Monday, August 1, 2016

SNMP get-next-request Recon

I noticed some external recon via SNMP. There were 2 requests, both over port 161 from the internet. They were IP packets via UDP. The requests both seem to be "get-next-request", both from the same source and to the same destination.

An SNMP get-next-request is used to retrieve SNMP MIB (management information base) table values, walking to the next object after the one named in the request. MIB values are referenced using a series of dotted integers (an OID). For example, a request for the MIB variable "1.3.6.1.2.1.1.1" (sysDescr) returns the system description of the network device, so if it is a router it would return the vendor, version, etc., as the captures below show.

The only differences between the 2 requests are
1.) version
2.) request-id


SNMP version-1 (0) is the oldest version and sends everything, including the community string, in plaintext. SNMP v2c (1) is the same as version-1 except that it has a larger counter field for more flexible polling intervals of the systems being monitored. There is a version 3 that adds security, but the attacker is not looking for this version, thus I can only assume that whatever they're after is only applicable if they find v1 or v2c.

The request-id is just a unique integer that identifies that specific message, so it makes sense that each request contains a different id.

Thus the conclusion is that the attacker is using these requests to determine whether this device responds to SNMP v1 or v2c, perhaps with a tool like snmpwalk, and then to determine what type of device it is. The attacker can then use this information to determine what patch level the device is at and which exploits apply to it.

Simple Network Management Protocol
  version: version-1 (0)
  community: public
  data: get-next-request (1)
   get-next-request
    request-id: 1118066890
    error-status: noError (0)
    error-index: 0
    variable-bindings: 1 item
     1.3.6.1.2.1.1.1.0: Value (Null)
      Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
      Value (Null)


Simple Network Management Protocol
  version: v2c (1)
  community: public
  data: get-next-request (1)
   get-next-request
    request-id: 1118066889
    error-status: noError (0)
    error-index: 0
    variable-bindings: 1 item
     1.3.6.1.2.1.1.1.0: Value (Null)
      Object Name: 1.3.6.1.2.1.1.1.0 (iso.3.6.1.2.1.1.1.0)
      Value (Null)


SANS provides a nice link explaining SNMP recon.

More about neonprimetime

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
