SNMP Information

[pauld () LEMUR ORG (Paul Danckaert)]

Would you like to be able to identify all of the hosts on a network,
without having to even send a packet to the local ethernet?  Would you
like to have a complete listing of exactly what hardware is on a network?
Would you like to shut down network connections, modems, and other
intelligent devices?  Well, you can.  And the protocol that will bring it
to you is.. SNMP.


Background:

        SNMP, or the Simple Network Management Protocol, is a protocol
designed for monitoring and controlling devices on a network.  It can be
used to find out how much traffic flows through various interfaces of a
router and look for network congestion, or to monitor host-specific
information on other devices.  Historically it has been used mainly by
graphical network management software packages, like SunNet Manager for
laying out and controlling a large distributed network.

        Access control in SNMP is done via community strings, which is
essentially a shared secret.  (A similar setup is with NIS where clients
need to know the NIS domain name in order to transfer maps.)  Almost all
SNMP manageable devices use the default community "public" for read-only
access to a device.  Some others will enable an additional "private"
community for read-write access to the SNMP device.  (Other devices use
other pairs, such as read and write, etc..)

        To perform a query, a user simply has to send a udp packet to the
destination host with the community string, and a variable to query for.
For example:

pauld () lemur org> snmpget myrouter public system.sysDescr.0

Name: system.sysDescr.0 -> OCTET STRING- (ascii):       Cisco Internetwork
Operating System Software .IOS (tm) GS Software (GS3), Version 10.0(13),
RELEASE SOFTWARE (fc1).Copyright (c) 1986-1994 by cisco Systems,
Inc..Compiled Tue 20-Feb-96 20:35 by bud

        In this example, we used the CMU (or UCDavis) SNMP utilities to
query a router for its description.

        For further information about SNMP, there are many excellent
network management sites on the net at:

http://www.yahoo.com/Computers_and_Internet/Software/Protocols/SNMP___Simple_Network_Management_Prot_Management_Protocol/
http://www.cis.ohio-state.edu/hypertext/faq/bngusenet/comp/protocols/snmp/top.html
http://www.inforamp.net/~kjvallil/t/snmp.html


Security Issues:

        The problem with SNMP is that people don't consider it when
securing a site very often, or to the extent that it should be examined.
People will leave routers, modems, hubs, and other devices with readable
and writable communities enabled.  These allow remote users to query
devices on local networks and discover quite a bit of information about
local systems and network layouts.  Consider the following situations:

Scenario 1:

A remote user wants to gain access to a network, but wants to break into a
machine that would serve the most use.  For example, breaking into a
machine located on a network that is used for connecting routers, and
allows the most profitable password sniffing.  By making a few SNMP
queries to routers, the network topology can be easily mapped out, and
attacks can be concentrated in the best places.

Scenario 2:

A user on the local network is running an NT fileserver, with default SNMP
enabled.  By sending a query to the host a user can discover the "real" NT
system name, used in file sharing.  (It does not need to be the hostname,
and frequently is not.  Without this name, you are not able to get
filesharing access.)  By using a remote PC (or samba on a UNIX
machine), the server can be scanned easily, checking for open fileshares.
If desired, a quick password guessing attack can also be performed.

Scenario 3:

A remote user can iteratively scan remote addresses, looking for SNMP
managable devices.  Scanning a network and asking each host for its
system.sysDescr.0 (system description) will produce a nice list of each
system and OS on the network that is manageable.  Many PCs, Macs, UNIX
systems, Xterminals, modems, terminal servers, printers, print servers,
hubs, switches, and routers all have a default public community and allow
easy browsing.

Scenario 4:

The above situations have been more passive and mainly information
gathering, but denial of service attacks are quite reasonable.  If a
writable community string is found, the system settings may be modified.
Network interfaces can be shut down, modems disconnected, and routing
tables modified.

One interesting attack could be used in conjunction with network spoofing.
If the interface on a hub or router for a machine could be shut down,
spoofed packets from that machine be sent, and the interface restored,
blocking unwanted responses from that machine is easily taken care of.
(This would be in the tcp sequencing attack, where the spoofed host is
flooded with opening connections to prevent a response at an inopportune
time.)


Summary:

        These are just a few basic uses for SNMP probing when attacking a
network... many others are quite possible.  The goal of this is to make
people think a bit more about networks as a whole.. not as isolated hosts.
When looking at security, people toss tcp wrapper on a host and call it
secure.  Little effort is expended looking at *all* active hosts on a
network, and looking at possible vulnerabilities they may introduce to a
network.

        To demonstrate some of these attacks (in an information gathering
sense), I will post some of the tools I use on my web server in a few
days.  These use the SNMP module for Perl5 (found on any CPAN archive) or
the CMU/UCD snmp utilities, and will gather information from networks and
routers.  They are basic information gathering tools, but can be used for
gaining quite a good idea of what machines and machine configurations exist
on the remote network.  The files can be found on:
                http://www.lemur.org/security/.
Please give me feedback on problems or ideas with these applications, and
I will post improvements.

Thanks,

Paul Danckaert
pauld () lemur org