How is QID 78031 - Writeable SNMP Information detected?

Document created by kb-author-1 Employee on May 19, 2010. Last modified by eschamp on Jul 15, 2010.
Version 4

Issue:

How is QID 78031 detected?

 

Solution:

The first task for a scan when facing an SNMP service is to guess one or several community names which allow access to the resources.

 

Community names are guessed by brute force, using a dictionary that contains:

- well-known community names (such as public, which grants read-only access to the database on almost all default Unix systems).

- dynamic words forged from the remote host's FQDN. For example, if an SNMP service has been detected on host ctrl.qualys.com, the brute-force module will try the words ctrl, ctrl1, ..., ctrlX and qualys, qualys1, ..., qualysX.

 

For each word, the brute-force module tries to access one specific resource in the SNMP database to check whether the word is a valid community name for read access. If a community name is guessed this way, the module then checks whether the same community name also grants write access.

 

Upon completion, the module reports the appropriate vulnerabilities if community names were found for the SNMP service:

 

  - QID 78030 - Readable SNMP Information

  - QID 78031 - Writeable SNMP Information

 

Note that when read access to an SNMP database is granted, the scan will use this community string in order to gather all valuable information that may be extracted from the SNMP database. All the data is collected and reported as Information Gathered in the scan report.
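To check a host before the scanner does, the following added example (not Qualys code) rebuilds the dictionary described above and audits a Net-SNMP snmpd.conf for community strings that would be guessed, mapping each to the QID it would raise. The "private" entry, the 1 to 9 suffix range, the skipping of the TLD label and the sample configuration are assumptions made for illustration.

```python
import re

# Assumption: the page names only "public"; "private" is an added common default.
WELL_KNOWN = {"public", "private"}

def guessable_names(fqdn, max_suffix=9):
    """Well-known names plus host-derived words, as the article describes.

    Assumptions: every FQDN label except the TLD is used, and the numeric
    suffix "X" runs 1..max_suffix (the article does not give the bound).
    """
    words = set(WELL_KNOWN)
    for label in fqdn.lower().rstrip(".").split(".")[:-1]:
        words.add(label)
        words.update(f"{label}{n}" for n in range(1, max_suffix + 1))
    return words

# Net-SNMP snmpd.conf directives that define community strings.
DIRECTIVE = re.compile(r"^\s*(rocommunity6?|rwcommunity6?)\s+(\S+)")

def audit_snmpd_conf(conf_text, fqdn):
    """Return sorted (community, access, qid) tuples for guessable communities."""
    words = guessable_names(fqdn)
    findings = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', so no match
        if not m:
            continue
        directive, community = m.groups()
        if community not in words:  # community strings are case-sensitive
            continue
        if directive.startswith("rw"):
            findings.append((community, "read-write", "QID 78031"))
        else:
            findings.append((community, "read-only", "QID 78030"))
    return sorted(findings)

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# rwcommunity qualys
rocommunity public default
rwcommunity ctrl3 10.0.0.0/8
rocommunity k7Pq-monitoring 10.0.0.5
"""

if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF, "ctrl.qualys.com"):
        print(finding)
```

Any community string reported here should be replaced with a long random value, and a read-write community removed unless it is actually needed.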

 

 

 

 

 

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb

 

 


ID:   0001.011.613.000
