Attacking SNMP

The identification of the SNMP community string can yield a wealth of information about the wireless device and potentially a way to change the configuration via the 'write' community string. In this section, we will use a tool, onesixtyone, included in Kali to attempt to brute force these community strings. Of course, in order to use this tool, you will need to be able to reach the administrative interface of the access point or wireless router. You will not be able to accomplish this without first being connected to the wired or wireless network hosted by the AP. Follow these steps:

  1. Similar to our attack on SSH, you will need a dictionary file to brute force the community strings. There are several examples on the Internet that can be readily obtained for this purpose or you can use a general word list or dictionary file. The benefit of a specialized word list is that it could reduce the amount of time required to find the SNMP community string. The file we will use is located at https://github.com/rustyrobot/fuzzdb/blob/master/wordlists-misc/wordlist-common-snmp-community-strings.txt.
    #wget https://raw.githubusercontent.com/rustyrobot/fuzzdb/master/wordlists-misc/wordlist-common-snmp-community-strings.txt
    
  2. Set up the files that will be used with onesixtyone. Rename the downloaded file to strings.txt and add the host you will be brute forcing to a hosts.lst file:
    #echo 192.168.0.254 >> hosts.lst
    #mv wordlist-common-snmp-community-strings.txt strings.txt
    
  3. Execute onesixtyone with the parameters, as stated in the following table:

    Option  Description
    -c      Filename that contains the community string values to test
    -i      Input of the filename that contains the list of hosts to test
    -o      Output file to log the results

This will run through all of the community strings in the file you specified against the host or hosts in the hosts.lst file. log.txt will contain any information returned from the device and any matching community strings.
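A sweep like the one described above is visible on the wire, because SNMPv1/v2c carries the community string in cleartext in every request. The following sketch is an added example, not code from the book or from onesixtyone: it decodes the community field from captured SNMP UDP payloads and flags any source that tries several distinct strings within a short window. The function names, the threshold and window values, and the 192.0.2.x sample capture are assumptions constructed for illustration.

```python
from collections import defaultdict

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_community(payload):
    """Return the cleartext community of an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = _tlv(payload, 0)
        vtag, ver, pos = _tlv(body, 0)
        ctag, comm, _ = _tlv(body, pos)
    except (IndexError, ValueError):
        return None
    # SEQUENCE { version INTEGER (0=v1, 1=v2c), community OCTET STRING, PDU }
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or int.from_bytes(ver, "big") > 1:
        return None
    return comm.decode("latin-1")

def find_sweeps(packets, threshold=3, window=10.0):
    """Map source IP -> communities tried, for sources that sent >= threshold
    distinct communities within `window` seconds. packets: (ts, src, payload)."""
    recent, alerts = defaultdict(list), defaultdict(set)
    for ts, src, payload in sorted(packets, key=lambda p: p[0]):
        comm = snmp_community(payload)
        if comm is None:
            continue
        recent[src] = [(t, c) for t, c in recent[src] if ts - t <= window] + [(ts, comm)]
        distinct = {c for _, c in recent[src]}
        if len(distinct) >= threshold:
            alerts[src] |= distinct
    return {src: sorted(c) for src, c in alerts.items()}

def build_get(community, version=0):
    """Constructed sample input: GetRequest for sysDescr.0, ASCII community."""
    pdu = bytes.fromhex("a019 020101 020100 020100 300e 300c 06082b06010201010100 0500")
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community.encode() + pdu
    return bytes([0x30, len(body)]) + body

# Constructed capture: one host cycling communities, one NMS polling normally.
SAMPLE = [(i / 10, "192.0.2.50", build_get(c)) for i, c in
          enumerate(["public", "private", "admin", "cisco"])]
SAMPLE += [(t, "192.0.2.10", build_get("monitor", 1)) for t in (0.0, 30.0, 60.0)]
print(find_sweeps(SAMPLE))
```

The monitoring station that polls with a single community is not flagged; only the source that cycles through distinct strings is. SNMPv3 messages return None from snmp_community because they carry no community field.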
