I've recently been doing some internal SNMP audit work, using the Dictionary attack tool. Though this generally works well, I do have a couple of questions that I'm hoping some friendly soul might be able to answer.
Firstly, after finding an insecure device with a poor read-write-all community, I was able to gather additional read/write communities. I've added these to my dictionary file, but when I rerun an attack against another device, it still comes back with the read-only that it had already found. I've double-checked and the device does have the new read/write community, but the attack doesn't find this. Does the Dictionary attack stop when it finds the first community that hits, or does it run through the whole dictionary? If it finds multiple hits, how does it decide which to show you? Clearly I'd prefer to know if I've hit a RW than a RO. On that note, it would be nice if the type of hit could be shown as an extra column.
Regarding the dictionaries themselves, I have a number of these, up to one with nearly a million entries. The tool seems to list entries alphabetically. Whilst this makes it easy to browse, it isn't always ideal - ideally I want the most common entries at the top, for quicker matching. I'm guessing that it just wasn't intended to be used with that many entries, but it would still be nice to set a strict sort order based on the imported data.
On the same note, a suggestion for a future release would be an option so that when an entry in a database hits, it is moved to the top of the list. At present, if I find a match in a large dictionary, I add it to a more manageable one that I use for broad scans. However, if hits could be moved to the top for quicker hits on other devices, this would simplify that a bit.
Anyway, my main issue is the question on hitting multiple communities, so if anyone has any experience with that, please let me know.
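As an added example, not code from the original post or from the tool it describes, the following Python shows the bookkeeping the post is asking for: a dictionary that keeps its imported order instead of being sorted alphabetically, an audit loop that does not stop at the first read-only hit, a report that records the access type (RO versus RW) of each hit, and a promotion step that moves hits to the front of the list. The `simulated_probe` function and the `SIMULATED_DEVICES` table are constructed stand-ins so the script runs offline; in a real audit the probe would be replaced by the tool's own SNMP read and write checks against the device under test.

```python
"""Wordlist bookkeeping for an SNMP community-string audit (constructed example)."""
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple


class Access(IntEnum):
    """Access level a community string grants; higher is stronger."""
    NONE = 0
    RO = 1
    RW = 2


# Constructed stand-in for real devices: device -> {community: access level}.
SIMULATED_DEVICES: Dict[str, Dict[str, Access]] = {
    "10.0.0.1": {"public": Access.RO, "private": Access.RW},
    "10.0.0.2": {"public": Access.RO, "s3cret-rw": Access.RW},
}


def simulated_probe(device: str, community: str) -> Access:
    """Assumed probe: in a real audit this would issue the tool's SNMP read/write checks."""
    return SIMULATED_DEVICES.get(device, {}).get(community, Access.NONE)


def load_wordlist(text: str) -> List[str]:
    """Keep the file's own order (most common first), dropping blanks and duplicates."""
    seen = set()
    ordered: List[str] = []
    for line in text.splitlines():
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            ordered.append(word)
    return ordered


def audit_device(device: str, wordlist: List[str],
                 probe: Callable[[str, str], Access],
                 stop_at_rw: bool = True) -> List[Tuple[str, Access]]:
    """Try every entry and record each hit with its access level.

    A first-hit-wins loop would return a read-only community and never
    reach a read-write one later in the list. This loop continues past
    RO hits; it may stop once a RW hit is found, since nothing stronger exists.
    """
    hits: List[Tuple[str, Access]] = []
    for community in wordlist:
        level = probe(device, community)
        if level != Access.NONE:
            hits.append((community, level))
            if stop_at_rw and level == Access.RW:
                break
    return hits


def best_hit(hits: List[Tuple[str, Access]]) -> Optional[Tuple[str, Access]]:
    """Report the strongest hit, so a RW community is never hidden behind a RO one."""
    return max(hits, key=lambda h: h[1], default=None)


def report_rows(device: str, hits: List[Tuple[str, Access]]) -> List[Tuple[str, str, str]]:
    """Rows with an explicit access-type column: (device, community, 'RO'|'RW')."""
    return [(device, community, level.name) for community, level in hits]


def promote_hits(wordlist: List[str], hits: List[Tuple[str, Access]]) -> List[str]:
    """Move communities that hit to the front (RW before RO); the rest keep their order."""
    promoted = [c for c, _ in sorted(hits, key=lambda h: h[1], reverse=True)]
    rest = [w for w in wordlist if w not in promoted]
    return promoted + rest


if __name__ == "__main__":
    words = load_wordlist("public\nprivate\n\npublic\ns3cret-rw\nfoo\n")
    for dev in SIMULATED_DEVICES:
        found = audit_device(dev, words, simulated_probe)
        for row in report_rows(dev, found):
            print(*row)
        print("best:", best_hit(found))
        words = promote_hits(words, found)
    print("promoted list:", words)
```

After the first device the list becomes `['private', 'public', 's3cret-rw', 'foo']`, so the communities already known to work are tried first on the next device, which is the behaviour the post asks the tool to add.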