Part 1: setup snmp service
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-i/
1. ifconfig
2. ping baidu.com
3. apt-get install snmpd
4. vim /etc/snmp/snmpd.conf
5. comment out the line agentAddress udp:127.0.0.1:161
6. uncomment the line agentAddress udp:161,udp6:[::1]:161
7. /etc/init.d/snmpd restart
==================================================================================
Part 2: onesixtyone
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-ii/
Management Information Base (MIB): a database used for managing the entities in a communications network (wiki: http://en.wikipedia.org/wiki/Management_information_base)
Community String:
An SNMP community string is a text string which acts as an authentication token (a password basically) between the management stations and network devices on which SNMP agents are hosted. Community Strings travel in clear text over the network, hence are subject to network sniffing attacks. Community Strings are sent with every network packet exchanged between the node and management station.
There are two different modes in which SNMP operates and both of these modes have different community strings:
Read only
This mode permits querying the device and reading the information, but does not permit any kind of changes to the configuration. The default community string for this mode is “public.”
Read Write
In this mode, changes to the device are permitted; hence if one connects with this community string, we can even modify the remote device’s configurations. The default community string for this mode is “private.”
Port Scanning:
By default, SNMP runs on UDP port number 161. Unless explicitly configured, SNMP will not run on a different port.
The next step for us is to check whether default community strings are enabled. Finding such a host is a windfall, because SNMP can yield a great deal of information that would otherwise take a penetration tester hours of work to gather.
The tool used for this check is known as "onesixtyone".
Onesixtyone is basically a utility that can be used to bruteforce the SNMP community strings. It takes a list of hosts as an input and a password dictionary. It supports large dictionary files and is quick in checking if any of the passwords match. This is very helpful to penetration testers because during a pentest one wants to do quick checks to identify whether any of the hosts, out of a gamut of devices identified running SNMP, are running with default passwords. If there is more time and one wants to go ahead and check it against large dictionary, it could be done as well. The tool caters to both these requirements.
To invoke this utility, just type "onesixtyone" at the command prompt and you’ll see something like the following:
root@kali:/opt/metasploit# onesixtyone
onesixtyone 0.3.2 [options] <host> <community>
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information
-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
examples: ./s -c dict.txt 192.168.4.1 public
./s -c dict.txt -i hosts -o my.log -w 100
Switch “i” is used to input the target file which we created previously. This will be treated as a target list and every host mentioned in the input file will be tried one by one against the password dictionary that we fed to the tool using switch “c.”
If the tool finds a match, refer to image 2; otherwise refer to image 3.
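The cleartext community string described above, as an added example that is not part of the original article or of onesixtyone: a minimal SNMPv1 GetRequest encoder plus a decoder that recovers the version and community string from the raw datagram and flags the default "public"/"private" values. The OID and community values used are constructed sample data.

```python
# Added example (not from the article): encode an SNMPv1 GetRequest the way a
# manager sends it, then decode it the way a sniffer would. Standard library only.

DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults the article names

def _ber_len(n: int) -> bytes:
    """BER length field: short form below 128 bytes, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(n: int) -> bytes:
    # Non-negative only; a leading 0x00 stops the top bit reading as a sign bit.
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def _ber_oid(dotted: str) -> bytes:
    """OID: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version=0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")          # OID + NULL
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)
               + _tlv(0x30, varbind))                          # [0] GetRequest
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_community(datagram: bytes) -> dict:
    """What a passive observer learns from one SNMPv1/v2c datagram."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vraw, pos = _read_tlv(msg, 0)
    ctag, craw, _ = _read_tlv(msg, pos)
    # SNMPv3 carries a SEQUENCE here instead of the community OCTET STRING.
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("no community string (SNMPv3 or malformed)")
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(vraw, "big"), "other")
    community = craw.decode("ascii", "replace")
    return {"version": version, "community": community,
            "default_community": community in DEFAULT_COMMUNITIES}

if __name__ == "__main__":
    # sysDescr.0 with the default community; "public" is visible right after 04 06
    print(parse_community(encode_get_request("public", "1.3.6.1.2.1.1.1.0")))
```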
==================================================================================
Part 3: snmpcheck
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-iii/
“snmpcheck” is a tool that can be used to harvest information from hosts running default installations of SNMP. Using “snmpcheck”, we can enumerate information such as system uptime, the host name of the remote system, users on the remote system, installed software with exact versions, a list of running processes, a list of all TCP and UDP ports, and many other details.
Snmpcheck runs through the SNMP MIB, retrieving the stored information and displaying it in a user-friendly form that even a layman can read.
However, this is only possible when the community string of the remote host is known to the tool; without it, authentication fails and we cannot retrieve any information from the target.
“t” – This switch is used to specify the target IP address on which we want to run the tool. “t” is a mandatory switch; the tool cannot work without a target.
“w” – This switch is used to confirm whether the target IP address has write access enabled or not. “w” is an optional switch. Not all devices will have write access enabled, but if any of the network devices has write access enabled and if we can brute force the community string for SNMP write mode, we can even make configuration changes on the remote host.
“p” – This switch is used to specify the port number on which the SNMP service is running on the target node. This is an optional switch; if the end user does not specify a port number when running the tool, snmpcheck uses the default configuration, which is UDP port 161.
“c” – This switch is used to specify the community string. This switch is also optional. Default configuration is “public”.
“v” – This switch is used to specify the SNMP version in case the user knows what is running on the target box. This switch is optional as well. Default configuration for this switch is “version 1″.
“r” – This switch is used to specify the number of retries. It is required in case an end user wants to explicitly instruct the tool to try for “x” number of times before giving up on a host. This switch is optional as well and defaults to a single retry.
“d” – This optional switch disables connection to TCP ports when specified, thus avoiding the overhead time (maybe a couple of seconds) which snmpcheck would otherwise take.
“T” – This switch allows the end user to configure a specific timeout (in seconds). The switch is optional; unless explicitly specified, the timeout is 45 seconds.
“l” – This optional switch enables the tool's logging feature.
“h” – This pulls up the help menu of the tool which can aid the user for quick reference of the switches they can use to fine tune its behavior and output.
root@kali:/opt/metasploit# snmpcheck -t 192.168.59.134 -c public
Check if Write Access is enabled:
We can check whether write access is enabled by adding one more switch, “-w”, to our initial command:
root@kali:/opt/metasploit# snmpcheck -t 192.168.59.134 -c public -w
Result: refer to image 4.
Let me quickly demonstrate how the output would look if write access is not enabled. I ran the tool a second time after disabling the write access on the concerned target and this time, we have a different output. “Snmpcheck” timed out, and the output is significantly different from the previous one. One thing notable here is that the tool did connect to the remote host, so the timeout shown is definitely not a connection timeout.
Refer to image 5.
==================================================================================
Part 4: SNMPWALK
ref: http://resources.infosecinstitute.com/vulnerability-assessment-of-snmp-service-part-4/
Users can feed in a specific OID directly to “snmpwalk” to probe that object (in MIB tree structure).
“Snmpwalk” is a tool that uses SNMP GETNEXT operation to query the network device for a tree of information. When an end user feeds the OID to the tool using the command line, this basically is an instruction to GETNEXT operation as to what portion of the tree it should look into.
Using GETNEXT requests, “snmpwalk” queries every variable listed under that OID (the sub-tree) and presents the results to the end user.
Let’s first see how we can walk through the entire OID tree using “snmpwalk”. Our first command will go through every available object and return the value of each of these nodes.
snmpwalk 192.168.1.101 -c public -v1 1
Snmpwalk is followed by the target IP address in the above command. The “c” switch is used to provide the community string and the “v” switch specifies the version of SNMP on the target system. I used “1” as the version since that’s the version of SNMP on the target box. The last “1” is nothing but the OID. Since we are giving the OID for ISO, snmpwalk will walk through the entire MIB tree and retrieve everything.
I’ll now cover an example of a leaf-node OID.
snmpwalk 192.168.1.101 -c public -v1 sysName
The following is an example of running the tool with a specific numeric OID.
snmpwalk 192.168.1.101 -c public -v1 1.3.6.1
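The GETNEXT walk described above, as an added example that is not taken from the article or from net-snmp: a simulated snmpwalk over a constructed MIB table, showing why OID 1 returns the whole tree, why a sub-tree OID such as 1.3.6.1.2.1.2 returns only its branch, and how the walk decides to stop. The MIB contents and the sysName lookup table are constructed sample data.

```python
# Added example (not from the article): a simulated snmpwalk over a
# constructed MIB table, to show what GETNEXT does with the OID argument.
# A real tool sends one GETNEXT per step to the agent; here the agent is a dict.

# Constructed stand-in for an agent's MIB view (instance OID -> value), a
# subset of the standard system (...1) and interfaces (...2) groups.
AGENT_MIB = {
    "1.3.6.1.2.1.1.1.0": "Linux kali",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,         # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "kali",         # sysName.0
    "1.3.6.1.2.1.2.1.0": 3,              # ifNumber.0
    "1.3.6.1.2.1.2.2.1.2.1": "lo",       # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth0",     # ifDescr.2
    "1.3.6.1.2.1.2.2.1.2.10": "wlan0",   # ifDescr.10
    "1.3.6.1.2.1.25.1.1.0": 654321,      # hrSystemUptime.0
}
# Symbolic names a MIB-aware snmpwalk resolves; only the one the article uses.
SYMBOLIC = {"sysName": "1.3.6.1.2.1.1.5"}

def oid_key(oid: str) -> tuple:
    """Order arcs numerically: ifDescr.10 comes after ifDescr.2, although a
    plain string sort would put '...2.10' before '...2.2'."""
    return tuple(int(a) for a in oid.split("."))

def get_next(mib: dict, oid: str):
    """GETNEXT semantics: the first instance lexicographically after `oid`.
    Returns None when the walk has run off the end of the MIB view."""
    key = oid_key(oid)
    for candidate in sorted(mib, key=oid_key):
        if oid_key(candidate) > key:
            return candidate
    return None

def is_under(oid: str, root: str) -> bool:
    r = oid_key(root)
    return oid_key(oid)[:len(r)] == r

def snmpwalk(mib: dict, start: str) -> list:
    """Repeat GETNEXT from `start` until a reply leaves the sub-tree.
    'snmpwalk ... 1' therefore returns every object; 'sysName' returns only
    its instances. An exact instance OID (e.g. sysName.0) walks to nothing,
    because GETNEXT already steps past it (newer net-snmp falls back to GET)."""
    root = SYMBOLIC.get(start, start)
    results, cur = [], root
    while True:
        cur = get_next(mib, cur)
        if cur is None or not is_under(cur, root):
            break
        results.append((cur, mib[cur]))
    return results

if __name__ == "__main__":
    for oid, value in snmpwalk(AGENT_MIB, "1"):        # same result as "1.3.6.1"
        print(oid, "=", value)
    print(snmpwalk(AGENT_MIB, "sysName"))
```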