Tuesday, 19 April 2011

SNMP Enumeration

SNMP is simple. Managers send requests to agents, and the agents send back replies. The requests and replies refer to variables accessible to agent software.
Managers can also send requests to set values for certain variables.
Traps let the manager know that something significant has happened at the agent's end of things:
---a reboot
---an interface failure,
---or that something else that is potentially bad has happened.
Enumerating NT users via SNMP protocol is easy using snmputil
SNMP consists primarily of two objects: a manager and an agent. An agent consists of a piece of software embedded in a machine. SNMP agents exist for almost any piece of equipment. However, the installed agent doesn't do anything for the machine until queried by the manager. This is separate program that a network manager runs on their own computer that queries the agent (across the network) for information.
The default community string that provides the monitoring or read capability is often "public". The default management or write community string is often "private". The SNMP exploit takes advantage of these default community strings to allow an attacker to gain information about a device using the read community string "public", and the attacker can change a systems configuration using the write community string "private".
SNMPutil example


The security threat comes from Windows 2000 servers and workstations having SNMP support enabled and failing to change the default read-only community string 'Public'. However, changing this does not exempt it from attackers sniffing it from the network or to subjecting it to a dictionary or brute force attack. This may not seem troublesome but the Windows 2000 SNMP variables contain a wealth of information for the sniffing cracker. Some of the tables that are available when one has READ access to the SNMP tree in a Windows 2000 box are listed below:
Interface Table - This table identifies all boxes with multiple interfaces, plus useful details like their IP and MAC addresses.
Route Table and ARP Table - With access to these tables, a cracker can quickly build an accurate picture of a network and continue its search for vulnerabilities.
TCP Table and UDP Table - These will show which TCP and UDP ports are actively used, and on which ports services are listening for new clients.
Device Table and Storage Table - Knowing what hardware is attached to a Windows 2000 machine gives crackers clues about what kind of machine it is dealing with.
Process Table and Software Table - Knowing what software are installed and what software is running (DNS server, DHCP server) gives away details about how to attack the system. They even show which service packs have been installed (and missing patches)
User Table - Knowing which user names are valid on a machine makes it much easier to guess passwords and gain access to a system.
Share Table - If the cracker knows what shares are exported and used by a Windows machine, it can lead to a serious security compromise.
Here, we will look at an SNMP utility called SNMPutil.exe which is a part of the Windows 2000 resource kit. Let us take a look at what we can discover with it from the command line prompt.
In this output, the variable is called 1.3.6.1.2.1.1.2.0, and we 'get' its value, which turns out to be 1. The variable name (1.3.6.1.2.1.1.2.0) is called an object identifier or OID. An alternative to this is found in the second line of the output shown here. The 'interfaces.ifNumber.o' is the same OID, but is more easily readable. The second and third arguments to SNMPUTIL designate the host to which the SNMP request will be sent (210.212.69.129), and community (authentication string or password) to use (public). The 'public' community is the default when SNMP support is installed on a Windows 2000 host, and it allows the user to read all variables present. Since even the number of interfaces in a host is sensitive data, the threat is evident. Let us look at some of the other variables that might be of interest to an attacker and a security professional.
IpForwarding (1.3.6.1.2.1.4.1.0) - Is the host forwarding? This is not a good sign for a workstation.
IcmpInRedirects (1.3.6.1.2.1.5.7) - Is the host redirecting icmp messages?
TcpOutRsts (1.3.6.1.2.1.6.15) - A counter indicating the number of RSTs send by the box. This counter will increase rapidly when port-scanned.
UdpNoPorts (1.3.6.1.2.1.7.2) - A counter indicating traffic to ports where no service was present. Also a possible port-scan signal.
SNMP walk automates the whole process of getting the variables and can be redirected to an output file. To summarize, Snmputil can reveal details about services that are running, share names, share paths, any comments on shares, usernames and domain names etc.
SNMP Enumeration Countermeasures
Simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
If shutting off SNMP is not an option, then change the default 'public' community name.
Implement the Group Policy security option called Additional restrictions for anonymous connections.
Access to null session pipes and null session shares, and IPSec filtering should also be restricted.

No comments:

Post a Comment