Deploy snmpd service
    yum install -y net-snmp net-snmp-utils
    # Start the service
    systemctl start snmpd
    # Stop the service
    systemctl stop snmpd
snmpwalk command
The snmpwalk command is a client tool for querying an snmpd service. The -v parameter in the -h output shows that it can connect to snmpd using three protocol versions (1, 2c and 3). Of these:
- Only version 3 provides authentication.
- In versions 1 and 2c, you only need to specify the community parameter. Therefore, when brute-forcing versions 1 and 2c of snmpd, only the community field has to be guessed.
    [root@localhost ~]# snmpwalk -h
    USAGE: snmpwalk [OPTIONS] AGENT [OID]

      Version:  5.7.2
      Web:      http://www.net-snmp.org/
      Email:    net-snmp-coders@lists.sourceforge.net

    OPTIONS:
      -h, --help            display this help message
      -H                    display configuration file directives understood
      -v 1|2c|3             specifies SNMP version to use
      -V, --version         display package version number
    SNMP Version 1 or 2c specific
      -c COMMUNITY          set the community string
    SNMP Version 3 specific
      -a PROTOCOL           set authentication protocol (MD5|SHA)
      -A PASSPHRASE         set authentication protocol pass phrase
      -e ENGINE-ID          set security engine ID (e.g. 800000020109840301)
      -E ENGINE-ID          set context engine ID (e.g. 800000020109840301)
      -l LEVEL              set security level (noAuthNoPriv|authNoPriv|authPriv)
      -n CONTEXT            set context name (e.g. bridge1)
      -u USER-NAME          set security name (e.g. bert)
      -x PROTOCOL           set privacy protocol (DES|AES)
      -X PASSPHRASE         set privacy protocol pass phrase
      -Z BOOTS,TIME         set destination engine boots/time
Create user
To view the parameters of the create user command:
Usage: net-snmp-create-v3-user [-ro] [-A authpass] [-X privpass] [-a MD5|SHA] [-x DES|AES] [username]
The create-v3 in the command name refers to the v3 version mentioned above. Only v3 provides an interface for user authentication.
Parameter Description:
- -ro: creates a read-only user.
- -A: sets the authentication password. It must be at least 8 characters long, otherwise the login reports that the password is too short.
- -X: sets whether the account is encrypted (the privacy password). If this parameter is specified when creating the user, it must also be supplied when logging in, otherwise an error is reported.
- -a and -x: select the algorithms applied to the authentication and privacy passwords (strictly speaking, MD5 is not an encryption method). If -x is not specified, it defaults to DES.
- username: the final argument is the user name. snmpd doesn't seem to provide an interface to delete or modify users. Modifying a user's password works the same way as creating a user: just set the password to something else.
Note: to create a user, you must first stop the snmpd service, restart the service after the user is created, and then use the snmpwalk interface to operate.
Create and login example:
    # Create an authenticated and encrypted read-write account (authPriv)
    net-snmp-create-v3-user -a MD5 -A password2 -X password2 -x DES user2
    # Login command
    snmpwalk -v 3 localhost -u user2 -a MD5 -A password2 -X password2 -l authPriv -x DES .1.3.6.1.2.1.1

    # Create an authenticated but unencrypted read-only account (authNoPriv)
    net-snmp-create-v3-user -ro -a MD5 -A password3 user3
    # Login command
    snmpwalk -v 3 localhost -u user3 -a MD5 -A password3 -l authNoPriv -x DES .1.3.6.1.2.1.1

    # Create an authenticated but unencrypted read-write account (authNoPriv): same as above, without -ro
    net-snmp-create-v3-user -a MD5 -A password3 user3
    # Login command
    snmpwalk -v 3 localhost -u user3 -a MD5 -A password3 -l authNoPriv -x DES .1.3.6.1.2.1.1
Except for authPriv, the login command used is actually the same whether it is a -ro account or not.
.1.3.6.1.2.1.1 is an OID (here the MIB-2 system group). It can be understood as the code of the hardware equipment on the host where the snmpd service is located. Different hardware devices have their own unique code.
Login summary
- The password must be at least 8 characters long, otherwise an error is reported: The supplied password length is too short.
- If the account does not exist, an error is reported: Unknown user name. Therefore, when brute-forcing, account names can be tried first so that nonexistent accounts are excluded.
- If the password is wrong, an error is reported: incorrect password, community or key
- If the account's security level is authPriv, the level used when brute-forcing can be authNoPriv, but an error is also reported if the -X parameter is not specified.
- If the account's security level is authPriv, the -A password is correct and the password after -X is wrong, an error is reported: Timeout: No Response from localhost.
- If the account's security level is authNoPriv and the level used when brute-forcing is authPriv, an error is reported.
- If the account's security level is authNoPriv and the level used when brute-forcing is authNoPriv, setting the -X parameter to any value at least 8 characters long has no effect.
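
The weak points described above (community-only access in v1/v2c, MD5/DES users, and logins accepted at authNoPriv) can be checked for in an agent's configuration. The following Python script is an added example, not part of the original page: it audits snmpd.conf text, assuming the standard net-snmp directives rocommunity/rwcommunity, createUser and rouser/rwuser; the sample configuration is constructed and user5 is a hypothetical account.

```python
import shlex

COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

SAMPLE_CONF = '''\
# constructed sample; user2 mirrors the page's example, user5 is hypothetical
rocommunity public
createUser user2 MD5 "password2" DES "password2"
rwuser user2
createUser user5 SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser user5 priv
'''

def audit_snmpd_conf(text):
    """Return (line_number, finding) pairs for weak SNMP settings."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)  # honours quotes and '#' comments
        except ValueError:                         # unbalanced quote: plain split
            tok = raw.split()
        if not tok:
            continue
        key, args = tok[0].lower(), tok[1:]
        if key in COMMUNITY:
            # v1/v2c: the community string is the only secret protecting the agent
            findings.append((num, f"{tok[0]}: v1/v2c community access enabled"))
        elif key == "createuser":
            if args[:1] == ["-e"]:                 # optional "-e ENGINEID"
                args = args[2:]
            user, auth, _, priv = (args + [""] * 4)[:4]
            if auth.upper() == "MD5":
                findings.append((num, f"{user}: MD5 authentication, prefer SHA"))
            if not priv:
                findings.append((num, f"{user}: no privacy protocol configured"))
            elif priv.upper() == "DES":
                findings.append((num, f"{user}: DES privacy, prefer AES"))
        elif key in ("rouser", "rwuser"):
            if args[:1] == ["-s"]:                 # optional "-s SECMODEL"
                args = args[2:]
            user = args[0] if args else "?"
            level = args[1].lower() if len(args) > 1 else "auth"  # snmpd default
            if level != "priv":
                findings.append((num, f"{user}: '{level}' level accepted, traffic may be unencrypted"))
    return findings

if __name__ == "__main__":
    for num, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {num}: {finding}")
```

Once snmpd has started, it replaces createUser lines in its persistent configuration file with localized keys, so the createUser checks apply to configuration that has not yet been loaded.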