On a recent test I came across SNMP write access on a Windows box and really wanted to use it to lower the security posture of the server; however, at the time the only attacks I could come up with were denial of service (changing the IP, name, etc.) or pointless PoCs (writing a contact, etc.).
Anyway, that stuck with me, and when I found it again on a separate test I decided to dig a little deeper. I found that it was possible to send a kill signal to any process on the server, provided the owner of the SNMP daemon has sufficient rights to kill that process.
I created a script to do this a while ago just to automate the action. I have since decided to release this as my first tool and therefore added some nice menus etc and looped the kill process function.
Without further ado... I give you SNMP Process Sniper.
This is still very rough and there are a number of amendments that I will make to it in the future such as port forwarding through an additional menu option using either IPtables or nc as SNMPSET and SNMPWALK are both limited to default ports.
In addition I got a bit carried away with the colours LMAO sorry!
Code can be found on the Tools Page or snmp-process-sniper
This script just runs a few basic functions using the host resources MIB (HOST-RESOURCES-MIB) and the snmpwalk and snmpset tools built into Kali; if you're going to use this on anything else, make sure you have those tools installed.
I should also point out that this was tested against an enterprise solution such as the IBM Tivoli Netcool SNMP Agent. Not all SNMP agents make the hrSWRunStatus object writable; this includes the default built-in Windows SNMP agent. It appears that Microsoft decided to do things their own way rather than following the RFC, although the RFC does say "MAX-ACCESS read-write" (http://tools.ietf.org/html/rfc2790). In short, Microsoft is more secure ;-P
Scenario:
You are testing a Windows device running SNMP and have, through some means, managed to enumerate the write community string. The SNMP service is running as SYSTEM.
Let's run the program and look at some screenshots:
Firstly the script reads in some variables: Target, Community String and Version:
Then it completes a simple test to make sure that the SNMP settings are valid:
If we press Enter we are then prompted with a menu to select an option: if you already know the PID you want to kill, select 2; otherwise, to enumerate the list of PIDs and process names, select 1.
Selecting option 1 looks like the following and provides two columns, PID and Process Name, then returns to the menu:
Now that we know the PID to kill we can select option 2 and kill the Process:
In this example I have selected to kill process 1234.
I have been able to use this to kill RDP sessions, Firewalls and Antivirus amongst anything else that runs as a process.
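As an added example (not part of the original post or of the SNMP Process Sniper tool), here is a defender-side Python script for the other end of this: it parses the snmpwalk output of the HOST-RESOURCES-MIB hrSWRunTable that option 1 enumerates (hrSWRunName and hrSWRunStatus), and diffs two polled snapshots to flag when a watch-listed process such as an antivirus or firewall agent has disappeared between polls. The sample walk output, PIDs and process names are constructed for the example; the line regex accepts both net-snmp's symbolic form and the numeric OID form of the same columns.

```python
import re
from typing import Dict, List, Tuple

# hrSWRunTable columns from RFC 2790: .2 = hrSWRunName, .7 = hrSWRunStatus
_NAME_COL, _STATUS_COL = "2", "7"
_STATUS_NAMES = {1: "running", 2: "runnable", 3: "notRunnable", 4: "invalid"}

# One snmpwalk output line, in either net-snmp symbolic or numeric OID form, e.g.
#   HOST-RESOURCES-MIB::hrSWRunName.1234 = STRING: "foo.exe"
#   .1.3.6.1.2.1.25.4.2.1.7.1234 = INTEGER: running(1)
_LINE = re.compile(
    r"^(?:HOST-RESOURCES-MIB::(?P<sym>hrSWRunName|hrSWRunStatus)"
    r"|\.?1\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(?P<col>[27]))"
    r"\.(?P<pid>\d+)\s*=\s*(?:STRING|INTEGER):\s*(?P<val>.*?)\s*$"
)

# Constructed sample walks (not captured from a real host): the second snapshot
# is the first minus PID 1234, the hypothetical "av-service.exe".
SNAPSHOT_BEFORE = """\
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.1234 = STRING: "av-service.exe"
HOST-RESOURCES-MIB::hrSWRunName.2048 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.3100 = STRING: "firewall-agent.exe"
HOST-RESOURCES-MIB::hrSWRunStatus.4 = INTEGER: running(1)
HOST-RESOURCES-MIB::hrSWRunStatus.1234 = INTEGER: running(1)
HOST-RESOURCES-MIB::hrSWRunStatus.2048 = INTEGER: runnable(2)
HOST-RESOURCES-MIB::hrSWRunStatus.3100 = INTEGER: running(1)
"""
SNAPSHOT_AFTER = "\n".join(
    l for l in SNAPSHOT_BEFORE.splitlines() if ".1234 " not in l
)


def parse_hrswrun(walk_output: str) -> Dict[int, Dict[str, str]]:
    """Turn snmpwalk output for hrSWRunName/hrSWRunStatus into {pid: {name, status}}."""
    table: Dict[int, Dict[str, str]] = {}
    for line in walk_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # other columns of the table, or unrelated noise
        pid = int(m.group("pid"))
        entry = table.setdefault(pid, {"name": "", "status": "unknown"})
        col = m.group("sym") or m.group("col")
        val = m.group("val")
        if col in ("hrSWRunName", _NAME_COL):
            entry["name"] = val.strip('"')
        else:
            # INTEGER values appear as running(1) or as a bare 1
            code = re.search(r"(\d+)\)?$", val)
            entry["status"] = (
                _STATUS_NAMES.get(int(code.group(1)), "unknown") if code else "unknown"
            )
    return table


def find_missing(before: Dict[int, Dict[str, str]],
                 after: Dict[int, Dict[str, str]],
                 watchlist: List[str]) -> List[Tuple[int, str]]:
    """Return (pid, name) for watch-listed processes present in `before` but gone in `after`."""
    watched = {w.lower() for w in watchlist}
    gone: List[Tuple[int, str]] = []
    for pid, entry in sorted(before.items()):
        if entry["name"].lower() in watched and pid not in after:
            gone.append((pid, entry["name"]))
    return gone


if __name__ == "__main__":
    before = parse_hrswrun(SNAPSHOT_BEFORE)
    after = parse_hrswrun(SNAPSHOT_AFTER)
    print(f"{'PID':>6}  {'Process Name':<20} Status")
    for pid, e in sorted(before.items()):
        print(f"{pid:>6}  {e['name']:<20} {e['status']}")
    for pid, name in find_missing(before, after, ["av-service.exe", "firewall-agent.exe"]):
        print(f"ALERT: watched process {name} (PID {pid}) vanished between polls")
```

In practice you would feed the two snapshots from consecutive read-only polls (`snmpwalk` of hrSWRunName and hrSWRunStatus with a read community) and ship the ALERT lines to whatever your monitoring consumes; the same parser also gives you the PID/process-name table that option 1 prints.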
Anyway I hope this is of use to someone.