COMMAND
SNMP
SYSTEMS AFFECTED
Systems using SNMP (v1?)
PROBLEM
The following text is largely based on Paul Danckaert's post.
Would you like to be able to identify all of the hosts on a
network, without having to even send a packet to the local
ethernet? Would you like to have a complete listing of exactly
what hardware is on a network? Would you like to shut down
network connections, modems, and other intelligent devices?
Well, you can. And the protocol that will bring it to you is..
SNMP.
SNMP, or the Simple Network Management Protocol, is a protocol
designed for monitoring and controlling devices on a network. It
can be used to find out how much traffic flows through various
interfaces of a router and look for network congestion, or to
monitor host-specific information on other devices. Historically
it has been used mainly by graphical network management software
packages, like SunNet Manager for laying out and controlling a
large distributed network.
Access control in SNMP is done via community strings, which are
essentially shared secrets. (A similar setup exists with NIS, where
clients need to know the NIS domain name in order to transfer
maps.) Almost all SNMP-manageable devices use the default
community "public" for read-only access to a device. Some others
will enable an additional "private" community for read-write
access to the SNMP device. (Other devices use other pairs, such
as read and write, etc.)
To perform a query, a user simply has to send a UDP packet to the
destination host with the community string, and a variable to
query for. For example:
pauld@lemur.org> snmpget myrouter public system.sysDescr.0
Name: system.sysDescr.0 -> OCTET STRING- (ascii): Cisco Internetwork
Operating System Software .IOS (tm) GS Software (GS3), Version 10.0(13),
RELEASE SOFTWARE (fc1).Copyright (c) 1986-1994 by cisco Systems,
Inc..Compiled Tue 20-Feb-96 20:35 by bud
In this example, we used the CMU (or UCDavis) SNMP utilities to
query a router for its description.
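To make the message format concrete from the defender's side, here is an added example that is not part of Paul Danckaert's post or the CMU tools: a minimal BER decoder that takes the raw UDP payload of an SNMPv1 message, pulls out the version, community string and PDU type, and flags default communities and any SetRequest, which is what a sensor watching UDP/161 would report. The sample messages are constructed inside the script, and the finding texts and function names are this example's own.

```python
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # BER universal tags
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}           # SNMPv1 context-specific tags
DEFAULT_COMMUNITIES = {b"public", b"private"}
# system.sysDescr.0 = 1.3.6.1.2.1.1.1.0 in BER (first two arcs packed into 0x2B)
SYS_DESCR_0 = bytes([0x2B, 6, 1, 2, 1, 1, 1, 0])

def tlv(tag, body):
    """Encode one BER TLV with a short-form length (enough for the samples here)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos] (short- or long-form length); return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def snmp_v1_message(community, pdu_type, oid=SYS_DESCR_0):
    """Build a constructed SNMPv1 message carrying one null-valued varbind."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, oid) + tlv(NULL, b"")))
    pdu = tlv(pdu_type, tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x00")  # request-id, error-status
              + tlv(INTEGER, b"\x00") + varbinds)                     # error-index, varbinds
    return tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(OCTET_STRING, community) + pdu)

def inspect(payload):
    """Classify one UDP/161 payload as (version, community, pdu_name, findings)."""
    tag, body, _ = read_tlv(payload)
    if tag != SEQUENCE:
        raise ValueError("not a BER SEQUENCE, so not SNMP")
    _, ver, pos = read_tlv(body)
    version = int.from_bytes(ver, "big")
    if version == 3:                      # SNMPv3: no community string, different layout
        return version, None, None, []
    _, community, pos = read_tlv(body, pos)
    pdu_tag = read_tlv(body, pos)[0]
    findings = ["community string sent in cleartext (SNMPv1/v2c)"]
    if community in DEFAULT_COMMUNITIES:
        findings.append("default community %r" % community.decode())
    if pdu_tag == 0xA3:
        findings.append("SetRequest: write access to device settings")
    return version, community.decode(), PDU_TYPES.get(pdu_tag, "unknown"), findings

# Constructed sample traffic: default read, default read-write used for a Set, site-specific.
SAMPLES = [snmp_v1_message(b"public", 0xA0), snmp_v1_message(b"private", 0xA3),
           snmp_v1_message(b"s3cr3t-ro", 0xA0)]

if __name__ == "__main__":
    for m in SAMPLES: print(inspect(m))
```

Fed the payload of each UDP/161 datagram, the script separates harmless reads under a site-specific community from the two cases the text warns about: a query that succeeded with "public", and a write under "private".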
The problem with SNMP is that people rarely consider it when
securing a site, or not to the extent that it should be
examined. People will leave routers, modems, hubs, and other
devices with readable and writable communities enabled. These
allow remote users to query devices on local networks and
discover quite a bit of information about local systems and
network layouts. Consider the following situations:
Scenario 1:
A remote user wants to gain access to a network, but wants to
break into the machine that would be of most use: for
example, a machine located on a network that is used for
connecting routers, where password sniffing would be most
profitable. By making a few SNMP queries to routers, the
network topology can be easily mapped out, and attacks can be
concentrated in the best places.
Scenario 2:
A user on the local network is running an NT fileserver, with
default SNMP enabled. By sending a query to the host a user can
discover the "real" NT system name, used in file sharing. (It
does not need to be the hostname, and frequently is not.
Without this name, you are not able to get filesharing access.)
By using a remote PC (or Samba on a UNIX machine), the server
can be scanned easily, checking for open fileshares. If
desired, a quick password guessing attack can also be performed.
Scenario 3:
A remote user can iteratively scan remote addresses, looking for
SNMP-manageable devices. Scanning a network and asking each host
for its system.sysDescr.0 (system description) will produce a
nice list of each system and OS on the network that is
manageable. Many PCs, Macs, UNIX systems, Xterminals, modems,
terminal servers, printers, print servers, hubs, switches, and
routers all have a default public community and allow easy
browsing.
Scenario 4:
The above situations have been more passive and mainly
information gathering, but denial of service attacks are quite
feasible. If a writable community string is found, the system
settings may be modified. Network interfaces can be shut down,
modems disconnected, and routing tables modified.
One interesting attack could be used in conjunction with network
spoofing. If the interface on a hub or router for a machine
could be shut down, spoofed packets from that machine sent,
and the interface restored, blocking unwanted responses from that
machine is easily taken care of. (This would be used in the TCP
sequencing attack, where the spoofed host is flooded with opening
connections to prevent a response at an inopportune time.)
SOLUTION
If I'm not wrong, these are problems with SNMP v1, which is an
old-timer by now, but as you know, old-timers rule. A good
starting point with a lot more info about it and solutions is
Phrack magazine issue 50:
http://www.phrack.org