Scanning SNMP
Simple Network Management Protocol (SNMP) is built into virtually every network device. Network management programs (such as HP OpenView and LANDesk) use SNMP for remote network host management. Unfortunately, SNMP also presents security vulnerabilities.
Vulnerabilities
The problem is that most network hosts run SNMP with the default read and write community strings, public and private, left unchanged. The majority of network devices I come across have SNMP enabled and don’t even need it.
If SNMP is compromised, a hacker may be able to gather such network information as ARP tables, usernames, and TCP connections to attack your systems further. If SNMP shows up in port scans, you can bet that a malicious attacker will try to compromise the system.
Here are some utilities for SNMP enumeration:
- The commercial tools NetScanTools Pro and Essential NetTools
- Free Windows GUI-based Getif
- Free Windows text-based SNMPUTIL (www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip)
You can use Getif to enumerate systems with SNMP enabled, as shown in Figure.
Figure : General SNMP information gathered by Getif.
In this test, I was able to glean a lot of information from a wireless access point, including model number, firmware revision, and system uptime. All this could be used against the host if an attacker wanted to exploit a known vulnerability in this particular system. By digging in further, I was able to discover several management interface usernames on this access point, as shown in Figure. You certainly don’t want to show the world this information.
Figure : Management interface user IDs gleaned via Getif’s SNMP browsing function.
Countermeasures against SNMP attacks
- Always disable SNMP on hosts if you’re not using it — period.
- Block the SNMP ports (UDP ports 161 and 162) at the network perimeter.
- Change the default read community string (public) and the default write community string (private) to long, complex values that are virtually impossible to guess.
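To check the third countermeasure on a host you administer, the following added example (not from the original text) audits a net-snmp style snmpd.conf for the default public/private strings, write access, and communities accepted from any source. The sample configuration and the 16-character minimum length are constructed assumptions, not values from the page.

```python
# Audit an snmpd.conf (net-snmp syntax) for weak SNMP community settings.
# Directives handled: rocommunity/rwcommunity COMMUNITY [SOURCE]
#                     com2sec SECNAME SOURCE COMMUNITY

# Constructed sample configuration (assumed, not from the original page).
SAMPLE_SNMPD_CONF = """\
# SNMP agent configuration (constructed sample)
rocommunity public default
rwcommunity private 192.168.1.0/24
com2sec readonly default public
com2sec mgmt 10.0.0.5 Xk9vL2qpR7mW4tZb
rocommunity Xk9vL2qpR7mW4tZb 10.0.0.5
"""

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LENGTH = 16  # assumed local policy threshold


def audit_snmpd_conf(text):
    """Return a list of (line_no, finding) tuples for weak settings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            # Omitted SOURCE means net-snmp's "default", i.e. any address.
            community = parts[1]
            source = parts[2] if len(parts) > 2 else "default"
        elif directive == "com2sec" and len(parts) >= 4:
            source, community = parts[2], parts[3]
        else:
            continue  # not a community directive
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, f"default community string '{community}'"))
        elif len(community) < MIN_COMMUNITY_LENGTH:
            findings.append((line_no, f"short community string ({len(community)} chars)"))
        if directive == "rwcommunity":
            findings.append((line_no, "write access granted via rwcommunity"))
        if source == "default":
            findings.append((line_no, "community accepted from any source address"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {line_no}: {finding}")
```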