Another useful mechanism for enumerating a target system is the Simple Network Management Protocol (SNMP). This protocol is used to assist in the management of devices such as routers, hubs, and switches, among others. SNMP comes in three versions:
SNMPv1 This version of the protocol was introduced as a standardized mechanism for managing network devices. While it accomplished many tasks such as introducing a standardized protocol, it lacked success in many others. The shortcomings of this protocol were addressed in later versions. Of interest to the pentester is the fact that this version does not include any security measures.
SNMPv2 This version introduced new management functions as well as security features that were not included in the initial version. By design, this version of the protocol is backward compatible with SNMPv1.
SNMPv3 This is the latest version of the protocol; it places increased emphasis on the area of security. The security of SNMPv3 is focused on two areas:
Authentication is used to ensure that traps are read by only the intended recipient.
Privacy encrypts the payload of the SNMP message to ensure that it cannot be read by unauthorized users.
SNMP is an Application layer protocol that functions using UDP. The protocol works across platforms, meaning it can be accessed on most modern operating systems including Windows, Linux, and Unix. The main requirement for SNMP is that the network is running TCP/IP.
SNMP enumeration for the ethical hacker consists of leveraging the weaknesses in the protocol to reveal user accounts and devices on a target running the protocol. To understand how this is possible, let’s delve into some components of the SNMP system.
In the SNMP system two components are running: the SNMP agent and the SNMP management station. The agent is located on the device to be managed or monitored, whereas the management station communicates with the agent itself.
The system works through the use of the agent and the management station like so:
1. The SNMP management station sends a request to the agent.
2. The agent receives the request and sends back a reply.
The messages sent back and forth function by setting or reading variables on a device. In addition, the agent uses traps to let the management station know if anything has occurred, such as failure or reboot, that needs to be addressed.
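The request/reply exchange and the version differences described above can be seen directly in the message header. The following is an added example, not code from the original text: it decodes the BER-encoded header of a captured SNMP message and reports which side sent it and whether it carries authentication or privacy. The function names, the sample packet and the community value "demo-ro" are constructed for illustration.

```python
# Added example (not from the original text): decode an SNMP message header.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
AGENT_PDUS = {0xA2, 0xA4}          # replies and traps originate at the agent

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:              # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(raw_version, "big")
    if version in (0, 1):          # SNMPv1 / SNMPv2c: community string, then PDU
        _, community, pos = read_tlv(body, pos)
        pdu_tag, _, _ = read_tlv(body, pos)
        return {"version": "SNMPv1" if version == 0 else "SNMPv2c",
                "community": community.decode("ascii", "replace"),
                "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
                "sender": "agent" if pdu_tag in AGENT_PDUS else "management station",
                "authenticated": False, "encrypted": False}
    if version == 3:               # SNMPv3: msgGlobalData carries msgFlags
        _, global_data, _ = read_tlv(body, pos)
        _, _, p = read_tlv(global_data, 0)        # msgID
        _, _, p = read_tlv(global_data, p)        # msgMaxSize
        _, flags, _ = read_tlv(global_data, p)    # msgFlags: bit 0 auth, bit 1 priv
        bits = flags[0] if flags else 0
        return {"version": "SNMPv3", "authenticated": bool(bits & 1), "encrypted": bool(bits & 2)}
    raise ValueError("unknown SNMP version")

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0).
SAMPLE_V1_GET = bytes.fromhex(
    "3027020100040764656d6f2d726fa019020101020100020100300e300c06082b060102010101000500")
```

Run over captured traffic, a result with "authenticated": False and a readable community value marks a device still speaking SNMPv1 or SNMPv2c that should be moved to SNMPv3.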