SNMP - is it just a question of changing default password?

resilient (Member, Posts: 14)
I keep hearing and reading that if SNMP is left with the defaults then machines (and data) can easily be pwned. The question I have is: is that really the only issue? If the password strings are changed then all is well, right?

Comments

  • beads (Senior Member, Posts: 1,511)
    Limiting who you accept SNMP requests from, to certain IPs if not certain machines, would be a good start, wouldn't it? I mean, what does Joe's guest machine on the guest network need to scan for SNMP for in the first place, and why? Limit access to that or those very few machines that collect SNMP traffic only and most of the problem goes away.

    - b/eads
  • nebula105 (Member, Posts: 60)
    resilient wrote: »
    I keep hearing and reading that if SNMP is left with the defaults then machines (and data) can easily be pwned. The question I have is: is that really the only issue? If the password strings are changed then all is well, right?

    I believe what you're talking about is SNMP v1 and SNMP v2c.


    Changing the default string in SNMP v1

    By changing the default strings, sure; it might stop a regular IT/Security administrator who might not bother guessing the changed string.

    But that doesn't stop a persistent attacker from downloading a dictionary and loading up Hydra or any other related password brute forcing tool to brute force their way through.

    That also doesn't stop someone from sniffing the network and obtaining the cleartext SNMP traffic.


    Changing the default string, and limiting certain IPs via SNMP v2c

    Similarly for SNMP v2c, you could change the string and limit specific IP addresses to poll your device.

    It's more difficult to poll your device now.

    But that still doesn't stop a persistent attacker from sniffing the traffic and obtaining the IP address and SNMP community string in cleartext.

    That also doesn't stop a persistent attacker from brute forcing the community string (after spoofing the IP address).


    That's why SNMPv3 came about, with encryption, a username and password.

    If you want to know why SNMP is an extremely useful enumeration tool for attackers, simply enable SNMP on your Windows machine without changing any settings.

    Then log in to Kali, launch a shell and type "snmp-check x.x.x.x", where x.x.x.x is your Windows machine with SNMP enabled.

    Look at the results and feel the goosebumps.


    Problems with Disabling SNMP and Printers

    Also, please consider the problems of disabling SNMP, especially on printers and copiers.

    If you have a company laptop with a business-grade printer installed on a Windows PC:

    Launch Devices and Printers > right click a printer > Printer Properties > Ports > click on the active port > click Configure Port

    What do we have here? SNMP settings!

    Disabling SNMP on the printer will immediately cause every single PC to stop connecting to the printer, because PCs poll printers via SNMP to see if they're alive. You would have to disable these SNMP settings on all connected PCs, before disabling SNMP on the printers.

    Now think of the number of printers and PCs an organization might have, and the amount of effort goes exponential :)


    Why not just leave SNMP running then since it's a pain to disable?

    Why lock the door but leave the windows unlocked?

    See, think of it as an attacker.

    My perception is that IT Security personnel are trained to look out for large amounts of ping scans to identify a malicious host that's attempting to footprint a network.

    But some of these personnel may not be trained in identifying or configuring their tools for checking SNMP polls. Some of them might not even know about the dangers of SNMP and leave it alone; unsure, thinking that it's legitimate traffic going to a management tool.

    Also, PCs and printers are usually on one subnet, while servers, firewalls and network devices are on another subnet.

    If you're scanning a network via SNMP and find printers on 10.10.x.x, and 10.12.x.x, you can safely assume those are user subnets.

    But what does this mean for 10.11.x.x? It's more likely that you'll find servers and access to networking devices in 10.11.x.x.


    Hope this helps :)
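The two weaknesses nebula105 describes for v1/v2c (the community string travels in cleartext, so it can be sniffed, and it can be guessed by a persistent source) can both be checked for from the defender's side. The following is an added example, not code from the post or from any tool it mentions: it decodes just enough BER to pull the version and community out of an SNMP datagram, then audits a batch of requests against an allowlist of pollers and flags a source that cycles through several community strings. The datagrams, addresses, allowlist (10.11.0.10, on the post's hypothetical server subnet) and the guess threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Minimal BER helpers, enough for the SNMP message header. Short-form lengths
# cover every sample built here; long-form lengths are handled when reading.
def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_v1_get(community: str, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes.fromhex("2b06010201010100")
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _tlv(0x02, bytes([request_id]))     # request-id
               + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")  # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x00")                # version 0 = SNMPv1
                + _tlv(0x04, community.encode()) + pdu)   # community, in the clear

def build_v3_header() -> bytes:
    """Constructed SNMPv3 message: version, msgGlobalData, empty security
    parameters; the scoped PDU is omitted since only the header is parsed."""
    global_data = _tlv(0x30, _tlv(0x02, b"\x01")         # msgID
                       + _tlv(0x02, b"\x05\xdc")          # msgMaxSize 1500
                       + _tlv(0x04, b"\x04")              # msgFlags: reportable
                       + _tlv(0x02, b"\x03"))             # msgSecurityModel: USM
    return _tlv(0x30, _tlv(0x02, b"\x03") + global_data + _tlv(0x04, b""))

def parse_snmp_header(datagram: bytes) -> dict:
    """Return the version and, for v1/v2c, the community string as it sits on the wire."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    tag, second, _ = _read_tlv(body, pos)
    # v1/v2c carry an OCTET STRING community here; v3 carries msgGlobalData instead.
    community = second.decode("latin-1") if version in ("v1", "v2c") and tag == 0x04 else None
    return {"version": version, "community": community}

def audit_snmp_requests(records, allowed_pollers, guess_threshold=3):
    """records: (src_ip, dst_ip, datagram) tuples. Returns (src_ip, kind) pairs,
    one per source and kind: outside-allowlist, cleartext-community, community-guessing."""
    allowed = [ipaddress.ip_network(n) for n in allowed_pollers]
    tried = defaultdict(set)
    findings, seen = [], set()

    def note(src, kind):
        if (src, kind) not in seen:
            seen.add((src, kind))
            findings.append((src, kind))

    for src, _dst, datagram in records:
        hdr = parse_snmp_header(datagram)
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            note(src, "outside-allowlist")
        if hdr["community"] is not None:
            note(src, "cleartext-community")       # sniffable, even from a legitimate poller
            tried[src].add(hdr["community"])
    for src, communities in tried.items():
        if len(communities) >= guess_threshold:    # one source trying many strings
            note(src, "community-guessing")
    return findings

# Constructed sample traffic: a sanctioned poller (v1 and v3) and a guest-subnet
# host walking through common community strings against a server-subnet device.
ALLOWED_POLLERS = ["10.11.0.10/32"]
SAMPLE_RECORDS = [
    ("10.11.0.10", "10.11.0.5", build_v1_get("public")),
    ("10.11.0.10", "10.11.0.5", build_v3_header()),
    ("10.10.4.7", "10.11.0.5", build_v1_get("public")),
    ("10.10.4.7", "10.11.0.5", build_v1_get("private")),
    ("10.10.4.7", "10.11.0.5", build_v1_get("manager")),
    ("10.10.4.7", "10.11.0.5", build_v1_get("admin")),
]

if __name__ == "__main__":
    for src, kind in audit_snmp_requests(SAMPLE_RECORDS, ALLOWED_POLLERS):
        print(f"{src:<12} {kind}")
```

Feeding real traffic in means extracting the UDP/161 payload from a capture; the point the decoder makes is that nothing in a v1/v2c header hides the community, while the v3 header exposes only message metadata. The per-source "many distinct communities" rule is the cheap signal for the dictionary attack the post describes, and the allowlist rule is the control beads suggested, applied at the monitoring layer rather than only at the agent.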
  • Ertaz (Member, Posts: 934)
    Great write-up. It's also an additional justification for a centralized print server, from not only an ease-of-management point of view but from a security and access one as well.
  • JDMurray (Admin; MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+; Surf City, USA; Posts: 11,954)
    It's worth noting that SNMP community strings are often mistakenly described as passwords. Community strings are used to define administrative boundaries for SNMP-managed devices. They are analogous to domain and workgroup names in Windows. SNMPv1 uses no passwords, while SNMPv2 and SNMPv3 do.
  • Verities (Member, Posts: 1,162)
    I'll lump Linux into the discussion: if you keep the default configuration of SNMP on a RHEL/CentOS system (can't speak to other distros), it is susceptible to public views, which means SNMP walks can be performed by anyone. Limiting the community string as JD said would be step 1, while step 2 would be configuring SNMPv3 with username/password with AES encryption, and step 3 adding only authorized hosts to /etc/hosts.allow. With those three configuration settings you would have the most ideal setup for SNMP monitoring for a Linux-based host.
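Verities' three steps map onto concrete net-snmp directives: `rocommunity`/`rwcommunity` lines (community plus optional source restriction), `createUser` (auth protocol, auth passphrase, privacy protocol, privacy passphrase) with a matching `rouser ... priv`, and a `snmpd :` entry in /etc/hosts.allow. The following is an added example, not configuration or code from the post: a small auditor that reads an snmpd.conf and a hosts.allow and reports the settings that leave the weak state described in the thread. Both sample configurations are constructed for the example, the passphrases are placeholders, and the traditional `com2sec`/`group`/`access` form of snmpd.conf is not parsed.

```python
import re

# Constructed sample snmpd.conf fragments (not from the post). Passphrases are placeholders.
WEAK_SNMPD_CONF = """\
# default community strings, reachable from any source, one of them read-write
rocommunity public
rwcommunity private
# v3 user with MD5 auth and no privacy protocol, permitted at the 'auth' level
createUser monitor MD5 Auth-Passphrase-CHANGE-ME
rouser monitor
"""

HARDENED_SNMPD_CONF = """\
agentaddress udp:10.11.0.5:161
createUser monitor SHA Auth-Passphrase-CHANGE-ME AES Priv-Passphrase-CHANGE-ME
rouser monitor priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}

def _directives(text: str):
    """Yield tokenised, comment-stripped, non-empty lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def audit_snmpd_conf(text: str) -> list:
    """Return human-readable findings for community and USM settings in an snmpd.conf."""
    findings = []
    for tok in _directives(text):
        d = tok[0].lower()
        if d in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and len(tok) > 1:
            community = tok[1]
            source = tok[2] if len(tok) > 2 else None       # optional SOURCE restriction
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"{d}: default community string '{community}'")
            if source in (None, "default"):
                findings.append(f"{d}: community '{community}' accepted from any source")
            if d.startswith("rw"):
                findings.append(f"{d}: write access granted over v1/v2c")
        elif d == "createuser":
            args = tok[1:]
            if args and args[0] == "-e":                     # skip an explicit engine ID
                args = args[2:]
            user = args[0] if args else "?"
            auth = args[1].upper() if len(args) > 1 else None
            priv = args[3].upper() if len(args) > 3 else None
            if auth == "MD5":
                findings.append(f"createUser {user}: MD5 authentication")
            if priv is None:
                findings.append(f"createUser {user}: no privacy protocol (requests unencrypted)")
            elif priv == "DES":
                findings.append(f"createUser {user}: DES privacy")
        elif d in ("rouser", "rwuser") and len(tok) > 1:
            level = tok[2].lower() if len(tok) > 2 else "auth"   # net-snmp's default level
            if level != "priv":
                findings.append(f"{d} {tok[1]}: allowed at '{level}' level, without encryption")
    return findings

def audit_hosts_allow(text: str) -> list:
    """Check tcp_wrappers 'daemon_list : client_list [: option]' lines that cover snmpd."""
    findings, covers_snmpd = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = {x.strip().lower() for x in fields[0].split(",")}
        if "snmpd" not in daemons and "all" not in daemons:
            continue
        covers_snmpd = True
        clients = {x.upper() for x in re.split(r"[,\s]+", fields[1])} if len(fields) > 1 else {"ALL"}
        if "ALL" in clients:
            findings.append(f"hosts.allow: '{line}' admits every client")
    if not covers_snmpd:
        findings.append("hosts.allow: no snmpd entry (pollers not restricted here)")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(f"== {label} snmpd.conf ==")
        for finding in audit_snmpd_conf(conf) or ["no findings"]:
            print("  " + finding)
    print("== hosts.allow ==")
    for finding in audit_hosts_allow("snmpd : ALL\n") + audit_hosts_allow("snmpd : 10.11.0.10 : allow\n"):
        print("  " + finding)
```

Two practical notes for step 2 and step 3: snmpd rewrites a `createUser` line into a hashed `usmUser` entry in its persistent configuration on restart, so the cleartext passphrase only needs to exist until the first start (the `net-snmp-create-v3-user` helper does the same thing), and tcp_wrappers, and with it /etc/hosts.allow, was removed in RHEL 8, so on newer releases the host restriction belongs in the firewall or in `agentaddress`.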