SNMP : Simple Network Mediated (Cisco) Pwnage
Uploaded by: sensepost
Georg-Christian Pranschke, 9 October 2010
`whoami`
[email protected] “Cheorchie”
Agenda
How it all began…
SNMP ?
SNMP from a Security Perspective
SNMP on Cisco Appliances
Exploiting SNMP Misconfigurations
Frisk-0
Secure your SNMP enabled devices
Questions
A Long Time Ago…
How it all began…
SNMP ?
Simple Network Management Protocol
Monitor and manage devices on the network:
Routers, Switches, Bridges, Hubs, IP phones and cameras, Printers, Computers
SNMP ?
UDP: 161 / 162
Manager / Agent
Concepts:
MIB – Message Information Block
OID – Object Identifier
PDU – Protocol Data Unit
Versions 1 and 2c vs 3
SNMP ?
Community strings: think passwords
Read / write
SNMP from a Security Perspective
Plain-text protocol
UDP: spoofing
Get/Set responses contain the community string
Community strings:
Defaults: public, private, admin, snmp, snmpd …
Weak communities: 3 characters !!!
Reuse of community schemes
User awareness
SNMP from a Security Perspective
Information disclosure: internal IP addresses, routing information, running processes, running services, installed software, usernames, hardware
Compromise
Cisco Appliances
TELNET, SSH, HTTP, SNMP
Brute Forcing Cisco Appliances
TELNET: often only a password is required; only three tries, then reconnect; the enable password needs to be brute forced as well
SSH: needs username and password (ssh -1); only three tries per connection; the enable password needs to be brute forced as well
HTTP(S): Basic Authentication; fastest so far; no enable password
Brute Forcing Cisco Appliances
SNMP: almost as fast as we can send UDP packets! Just the community string needed! Privileged access to the device!
SNMP on Cisco Appliances
Remote configuration through SNMP: setting OIDs
Configuration up- and downloads via TFTP
Running config vs startup config
The Vigenere Cipher
Variation of a Caesar cipher
Why such a weak cipher? Obfuscation at best
Exploiting SNMP Misconfigurations
If the RW community is known…
Frisk-0
The Lab Environment
Frisk-0
“Rogue Management Interface”
Brute forces community strings
Downloads running and startup configurations
Extracts and decrypts all passwords and hashes
Batch mode: from a targets file, network ranges
Spoofing capabilities
“Configlets” (enable TELNET / reset passwords)
Fully automated and unattended
Frisk-0
The GREnd Finale
GRE – Generic Routing Encapsulation
Secure your SNMP enabled devices
Secure Your SNMP Enabled Devices
Do you really need SNMP? Do you really need a RW community?
Set strong community strings: 40+ characters? Why not!
Access-lists: SNMP, TFTP! (spoofing), UDP
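The hardening points above map directly onto lines of an IOS running-config. As an added example (not code from the talk or from Frisk-0), this Python script audits a config for the weaknesses the slides call out: default or short community strings, RW communities, communities without an access-list, and type 7 (reversible, Vigenere-style) passwords. The sample config and the 20-character length floor are constructed assumptions.

```python
import re

# Added example, not code from the talk. Defaults are the ones the slides list;
# the 20-char floor is an assumption (the talk itself suggests 40+ characters).
DEFAULT_COMMUNITIES = {"public", "private", "admin", "snmp", "snmpd"}
MIN_COMMUNITY_LEN = 20

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$", re.I)
# "password 7 <hex>" is the reversible obfuscation the Vigenere slide describes
TYPE7_RE = re.compile(r"\bpassword 7 \S+")


def audit_ios_snmp(config: str):
    """Return (severity, line_no, message) findings for an IOS running-config."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", no, f"default community '{community}'"))
            elif len(community) < MIN_COMMUNITY_LEN:
                findings.append(("medium", no, f"short community ({len(community)} chars)"))
            if mode == "rw":
                findings.append(("high", no, "RW community: config can be pulled/pushed via TFTP"))
            if acl is None:
                findings.append(("medium", no, "no access-list: any source may query the agent"))
        elif TYPE7_RE.search(line):
            findings.append(("high", no, "type 7 password: reversible obfuscation, not a hash"))
    return findings


# Constructed sample config; the type 7 strings are made-up placeholders.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable password 7 0123456789ABCD
username ops password 7 0A1B2C3D4E
snmp-server community public RO
snmp-server community s3cretRW RW
snmp-server community Xk9pL2mQ8vT4wR6yN1zB3cD7 RO 10
access-list 10 permit host 10.0.0.5
"""

if __name__ == "__main__":
    for severity, no, msg in audit_ios_snmp(SAMPLE_CONFIG):
        print(f"[{severity:6}] line {no}: {msg}")
```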
Questions ?