Friday, June 6, 2008

SNMP Hacking

I've spent a lot of time exploring alternative attack methods other than the traditional flaws. One of the routes I've really enjoyed exploring has been SNMP attacks. I thought I'd give an overview for those who are not very familiar with the subject.

Simple Network Management Protocol (SNMP) is an application-layer protocol for managing TCP/IP-based networks. SNMP runs over UDP (which in turn runs over IP). Most administrators and security people fail to understand SNMP and its security impact.

What is SNMP Used For?
SNMP is used to manage many devices on an enterprise network: the management software contacts each device via SNMP and retrieves its status and diagnostic information, so an administrator can keep an eye on all of his/her devices without much effort. With the "write string" mentioned below, the same software can also be used to change configuration on a large number of devices.

Does SNMP Use Authentication?
SNMP uses community strings as a key or password. Provide the right string and you gain the corresponding level of access.

By default, the "public" string is enabled on most servers and the "private" string on some. It is also possible, however, to brute-force SNMP community strings.

The "public" and "private" strings will generally give you read-only access; however, even this can be fairly dangerous (as seen in one of the examples below). Brute-forcing the write-access strings is easy because SNMP runs over UDP: the attack can run significantly faster than one done over TCP, and the source IP can easily be spoofed.

OID: a string (a series of numbers separated by ".") that tells the device which piece of information you want. Different devices have different OIDs.

The Threat
SNMP "walking" is very dangerous even with read-only access. Windows servers disclose the full list of user names when the OID "1.3.6.1.4.1.77.1.2.25" is walked. Many tools exist for brute-forcing and identifying OIDs once a weak SNMP server is found; they can be used to identify and modify a lot of sensitive information on the device.

Many tools are included in the SNMPWalk kit for different purposes. I will walk through SNScan from Foundstone and SNMPWalk.

SNScan
An SNMP scanner that can scan IP ranges for SNMP servers with weak strings; it includes a brute-force feature.

SNMPWalk
The snmpwalk command is designed to perform a sequence of chained GETNEXT requests automatically, rather than having to issue the necessary snmpgetnext requests by hand.

Simply: It is able to identify the various OID strings and retrieve their content.

Example:
D:\snmp>snmpwalk test.yash-home public
.iso.3.6.1.2.1.1.1.0 = "Linux test.yash-home 2.6.9-023stab046.2 #1 Mon Dec 10 14:51:29 MSK 2007 i686"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.8072.3.2.10
.iso.3.6.1.2.1.1.3.0 = Timeticks: (248307958) 28 days, 17:44:39.58
.iso.3.6.1.2.1.1.4.0 = "Root (configure /etc/snmp/snmp.local.conf)"
.iso.3.6.1.2.1.1.5.0 = "test.yash-home"
.iso.3.6.1.2.1.1.6.0 = "Unknown (edit /etc/snmp/snmpd.conf)"
.iso.3.6.1.2.1.1.8.0 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.2.1 = OID: .iso.3.6.1.6.3.1
.iso.3.6.1.2.1.1.9.1.2.2 = OID: .iso.3.6.1.2.1.49
.iso.3.6.1.2.1.1.9.1.2.3 = OID: .iso.3.6.1.2.1.4
.iso.3.6.1.2.1.1.9.1.2.4 = OID: .iso.3.6.1.2.1.50
.iso.3.6.1.2.1.1.9.1.2.5 = OID: .iso.3.6.1.6.3.16.2.2.1
.iso.3.6.1.2.1.1.9.1.2.6 = OID: .iso.3.6.1.6.3.10.3.1.1
.iso.3.6.1.2.1.1.9.1.2.7 = OID: .iso.3.6.1.6.3.11.3.1.1
.iso.3.6.1.2.1.1.9.1.2.8 = OID: .iso.3.6.1.6.3.15.2.1.1
.iso.3.6.1.2.1.1.9.1.3.1 = "The MIB module for SNMPv2 entities"
.iso.3.6.1.2.1.1.9.1.3.2 = "The MIB module for managing TCP implementations"
.iso.3.6.1.2.1.1.9.1.3.3 = "The MIB module for managing IP and ICMP implementations"
.iso.3.6.1.2.1.1.9.1.3.4 = "The MIB module for managing UDP implementations"
.iso.3.6.1.2.1.1.9.1.3.5 = "View-based Access Control Model for SNMP."
.iso.3.6.1.2.1.1.9.1.3.6 = "The SNMP Management Architecture MIB."
.iso.3.6.1.2.1.1.9.1.3.7 = "The MIB for Message Processing and Dispatching."
.iso.3.6.1.2.1.1.9.1.3.8 = "The management information definitions for the SNMP User-based Security Model."
.iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (11) 0:00:00.11
.iso.3.6.1.2.1.25.1.1.0 = Timeticks: (248309155) 28 days, 17:44:51.55
End of MIB

D:\snmp>snmpwalk testios.yash public
.iso.3.6.1.2.1.1.1.0 = "Cisco Internetwork Operating System Software ..IOS (tm) 7200 Software (C7200-IK9O3S-M), Version 12.3(9b), RELEASE SOFTWARE (fc1)..Copyright (c) 1986-2004 by cisco Systems, Inc...Compiled Wed 18-Aug-04 15:31 by dchih"

... followed by a long list of information such as processes, users, modules, ports, etc.

D:\snmp>snmpwalk hp.yash public
.iso.3.6.1.2.1.1.1.0 = "HP-UX gedis1 B.10.20 A 9000/803 2013446997"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.11.2.3.2.3
.iso.3.6.1.2.1.1.3.0 = Timeticks: (2955823000) 342 days, 2:37:10.00

D:\snmp>snmpwalk snmp.yash public
.iso.3.6.1.2.1.1.1.0 = "Sun SNMP Agent, Sun-Fire-480R"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.42.2.1.1
.iso.3.6.1.2.1.1.3.0 = Timeticks: (422632606) 48 days, 21:58:46.06
.iso.3.6.1.2.1.1.4.0 = "System administrator"
.iso.3.6.1.2.1.1.5.0 = "mu-me01-ns-ctm001"
.iso.3.6.1.2.1.1.6.0 = "System administrators office"

D:\snmp>snmpwalk win.yash public
.iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 15 Model 4 Stepping 1 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)"
.iso.3.6.1.2.1.1.2.0 = OID: .iso.3.6.1.4.1.311.1.1.3.1.2
.iso.3.6.1.2.1.1.3.0 = Timeticks: (466602853) 54 days, 0:07:08.53

As you can see, a LOT of information was revealed just by walking SNMP, and on many other devices much more sensitive information can be disclosed.

For example:
Windows servers return the full list of user names when the OID 1.3.6.1.4.1.77.1.2.25 is walked.

The BT Voyager 2000 router leaks its ISP credentials, including the password.

HP JetDirect printers leak the admin password via SNMP read access (using OIDs .iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0 and .1.3.6.1.4.1.11.2.3.9.1.1.13.0).

ZyXEL Prestige routers disclose their dynamic DNS credentials via the OID 1.3.6.1.4.1.890.1.2.1.2.6.0.
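To make concrete both how snmpwalk chains GETNEXT requests (described above) and how a walk dump can be audited against the OIDs listed here, an added example that is not from the original post: it simulates a tiny agent MIB (constructed entries, not a real device), walks a subtree with chained GETNEXT, and flags results under the sensitive subtrees the post names. The arc-10 entry and the instance index under the Windows user-list OID are constructed assumptions.

```python
def parse_oid(text):
    """'.iso.3.6.1.2.1.1.5.0' or '1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    parts = text.strip(".").split(".")
    if parts[0] == "iso":  # snmpwalk prints the first arc as 'iso'
        parts[0] = "1"
    return tuple(int(p) for p in parts)

# Constructed agent MIB (not a real device): system-group entries echoing the walk
# output above, plus one constructed instance under the Windows user-list subtree.
AGENT_MIB = {
    parse_oid(".iso.3.6.1.2.1.1.1.0"): "Linux test.yash-home 2.6.9",
    parse_oid(".iso.3.6.1.2.1.1.9.1.2.2"): "OID: .iso.3.6.1.2.1.49",
    parse_oid(".iso.3.6.1.2.1.1.9.1.2.10"): "OID: .iso.3.6.1.6.3.1",  # arc 10 > arc 2
    parse_oid(".iso.3.6.1.2.1.25.1.1.0"): "Timeticks: (248309155)",
    parse_oid("1.3.6.1.4.1.77.1.2.25.1.1.3.97.100.109"): "adm",  # constructed index
}

def get_next(mib, oid):
    # Agent side of GETNEXT: the smallest OID strictly greater than `oid`. Tuples
    # compare arc by arc numerically, so ...2.2 precedes ...2.10 (a string sort would not).
    later = [k for k in mib if k > oid]
    return min(later) if later else None

def walk(mib, root):
    # Client side of snmpwalk: chain GETNEXT requests from `root` until the agent
    # has nothing further (End of MIB) or the reply leaves the root subtree.
    results, cur = [], root
    while (nxt := get_next(mib, cur)) is not None and nxt[:len(root)] == root:
        results.append((nxt, mib[nxt]))
        cur = nxt
    return results

# Subtrees the post lists as disclosing account names or credentials.
SENSITIVE_SUBTREES = {
    "1.3.6.1.4.1.77.1.2.25": "Windows user list",
    ".iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0": "HP JetDirect admin password",
    ".1.3.6.1.4.1.11.2.3.9.1.1.13.0": "HP JetDirect admin password",
    "1.3.6.1.4.1.890.1.2.1.2.6.0": "ZyXEL Prestige DDNS credentials",
}

def audit(entries):
    # Flag walk results under any sensitive subtree; prefix matching also catches
    # table instances beneath a listed OID, not just the OID itself.
    hits = []
    for oid, _value in entries:
        for prefix, label in SENSITIVE_SUBTREES.items():
            p = parse_oid(prefix)
            if oid[:len(p)] == p:
                hits.append((label, ".".join(map(str, oid))))
    return hits
```

Walking 1.3.6.1.2.1.1 returns the three system-group entries in numeric OID order and stops when GETNEXT answers with 1.3.6.1.2.1.25.1.1.0, exactly where a real snmpwalk of that subtree would end.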

SNMP servers hold a lot of information and in many cases reveal passwords and other sensitive data. Yet most security consultants are unaware of what SNMP security is and how hackers can use SNMP to manipulate your networks and systems.

I am working on a paper on SNMP Security that will be published soon on Security Brigade's Website.

1 comment:

hardwire187 said...

Excellent! Thank you...