CEH

(Jeff_L) #1



By default, SNMP tends to use two passwords, one to read information from an agent
and one to configure it:


■ Read community string
  ■ Configuration of the device or system can be viewed with the help of this password.
  ■ These strings are public.

■ Read/write community string
  ■ Configuration on the device can be changed or edited using this password.
  ■ These strings are private.

Although these strings can be changed, they can also be left at the defaults noted here.
Attackers can and will take the opportunity to leverage this mistake. An attacker can use
the default passwords for changing or viewing information for a device or system. As an
attacker you will attempt to use the service to enumerate the information from the device
for later attacks.
The following can be extracted through SNMP:

■ Network resources such as hosts, routers, and devices
■ File shares
■ ARP tables
■ Routing tables
■ Device-specific information
■ Traffic statistics


Commonly used SNMP enumeration tools include SNMPUtil and SolarWinds’ IP Network
Browser.


SNScan


SNScan is a utility designed to detect devices on a network enabled for SNMP. The utility
helps you locate and identify devices that are vulnerable to SNMP attacks. SNScan scans
specific ports (for example, UDP 161, 193, 391, and 1993) and looks for the use of standard
(public and private) and user-defined SNMP community names. User-defined community
names may be used to more effectively evaluate the presence of SNMP-enabled devices in
complex networks.


Unix and Linux Enumeration


Linux and Unix systems are no different from Windows systems and can be enumerated as
well. The difference lies in the tools and the approach. In this section you will take a look
at a handful of the tools that have proven useful in exploring these systems.
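
On the defensive side of the default community strings described in the SNMP discussion above, the following added example (not from the book or the original post) audits a Linux or Unix agent's configuration for them. It assumes the agent is Net-SNMP's snmpd and reads its `rocommunity`, `rwcommunity` and `com2sec` directives; the function name and the sample configuration are constructed for illustration.

```python
DEFAULT_STRINGS = {"public", "private"}   # defaults named in the text above
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample snmpd.conf, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
rocommunity public
rwcommunity private 10.0.0.0/24
rocommunity Xq7-mon-2f9 192.0.2.10
com2sec notConfigUser default public
rwcommunity Zk4-cfg-8d1
"""

def audit_snmpd_conf(text):
    """Return (line_no, directive, problems) for each risky community line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"  # no SOURCE = any host
        elif directive in ("com2sec", "com2sec6"):
            if args[:1] == ["-Cn"]:          # skip the optional context argument
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue
        problems = []
        if community.strip("\"'") in DEFAULT_STRINGS:
            problems.append("default community string")
        if source in ANY_SOURCE:
            problems.append("accepted from any source address")
        if directive.startswith("rw") and problems:
            problems.append("grants write access")
        if problems:
            findings.append((line_no, directive, problems))
    return findings

if __name__ == "__main__":
    for line_no, directive, problems in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: {directive}: " + "; ".join(problems))
```

Lines that use a non-default string and a restricted source, such as line 4 of the sample, produce no finding.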
