SNMP Attacks - PowerPoint PPT Presentation

Provided by: johnmc1
1
SNMP Attacks
  • TSM 352
  • System Security

2
Overview
  • SNMP is a commonly used service that provides
    network management and monitoring capabilities.
  • It offers the capability to poll networked
    devices and monitor data.
  • Though not used nearly as much for control, SNMP
    is capable of this function.

3
SNMP History
  • Originally it was for managing appliances:
    routers, hubs, servers.
  • Today, just about any device has SNMP
    capabilities, including printers, modems and
    desktop computers.
  • Started in 1988 (RFC 1067) and refined in 1989
    (RFC 1098) and 1990 (RFC 1157)
  • Version 1 still most commonly used
  • Work started on version 2 in 1992 (RFCs
    1441-1452), attempting to improve the security
    and authentication. Too complex, and version 2
    was abandoned.
  • Version 3 started in March 1999 and made several
    improvements. It allows for more robust
    authentication, keeps track of time delays
    between packets, and has encryption options. It
    also allows for backward compatibility, but is
    more difficult to configure and administer.
    Vendor support is growing; Cisco IOS 12 versions
    support SNMPv3.

4
Some SNMP Details
  • SNMP has a client/server architecture.
  • It uses un-encrypted text known as community
    strings for authentication.
  • Communication between the client and server is
    done using a message called a PDU (Protocol Data
    Unit).
  • There are 4 types of messages:
      • GET request/reply
      • GET NEXT request/reply
      • SET request (client to server)
      • TRAP message (server to client)

5
SNMP Commands
  • The GET is used to fetch a specific value that is
    stored in a table on the server. The tables of
    information are arranged in collections that are
    related. So, often you want to pull a series of
    values out. The GET request requires that you
    specify a particular item that you want (we will
    see how, shortly).
  • The GET NEXT request is easier to use, since no
    additional parameters are required. It retrieves
    the next item in the database.
  • SET also requires the client to specify which
    parameter, and additionally what value is to be
    put into the parameter.
  • The TRAP is a message from the server to a client
    that is invoked by a particular threshold being
    reached.

6
The MIB
  • The database that contains all of the values is
    called the Management Information Base (MIB).
  • The MIB values are referenced using a series of
    dotted integers. These are arranged in a
    hierarchical nature similar to IP addresses.
  • A sample request might be 1.3.6.1.2.1.1.1, which
    is requesting the system description.

7
SNMP Architecture
  • An SNMP system is comprised of two basic elements:
      • Management Stations (clients)
      • Network Elements (servers)
  • SNMP is actually the protocol that allows the two
    elements to communicate.
  • Designed to be simple (hence its name).
  • Uses UDP ports 161 and 162.

8
The SNMP Message
  • Broken into two units:
      • Authentication Header
          • Version number
          • Community String
      • Protocol Data Unit (PDU)
          • Request or Response
          • Actual Data (sometimes set to null)
  • Several SET or GET commands can be carried in a
    single PDU.

9
The MIB
  • There are two types:
      • Standard MIBs: the types of variables that are
        common to all similar systems
      • Private MIBs: the types of variables that are
        specific to one type of system
  • Stored in a tree-like structure, with roots,
    branches, and leaves, where the leaves are the
    actual objects, or variables.
  • Each branch along the path to a leaf is assigned
    an integer, called an object identifier (OID).
  • The first MIBs were defined and published in
    1990 in RFC 1156.

10
SNMP Access
  • SNMP uses what is called a community string for
    access. This is really nothing more than a
    password, although it is not called a password,
    probably because there is no user id to go with
    it; hence the name "community".
  • There are typically two separate community
    strings used: one for reading data and another
    for writing. These are known as the read
    community string and the write community
    string.
  • SNMP is often installed by default on appliances
    and is running without the administrator's
    knowledge.
  • The administrator may be aware of its existence,
    but not aware of the community strings.

11
SNMP Authentication
  • The SNMP community string is in the
    Authentication header of the SNMP packet
  • There are two levels of community access: a
    community string can be assigned read-only
    access or read/write access.
  • The standard default values of most SNMP
    implementations are "public" for read-only and
    "private" for read/write.
  • The SNMP agent can also be set to only accept
    requests from a particular set of IP addresses.

12
Exploiting SNMP
  • As already mentioned, the community strings are
    often left assigned as public and private, and
    many admins don't even recognize that the SNMP
    agents are running.
  • Even if the community strings have been changed,
    SNMP activity is usually not logged, so brute
    force guessing can go on undetected.
  • In addition, don't forget that these strings are
    passed in clear text, making them good targets
    for sniffing.
  • Imagine what an attacker with the R/W string can
    do: pretty much any configuration of the device
    at all, particularly with appliances such as
    routers.
  • Keep in mind that the SNMP agent can be set to
    only respond to particular IPs, but since SNMP
    is UDP, it is easy to spoof an IP address. (Of
    course you won't get replies, so doing GETs does
    no good, but SETs would still be effective.)

13
Defending SNMP
  • Don't run SNMP unless you need it
  • Check ALL devices and servers for it running
    (scan your network for ports 161 and 162; don't
    forget, you need a UDP scan!)
  • Treat all community strings as you would
    passwords; remember you probably won't have
    auditing capabilities or lockout capabilities
  • Use a simple SNMP client to verify community
    strings
  • Do not use the same strings on all devices
  • Filter SNMP ports on border routers
  • Set IP restrictions on SNMP agents
  • Watch for sniffers
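The logging that slides 12 and 13 say is usually missing, as an added Python example that is not part of the original presentation: it assembles SNMPv1 messages in the slide 8 layout (version, community string, PDU) purely to construct test traffic, parses the cleartext header back out of a datagram, and flags default community strings and a source cycling through many different strings. The BER layout follows RFC 1157; the source addresses, the sample community strings and the guess threshold are constructed for the example.

```python
from collections import defaultdict

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

# GetRequest PDU for sysDescr.0 (1.3.6.1.2.1.1.1.0), hand-encoded BER (constructed):
#   a0 19 | 02 01 01 (request-id) | 02 01 00 (error-status) | 02 01 00 (error-index)
#   30 0e 30 0c | 06 08 2b 06 01 02 01 01 01 00 (OID; 1.3 packs to 0x2b) | 05 00 (NULL)
GET_SYSDESCR_PDU = bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500")

def _enc(tag, content):  # BER TLV with short-form length (content under 128 bytes)
    return bytes([tag, len(content)]) + content

def v1_message(community, pdu=GET_SYSDESCR_PDU):
    """Slide 8 layout: SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }."""
    return _enc(0x30, b"\x02\x01\x00" + _enc(0x04, community.encode()) + pdu)

def _tlv(buf, pos):  # decode one BER element: (tag, value bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Version, community and PDU type: the cleartext 'authentication header'."""
    tag, body, _ = _tlv(datagram, 0)
    vtag, ver, pos = _tlv(body, 0)                              # INTEGER: 0 = v1, 1 = v2c
    ctag, community, pos = _tlv(body, pos)                      # OCTET STRING community
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message")
    pdu_tag = _tlv(body, pos)[0]
    return {"version": ver[-1], "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}

def flag_snmp_activity(packets, guess_threshold=5):
    """packets: (src_ip, datagram) pairs captured on UDP/161; returns alert strings."""
    alerts, tried = [], defaultdict(set)
    for src, data in packets:
        hdr = parse_snmp_header(data)
        if hdr["community"] in ("public", "private"):           # slide 11 defaults
            alerts.append(f"{src}: default community '{hdr['community']}' in {hdr['pdu']}")
        tried[src].add(hdr["community"])
        if len(tried[src]) == guess_threshold:                  # many strings = guessing
            alerts.append(f"{src}: {guess_threshold} distinct community strings tried")
    return alerts

# Constructed sample traffic: one default-community poll and one host cycling strings.
SAMPLE_PACKETS = [("10.0.0.5", v1_message("public"))] + [
    ("10.0.0.9", v1_message(c)) for c in ("admin", "cisco", "monitor", "snmp", "mgmt")]
```

Feeding real datagrams from a capture of UDP/161 into flag_snmp_activity gives the audit trail the agent itself does not produce.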

14
SNMP Clients
  • There are numerous SNMP clients (and agents for
    that matter) that vary considerably in terms of
    ease of use and cost.
  • For the most part, they all have the same
    functionality. There is a simple DOS command
    (snmputil) that can be used to retrieve or set
    any SNMP variable on a remote machine. This
    utility comes with the NT/2K Resource Kit, along
    with a low-end GUI version, called snmputilg.
  • The trick to using the simple, free SNMP clients
    is in knowing about the MIB structure. There are
    thousands of MIB databases out there, and knowing
    which ones you need for a particular appliance or
    operating system is important.

15
The WALK function
  • Even the simplest of the SNMP clients allow a
    user function known as the walk function.
  • This function allows the user to specify a
    starting point in the MIB tree. Then the GET NEXT
    function is used to retrieve all values down all
    branches of the tree from the specified starting
    point.
  • This type of request can result in a lot of
    replies.
  • The WALK function simply continues to send a GET
    NEXT command until an error reply indicates that
    there is no value for the request.
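The WALK loop from this slide as an added Python example (not from the presentation), run against a constructed in-memory stand-in for an agent's MIB rather than a live device: get_next implements the agent's side of GET NEXT over OIDs compared as integer tuples, and walk repeats it from the starting point until the error reply (or until the returned OID has left the starting subtree) and also counts how many requests that took. The OIDs are standard MIB-II system and interfaces objects; the values are made up.

```python
def oid_tuple(oid):
    """'.1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1); tuples compare in MIB tree order."""
    return tuple(int(x) for x in oid.strip(".").split("."))

def oid_str(t):
    return "." + ".".join(map(str, t))

# Constructed stand-in for an agent's MIB: a few system (1.3.6.1.2.1.1) and
# interfaces (1.3.6.1.2.1.2) leaves; the values are made up.
SAMPLE_MIB = {
    oid_tuple("1.3.6.1.2.1.1.1.0"): "Sample router, IOS 12.x",   # sysDescr.0
    oid_tuple("1.3.6.1.2.1.1.3.0"): 123456,                      # sysUpTime.0
    oid_tuple("1.3.6.1.2.1.1.5.0"): "edge-rtr-1",                # sysName.0
    oid_tuple("1.3.6.1.2.1.2.1.0"): 2,                           # ifNumber.0
    oid_tuple("1.3.6.1.2.1.2.2.1.2.1"): "FastEthernet0/0",       # ifDescr.1
    oid_tuple("1.3.6.1.2.1.2.2.1.2.2"): "Serial0/0",             # ifDescr.2
}

def get_next(mib, oid):
    """Agent side of GET NEXT: the first object after oid in tree order, or
    None, standing in for the error reply once the end of the MIB is reached."""
    key = oid_tuple(oid)
    later = sorted(k for k in mib if k > key)
    return (oid_str(later[0]), mib[later[0]]) if later else None

def walk(mib, start):
    """Client side of WALK: keep sending GET NEXT from the last OID returned.
    The slide's loop stops only on the error reply; like most clients this one
    also stops once the returned OID has left the subtree it started in.
    Returns the (oid, value) pairs and the number of GET NEXT requests sent."""
    prefix, results, current = oid_tuple(start), [], start
    requests = 0
    while True:
        requests += 1
        reply = get_next(mib, current)
        if reply is None or oid_tuple(reply[0])[:len(prefix)] != prefix:
            return results, requests
        results.append(reply)
        current = reply[0]
```

Walking 1.3.6.1.2.1 over this six-leaf sample already costs seven round trips, which is the "lot of replies" the slide warns about, scaled down.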

16
Examples
  • Using snmputil
      • C:\>snmputil get 216.249.153.254 public .1.3.6.1.2.1.1.1
      • C:\>snmputil walk 216.249.153.254 public .1.3.6.1.4.1 > walk1.txt
  • Using snmputilg
      • One value
      • Get next values
      • Walking the Lanmanager branch
  • Using GETIF
      • Show grouped gets
      • Show SET