Onesixtyone
The MIB database, created by SNMP, contains extensive information on every device on the network. While SNMPv1 is very insecure and SNMPv3 is very secure, many companies still use SNMPv1. As such, the public community string (password) that provides access to SNMP and its MIB database is susceptible to cracking. Once the hacker has the public community string, they have access to all the info available in the SNMP MIB.
Better yet, if we can crack the private community string (password), we can change the settings on any network device—even take it offline. We could then potentially change the configuration settings on switches and routers to our advantage.
In this tutorial, we will be cracking the SNMPv1 community string (password) with one of the best SNMP cracking tools, onesixtyone (SNMP runs on port 161, hence its name).
Step 1
Find Onesixtyone
Onesixtyone—like so many of the best hacking tools—is built into Kali, so no need to download and install if you're running BackTrack. We can find onesixtyone by going to Kali -> Information Gathering -> Network Analysis -> SNMP and then onesixtyone, as shown in the screenshot below.
Open Onesixtyone
When we click on onesixtyone, we will be greeted with a screen like that below.
Notice in the third line the basic syntax for usage of onesixtyone.
- onesixtyone (options) <host> <community>
Where:
- host is the IP address of the system we are targeting
- community is either public or private
Like any password-cracking software (that is not using brute-force), it's only as good as its wordlist. Onesixtyone comes with a built-in wordlist of commonly used passwords on SNMP, but if your password isn't in the list, you can use any word list you want.
Very often, if a sysadmin changes the SNMP community string, they will change it to something simple like the companyname-public or companyname-private. It's always worth trying these or similar combinations before attempting a password crack.
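From the defender's side, the guessable patterns described above can be caught in configuration review. The following is an added example, not part of the original tutorial or of onesixtyone: it audits a Net-SNMP snmpd.conf for default or organisation-derived community strings and for write access. The sample config, the organisation name "Acme" and the word list are constructed assumptions.

```python
import re

# Constructed sample snmpd.conf in Net-SNMP syntax (not from the original page).
SAMPLE_CONF = """\
# monitoring access
rocommunity public default
rwcommunity acme-private 10.0.0.0/8
com2sec -Cn ctx1 mynet 192.168.1.0/24 AcmePublic2
rocommunity6 k9X2vQ7mLp4Rt8Zs ::1
rouser monitor authPriv
"""

DEFAULTS = {"public", "private"}              # well-known default strings
COMMON_WORDS = ("public", "private", "snmp")  # assumption: typical suffixes
DIRECT = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def _norm(s):
    """Lowercase and drop digits/separators: 'Acme-Public2' -> 'acmepublic'."""
    return re.sub(r"[^a-z]", "", s.lower())

def communities(conf_text):
    """Yield (line_no, directive, community) for SNMPv1/v2c directives."""
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop comments and tokenize; blank lines become a no-op directive.
        tok = raw.split("#", 1)[0].split() or [""]
        directive, args = tok[0].lower(), tok[1:]
        if directive in DIRECT and args:
            yield no, directive, args[0]
        elif directive in ("com2sec", "com2sec6"):
            if args[:1] == ["-Cn"]:           # optional "-Cn CONTEXT" prefix
                args = args[2:]
            if len(args) >= 3:                # SECNAME SOURCE COMMUNITY
                yield no, directive, args[2]

def audit(conf_text, org_names):
    """Return [(line_no, community, [reasons])] for guessable or risky entries."""
    orgs = [o for o in map(_norm, org_names) if o]
    findings = []
    for no, directive, comm in communities(conf_text):
        n, reasons = _norm(comm), []
        if comm.lower() in DEFAULTS:
            reasons.append("default community string")
        elif any(o in n for o in orgs) and any(w in n for w in COMMON_WORDS):
            reasons.append("organisation name plus common word")
        if directive.startswith("rw"):
            reasons.append("write access over SNMPv1/v2c")
        if reasons:
            findings.append((no, comm, reasons))
    return findings
```

Calling `audit(SAMPLE_CONF, ["Acme"])` flags lines 2, 3 and 4 of the sample; the random read-only string and the SNMPv3 `rouser` line are not reported.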
Take It Out for a Spin
Now that we understand the basics of how onesixtyone works, let's try it out.
- ./onesixtyone -c dict.txt 192.168.1.119
Now, all we need to do is hit enter and let onesixtyone do its job!