Remote SNMP queries - Administration

SNMP is a service which can provide an attacker with very detailed information about the target system and its networking environment. Many standard installations provide this service and often it is not disabled or secured. As an added bonus, this is an UDP service, so it will not show up in standard portscans - it is under the radar of many system administrators.

Again we are stalking sample-university.net:

# snmpwalk center2.sample-university.net public
system.sysDescr.0 = OCTET STRING: "Fore Systems ATM Host (AIX 1 000005016600)"
system.sysObjectID.0 = OBJECT IDENTIFIER: enterprises.326.2.1
system.sysUpTime.0 = Timeticks: (0) 0:00:00
system.sysContact.0 = OCTET STRING: ""
system.sysName.0 = OCTET STRING: "center2."
system.sysLocation.0 = OCTET STRING: ""
system.sysServices.0 = INTEGER: 72
interfaces.ifNumber.0 = INTEGER: 7
interfaces.ifTable.ifEntry.ifIndex.1 = INTEGER: 1
interfaces.ifTable.ifEntry.ifIndex.2 = INTEGER: 2
interfaces.ifTable.ifEntry.ifIndex.3 = INTEGER: 3
interfaces.ifTable.ifEntry.ifIndex.4 = INTEGER: 4
interfaces.ifTable.ifEntry.ifIndex.5 = INTEGER: 5
...

We are told the type and patchlevel of the system, we get a list of all interfaces (not shown) and we can even use SNMP to dump the complete routing tables. This is useful to remotely gather information about the topology of the target network and enables us to direct our attacks to the strategically valuable hosts. Together with data taken from the DNS as shown above we will be able to construct a complete network map for the target. If additional management modules are being installed, we get even more important data, such as management information about Oracle, SAP or other remotely controlled subsystems. SNMP is being used in many routers and in RMON network probes, too. If these are not secured properly, we are even able to get traffic measurements from the target.

>>> More Site Administration Articles          >>> More By Kristian Kohntopp

blog comments powered by Disqus