Webserver Security (Part I) - Remote SNMP queries (
Page 6 of 6 )
SNMP is a service which can
provide an attacker with very detailed information about the target system and
its networking environment. Many standard installations provide this service and
often it is not disabled or secured. As an added bonus, this is an UDP service,
so it will not show up in standard portscans - it is under the radar of many
system administrators.
Again we are stalking sample-university.net:
# snmpwalk center2.sample-university.net public
system.sysDescr.0 = OCTET STRING: "Fore Systems ATM Host (AIX 1 000005016600)"
system.sysObjectID.0 = OBJECT IDENTIFIER: enterprises.326.2.1
system.sysUpTime.0 = Timeticks: (0) 0:00:00
system.sysContact.0 = OCTET STRING: ""
system.sysName.0 = OCTET STRING: "center2."
system.sysLocation.0 = OCTET STRING: ""
system.sysServices.0 = INTEGER: 72
interfaces.ifNumber.0 = INTEGER: 7
interfaces.ifTable.ifEntry.ifIndex.1 = INTEGER: 1
interfaces.ifTable.ifEntry.ifIndex.2 = INTEGER: 2
interfaces.ifTable.ifEntry.ifIndex.3 = INTEGER: 3
interfaces.ifTable.ifEntry.ifIndex.4 = INTEGER: 4
interfaces.ifTable.ifEntry.ifIndex.5 = INTEGER: 5
...
We are told the type and patchlevel of the system, we get a list of all
interfaces (not shown) and we can even use SNMP to dump the complete routing
tables. This is useful to remotely gather information about the topology of the
target network and enables us to direct our attacks to the strategically
valuable hosts. Together with data taken from the DNS as shown above we will be
able to construct a complete network map for the target. If additional
management modules are being installed, we get even more important data, such as
management information about Oracle, SAP or other remotely controlled
subsystems. SNMP is being used in many routers and in RMON network probes, too.
If these are not secured properly, we are even able to get traffic measurements
from the target.
