PRTG Network Monitor

PRTG Network Monitor is network monitoring software developed by Paessler AG. It is used to monitor network performance, server health, bandwidth usage, and infrastructure components. PRTG provides a web-based interface and supports monitoring protocols such as SNMP, WMI, NetFlow, and HTTP requests.

Tech Stack of PRTG Network Monitor

  • Backend: C++, Delphi
  • Frontend: HTML, CSS, JavaScript (Web-based dashboard)
  • Database: Uses an internal proprietary database (SQLite-like) for storing monitoring data
  • Server: Runs on Windows Server, uses an embedded web server but can integrate with IIS

File Structure

C:\Program Files (x86)\PRTG Network Monitor\
│── PRTG Server.exe # Main executable for PRTG core server
│── PRTG Probe.exe # Local probe for monitoring sensors
│── PRTG Configuration.dat # Main configuration file (contains credentials, settings)
│── PRTG Graph Data.dat # Stores historical monitoring data
│── Logs\ # Log files for server and probes
│ ├── PRTG Server Log.log # Server logs (potential information leakage)
│ ├── PRTG Probe Log.log # Local probe logs
│── Monitoring Database\ # Stores sensor data and monitoring history
│── WebRoot\ # Web interface files (HTML, JavaScript, and templates)
│── Custom Sensors\ # Custom scripts and sensors for monitoring
│── Report Templates\ # Templates for generating reports
│── Auto-Update\ # Auto-update service files
│── Notification Templates\ # Email, SMS, and push notification configurations
│── PRTG Installer.exe # Installer for PRTG Network Monitor
│── LICENSE.txt # License and terms of use
│── README.txt # Basic information about PRTG

Enumeration

  • PRTG Network Monitor can be found on the internal network by scanning ports on the host.
  • Default credentials: prtgadmin:prtgadmin
  • If the credentials have been changed, we could try brute-forcing common passwords.
  • The version number is shown in the footer.

Known Vulnerability

Authenticated Command Injection (before 18.2.39)

  • When we create a new notification, the Parameter field is passed directly into a PowerShell script.
  • Setup (top right) > Account Settings > Notifications
  • Then click + Add new notification
  • Fill in the Notification name, enable "Execute program", and then select a PS1 script under the "Program File" option.
  • In the "Parameter" field, add your command (e.g., a reverse shell PowerShell script, adding a new user, etc.) like: ok.txt;REVSHELL-PAYLOAD-HERE.
  • Save it and click the "Send a test notification" button.
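
From the defender's side, the two facts above (the "before 18.2.39" boundary and a command separator in the Parameter field) can be turned into a quick audit. This is an added example, not part of the original notes or of PRTG itself; it assumes the notification settings have already been copied into simple records, and the field names, file names and the separator set are hypothetical choices made for the example.

```python
import re

FIXED_IN = (18, 2, 39)  # the page gives affected versions as "before 18.2.39"

# Characters that end one PowerShell statement or start another inside an
# argument string. This set is an assumption made for the example.
SEPARATORS = re.compile(r"[;|&`\r\n]|\$\(")


def parse_version(text):
    """Return the first three numeric components of a dotted version string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True when the version is older than the fixed release named on the page."""
    return parse_version(version_text) < FIXED_IN


def audit_notifications(notifications):
    """Return (name, reason) for PS1 notifications whose parameter needs review."""
    findings = []
    for item in notifications:
        if not item["program_file"].lower().endswith(".ps1"):
            continue
        hit = SEPARATORS.search(item["parameter"])
        if hit:
            findings.append((item["name"], f"separator {hit.group()!r} in parameter"))
    return findings


# Constructed sample data; field names and values are hypothetical.
SAMPLE_FOOTER = "PRTG Network Monitor 18.1.37"
SAMPLE_NOTIFICATIONS = [
    {"name": "Write outage file", "program_file": "notify.ps1", "parameter": "outage.txt"},
    {"name": "Test notification", "program_file": "notify.ps1", "parameter": "ok.txt;REVSHELL-PAYLOAD-HERE"},
    {"name": "Batch alert", "program_file": "alert.bat", "parameter": "a;b"},
]

if __name__ == "__main__":
    print("affected version:", is_affected(SAMPLE_FOOTER))
    for name, reason in audit_notifications(SAMPLE_NOTIFICATIONS):
        print(f"review {name!r}: {reason}")
```

A finding here means the notification should be inspected by an administrator; a clean result on an affected version still calls for upgrading to 18.2.39 or later.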