SNMP, the Simple Network Management Protocol, is one of the most commonly used network protocols for managing network devices such as routers, switches, firewalls and other network equipment. This article discusses SNMP in detail, how SNMP can be used to compromise a remote machine, and the network-level threats associated with this protocol.
Any device on a network that is managed through SNMP is known as a managed device. Through SNMP, network admins can manage the entire corporate network infrastructure: its activity, outages and so on.
From the point of view of breaking into systems this protocol is very critical, as it enables direct access to those devices to gather information. Starting with some basics about SNMP, we will proceed to its exploitation.
Basics:
The versions of SNMP are SNMPv1, SNMPv2c and SNMPv3. SNMPv1 is considered the most insecure in terms of cryptographic protection of the security keys in transit, request handling and trap handling. SNMPv2c is an improved version of SNMPv1. Later SNMPv3 was introduced, and it is considered the most secure version of SNMP. However, although SNMPv1 may seem outdated, it is still the most widely used SNMP version for managing routers, switches, Windows XP/2003 and other network devices. It is the default SNMP version enabled on these devices, and network admins are too lazy to change it.
Management Information Base: When SNMP queries a particular device, the SNMP agent installed on that device refers to the information database about the device stored in its MIB and replies to the SNMP manager. To be clearer, the MIB is a standard created by the IETF in its RFCs and contains information about devices along with their configuration. Within the MIB, a particular piece of information is accessed via an OID (object identifier). An OID is a series of dotted numerals used to refer to a particular piece of information in the MIB tree. Naming OIDs in numerical form simply makes it easy to refer to a particular piece of information about a device. It serves as the address that locates a piece of information, such as the owner name of the device, in the entire MIB tree. Accessing the MIB tree is possible with built-in utilities such as snmpwalk, discussed later in this article.
Authentication: Access to the SNMP service is controlled by two SNMP keys, known as the read and write community strings. The most commonly used default read string is public and the default write string is private. After obtaining the read and write community strings an attacker can control all managed devices, obtain bulk information about them and change the routing configuration of the device.
Breaking the Authentication: The most widely used technique to break the SNMP community string of a device is brute-forcing it. The snmp_login module in Metasploit provides a list of community strings that is used to brute-force the actual community string of the device. ADMsnmp is another popular tool used to obtain SNMP information about a device.
Besides the predefined list of community strings, a more sophisticated custom list can be fed to the tool to break the community string. The figure below shows how the snmp_login module can be used to break a community string.
In the above image the community string was easily discoverable and happened to be the default one, i.e. public for read access and private for write access. After guessing the default read/write community strings an attacker can alter the MIB database and SNMP configuration settings, thereby gaining complete access to the SNMP service.
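The guessing described above leaves a distinctive trace on the agent side: one source presenting many different community strings in a short time, usually ending with one that is accepted. The following Python is an added example (not part of the original article and not a Metasploit or net-snmp tool) of a detection rule over such records. The records, their CSV layout and the thresholds are constructed assumptions; a real deployment would feed it from snmpd authentication-failure logs or a sensor.

```python
"""Flag SNMP community-string guessing from per-request records.

Added example; the log format and thresholds below are constructed
assumptions, not net-snmp's own log layout.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 10.0.0.9 is the legitimate poller, 10.0.0.50 cycles a
# wordlist and finally hits the real string, 10.0.0.77 is one operator typo.
SAMPLE_LOG = """\
time,src,community,result
2024-05-01T10:00:00,10.0.0.9,monitor-r0,accepted
2024-05-01T10:00:02,10.0.0.50,public,rejected
2024-05-01T10:00:02,10.0.0.50,private,rejected
2024-05-01T10:00:03,10.0.0.50,cisco,rejected
2024-05-01T10:00:03,10.0.0.50,admin,rejected
2024-05-01T10:00:04,10.0.0.50,manager,rejected
2024-05-01T10:00:04,10.0.0.50,snmp,rejected
2024-05-01T10:00:05,10.0.0.50,monitor-r0,accepted
2024-05-01T10:00:30,10.0.0.9,monitor-r0,accepted
2024-05-01T10:01:00,10.0.0.9,monitor-r0,accepted
2024-05-01T10:02:00,10.0.0.77,publc,rejected
2024-05-01T10:02:05,10.0.0.77,monitor-r0,accepted
"""

WINDOW_SECONDS = 60       # sliding window per source address
DISTINCT_THRESHOLD = 5    # distinct strings inside the window that trigger


def parse_records(text):
    """CSV text -> list of (datetime, src, community, result), time-sorted."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(row["time"]), row["src"],
                     row["community"], row["result"]))
    rows.sort(key=lambda r: r[0])   # stable: equal timestamps keep file order
    return rows


def detect_guessing(records, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Return {src: finding} for every source that presented at least
    `threshold` distinct community strings within any `window` seconds.

    A finding keeps the peak number of distinct strings seen and, if a guess
    was eventually accepted, which string it was: that is the case where the
    community string must be rotated rather than just the source blocked."""
    per_src = defaultdict(deque)    # src -> deque of (ts, community, result)
    findings = {}
    for ts, src, community, result in records:
        q = per_src[src]
        q.append((ts, community, result))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()             # drop entries that fell out of the window
        distinct = {c for _, c, _ in q}
        if len(distinct) >= threshold:
            f = findings.setdefault(src, {"distinct": 0, "accepted": None,
                                          "first": q[0][0], "last": ts})
            f["distinct"] = max(f["distinct"], len(distinct))
            f["last"] = ts
            if result == "accepted":
                f["accepted"] = community
    return findings


if __name__ == "__main__":
    for src, f in detect_guessing(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct']} distinct strings between "
              f"{f['first'].time()} and {f['last'].time()}, "
              f"accepted={f['accepted']!r}")
```

The rule keys on the number of distinct strings rather than on rejection counts alone, so a misconfigured poller retrying one wrong string does not trigger it, while a wordlist run does even when every request comes at a slow rate inside the window.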
Obtaining intelligence information using SNMP
After the attacker has compromised the READ-WRITE community string it becomes very easy to obtain information about the managed devices. The level of information obtained varies from details of the hardware attached to the device to the list of processes running on the remote machine. Such fine-grained information is very valuable and provides a road map for obtaining further access to the systems.
Snmp_enum utility
Snmp_enum is a built-in utility in Metasploit used to obtain crucial system information after the read-write community string is obtained. The snmp_enum utility takes the remote address and community string as input and authenticates to the remote system with the provided community string; after authentication it collects crucial information such as network information, system hardware information, routing information, applications running on that system, processes executing on the remote machine, and the shares and users available on the remote system. From an exploitation point of view such information can provide complete access to the remote machine.
Snmp_enumshares :
It is also a Metasploit built-in utility that can be used to obtain share information about remote machines. It takes the remote address and community string as input. The result provides the details of files and folders shared on the remote system.
The above utilities provide a detailed blueprint of the remote machine containing all the information mentioned above.
Snmp_enumusers:
It is one of the most important Metasploit utilities, providing user information about remote SNMP-managed systems. Such information gives valid user account names on the system. An attacker looking to brute-force a system is relieved of the task of finding valid user names; he only needs to brute-force the passwords, which are often the same as the usernames on the system.
snmpwalk, snmpget, snmpset utilities:
snmpwalk is another useful SNMP utility used to walk the Management Information Base of any organization once the community strings are discovered. It provides the complete details of each object identifier in the Management Information Base through a series of GETNEXT requests. It can also be used to query a particular object identifier.
# snmpwalk -c private -v 2c 172.35.0.174
SNMPv2-MIB::sysDescr.0 = HP-UX net-snmp B.10.20 A 9000/715
SNMPv2-MIB::sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.hpux10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (586998396) 67 days, 22:33:03.96
SNMPv2-MIB::sysContact.0 = Wes Hardaker wjhardaker@ucdavis.edu
SNMPv2-MIB::sysName.0 = net-snmp
SNMPv2-MIB::sysLocation.0 = UCDavis
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.4 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.5 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORDescr.1 = The Mib module for SNMPv2 entities.
SNMPv2-MIB::sysORDescr.2 = The MIB module to describe generic objects for network interface sub-layers
SNMPv2-MIB::sysORDescr.4 = The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.5 = The MIB module for managing UDP implementations
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (82) 0:00:00.82
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (81) 0:00:00.81
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (83) 0:00:00.83
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (82) 0:00:00.82
snmptranslate:
It is another handy utility which takes numeric OIDs as input and outputs their corresponding textual names in the Management Information Base.
# snmptranslate .1.3.6.1.2.1.1.3.0
SNMPv2-MIB::sysUpTime.0
.1.3.6.1.2.1.1.3.0 represents SNMPv2-MIB::sysUpTime.0, the system up time.
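The MIB tree, the GETNEXT walk that snmpwalk performs and the OID naming that snmptranslate performs all rest on one idea: OIDs are sequences of integers ordered lexicographically. The Python below is an added example, not code from the original article or from net-snmp, that models a tiny agent holding the SNMPv2-MIB system group shown in the snmpwalk output above and implements both operations against it. The object names are the real SNMPv2-MIB system-group names; the instance values are constructed, and only the system group is known to the translator, so anything outside it stays numeric (real snmptranslate has the full MIB set).

```python
"""Toy MIB: snmpwalk-style GETNEXT traversal and snmptranslate-style naming.

Added example (not net-snmp code). NAMES covers only the SNMPv2-MIB system
group; AGENT_DATA is a constructed agent whose values mirror the article's
snmpwalk output.
"""

SYSTEM_GROUP = (1, 3, 6, 1, 2, 1, 1)   # iso.org.dod.internet.mgmt.mib-2.system

# Numeric OID prefix -> textual name, as the MIB module defines them.
NAMES = {
    (1, 3, 6, 1, 2, 1, 1): "SNMPv2-MIB::system",
    (1, 3, 6, 1, 2, 1, 1, 1): "SNMPv2-MIB::sysDescr",
    (1, 3, 6, 1, 2, 1, 1, 2): "SNMPv2-MIB::sysObjectID",
    (1, 3, 6, 1, 2, 1, 1, 3): "SNMPv2-MIB::sysUpTime",
    (1, 3, 6, 1, 2, 1, 1, 4): "SNMPv2-MIB::sysContact",
    (1, 3, 6, 1, 2, 1, 1, 5): "SNMPv2-MIB::sysName",
    (1, 3, 6, 1, 2, 1, 1, 6): "SNMPv2-MIB::sysLocation",
    (1, 3, 6, 1, 2, 1, 1, 7): "SNMPv2-MIB::sysServices",
}

# Constructed agent contents: instance OID -> value. Deliberately listed out
# of order so the walk has to impose the lexicographic ordering itself.
AGENT_DATA = {
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "net-snmp",
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "HP-UX net-snmp B.10.20 A 9000/715",
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 586998396,      # Timeticks
    (1, 3, 6, 1, 2, 1, 1, 6, 0): "UCDavis",
    (1, 3, 6, 1, 2, 1, 1, 4, 0): "Wes Hardaker wjhardaker@ucdavis.edu",
}


def parse_oid(text):
    """'.1.3.6.1.2.1.1.3.0' -> (1, 3, 6, 1, 2, 1, 1, 3, 0)."""
    return tuple(int(p) for p in text.strip().strip(".").split("."))


def translate(oid):
    """Numeric OID -> 'MODULE::name.instance'; the longest known prefix wins
    and any unknown tail is kept numeric, as snmptranslate does."""
    if isinstance(oid, str):
        oid = parse_oid(oid)
    for n in range(len(oid), 0, -1):
        name = NAMES.get(oid[:n])
        if name:
            tail = ".".join(str(p) for p in oid[n:])
            return f"{name}.{tail}" if tail else name
    return "." + ".".join(str(p) for p in oid)


def get_next(oid, data=AGENT_DATA):
    """GETNEXT: the smallest instance OID lexicographically greater than
    `oid`, or None at end of the MIB view. Python tuple comparison is the
    SNMP ordering: a prefix sorts before every OID that extends it."""
    candidates = [o for o in data if o > oid]
    return min(candidates) if candidates else None


def walk(subtree, data=AGENT_DATA):
    """snmpwalk: repeat GETNEXT from the subtree root until the agent returns
    an OID outside the subtree (or end of MIB)."""
    if isinstance(subtree, str):
        subtree = parse_oid(subtree)
    out, current = [], subtree
    while True:
        nxt = get_next(current, data)
        if nxt is None or nxt[:len(subtree)] != subtree:
            break                      # left the subtree: walk is complete
        out.append((translate(nxt), data[nxt]))
        current = nxt
    return out


if __name__ == "__main__":
    for name, value in walk(SYSTEM_GROUP):
        print(f"{name} = {value}")
    print(translate(".1.3.6.1.2.1.1.3.0"))
```

The subtree check in walk() is what stops a walk of sysUpTime from spilling into sysContact; a walker that compares only the OID numbers without the prefix test will keep going to the end of the MIB, which is the behaviour of a GETNEXT loop with no termination condition.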
snmpset:
It is the utility that performs write operations on the SNMP MIB database. To perform this operation the attacker or network admin needs write access, i.e. the SNMP write community string.
# snmpset -v 2c -c private 172.35.0.174 SNMPv2-MIB::sysContact.0 s "owned by shell"
Here the SNMPv2c community string private is used to update the sysContact OID of the network device. So if an attacker gains access to the write community string the consequences can be severe.
This is how SNMP vulnerability assessment and exploitation works, and it can have serious consequences if the community strings are nailed by the attacker using an exhaustive word list. Therefore, to prevent such data breaches, network admins should configure hard-to-guess community strings that are unique and difficult to brute-force.
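A strong community string is the minimum; on a net-snmp agent the same snmpd.conf can also restrict which hosts may use it, which subtree it exposes, and whether write access exists over v1/v2c at all. The Python below is an added example, not the article's or net-snmp's own code, that audits an snmpd.conf for the weak settings discussed above and is run against a constructed weak configuration and a constructed hardened one. The directive names (rocommunity, rwcommunity, view, createUser, rwuser) are real net-snmp keywords; the community strings, host addresses and passphrase placeholders are constructed.

```python
"""Audit a net-snmp snmpd.conf for weak community-string configuration.

Added example, not net-snmp tooling. The two configs are constructed; the
length threshold and the default-string list are assumptions.
"""

# Strings commonly shipped as defaults and therefore first on any wordlist.
DEFAULT_COMMUNITIES = {"public", "private", "community", "snmp", "admin",
                       "cisco", "manager"}
MIN_COMMUNITY_LEN = 12   # assumption: treat anything shorter as guessable

WEAK_CONF = """\
# constructed: the agent side of the scenario described in the article
rocommunity public
rwcommunity private
rocommunity monitor 10.0.0.0/8
"""

HARDENED_CONF = """\
# constructed: v2c read-only, one monitoring host, system subtree only;
# all write access moves to SNMPv3 with authentication and privacy
view systemonly included .1.3.6.1.2.1.1
rocommunity Rk3-monitor-only-8f2a 10.0.0.9 -V systemonly
createUser netops SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rwuser netops priv
"""

COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity",
                        "rocommunity6", "rwcommunity6")


def audit_snmpd_conf(text):
    """Return a list of (line_number, problem, subject) findings.

    Checks: default or short v1/v2c community strings, communities with no
    source restriction (missing SOURCE or the literal 'default'), any write
    access over v1/v2c, SNMPv3 users created with MD5/DES, and SNMPv3 write
    users not required to use privacy."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            community = parts[1] if len(parts) > 1 else ""
            # third token is SOURCE unless it is an option such as -V
            source = parts[2] if len(parts) > 2 and not parts[2].startswith("-") else None
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default community string", community))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append((lineno, "short community string", community))
            if source is None or source == "default":
                findings.append((lineno, "community accepted from any source", community))
            if directive.startswith("rwcommunity"):
                findings.append((lineno, "write access via v1/v2c community", community))
        elif directive == "createuser":
            weak = {"MD5", "DES"} & set(parts)
            if weak:
                findings.append((lineno, "weak SNMPv3 algorithms " + ",".join(sorted(weak)), parts[1]))
        elif directive == "rwuser" and "priv" not in parts[2:]:
            findings.append((lineno, "SNMPv3 write user without priv", parts[1]))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit_snmpd_conf(conf))} finding(s)")
        for lineno, problem, subject in audit_snmpd_conf(conf):
            print(f"  line {lineno}: {problem} ({subject})")
```

The hardened configuration keeps a read-only v2c community only because many monitoring systems still need one; it is unique, bound to a single source host and limited to the system subtree through the -V view, so a guessed string yields neither write access nor the process and share listings that snmp_enum relies on.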