Bugtraq mailing list archives
SNMP Information
From: pauld () LEMUR ORG (Paul Danckaert)
Date: Mon, 14 Apr 1997 12:18:55 -0400
Would you like to be able to identify all of the hosts on a network, without having to even send a packet to the local ethernet? Would you like to have a complete listing of exactly what hardware is on a network? Would you like to shut down network connections, modems, and other intelligent devices? Well, you can. And the protocol that will bring it to you is.. SNMP.

Background:

SNMP, or the Simple Network Management Protocol, is a protocol designed for monitoring and controlling devices on a network. It can be used to find out how much traffic flows through various interfaces of a router and look for network congestion, or to monitor host-specific information on other devices. Historically it has been used mainly by graphical network management software packages, like SunNet Manager, for laying out and controlling a large distributed network.

Access control in SNMP is done via community strings, which are essentially a shared secret. (A similar setup is with NIS, where clients need to know the NIS domain name in order to transfer maps.) Almost all SNMP manageable devices use the default community "public" for read-only access to a device. Some others will enable an additional "private" community for read-write access to the SNMP device. (Other devices use other pairs, such as read and write, etc..)

To perform a query, a user simply has to send a udp packet to the destination host with the community string, and a variable to query for. For example:

  pauld () lemur org> snmpget myrouter public system.sysDescr.0
  Name: system.sysDescr.0 -> OCTET STRING- (ascii): Cisco Internetwork Operating System Software .IOS (tm) GS Software (GS3), Version 10.0(13), RELEASE SOFTWARE (fc1).Copyright (c) 1986-1994 by cisco Systems, Inc..Compiled Tue 20-Feb-96 20:35 by bud

In this example, we used the CMU (or UCDavis) SNMP utilities to query a router for its description.
For further information about SNMP, there are many excellent network management sites on the net at:

  http://www.yahoo.com/Computers_and_Internet/Software/Protocols/SNMP___Simple_Network_Management_Prot_Management_Protocol/
  http://www.cis.ohio-state.edu/hypertext/faq/bngusenet/comp/protocols/snmp/top.html
  http://www.inforamp.net/~kjvallil/t/snmp.html

Security Issues:

The problem with SNMP is that people don't consider it when securing a site very often, or to the extent that it should be examined. People will leave routers, modems, hubs, and other devices with readable and writable communities enabled. These allow remote users to query devices on local networks and discover quite a bit of information about local systems and network layouts. Consider the following situations:

Scenario 1: A remote user wants to gain access to a network, but wants to break into a machine that would serve the most use. For example, breaking into a machine located on a network that is used for connecting routers, and allows the most profitable password sniffing. By making a few SNMP queries to routers, the network topology can be easily mapped out, and attacks can be concentrated in the best places.

Scenario 2: A user on the local network is running an NT fileserver, with default SNMP enabled. By sending a query to the host a user can discover the "real" NT system name, used in file sharing. (It does not need to be the hostname, and frequently is not. Without this name, you are not able to get filesharing access.) By using a remote PC (or samba on a UNIX machine), the server can be scanned easily, checking for open fileshares. If desired, a quick password guessing attack can also be performed.

Scenario 3: A remote user can iteratively scan remote addresses, looking for SNMP manageable devices. Scanning a network and asking each host for its system.sysDescr.0 (system description) will produce a nice list of each system and OS on the network that is manageable. Many PCs, Macs, UNIX systems, Xterminals, modems, terminal servers, printers, print servers, hubs, switches, and routers all have a default public community and allow easy browsing.

Scenario 4: The above situations have been more passive and mainly information gathering, but denial of service attacks are quite reasonable. If a writable community string is found, the system settings may be modified. Network interfaces can be shut down, modems disconnected, and routing tables modified. One interesting attack could be used in conjunction with network spoofing. If the interface on a hub or router for a machine could be shut down, spoofed packets from that machine sent, and the interface restored, blocking unwanted responses from that machine is easily taken care of. (This would be in the tcp sequencing attack, where the spoofed host is flooded with opening connections to prevent a response at an inopportune time.)

Summary:

These are just a few basic uses for SNMP probing when attacking a network... many others are quite possible. The goal of this is to make people think a bit more about networks as a whole.. not as isolated hosts. When looking at security, people toss tcp wrapper on a host and call it secure. Little effort is expended looking at *all* active hosts on a network, and looking at possible vulnerabilities they may introduce to a network.

To demonstrate some of these attacks (in an information gathering sense), I will post some of the tools I use on my web server in a few days. These use the SNMP module for Perl5 (found on any CPAN archive) or the CMU/UCD snmp utilities, and will gather information from networks and routers. They are basic information gathering tools, but can be used for gaining quite a good idea of what machines and machine configurations exist on the remote network. The files can be found on: http://www.lemur.org/security/. Please give me feedback on problems or ideas with these applications, and I will post improvements.
Thanks,
Paul Danckaert
pauld () lemur org
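An added example, not Paul Danckaert's tools and not the CMU/UCD utilities: a self-contained Python encoder for the SNMPv1 GetRequest datagram behind the snmpget call in the post, plus a parser and a constructed audit check of the kind a network monitor would run, flagging the default communities the post names and any write (SetRequest) traffic. All function and constant names are my own, and the audit policy is an assumption for illustration.

```python
# Added example, not code from the post: build the SNMPv1 GetRequest that
# "snmpget myrouter public system.sysDescr.0" sends, then parse it as a passive
# monitor would. The community string travels in plain text in every datagram.
DEFAULT_COMMUNITIES = {"public", "private", "read", "write"}  # pairs named in the post
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # numeric form of system.sysDescr.0

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128  # short-form BER length suffices for these small packets
    return bytes([tag, len(body)]) + body

def _encode_oid(oid: str) -> bytes:
    """BER OID: first two arcs merged into one byte, the rest base-128 big-endian."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def build_get_request(community: str, oid: str = SYS_DESCR_0, req_id: int = 1) -> bytes:
    """SNMPv1 message: version 0, community, GetRequest PDU with one NULL varbind."""
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x05, b""))
    pdu = (_tlv(0x02, bytes([req_id & 0x7F])) + _tlv(0x02, b"\x00")  # request-id, error-status
           + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))               # error-index, varbinds
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))

def _read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]  # (tag, value, next_pos) of the short-form TLV at pos
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_request(packet: bytes) -> dict:
    """Pull version, community and PDU tag (0xA0 get, 0xA3 set) out of a raw SNMPv1 payload."""
    _, msg, _ = _read_tlv(packet, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {"version": version[0], "community": community.decode(errors="replace"), "pdu": pdu_tag}

def audit(packet: bytes) -> list:
    """Findings a monitor would raise for one captured request (constructed policy)."""
    info = parse_request(packet)
    findings = []
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{info['community']}' in use")
    if info["pdu"] == 0xA3:  # SetRequest only succeeds where a writable community is exposed
        findings.append("SetRequest seen from this source")
    return findings
```

Feeding captured UDP/161 payloads through audit() is enough to find which devices on a segment still answer to "public" or "private" without touching the devices themselves.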