SNMP Attacks

1
SNMP Attacks

• TSM 352
• System Security

2
Overview

• SNMP is a commonly used service that provides
  network management and monitoring capabilities.
• It offers the capability to poll networked
  devices and monitor data.
• Though not used nearly as much for control, SNMP
  is capable of this function.

3
SNMP History

• Originally it was for managing appliances
  routers, hubs, servers
• Today, just about any device has SNMP
  capabilities, including printers, modems,
  desktops computers.
• Started in 1988 (RFC 1067) and refined in 1989
  (RFC 1098) and 1990 (RFC 1157)
• Version 1 still most commonly used
• Work started on version 2 in 1992 (RFCs
  1441-1452), attempting to improve the security
  and authentication. Too complex, and version 2
  was abandoned.
• Version 3 started in March 1999, made several
  improvements. Allows for use of more robust
  authentication. Keeps track of time delays
  between packets, and has encryption options. Also
  allows for backward compatibility and is more
  difficult to configure and administer. Vendor
  support is growing Cisco IOS 12 versions
  support SNMPv3.

4
Some SNMP Details

• SNMP has a client/server architecture
• It uses un-encrypted text known as community
  strings for authentication
• Communications between the client and server is
  done using a message called a PDU (Protocol Data
  Unit).
• There are 4 types of messages
• GET request/reply
• GET NEXT request/reply
• SET request (client to server)
• TRAP message (server to client)

5
SNMP Commands

• The GET is used to fetch a specific value that is
  stored in a table on the server. The tables of
  information are arranged in collections that are
  related. So, often you want to pull a series of
  values out. The GET request requires that you
  specify a particular item that you want (we will
  see how, shortly).
• The GET NEXT request is easier to use, since no
  additional parameters are required. It retrieves
  the next item in the data base
• SET also requires the client to specify which
  parameter, and additionally what value is to be
  put into the parameter.
• The TRAP is a message from the server to a client
  that is invoked by a particular threshold being
  reached.

6
The MIB

• The database that contains all of the values is
  called the Management Information Base (MIB).
• The MIB values are referenced using a series of
  dotted integers. These are arranged in a
  hierarchical nature similar to IP addresses.
• A sample request might be 1.3.6.1.2.1.1.1, which
  is requesting the system description.

7
SNMP Architecture

• SNMP System comprised of two basic elements
• Management Stations (clients)
• Network Elements (servers)
• SNMP is actually the protocol that allows the two
  elements to communicate
• Designed to be simple (hence its name)
• Uses UDP Ports 161 and 162.

8
The SNMP Message

• Broken into two units
• Authentication Header
• Version number
• Community String
• Protocol Data Unit (PDU)
• Request or Response
• Actual Data (sometimes set to null)
• Several SET or GET commands can be carried in a
  single PDU.

9
The MIB

• There are two types
• Standard MIBs The types of variables that are
  common to all similar systems
• Private MIBs The types of variables that are
  specific to one type of system
• Stored in a tree-like structure, with roots,
  branches, and leaves where the leaves are the
  actual objects, or variables.
• Each branch along the path to a leaf is assigned
  an integer, called an object identifier (OID).
• The first MIBs were defined and published in
  1990 in RFC 1156.

10
SNMP Access

• SNMP uses what is called a community string for
  access. This is really nothing more than a
  password, although not called password, probably
  because there is no user id to go with it hence
  the name community.
• There are typically two separate community
  strings used one for reading data and another
  for writing. These are known as the read
  community string and the write community
  string.
• SNMP is often installed by default on appliances
  and is running without the administrators
  knowledge.
• Administrator may be aware of its existence, but
  not aware of the community strings

11
SNMP Authentication

• The SNMP community string is in the
  Authentication header of the SNMP packet
• There are two levels of community access
• A community string can be assigned read-only
  access or read/write access.
• The standard default values of most SNMP
  implementations are public for read only, and
  private for read/write.
• The SNMP agent can also be set to only accept
  requests from a particular set of IP addresses.

12
Exploiting SNMP

• As already mentioned, the community strings are
  often assigned as public and private and many
  admins dont even recognize that the SNMP agents
  are running.
• Even if the community strings have been changed,
  usually SNMP activity is not logged so brute
  force guessing can go on undetected.
• In addition, dont forget that these strings are
  passed in clear text making them good targets
  for sniffing.
• Imagine what an attacker with the R/W string can
  do pretty much any configuration of the device
  at all particularly with appliances, such as
  routers.
• Keep in mind that the SNMP agent can be set to
  only respond to particular IPs, but since SNMP
  is UDP, it is easy to spoof an IP address. (Of
  course you wont get replies, so doing GETs does
  no good, but PUTs would still be effective.)

13
Defending SNMP

• Dont run SNMP unless you need it
• Check ALL devices and servers for it running
  (scan your network for ports 161 and 162 dont
  forget, you need UDP scan!)
• Treat all community strings as you would
  passwords remember you probably wont have
  auditing capabilities or lockout capabilities
• Use a simple snmp client to verify community
  strings
• Do not use the same strings on all devices
• Filter SNMP ports on border routers
• Set IP restrictions on SNMP agents
• Watch for sniffers

14
SNMP Clients

• There are numerous SNMP clients (and agents for
  that matter) that vary considerably in terms of
  ease of use and cost.
• For the most part, they all have the same
  functionality. There is a simple DOS command
  (snmputil) that can be used to retrieve or set
  any SNMP variable on a remote machine. This
  utility comes with the NT/2K Resource kit, along
  with a low-end GUI version, called snmputilg.
• The trick to using the simple, free SNMP clients
  is in knowing about the MIB structure. There are
  thousands of MIB databases out there, and knowing
  which ones you need for a particular appliance or
  operating system is important.

15
The WALK function

• Even the simplest of the SNMP clients allow a
  user function known as the walk function.
• This function allows the user to specify a
  starting point in the MIB tree. Then the GET NEXT
  function is used to retrieve all values down all
  branches of the tree from the specified starting
  point.
• This type of request can result in a lot of
  replies.
• The WALK function simply continues to send a GET
  NEXT command until an error reply indicates that
  there is no value for the request.

16
Examples

• Using snmputil
• C\gtsnmputil get 216.249.153.254 public
  .1.3.6.1.2.1.1.1
• C\gtsnmputil walk 216.249.153.254 public
  .1.3.6.1.4.1 gt walk1.txt
• Using snmputilg
• One value
• Get next values
• Walking the Lanmanager branch
• Using GETIF
• Show grouped gets
• Show SET