end IP filters. Well, up to 16 of them cause that's all there was in my case.
 
Most cable modems are managed over SNMP so that can be one potential use. Note, the above command doesn't uncap me, it just removes customer end IP filters. Well, up to 16 of them cause that's all there was in my case.
  
 
As you can see, when I run above script it gives me output like this:
 
As you can see, when I run above script it gives me output like this:
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 = INTEGER: destroy(6)
+
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.2 = INTEGER: destroy(6)
+
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.2 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.3 = INTEGER: destroy(6)
+
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.3 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.4 = INTEGER: destroy(6)
+
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.4 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.5 = INTEGER: destroy(6)
+
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.5 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.6 = INTEGER: destroy(6)
+
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.6 = INTEGER: destroy(6)
 
Note: when you have an MIB loaded for the OID you are setting, you don't need to set the type of value you are setting. It will auto detect it from the MIB if you put an = sign.
 
Note: when you have an MIB loaded for the OID you are setting, you don't need to set the type of value you are setting. It will auto detect it from the MIB if you put an = sign.
 
+
snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 = 6
nmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 = 6
+
 
The script runs a command that looks something like that. I could also use:
 
The script runs a command that looks something like that. I could also use:
nmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 i 6
+
snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 i 6
 +
to tell it that the value i am setting is an integer
  
Last resource i'd like to share with you guys is Cisco's snmp object navigator, http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en.
+
Last resource I'd like to share with you guys is [http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en|Cisco's SNMP Object Navigator]
 +
 
You can enter an OID or object name in there, hit translate and a lot of times, it'll let you download the mib it is in and it's dependant mibs or at least give you the name of the MIB so you can snatch it from google.
 
You can enter an OID or object name in there, hit translate and a lot of times, it'll let you download the mib it is in and it's dependant mibs or at least give you the name of the MIB so you can snatch it from google.
  
 
That's pretty much it for snmp guys, as far as a conclusion, it can be useful for network discovery, looking at what is connected to what, poking at shit maybe if you have a read/write community
 
That's pretty much it for snmp guys, as far as a conclusion, it can be useful for network discovery, looking at what is connected to what, poking at shit maybe if you have a read/write community
 +
 +
[[Category:Protocols]]

Latest revision as of 07:44, 19 May 2012

SNMP is Simple Network Management Protocol

Overview

What is SNMP in English?

Simply put, SNMP allows administrators to collect information about a particular device, server, workstation, switch, router, or any other network-enabled device.

SNMP Agent

An snmp daemon is software running on said device, that transmits information from the Management Information Base (MIB) to an SNMP Trap, or a management or logging device.

Protocol

 161/udp - SNMP Agent port
 162/udp - SNMP Trap/Notification port
PDU
  • IP header
  • UDP header
  • version
  • community
  • PDU-type
  • request-id
  • error-status
  • error-index
  • variable bindings

Lesson

SNMP stands for simple network management protocol. It allows you to do exactly what it sounds like, you can manage network devices using SNMP.

Snmp is a UDP based protocol, port 161/udp to be specific. This means it can be a pain to scan for, if for example you would like to see what SNMP enabled network devices reside on your local network because as most of you know, udp is a connectionless protocol.

If you send something to a UDP server, it doesn't have to reply to you. Thus, nmap for example takes a little more time to check and see if there really is a service listening on a port.

There's usually only 2 different privilege levels with snmp, in this lesson we will refer to them as `public' and `private'.

These are actually default community strings for most snmp enabled devices. A community string is essentially a password.

Snmp version 1 and 2 do not support usernames and it is a completely unencrypted protocol. That's where snmpv3 comes in. It's a little more complicated so I'll leave it for a later lesson.

Back to the community strings (`public' and `private'). When accessing a snmp device, like I said, you generally have 2 access levels, those would be read-only(public) and read-write(private). On some platforms, you can use granular access lists defining which community can access which OID's. Which brings us to our next topic, OID's.

OID stands for object identifier and OID is essentially just an element on an SNMP server. It's something that you can read the value of/set the value of.

You can actually turn an OID into name form with a command called snmptranslate but more on that later.

OID's in SNMP are pretty much exactly the same as OID's in LDAP. If you still have no clue what I'm talking about, I'll give you a small introuduction to OID.

OID's are basically trees of numbers. An oid will look something like this: .1.3.6.1.2.1. Each level defines an attribute of the OID.

The first level, .1 is called iso, anything under this is pretty much and iso standard oid. The second level, .1.3 , the 3 is called org. So far, this means "iso organization" The step above that, .1.3.6, is DoD. Anything under this is classified under Department of Defence. So ".ISO.Organization.Department of Defense". You then have .1.6.6.1. This 1, is classified as "Internet". Then you have .1.3.6.1.2, "IETF Management" and finally, .1.3.6.1.2.1, "SNMP MIB-2".

