SNMP v1, v2c, and v3

The book pictured at left spends more time on SNMP v1 and v2c than it does on SNMP v3. For example, it provides packet captures for v1 and v2c but not v3.

SNMP v1 is everywhere, but we should use SNMP v3 where possible.

I thought it would be helpful to show all three formats in one place.

Here is my snmpd.conf for SNMP v1 and v2c.

###########################################################################
#
# snmpd.conf
#
# - created by the snmpconf configuration program
#
###########################################################################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.

# rwuser: a SNMPv3 read-write user
# arguments: user [noauth|auth|priv] [restriction_oid]

rocommunity read
rwcommunity write

This is the syntax for an SNMP v1 snmpget.

orr:/home/richard$ snmpget -v 1 -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v1 get.

Simple Network Management Protocol
version: version-1 (0)
community: read
data: get-request (0)
get-request
request-id: 623181039
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: unSpecified (1)
unSpecified

0000 02 00 00 00 45 00 00 45 8f d7 00 00 40 11 ec ce ....E..E....@...
0010 7f 00 00 01 7f 00 00 01 c7 4c 00 a1 00 31 d6 36 .........L...1.6
0020 30 27 02 01 00 04 04 72 65 61 64 a0 1c 02 04 25 0'.....read....%
0030 24 fc ef 02 01 00 02 01 00 30 0e 30 0c 06 08 2b $........0.0...+
0040 06 01 02 01 01 06 00 05 00 .........

Here is the SNMP v1 response.

Simple Network Management Protocol
version: version-1 (0)
community: read
data: get-response (2)
get-response
request-id: 623181039
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: somewhere

0000 02 00 00 00 45 00 00 4e 8f d8 00 00 40 11 ec c4 ....E..N....@...
0010 7f 00 00 01 7f 00 00 01 00 a1 c7 4c 00 3a 01 f8 ...........L.:..
0020 30 30 02 01 00 04 04 72 65 61 64 a2 25 02 04 25 00.....read.%..%
0030 24 fc ef 02 01 00 02 01 00 30 17 30 15 06 08 2b $........0.0...+
0040 06 01 02 01 01 06 00 04 09 73 6f 6d 65 77 68 65 .........somewhe
0050 72 65 re

This is the syntax for an SNMP v2c snmpget.

orr:/home/richard$ snmpget -v 2c -c read 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v2c get.

Simple Network Management Protocol
version: v2c (1)
community: read
data: get-request (0)
get-request
request-id: 1664713700
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: unSpecified (1)
unSpecified

0000 02 00 00 00 45 00 00 45 8f f5 00 00 40 11 ec b0 ....E..E....@...
0010 7f 00 00 01 7f 00 00 01 d6 21 00 a1 00 31 bc 9c .........!...1..
0020 30 27 02 01 01 04 04 72 65 61 64 a0 1c 02 04 63 0'.....read....c
0030 39 83 e4 02 01 00 02 01 00 30 0e 30 0c 06 08 2b 9........0.0...+
0040 06 01 02 01 01 06 00 05 00 .........

Here is the SNMP v2c response.

Simple Network Management Protocol
version: v2c (1)
community: read
data: get-response (2)
get-response
request-id: 1664713700
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: somewhere

0000 02 00 00 00 45 00 00 4e 8f f6 00 00 40 11 ec a6 ....E..N....@...
0010 7f 00 00 01 7f 00 00 01 00 a1 d6 21 00 3a e8 5d ...........!.:.]
0020 30 30 02 01 01 04 04 72 65 61 64 a2 25 02 04 63 00.....read.%..c
0030 39 83 e4 02 01 00 02 01 00 30 17 30 15 06 08 2b 9........0.0...+
0040 06 01 02 01 01 06 00 04 09 73 6f 6d 65 77 68 65 .........somewhe
0050 72 65 re

To use SNMP v3, use an snmpd.conf like this. Notice the lack of community strings.

rwuser richard priv
createUser richard MD5 bejtlichpass DES bejtlichpass

This is the syntax for an SNMP v3 snmpget.

orr:/home/richard$ snmpget -v 3 -u richard -l authPriv -a MD5 -A bejtlichpass -x DES \
-X bejtlichpass 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the SNMP v3 get.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 235115949
msgMaxSize: 65507
msgFlags: 07
.... .1.. = Reportable: Set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 438
msgUserName: richard
msgAuthenticationParameters: B0183A673DD87ED37B9FB3C0
msgPrivacyParameters: 0000000189C95C79
msgData: encryptedPDU (1)
encryptedPDU: 3C7F7013664F1C206DC92100AE9E2B3BC360C9839862AB8F...

0000 02 00 00 00 45 00 00 aa 8e 26 00 00 40 11 ee 1a ....E....&..@...
0010 7f 00 00 01 7f 00 00 01 ef 46 00 a1 00 96 29 52 .........F....)R
0020 30 81 8b 02 01 03 30 11 02 04 0e 03 95 ad 02 03 0.....0.........
0030 00 ff e3 04 01 07 02 01 03 04 39 30 37 04 0d 80 ..........907...
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 19 02 .....~.c...D....
0050 02 01 b6 04 07 72 69 63 68 61 72 64 04 0c b0 18 .....richard....
0060 3a 67 3d d8 7e d3 7b 9f b3 c0 04 08 00 00 00 01 :g=.~.{.........
0070 89 c9 5c 79 04 38 3c 7f 70 13 66 4f 1c 20 6d c9 ..\y.8<.p.fO. m.
0080 21 00 ae 9e 2b 3b c3 60 c9 83 98 62 ab 8f eb be !...+;.`...b....
0090 26 f1 d6 72 6a 5a 3a 6e ff 07 c7 dd d3 f2 b0 d4 &..rjZ:n........
00a0 f2 24 52 dc c2 ef 48 b8 c8 43 34 90 d2 98 .$R...H..C4...

Here is the SNMP v3 response.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 235115949
msgMaxSize: 65507
msgFlags: 03
.... .0.. = Reportable: Not set
.... ..1. = Encrypted: Set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 25
msgAuthoritativeEngineTime: 438
msgUserName: richard
msgAuthenticationParameters: A554DADDF26EE2EC976BA9DD
msgPrivacyParameters: 0000001911E1CD8C
msgData: encryptedPDU (1)
encryptedPDU: A5CB2056AB68B85CB9AB999FB6080A3536DC086F3DF20DEC...

0000 02 00 00 00 45 00 00 b2 8e 27 00 00 40 11 ee 11 ....E....'..@...
0010 7f 00 00 01 7f 00 00 01 00 a1 ef 46 00 9e f2 fd ...........F....
0020 30 81 93 02 01 03 30 11 02 04 0e 03 95 ad 02 03 0.....0.........
0030 00 ff e3 04 01 03 02 01 03 04 39 30 37 04 0d 80 ..........907...
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 19 02 .....~.c...D....
0050 02 01 b6 04 07 72 69 63 68 61 72 64 04 0c a5 54 .....richard...T
0060 da dd f2 6e e2 ec 97 6b a9 dd 04 08 00 00 00 19 ...n...k........
0070 11 e1 cd 8c 04 40 a5 cb 20 56 ab 68 b8 5c b9 ab .....@.. V.h.\..
0080 99 9f b6 08 0a 35 36 dc 08 6f 3d f2 0d ec eb b3 .....56..o=.....
0090 1b 19 08 d1 cd 86 72 5e 2a 77 67 ee df f5 90 79 ......r^*wg....y
00a0 5f a0 27 db df 30 06 95 af 67 9b a9 16 8e 65 0e _.'..0...g....e.
00b0 3a 2d 75 69 d8 64 :-ui.d

As you can see, this last example is encrypted. Authentication with encryption (authPriv) is the best way to deploy SNMP v3. However, you can disable the encryption by using this snmpd.conf.

rwuser richard auth
createUser richard MD5 bejtlichpass

You can run the following to generate an unencrypted SNMP v3 get.

orr:/home/richard$ snmpget -v 3 -u richard -l authNoPriv -a MD5 \
-A bejtlichpass 127.0.0.1 sysLocation.0
SNMPv2-MIB::sysLocation.0 = STRING: somewhere

Here is the unencrypted SNMP v3 get.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1246784484
msgMaxSize: 65507
msgFlags: 05
.... .1.. = Reportable: Set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 27
msgAuthoritativeEngineTime: 31
msgUserName: richard
msgAuthenticationParameters: 210D87D7EF2AADAD95DF201C
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800F7E06630CC1F644
data: get-request (0)
get-request
request-id: 1827121577
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: unSpecified (1)
unSpecified

0000 02 00 00 00 45 00 00 97 90 2f 00 00 40 11 ec 24 ....E..../..@..$
0010 7f 00 00 01 7f 00 00 01 fe c4 00 a1 00 83 a9 65 ...............e
0020 30 79 02 01 03 30 11 02 04 4a 50 6b e4 02 03 00 0y...0...JPk....
0030 ff e3 04 01 05 02 01 03 04 30 30 2e 04 0d 80 00 .........00.....
0040 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1b 02 01 ....~.c...D.....
0050 1f 04 07 72 69 63 68 61 72 64 04 0c 21 0d 87 d7 ...richard..!...
0060 ef 2a ad ad 95 df 20 1c 04 00 30 2f 04 0d 80 00 .*.... ...0/....
0070 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a0 1c 02 ....~.c...D.....
0080 04 6c e7 a9 a9 02 01 00 02 01 00 30 0e 30 0c 06 .l.........0.0..
0090 08 2b 06 01 02 01 01 06 00 05 00 .+.........

Here is the unencrypted SNMP v3 response.

Simple Network Management Protocol
msgVersion: snmpv3 (3)
msgGlobalData
msgID: 1246784484
msgMaxSize: 65507
msgFlags: 01
.... .0.. = Reportable: Not set
.... ..0. = Encrypted: Not set
.... ...1 = Authenticated: Set
msgSecurityModel: USM (3)
msgAuthoritativeEngineID: 80001F88800F7E06630CC1F644
1... .... = Engine ID Conformance: RFC3411 (SNMPv3)
Engine Enterprise ID: net-snmp (8072)
Engine ID Format: Reserved/Enterprise-specific (128): Net-SNMP Random
Engine ID Data: 0F7E0663
Engine ID Data: Creation Time: Aug 31, 2006 06:59:24
msgAuthoritativeEngineBoots: 27
msgAuthoritativeEngineTime: 31
msgUserName: richard
msgAuthenticationParameters: 539C1C59C5B2C9B47BE3112A
msgData: plaintext (0)
plaintext
contextEngineID: 80001F88800F7E06630CC1F644
data: get-response (2)
get-response
request-id: 1827121577
error-status: noError (0)
error-index: 0
variable-bindings: 1 item
Item
name: 1.3.6.1.2.1.1.6.0 (SNMPv2-MIB::sysLocation.0)
valueType: value (0)
value: simple (4294967295)
simple: string-value (1)
Value: STRING: somewhere

0000 02 00 00 00 45 00 00 a1 90 30 00 00 40 11 ec 19 ....E....0..@...
0010 7f 00 00 01 7f 00 00 01 00 a1 fe c4 00 8d cf 61 ...............a
0020 30 81 82 02 01 03 30 11 02 04 4a 50 6b e4 02 03 0.....0...JPk...
0030 00 ff e3 04 01 01 02 01 03 04 30 30 2e 04 0d 80 ..........00....
0040 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 02 01 1b 02 .....~.c...D....
0050 01 1f 04 07 72 69 63 68 61 72 64 04 0c 53 9c 1c ....richard..S..
0060 59 c5 b2 c9 b4 7b e3 11 2a 04 00 30 38 04 0d 80 Y....{..*..08...
0070 00 1f 88 80 0f 7e 06 63 0c c1 f6 44 04 00 a2 25 .....~.c...D...%
0080 02 04 6c e7 a9 a9 02 01 00 02 01 00 30 17 30 15 ..l.........0.0.
0090 06 08 2b 06 01 02 01 01 06 00 04 09 73 6f 6d 65 ..+.........some
00a0 77 68 65 72 65 where

SNMP is cool. The biggest problem for SNMP v3 seems to be user and key management.
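
What a passive observer can read from the captures above, as an added example that is not part of the original post: a minimal BER walker in Python that reports the SNMP version, the security level from msgFlags, and the identifying field that stays in cleartext (the community string for v1/v2c, msgUserName for v3 even with authPriv). The function names are this example's own; the sample bytes are the SNMP payloads copied from the v1 get and encrypted v3 get hex dumps.

```python
# Added example. Sample bytes: the dumps above from offset 0x20 (past loopback/IP/UDP headers).
V1_GET = bytes.fromhex("3027020100040472656164a01c020425"
                       "24fcef020100020100300e300c06082b" "060102010106000500")
V3_PRIV_GET = bytes.fromhex(
    "30818b020103301102040e0395ad0203" "00ffe304010702010304393037040d80"
    "001f88800f7e06630cc1f64402011902" "0201b6040772696368617264040cb018"
    "3a673dd87ed37b9fb3c0040800000001" "89c95c7904383c7f7013664f1c206dc9"
    "2100ae9e2b3bc360c9839862ab8febbe" "26f1d6726a5a3a6eff07c7ddd3f2b0d4"
    "f22452dcc2ef48b8c8433490d298")

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def fields(buf, count):
    out, pos = [], 0                       # values of the first `count` TLVs, in order
    for _ in range(count):
        _, val, pos = tlv(buf, pos)
        out.append(val)
    return out

def triage(msg):
    """Summarise what an on-path observer can read from one SNMP message."""
    tag, body, _ = tlv(msg, 0)
    _, ver, pos = tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x30 or version not in (0, 1, 3):
        raise ValueError("not an SNMP v1/v2c/v3 message")
    if version < 3:                        # v1/v2c: community string follows in the clear
        return {"version": ("v1", "v2c")[version], "level": "noAuthNoPriv",
                "cleartext": tlv(body, pos)[1].decode("latin-1")}
    _, gdata, pos = tlv(body, pos)         # msgGlobalData: msgID, msgMaxSize, msgFlags, ...
    flags = int.from_bytes(fields(gdata, 3)[2][:1], "big")
    usm = tlv(tlv(body, pos)[1], 0)[1]     # OCTET STRING wrapping the USM SEQUENCE
    user = fields(usm, 4)[3].decode("latin-1")   # engineID, boots, time, userName
    level = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}.get(flags & 3, "invalid")
    return {"version": "v3", "level": level, "cleartext": user}

if __name__ == "__main__":
    for raw in (V1_GET, V3_PRIV_GET):
        print(triage(raw))
```

On a monitoring sensor, the same summary flags any v1/v2c traffic (the community string is readable by anyone on the path) and any v3 session that has dropped from authPriv to authNoPriv.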

Comments

Anonymous said…
Could you do the same for traps?
