SNMP: Simple Network Mediated (Cisco) Pwnage
Georg-Christian Pranschke
9 October 2010
Agenda
- How it all began…
- SNMP ?
- SNMP from a Security Perspective
- SNMP on Cisco Appliances
- Exploiting SNMP Misconfigurations
- Frisk-0
- Secure your SNMP enabled devices
- Questions
A Long Time Ago…
How it all began…
SNMP ?
- Simple Network Management Protocol
- Monitor and manage devices on the network
  - Routers
  - Switches
  - Bridges
  - Hubs
  - IP phones and cameras
  - Printers
  - Computers
- UDP: 161 / 162
- Manager / Agent
- Concepts
  - MIB – Management Information Base
  - OID – Object Identifier
  - PDU – Protocol Data Unit
- Versions
  - 1 and 2c vs 3
- Community strings
  - Think passwords
  - Read/write
SNMP from a Security Perspective
- Plain-text protocol
- UDP
  - Spoofing
- Get/Set-responses contain community string
- Community Strings
  - Defaults: public, private, admin, snmp, snmpd …
  - Weak Communities: 3 characters !!!
  - Reuse
  - Community schemes
- User awareness
- Information Disclosure
  - Internal IP Addresses
  - Routing Information
  - Running Processes
  - Running Services
  - Installed Software
  - Usernames
  - Hardware
- Compromise
Cisco
Cisco Appliances
- TELNET
- SSH
- HTTP
- SNMP
Brute Forcing Cisco Appliances
- TELNET
  - Often only password required
  - Only three tries – then reconnect
  - Enable password needs to be brute forced as well
- SSH
  - Needs username and password (ssh -1)
  - Only three tries per connection
  - Enable password needs to be brute forced as well
- HTTP(S)
  - Basic Authentication
  - Fastest so far
  - No enable password
- SNMP
  - Almost as fast as we can send UDP packets !
  - Just community string needed !
  - Privileged access to the device !
SNMP on Cisco Appliances
- Remote Configuration through SNMP
  - Setting OIDs
  - Configuration up- and downloads via TFTP
  - Running config vs Startup config
The Vigenère Cipher
- Variation of a Caesar Cipher
- Why such a weak cipher ?
- Obfuscation at best
Exploiting SNMP Misconfigurations
If the RW community is known…
Frisk-0
The Lab Environment
Frisk-0
- “Rogue Management Interface”
- Brute forces community strings
- Downloads Running and Startup configurations
- Extracts and decrypts all passwords and hashes
- Batch mode
  - From targets file
  - Network ranges
- Spoofing capabilities
- “Configlets” (enable TELNET / reset passwords)
- Fully automated and unattended
The GREnd Finale
GRE – Generic Routing Encapsulation
Secure your SNMP enabled devices
- Do you really need SNMP ?
- Do you really need a RW community ?
- Set strong community strings
  - 40+ characters ? Why not!
- Access-lists
  - SNMP
  - TFTP ! (spoofing)
  - UDP
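An added example, not part of the original slides: a small Python audit that checks a Cisco IOS configuration against the points made here and on the "SNMP from a Security Perspective" slide (default communities, short communities, RW communities, communities without an access-list, and Vigenère-obfuscated passwords). The finding names, the `MIN_LENGTH` threshold taken from the "40+ characters" bullet, and the sample configuration are assumptions constructed for illustration; the `snmp-server community` line format and the `password 7` marker come from general IOS syntax, not from the slides.

```python
import re

# Default strings named on the slides; extend with site-specific known values.
DEFAULT_COMMUNITIES = {"public", "private", "admin", "snmp", "snmpd"}
MIN_LENGTH = 40  # assumption: the "40+ characters" suggestion used as a threshold

# IOS form: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?"
    r"(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?$", re.IGNORECASE)
# "password 7 ..." marks a reversibly obfuscated (Vigenere) password
TYPE7_RE = re.compile(r"\bpassword 7 \S+", re.IGNORECASE)

def audit_config(text):
    """Return (line_number, finding) pairs in line order; secrets are never echoed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name = m.group("name")
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community"))
            if len(name) < MIN_LENGTH:
                findings.append((lineno, "short-community"))
            # IOS treats a community with no RO/RW keyword as read-only
            if (m.group("mode") or "ro").lower() == "rw":
                findings.append((lineno, "rw-community"))
            if not m.group("acl"):
                findings.append((lineno, "no-acl"))
        elif TYPE7_RE.search(line):
            findings.append((lineno, "type7-password"))
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname lab-rtr1
enable password 7 00PLACEHOLDER
snmp-server community public RO
snmp-server community s3cr3t RW
snmp-server community Xk7pQ2mVz9LrT4wYb8NcH3jD6sFg1AeU5oRiC0tMnB RO 10
access-list 10 permit host 192.0.2.10
"""

if __name__ == "__main__":
    for lineno, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

An RW community is reported even when it has an access-list, matching the slide's question of whether one is needed at all.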
Questions ?