The DoD essentially created the internet, and therefore your base SNMP oid is under their name. You can think of OID's the same way you think of DNS, just backwards.

If you're wondering how snmp agents and snmp clients know what oid's do what, that's where an MIB comes in. MIB stands for management information base.

A MIB is kind of like an OID definition file. You can have many many different MIB files with the boudaries of said files being the boundries of the organizations that wrote each file. So for example:

[mepholic@andromeda:~]% ls /usr/share/snmp/mibs
ADSL2-LINE-MIB      DNS-SERVER-MIB                          DOCS-IF-MIB.txt                 IANAifType-MIB.txt      IPV6-TC.txt
ADSL2-LINE-TC-MIB   DOCS-BPI2-MIB                           DOCS-L2VPN-MIB.txt              IANA-LANGUAGE-MIB.txt   IPV6-UDP-MIB.txt

On my system that's just a portion of the MIB files I have. Also, MIB files on net-snmp boxes (pretty much any linux box with net-snmp installed) is usually either /usr/share/snmp/mibs or /usr/local/share/snmp/mibs depending on if the package was installed from source or not.

Next, lets actually use snmp to do something. The first command you will probably want to know about is the snmpwalk command. You can get a ton of information on it from the unix manpages but I'll just be focussing on a few options for now, -v and -c.

-v is for version, it accepts 1, 2c, and 3 as arguments. -c is for community, it will accept pretty much anything as an argument so be careful about using funky characters in community strings cause it can fuck with bash like ! $ ; []{} & ~ ` for example. Pretty much anything that isn't A-Za-z0-9.

So what snmpwalk does is it walks your MIB's and tries to query the specified server for each OID in your MIB files. So let's say you do: snmpwalk -v2c -cpublic 192.168.1.1. That will try to access port 161/udp on 192.168.1.1 with snmp version 2c and community public.

You can also filter this output by putting an oid after the IP. That'll give you anything under that OID in your MIB's. Generally, you can use some keywords like: system, interfaces, at, ip, icmp, etc.

So here's some sample output, http://pastebin.com/tXpxAACi.

As you can see, you can get a lot of useful information from this depending on what MIB's you have, you can get a lot more shit. This brings us to our next topic As mentioned earlier, you can actually turn an OID into name form with a command called snmptranslate. For example:

[mepholic@andromeda:~]% snmptranslate .1.3.6.1.2.1
SNMPv2-SMI::mib-2

If you want a better breakdown of what each element of the oid is, you can do this:

[mepholic@andromeda:~]% snmptranslate -Td .1.3.6.1.2.1
SNMPv2-SMI::mib-2
mib-2 OBJECT-TYPE
  -- FROM       SNMPv2-SMI, RFC1213-MIB
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) 1 }

If you use -Tp it will print a tree of every named elemunt under the oid you put in. http://pastebin.com/0uhS2Tui

You have another cool command called snmpnetstat. It gives you netstat like output from snmp data. It takes the arguments that snmpwalk does along with another one.

-C stands for common, it takes a fe arguments
-Ca will output connections to and from the device
-Can will do the same thing but without resolving the addresses
-Ci will show information on the system's interfaces
-Cp will show protocol information
-Cs will show statistics on each protocol
-Cr will show you the devices routing tables

So for example: http://pastebin.com/NhEqRKrb

The next 2 commands I'm going to go over are snmpset and snmpget. These 2 commands take the same arguments as snmpwalk. I recommend when using these, you also use: -m +ALL. This loads every single mib in your mib directory. Also, snmpget takes an OID compared to snmpset which takes an OID, a data type and a value.

So this script is used to remove all of the pesky CPE side filters that my ISP put on my cable modem:

for ((i=1; i<=16; i++)); do snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.$i = 6; done

Most cable modems are managed over SNMP so that can be one potential use. Note, the above command doesn't uncap me, it just removes customer end IP filters. Well, up to 16 of them cause that's all there was in my case.

As you can see, when I run above script it gives me output like this:

DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.2 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.3 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.4 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.5 = INTEGER: destroy(6)
DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.6 = INTEGER: destroy(6)

Note: when you have an MIB loaded for the OID you are setting, you don't need to set the type of value you are setting. It will auto detect it from the MIB if you put an = sign.

snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 = 6

The script runs a command that looks something like that. I could also use:

snmpset -m +ALL -cprivate -v2c 192.168.100.1 DOCS-CABLE-DEVICE-MIB::docsDevFilterIpStatus.1 i 6

to tell it that the value i am setting is an integer

Last resource I'd like to share with you guys is SNMP Object Navigator

You can enter an OID or object name in there, hit translate and a lot of times, it'll let you download the mib it is in and it's dependant mibs or at least give you the name of the MIB so you can snatch it from google.

That's pretty much it for snmp guys, as far as a conclusion, it can be useful for network discovery, looking at what is connected to what, poking at shit maybe if you have a read/write community