SNMPv3 Authentication – Using SHA and MD5

No, that isn't possible unless they know (or obtain) the shared secret. Cisco outlines how the authentication takes place.¹

The device sending a packet calculates the hash to be sent based on the following:

• Key part 1—the configured shared secret.
• Key part 2—the local interface address from which the packet will be sent.
• Data—the EIGRP packet to be sent (prior to the addition of the IP header).

The instance you're talking about is called Pass the hash, which involves sniffing a hash, and then sending it back with the rest of the modified data without any actual knowledge of what was used to generate the hash. EIGRP would be vulnerable to this if if didn't use the local interface and the data inside the packet to generate its hashes.

So no, an attacked really couldn't perform any of this unless he had prior knowledge of the shared secret. He could, however, capture a hello packet between neighbors, and then attempt to crack it. If you're key-length and complexity are high, though, you won't have much to worry about.

¹_{Note: this is based on HMAC-SHA-256 authentication, but the same process should still be true with MD5.}

They have a pretty simple writeup over at Networklessons, but in-depth information on how it works are on Cisco's site. It can be as complicated and secure as you want it. Your 2 questions are one and the same.

A barebones config would be like this:

Create a group

R1(config)#snmp-server group MYGROUP v3 priv

Attach a user to a group

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes128 MYKEY123

If you aren't looking to restrict access to specific MIBs, then this is all you really need.