SNMP credential passes / Shazzam doesn't see 161

Ronald Lucas
Tera Contributor

Using Istanbul...

Strange issue here. When testing an SNMP credential against an IP, the credential test passes, which also confirms port 161 is open between the MID server host and the target IP. Also, using the command line utility "snmpget" on the MID server host to the target IP confirms port 161 is open using the same SNMP community string, as I'm able to return a value for sysName.

However, during the Shazzam phase of discovery on that same IP from the same MID server host, there is no response on port 161 in the XML payload.  

Any suggestions on how I can troubleshoot this further?

Thanks,

Ron


bernyalvarado
Mega Sage

Hi Ron,



Check the ACLs on the device you're connecting to. The IPs of the MID Servers need to be included within the ACLs on the device.



Thanks,


Berny


Hi Berny.



Since the SNMP credential test passed, wouldn't that confirm the MID server host's IP address is allowed? Also, we retrieved sysName of the target using the command "snmpget" from the MID server host. So there are 2 tests which confirm the MID server host is allowed.



Agreed?



Thanks,


Ron


Hi Ron,



No. Both could be successful even if an ACL has not yet been set up. You will know that an ACL has been set up when, doing a quick discovery, you can see that one of the probes retrieves a number of OIDs back. If the ACL has not been set up, you will see within the payload something like 0 OIDs.



Thanks,


Berny


Hi Berny.



In this case, the Shazzam probe doesn't indicate SNMP is open, closed, etc. So no SNMP probes are ever triggered.



Here is the portion of the Shazzam input payload where I would normally see SNMP open, but you'll notice it is not mentioned:



<results active="1" alive="1" full_range="<?xml version="1.0" encoding="UTF-8"?><discovery_ranges><meta_coll><ip_list><ip>x.x.x.x</ip></ip_list></meta_coll></discovery_ranges>" probe_time="10022" range="<?xml version="1.0" encoding="UTF-8"?><discovery_ranges><meta_coll><ip_list><ip>x.x.x.x</ip></ip_list></meta_coll></discovery_ranges>" result_code="0" total="1">
  <result active="true" alive="true" ip_address="x.x.x.x">
    <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
      <banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text>
      <banner_bytes>.53.53.48.2d.32.2e.30.2d.4f.70.65.6e.53.53.48.5f...</banner_bytes>
    </scanner>
    <scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
    <scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">
      <host_names>x</host_names>
    </scanner>
    <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">
      <response_code>200</response_code>
      <Server>Apache/2.4.16 (Unix) CiscoSSL/1.0.1l.4.8-fips</Server>
      <http_version>HTTP/1.1</http_version>
      <response_text>OK</response_text>
    </scanner>
    <scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
  </result>



And for comparison, here is another IP with SNMP open:



<results active="1" alive="1" full_range="<?xml version="1.0" encoding="UTF-8"?><discovery_ranges><meta_coll><ip_list><ip>x.x.x.x</ip></ip_list></meta_coll></discovery_ranges>" probe_time="10020" range="<?xml version="1.0" encoding="UTF-8"?><discovery_ranges><meta_coll><ip_list><ip>x.x.x.x</ip></ip_list></meta_coll></discovery_ranges>" result_code="0" total="1">
  <result active="true" alive="true" ip_address="x.x.x.x">
    <scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
      <snmp_version>3</snmp_version>
    </scanner>
    <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
      <banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text>
      <banner_bytes>.53.53.48.2d.32.2e.30.2d.4f.70.65.6e.53.53.48.5f...</banner_bytes>
    </scanner>
    <scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
    <scanner name="DNS" port="53" portprobe="dns" protocol="udp" result="resolved" service="dns">
      <host_names>x</host_names>
    </scanner>
    <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">
      <response_code>200</response_code>
      <Server>Apache/2.4.16 (Unix) CiscoSSL/1.0.1l.4.8-fips</Server>
      <http_version>HTTP/1.1</http_version>
      <response_text>OK</response_text>
    </scanner>
    <scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
  </result>



Thanks,


Ron
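
Added example, not part of the thread and not ServiceNow's own code: a small parser for Shazzam-style result payloads like the two Ron posted, which lists the scanners reported per IP and distinguishes three cases that look alike at a glance: an SNMP scanner with result="open", an SNMP scanner present but with some other result (for example timed_out), and no SNMP scanner entry at all, which is the situation in the first payload. The sample XML is constructed after the payloads above, with the range attributes dropped and 192.0.2.x documentation addresses substituted for x.x.x.x; only the standard library is used.

```python
"""Parse Shazzam-style <results> payloads and report per-IP SNMP status.

Constructed example; SAMPLE_PAYLOAD is modelled on the two payloads in the
thread (range attributes omitted, IPs replaced with 192.0.2.x), it is not
output captured from a real MID server.
"""
import xml.etree.ElementTree as ET

SAMPLE_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?>
<results active="1" alive="1" result_code="0" total="2">
  <result active="true" alive="true" ip_address="192.0.2.10">
    <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
      <banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text>
    </scanner>
    <scanner name="NBT" port="137" portprobe="wins" protocol="udp" result="unresolved" service="ms-nb-ns"/>
    <scanner name="HTTP" port="80" portprobe="http" protocol="tcp" result="open" service="http">
      <response_code>200</response_code>
    </scanner>
    <scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
  </result>
  <result active="true" alive="true" ip_address="192.0.2.11">
    <scanner name="SNMP" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
      <snmp_version>3</snmp_version>
    </scanner>
    <scanner name="BannerTCP" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh">
      <banner_text>SSH-2.0-OpenSSH_6.2 FIPS</banner_text>
    </scanner>
    <scanner name="SLP" port="427" portprobe="slp" protocol="udp" result="timed_out" service="slp"/>
  </result>
</results>"""


def parse_shazzam(xml_text):
    """Return {ip_address: [scanner dicts]} for every <result> in the payload."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for result in root.findall("result"):
        scanners = []
        for sc in result.findall("scanner"):
            entry = {
                "name": sc.get("name"),
                "port": int(sc.get("port")),
                "protocol": sc.get("protocol"),
                "result": sc.get("result"),
            }
            # The SNMP scanner carries the negotiated version as a child element.
            version = sc.find("snmp_version")
            if version is not None:
                entry["snmp_version"] = version.text
            scanners.append(entry)
        hosts[result.get("ip_address")] = scanners
    return hosts


def snmp_status(scanners):
    """'open' / the scanner's own result (e.g. 'timed_out') / 'absent' if no
    SNMP scanner entry exists at all. 'absent' is the case Ron describes:
    Shazzam reported nothing about udp/161, so no SNMP probe is triggered."""
    for sc in scanners:
        if sc["name"] == "SNMP" or (sc["port"] == 161 and sc["protocol"] == "udp"):
            return sc["result"]
    return "absent"


def hosts_without_open_snmp(hosts):
    """IPs for which a follow-on SNMP probe would not be launched."""
    return sorted(ip for ip, scs in hosts.items() if snmp_status(scs) != "open")


def open_ports(scanners):
    """(protocol, port) pairs Shazzam reported as open, for a quick overview."""
    return sorted((sc["protocol"], sc["port"]) for sc in scanners if sc["result"] == "open")


if __name__ == "__main__":
    hosts = parse_shazzam(SAMPLE_PAYLOAD)
    for ip, scs in hosts.items():
        print(ip, "snmp:", snmp_status(scs), "open:", open_ports(scs))
    print("no SNMP follow-up for:", hosts_without_open_snmp(hosts))
```

Run against a payload pulled from the ECC queue input record, the "absent" result for a host is what tells you the gap is upstream of any SNMP credential or ACL check: the credential test and snmpget both prove udp/161 answers the MID server, but Shazzam never recorded an SNMP scanner for that IP, so the question to chase is why its port probe on 161 produced no entry rather than why the later SNMP probes fail.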