SNMP credential passes / Shazzam doesn't see 161
10-16-2017 08:23 AM
Using Istanbul...
Strange issue here. When testing an SNMP credential against an IP, the credential test passes, which also confirms port 161 is open between the MID server host and the target IP. Also, using the command line utility "snmpget" on the MID server host against the target IP confirms port 161 is open using the same SNMP community string, as I'm able to return a value for sysName.
However, during the Shazzam phase of discovery on that same IP from the same MID server host, there is no response on port 161 in the XML payload.
Any suggestions on how I can troubleshoot this further?
Thanks,
Ron
Labels: Discovery
10-16-2017 08:24 AM
Hi Ron,
Check the ACLs on the device you're connecting to. The IPs of the MID Servers need to be included within the ACLs on the device.
Thanks,
Berny
10-16-2017 08:36 AM
Hi Berny.
Since the SNMP credential test passed, wouldn't that confirm the MID server host's IP address is allowed? Also, we retrieved sysName of the target using the command "snmpget" from the MID server host. So there are 2 tests which confirm the MID server host is allowed.
Agreed?
Thanks,
Ron
10-16-2017 08:40 AM
Hi Ron,
No. Both could be successful even if an ACL has not yet been set up. You will know that an ACL has been set up when, doing a quick discovery, you can see that one of the probes retrieves a number of OIDs back. If the ACL has not been set up, you will see something like 0 OIDs within the payload.
Thanks,
Berny
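To see what the target actually answers on UDP/161, independent of snmpget's single community string and of the credential test, here is a raw SNMP v1/v2c GET prober. It is an added example, not ServiceNow or Shazzam code, and it does not claim to reproduce what the Shazzam scanner sends; the host and community strings you pass it are your own. It demonstrates the ambiguity at the centre of this thread: an SNMP agent that does not accept the community string sends no reply at all (RFC 1157 / RFC 3416 behaviour), which from the sender's side is indistinguishable from a firewall or a device ACL dropping the datagram. The embedded GetResponse bytes are constructed for offline decoding, not captured from any device.

```python
# Raw SNMP v1/v2c GET probe, added as an example (not ServiceNow or Shazzam code): it sends
# a GetRequest for sysName.0 under each community string and version listed and reports
# which variants get any answer.  An agent that rejects the community sends nothing back
# (RFC 1157 / RFC 3416), so a wrong-community probe looks just like an ACL or firewall drop.
import socket
SYS_NAME_OID = (1, 3, 6, 1, 2, 1, 1, 5, 0)

def _tlv(tag, payload):
    """Tag, BER length (short or long form), value."""
    n = len(payload)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload

def _integer(value):
    size = (value.bit_length() + 8) // 8          # room for the sign bit
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))

def _oid(arcs):
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                # base 128, high bit set on all but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))

def build_get(community, request_id, version=1, oid=SYS_NAME_OID):
    """GetRequest message (PDU tag 0xA0); version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))   # value is NULL in a request
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long form: next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _read_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        items.append((tag, inner))
    return items

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, body):
    if tag == 0x04:
        return body.decode("utf-8", "replace")
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    return None if tag == 0x05 else "tag 0x%02x: %s" % (tag, body.hex())   # v2c exceptions etc.

def decode_message(datagram):
    """Parse an SNMPv1/v2c message (request or response) into its fields."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_type, pdu) = _read_sequence(body)
    (_, req_id), (_, err_status), _, (_, vb_list) = _read_sequence(pdu)
    varbinds = [(_decode_oid(oid), _decode_value(vtag, value))
                for _, vb in _read_sequence(vb_list)
                for (_, oid), (vtag, value) in [_read_sequence(vb)]]
    return {"version": int.from_bytes(version, "big", signed=True), "pdu_type": pdu_type,
            "community": community.decode("utf-8", "replace"), "varbinds": varbinds,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big", signed=True)}

def probe(host, communities=("public",), versions=(0, 1), port=161, timeout=2.0):
    """{(version, community): decoded GetResponse, or None when nothing came back}."""
    results, request_id = {}, 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for version in versions:
            for community in communities:
                sock.sendto(build_get(community, request_id, version), (host, port))
                try:
                    reply = decode_message(sock.recvfrom(4096)[0])
                except socket.timeout:
                    reply = None                  # filtered, ACL drop, or community rejected
                results[(version, community)] = reply
                request_id += 1
    return results

# Constructed GetResponse (not captured from any device): v2c, "public", sysName.0 = "router1".
SAMPLE_RESPONSE = bytes.fromhex("302d02010104067075626c6963a220020101020100020100"
                                "3015301306082b060102010105000407726f7574657231")
```

Run `probe("mid-target.example", ["public", "yourstring"])` from the MID Server host (the hostname is a placeholder). A variant that comes back as None got no datagram at all; a reply with a non-zero `error_status` or a `noSuchObject` value proves the network path and the community are accepted and moves the problem to the agent's configuration. Comparing the variant that matches your credential against the others tells you whether the device answers only that exact community, which is the case a credential test and snmpget would both pass while any probe using a different string sees silence.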
10-16-2017 09:32 AM
Hi Berny.
In this case, the Shazzam probe doesn't indicate SNMP is open, closed, etc. So no SNMP probes are ever triggered.
Here is the portion of the Shazzam input payload where I would normally see SNMP open, but you'll notice it is not mentioned:
<results active="1" alive="1" full_range="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;discovery_ranges&gt;&lt;meta_coll&gt;&lt;ip_list&gt;&lt;ip&gt;x.x.x.x&lt;/ip&gt;&lt;/ip_list&gt;&lt;/meta_coll&gt;&lt;/discovery_ranges&gt;" probe_time="10022" range="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;discovery_ranges&gt;&lt;meta_coll&gt;&lt;ip_list&gt;&lt;ip&gt;x.x.x.x&lt;/ip&gt;&lt;/ip_list&gt;&lt;/meta_coll&gt;&lt;/discovery_ranges&gt;" result_code="0" total="1">
<result active="true" alive="true" ip_address="x.x.x.x">
<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
<banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text>
<banner_bytes>
.53.53.48.2d.32.2e.30.2d.4f.70.65.6e.53.53.48.5f...
</banner_bytes>
</scanner>
<scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
<scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">
<host_names>x</host_names>
</scanner>
<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">
<response_code>200</response_code>
<Server>Apache/2.4.16 (Unix) CiscoSSL/1.0.1l.4.8-fips</Server>
<http_version>HTTP/1.1</http_version>
<response_text>OK</response_text>
</scanner>
<scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
</result>
</results>
And for comparison, here is another IP with SNMP open:
<results active="1" alive="1" full_range="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;discovery_ranges&gt;&lt;meta_coll&gt;&lt;ip_list&gt;&lt;ip&gt;x.x.x.x&lt;/ip&gt;&lt;/ip_list&gt;&lt;/meta_coll&gt;&lt;/discovery_ranges&gt;" probe_time="10020" range="&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;discovery_ranges&gt;&lt;meta_coll&gt;&lt;ip_list&gt;&lt;ip&gt;x.x.x.x&lt;/ip&gt;&lt;/ip_list&gt;&lt;/meta_coll&gt;&lt;/discovery_ranges&gt;" result_code="0" total="1">
<result active="true" alive="true" ip_address="x.x.x.x">
<scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
<snmp_version>3</snmp_version>
</scanner>
<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
<banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text>
<banner_bytes>
.53.53.48.2d.32.2e.30.2d.4f.70.65.6e.53.53.48.5f...
</banner_bytes>
</scanner>
<scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
<scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">
<host_names>x</host_names>
</scanner>
<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">
<response_code>200</response_code>
<Server>Apache/2.4.16 (Unix) CiscoSSL/1.0.1l.4.8-fips</Server>
<http_version>HTTP/1.1</http_version>
<response_text>OK</response_text>
</scanner>
<scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
</result>
</results>
Thanks,
Ron
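Comparing Shazzam payloads by eye, as above, does not scale past two hosts, and the thing to look for is subtle: not an SNMP scanner reporting closed or timed_out, but the SNMP scanner element being absent altogether. Here is a small triage parser for the `<results>` payload that makes that distinction explicit and diffs the scanner sets of two hosts. It is an added example, not ServiceNow code. The two payloads embedded in it are constructed after the shape of the excerpts in this thread (documentation addresses 192.0.2.10 and 192.0.2.11, a trimmed scanner list, and the nested range XML escaped the way it sits inside an attribute in an ECC queue record); they are not captured from any instance.

```python
# Shazzam result triage, added as an example (not ServiceNow code): parses the <results>
# payload a Shazzam probe returns, lists which port scanners reported per IP, flags a host
# where no SNMP scanner element exists at all, and diffs the scanner sets of two hosts.
# Both payloads below are constructed after the thread's excerpts, not captured data.
import xml.etree.ElementTree as ET

_RANGE = ("&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;&lt;discovery_ranges&gt;"
          "&lt;meta_coll&gt;&lt;ip_list&gt;&lt;ip&gt;{ip}&lt;/ip&gt;&lt;/ip_list&gt;&lt;/meta_coll&gt;"
          "&lt;/discovery_ranges&gt;")
_COMMON = ('<scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">'
           "<banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text></scanner>"
           '<scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>'
           '<scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">'
           "<response_code>200</response_code></scanner>"
           '<scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>')
_SNMP = ('<scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">'
         "<snmp_version>3</snmp_version></scanner>")

def _payload(ip, scanners):
    """Wrap scanner elements in a single-IP <results> envelope shaped like a Shazzam input."""
    rng = _RANGE.format(ip=ip)
    return ('<results active="1" alive="1" full_range="%s" probe_time="10022" range="%s" result_code="0" '
            'total="1"><result active="true" alive="true" ip_address="%s">%s</result></results>'
            % (rng, rng, ip, scanners))

PAYLOAD_NO_SNMP = _payload("192.0.2.10", _COMMON)           # constructed: SNMP scanner absent
PAYLOAD_WITH_SNMP = _payload("192.0.2.11", _SNMP + _COMMON)  # constructed: SNMP reported open

def parse_shazzam(payload):
    """{ip: {"alive": bool, "scanners": {service: {"port", "protocol", "result", ...child elements}}}}"""
    hosts = {}
    for result in ET.fromstring(payload).iter("result"):
        scanners = {}
        for sc in result.findall("scanner"):
            entry = {"port": int(sc.get("port")), "protocol": sc.get("protocol"), "result": sc.get("result")}
            entry.update((child.tag, (child.text or "").strip()) for child in sc)   # banner_text etc.
            scanners[sc.get("service")] = entry
        hosts[result.get("ip_address")] = {"alive": result.get("alive") == "true", "scanners": scanners}
    return hosts

def range_ips(payload):
    """IPs the probe was asked to scan; full_range is a whole XML document escaped into an attribute."""
    inner = ET.fromstring(ET.fromstring(payload).get("full_range"))
    return [ip.text for ip in inner.iter("ip")]

def snmp_status(host):
    """Scanner result for UDP/161, or 'not reported' when no SNMP scanner element exists at all."""
    snmp = host["scanners"].get("snmp")
    return snmp["result"] if snmp else "not reported"

def diff_scanners(host_a, host_b):
    """(services reported only for a, services reported only for b)."""
    a, b = set(host_a["scanners"]), set(host_b["scanners"])
    return a - b, b - a

def triage(payload):
    """Per-IP summary lines: alive flag, SNMP status, then every scanner result."""
    lines = []
    for ip, host in parse_shazzam(payload).items():
        lines.append("%s alive=%s snmp=%s" % (ip, host["alive"], snmp_status(host)))
        for service, entry in sorted(host["scanners"].items()):
            lines.append("  %s/%d %s: %s" % (entry["protocol"], entry["port"], service, entry["result"]))
    return lines
```

Feed `parse_shazzam()` the payload field of the Shazzam input record for a whole range and `snmp_status()` separates three cases that look alike in the raw XML: SNMP reported open, SNMP reported closed or timed out, and no SNMP scanner element at all, which is the case in the first excerpt above. `range_ips()` shows how to unwrap the range XML that the ECC queue stores escaped inside the `full_range` attribute, and `diff_scanners()` gives the same comparison the two excerpts invite, for any pair of hosts.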