Thursday, 27 February 2014

SNMP Infos

1.) nmap -A x.x.x.x
2.) sudo nmap -sU x.x.x.x
Tools for UDP scan:

sledgehammer: cd ~/Desktop/cisco-audit/ADMsnmp
sledgehammer:./ADMsnmp
ADMsnmp v 0.1 (c) The ADM crew
./ADMsnmp: [-g,-wordf,-out , [-waitf,-sleep, -manysend,-inter <#>] ]
: host to scan
[-guessname] : guess password with hostname
[-wordfile] : wordlist of password to try
[-outputfile] : output file
[-waitfor] : time in milisecond in each send of snmprequest
[-sleep] : time in second of the scan process life
[-manysend] : how many paket to send by request
[-inter] : time to wait in milisecond after each request
sledgehammer:~/Desktop/cisco-audit/ADMsnmp

ADMsnmp is a good tool for brute-forcing community names on SNMP-enabled boxes.
sledgehammer:~/Desktop/cisco-audit/ADMsnmp
./ADMsnmp 127.0.0.1 -w snmp.passwd
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=1234 id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=2read id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=4changes id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=CISCO id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=IBM id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=OrigEquipMfr id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=SNMP id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=SUN id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=agent id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=all id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=community id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=default id = 44 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable id = 47 >>>>>>>>>>>
>>>>>>>>>>> get req name=field id = 50 >>>>>>>>>>>
>>>>>>>>>>> get req name=guest id = 53 >>>>>>>>>>>
>>>>>>>>>>> get req name=hello id = 56 >>>>>>>>>>>
>>>>>>>>>>> get req name=ibm id = 59 >>>>>>>>>>>
>>>>>>>>>>> get req name=manager id = 62 >>>>>>>>>>>
>>>>>>>>>>> get req name=mngt id = 65 >>>>>>>>>>>
>>>>>>>>>>> get req name=monitor id = 68 >>>>>>>>>>>
>>>>>>>>>>> get req name=netman id = 71 >>>>>>>>>>>
>>>>>>>>>>> get req name=network id = 74 >>>>>>>>>>>
>>>>>>>>>>> get req name=none id = 77 >>>>>>>>>>>
>>>>>>>>>>> get req name=openview id = 80 >>>>>>>>>>>
>>>>>>>>>>> get req name=pass id = 83 >>>>>>>>>>>
>>>>>>>>>>> get req name=password id = 86 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 89 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy id = 92 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 95 >>>>>>>>>>>
<<<<<<<<<<< id = 96 name = public ret = 0
>>>>>>>>>>>> send setrequest id = 96 name = public >>>>>>>>
>>>>>>>>>>> get req name=read id = 98 >>>>>>>>>>>
<<<<<<<<<<< id = 97 name = public ret = 0
>>>>>>>>>>> get req name=read-only id = 101 >>>>>>>>>>>
>>>>>>>>>>> get req name=read-write id = 104 >>>>>>>>>>>
>>>>>>>>>>> get req name=root id = 107 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 110 >>>>>>>>>>>
>>>>>>>>>>> get req name=secret id = 113 >>>>>>>>>>>
>>>>>>>>>>> get req name=security id = 116 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 119 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmpd id = 122 >>>>>>>>>>>
>>>>>>>>>>> get req name=solaris id = 125 >>>>>>>>>>>
>>>>>>>>>>> get req name=sun id = 128 >>>>>>>>>>>
>>>>>>>>>>> get req name=switch id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=system id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=tech id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=test id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=world id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 17 >>>>>>>>>>>
snmp check on 127.0.0.1
sys.sysName.0:Aficio 2022
name = public readonly access
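The run above is also what a defender should look for on the wire: one source presenting many different community strings within a few seconds. As an added example, not part of the original post or of ADMsnmp, here is a minimal SNMPv1 parser that pulls the community string out of each datagram, plus a detector that flags a source trying five or more distinct names within ten seconds; the packet builder, the IP addresses and the thresholds are constructed assumptions used only for the sample capture.

```python
from collections import defaultdict

SYSNAME_OID = bytes.fromhex("2b06010201010500")  # 1.3.6.1.2.1.1.5.0, the sysName.0 the run above reads

def _tlv(tag, payload):  # BER TLV with short-form length (every payload built here is < 128 bytes)
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def build_get_request(community, request_id, oid=SYSNAME_OID):
    """Encode an SNMPv1 GetRequest for one OID; used here only to construct the sample capture."""
    assert 0 <= request_id < 128  # keeps the request-id INTEGER to one positive byte
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00") * 2 + _tlv(0x30, varbind)  # id, error-status, error-index, varbinds
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))

def _read_tlv(buf, pos):  # -> (tag, value, next_pos); short-form and one-byte long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x81:
        length, pos = buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(datagram):
    """Extract version, community, PDU type and request-id from one SNMPv1/v2c message."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, request_id, _ = _read_tlv(pdu, 0)
    return {"version": int.from_bytes(version, "big"), "community": community.decode("latin-1"),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(request_id, "big")}

def detect_community_guessing(events, threshold=5, window=10.0):
    """events: (timestamp, src_ip, datagram). Flag sources showing >= threshold distinct communities within window seconds."""
    per_src = defaultdict(list)
    for ts, src, dgram in events:
        per_src[src].append((ts, parse_snmpv1(dgram)["community"]))
    flagged = {}
    for src, tries in per_src.items():
        tries.sort()
        for i, (t0, _) in enumerate(tries):
            names = {name for t, name in tries[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged[src] = sorted(names)
                break
    return flagged

# Constructed sample capture (assumed IPs): one host cycling a wordlist, one legitimate poller.
GUESSES = ["public", "private", "cisco", "admin", "manager", "secret"]
SAMPLE_EVENTS = [(0.5 * i, "10.0.0.9", build_get_request(name, i + 1)) for i, name in enumerate(GUESSES)]
SAMPLE_EVENTS += [(60.0 * i, "10.0.0.3", build_get_request("public", 7)) for i in range(6)]
```

`detect_community_guessing(SAMPLE_EVENTS)` flags only 10.0.0.9; the poller that repeats a single community string is never reported, however often it asks.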