09.11.03


By Mati Aharoni

SNMP (Simple Network Management Protocol) is a protocol that never seems to get the attention it deserves. As a "security expert" I am quite ashamed to say that I was not fully aware of all the intricate possibilities that lie within SNMP until quite recently.

Once you get your hands dirty, SNMP can get quite interesting. Personally, it really reminds me of "The Matrix", with the ability to monitor almost anything and alert on anomalies.
For those of you not up to par with SNMP, I strongly recommend a quick read through:

http://www.chapo.co.il/articles/snmp/
http://net-snmp.sourceforge.net/
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm

This tutorial assumes you know your stuff, but here are a few basic terms (taken from chapo.co.il):
· SNMP - (Simple Network Management Protocol) - an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP).

· MIB - (Management Information Base) - provides a standard representation of the SNMP agent's available information and where it is stored.

· NMS - (Network Management Station) - A device designed to poll SNMP agents for information.

· SNMP Agent - a device running some software that understands the language of SNMP. Almost any network device could potentially run SNMP, but typically you will find SNMP agents running on internetworking devices (e.g. routers, hubs, switches, bridges). Some operating systems (UNIX, Windows NT) can also run SNMP agents.

The main problem with SNMP is that the authentication method (public and private community strings) is inherently weak, not to mention the fact that SNMP is based on UDP, which is prone to spoofing. So, we've got a weak protocol, often forgotten and misconfigured – a disaster just waiting to happen.
Just to get a taste of what kind of info SNMP can provide, we'll use snmpwalk – a Linux-based tool. (I've found Win32 ports for these tools, but I strongly suggest using Linux for this tutorial.)

In the first example we will use the "public" (default) community string to enumerate a Windows machine running SNMP.
# snmpwalk -c public 192.168.0.222
(General Info)
iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0"
iso.3.6.1.2.1.6.13.1.2.192.168.0.222.139.0.0.0.0.59542 = IpAddress: 192.168.0.222
(Open Ports)
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.59620 = 21
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.25.0.0.0.0.18484 = 25
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.59465 = 80
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.119.0.0.0.0.51385 = 119
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.26722 = 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.443.0.0.0.0.2272 = 443
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.43190 = 445
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.563.0.0.0.0.34828 = 563
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1025.0.0.0.0.10361 = 1025
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1026.0.0.0.0.18486 = 1026
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1029.0.0.0.0.18510 = 1029
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.1755.0.0.0.0.10411 = 1755
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3372.0.0.0.0.2224 = 3372
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.59426 = 3389
iso.3.6.1.2.1.6.13.1.3.192.168.0.222.139.0.0.0.0.59542 = 139
(Drives)
iso.3.6.1.2.1.25.2.3.1.3.1 = "A:\\"
iso.3.6.1.2.1.25.2.3.1.3.2 = "C:\\ Label:  Serial Number 28a1a476"
iso.3.6.1.2.1.25.2.3.1.3.3 = "D:\\ Label:W2KSEL_EN  Serial Number 9ac432a9"
iso.3.6.1.2.1.25.2.3.1.3.4 = "Virtual Memory"
(Processes)
iso.3.6.1.2.1.25.4.2.1.2.1 = "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.8 = "System"
iso.3.6.1.2.1.25.4.2.1.2.176 = "smss.exe"
iso.3.6.1.2.1.25.4.2.1.2.200 = "csrss.exe"
iso.3.6.1.2.1.25.4.2.1.2.224 = "winlogon.exe"
iso.3.6.1.2.1.25.4.2.1.2.252 = "services.exe"
iso.3.6.1.2.1.25.4.2.1.2.264 = "lsass.exe"
iso.3.6.1.2.1.25.4.2.1.2.380 = "termsrv.exe"
iso.3.6.1.2.1.25.4.2.1.2.500 = "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.532 = "SPOOLSV.EXE"
iso.3.6.1.2.1.25.4.2.1.2.564 = "msdtc.exe"
iso.3.6.1.2.1.25.4.2.1.2.668 = "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.692 = "llssrv.exe"
iso.3.6.1.2.1.25.4.2.1.2.768 = "NSPMON.exe"
iso.3.6.1.2.1.25.4.2.1.2.796 = "NSCM.exe"
iso.3.6.1.2.1.25.4.2.1.2.868 = "regsvc.exe"
iso.3.6.1.2.1.25.4.2.1.2.908 = "mstask.exe"
iso.3.6.1.2.1.25.4.2.1.2.960 = "VMwareService.e"
iso.3.6.1.2.1.25.4.2.1.2.992 = "svchost.exe"
iso.3.6.1.2.1.25.4.2.1.2.1020 = "dfssvc.exe"
iso.3.6.1.2.1.25.4.2.1.2.1040 = "inetinfo.exe"
iso.3.6.1.2.1.25.4.2.1.2.1056 = "nspm.exe"
iso.3.6.1.2.1.25.4.2.1.2.1108 = "NSUM.exe"
iso.3.6.1.2.1.25.4.2.1.2.1364 = "explorer.exe"
iso.3.6.1.2.1.25.4.2.1.2.1544 = "VMwareTray.exe"
iso.3.6.1.2.1.25.4.2.1.2.1572 = "VMwareUser.exe"
iso.3.6.1.2.1.25.4.2.1.2.1600 = "cmd.exe"
iso.3.6.1.2.1.25.4.2.1.2.1616 = "mdm.exe"
iso.3.6.1.2.1.25.4.2.1.2.1660 = "mshta.exe"
iso.3.6.1.2.1.25.4.2.1.2.1712 = "snmp.exe"
iso.3.6.1.2.1.25.4.2.1.2.1724 = "snmptrap.exe"
(Installed Apps)
iso.3.6.1.2.1.25.6.3.1.2.1 = "Sentinel 2.0"
iso.3.6.1.2.1.25.6.3.1.2.2 = "VMware Tools"
iso.3.6.1.2.1.25.6.3.1.2.3 = "WebFldrs"
#

We see that a simple walk on the standard MIB tree yields a whopping amount of information. By using vendor-specific private MIBs, even more information can be found, as can be seen by using Filip Waeytens' tool, SNMPEnum. Notice that "windows.txt" contains private MIB values for Microsoft products.
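As an added example (my own, not code from the article or from SNMPEnum) of what such a tool does with a walk like the one above: it parses the raw snmpwalk lines, maps the standard MIB-II and Host Resources OIDs to what they describe, and builds the same kind of inventory, so an administrator can see at a glance what a "public" read exposes on their own hosts. The sample lines are constructed from the output above.

```python
import re

# Constructed sample in the shape of the snmpwalk output above (a subset of its lines).
SAMPLE_WALK = r'''
.iso.3.6.1.2.1.1.1.0 = "Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.21.0.0.0.0.59620 = 21
..iso.3.6.1.2.1.6.13.1.3.192.168.0.222.139.0.0.0.0.59542 = 139
iso.3.6.1.2.1.25.2.3.1.3.1 = "A:\\"
.iso.3.6.1.2.1.25.2.3.1.3.2 = "C:\\ Label:  Serial Number 28a1a476"
iso.3.6.1.2.1.25.4.2.1.2.264 = "lsass.exe"
iso.3.6.1.2.1.25.6.3.1.2.2 = "VMware Tools"
'''.strip().splitlines()

# A walk line: leading dots, "iso" (= 1), numeric OID, "=", optional "Type:" prefix, value (maybe quoted).
LINE_RE = re.compile(r'^\.*iso((?:\.\d+)+)\s*=\s*(?:[A-Za-z]+:\s*)?"?(.*?)"?$')

SYS_DESCR = "1.3.6.1.2.1.1.1.0"            # sysDescr
TCP_LOCAL_PORT = "1.3.6.1.2.1.6.13.1.3."   # tcpConnLocalPort, indexed by localAddr(4).localPort.remAddr(4).remPort
HR_STORAGE = "1.3.6.1.2.1.25.2.3.1.3."     # hrStorageDescr
HR_SW_RUN = "1.3.6.1.2.1.25.4.2.1.2."      # hrSWRunName
HR_SW_INSTALLED = "1.3.6.1.2.1.25.6.3.1.2."  # hrSWInstalledName

def parse_line(line):
    """Return (numeric OID, value) for one walk line, or None for label or blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return "1" + m.group(1), m.group(2)

def summarize(walk_lines):
    """Group a walk into the inventory SNMPEnum prints: OS, TCP listeners, drives, processes, software."""
    out = {"sysDescr": None, "tcp_ports": {}, "drives": [], "processes": [], "software": []}
    for line in walk_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        oid, value = parsed
        if oid == SYS_DESCR:
            out["sysDescr"] = value
        elif oid.startswith(TCP_LOCAL_PORT):
            idx = oid[len(TCP_LOCAL_PORT):].split(".")
            out["tcp_ports"][int(value)] = ".".join(idx[:4])  # port -> bound local address
        elif oid.startswith(HR_STORAGE):
            out["drives"].append(value)
        elif oid.startswith(HR_SW_RUN):
            out["processes"].append(value)
        elif oid.startswith(HR_SW_INSTALLED):
            out["software"].append(value)
    return out
```

Feeding it the full walk of a host you manage (saved with snmpwalk to a file) shows exactly which OS details, listeners, drives and process names anyone holding the community string can read.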
# perl snmpenum.pl
Usage: perl enum.pl <IP-address> <community> <configfile>
# perl snmpenum.pl 192.168.0.222 windows.txt

SERVICES

Server
Alerter
Event Log
Messenger
DNS Client
DHCP Client
Workstation
SNMP Service
Plug and Play
…..
World Wide Web Publishing Service
Distributed Transaction Coordinator
Simple Mail Transport Protocol (SMTP)
Network News Transport Protocol (NNTP)
Windows Management Instrumentation Driver Extensions

DISKS

A:\
C:\ Label:  Serial Number 28a1a476
D:\ Label:W2KSEL_EN  Serial Number 9ac432a9
Virtual Memory

LISTENING TCP PORTS

21
25
80
119
135
443
445
563
1025
1026
1029
1755
3372
3389

UPTIME

16 minutes, 52.92

LISTENING UDP PORTS

135
161
162
445
1028
1030
1755
3456

USERS

Guest
IUSR_LAB-SP3
IWAM_LAB-SP3
Administrator
TsInternetUser
NetShowServices

DOMAIN

WORKGROUP

SYSTEM INFO

Hardware: x86 Family 6 Model 8 Stepping 0 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

HOSTNAME

LAB-SP3

RUNNING PROCESSES

System Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
termsrv.exe
svchost.exe
…
cmd.exe
mdm.exe
mshta.exe
snmp.exe
snmptrap.exe

INSTALLED SOFTWARE

Sentinel 2.0
VMware Tools
WebFldrs

SHARES

MyShare
C:\Documents and Settings\Administrator\Desktop\MyShare

Surprised? Yes, SNMP is a powerful enumeration tool. However, a common misconception is that SNMP is "read only" and that no actual changes can be made using SNMP. This couldn't be further from the truth, as we will see in the next example...

Click Here to Read the Full Article


About the Author:
Mati Aharoni, MCSES, MCT, CCNA, CCSA, CISSP
Visit the Security through Hacking Web site at http://www.mutsonline.com for additional information.

Read this newsletter at: http://www.securitypronews.com/2003/0911.html

-- SecurityProNews is an iEntry, Inc. publication --
2003 iEntry, Inc. All Rights Reserved