Thursday, September 24, 2015

SNMP Enumeration

Discuss/describe the port scanning and/or enumeration techniques (attacks) not covered in Module 2.

How can the attacks you have described be detected and prevented?

Enhance and elaborate on the port scanning and/or enumeration techniques (attacks) covered in Module 2.

Share any additional thoughts you may have on them and explain how they can be detected and/or prevented.

A legacy protocol for performing network management, dating back to RFC 1067 from 1988, is Simple Network Management Protocol. (Case, Fedor, Schoffstall, Davin, 1988) Because the goals of this protocol was to be low in cost to develop the management software, be remotely accessible, impose few restrictions on the form of management tools, and be simply understood by developers, SNMP does succeed in being simple. (Case, Fedor, Schoffstall, Davin, 1990) This caused SNMP to become highly utilized for its ease of use for network management of "routers, switches, hubs, prints, workstations, and servers." (Jiang, 2002, p2)

SNMP network agents receive communication and commands from the management tool over UDP 161, and answer asynchronous traps on UDP 162.(Jiang, 2002) Thus, these devices can be detected through Module 2 scanning for UDP; Agents on port 161 and management devices on port 162. Once the device is located, vulnerabilities in the protocol and device implementation can be leveraged to perform the next layer of enumeration and potential attacks. As SNMP is layered on UDP, agents and management systems have to accept requests or traps without the protection of previously established or authenticated sessions.(Jiang, 2002) There is a single shared secret, the SNMP community name, which identifies both that the request is valid and what the access mode of it is, read-only or read-write. (Case et al., 1990) Unfortunately, a significant number of devices default to having "public" as a read-only community and "private" as a read-write community, which opens these devices up for remote management by any scanner.(Jiang, 2002)

SNMP Enumeration

Once a listening UDP 161 port is discovered on a network and the public community is in use, then attackers are able to extract information about network resources and network configuration information. (EC-Council, 2011) Potential types of resources that can be enumerated are devices, hosts, shares, and servers.(EC-Council, 2011) Network configuration information such as tables like ARP and routing information, statistics about traffic, or specialized device information.(EC-Council, 2011) Since some devices respond to broadcast packets this enumeration can even occur without the UDP discovery as an attacker can just send out a public request on the network broadcast address and have the vulnerable devices answer back. (Jiang, 2002)

SNMP Protection Solutions

Jiang recommends using firewalls and routers to block UDP 161 and 162 traffic, inbound and outbound, to prevent SNMP enumeration or exploitation from outside of the network. (2002) Doing so will complicate legitimate remote use, but that can be mitigated by VPNing into the network first and then performing your management through the tunnel.

Network administrators should use tools such as the SANS developed SNMPing to discover the SNMP machines that they didn't know were on their network. (Jiang, 2002) Other useful tools include OpUtils, SNScan from McAfee, and Spiceworks. (EC-Council, 2011) Nobody wants to have their network pwnd because the new printer they bought lets a hacker in via the public and private communities.

Case, J., Fedor, M., Schoffstall, M., Davin, J. (1988, August). A Simple Network Management Protocol. Network Working Group. Retrieved from

Case, J., Fedor, M., Schoffstall, M., Davin, J. (1990, August). A Simple Network Management Protocol (SNMP). Network Working Group. Retrieved from

EC-Council. (2011). Ethical Hacking and Countermeasures v8.

Jiang, G. (2002). Multiple vulnerabilities in SNMP. Computer, 35(4), 2-4.

1 comment:

  1. Is software like total network inventory and similar one helps you to prevent attacks on M2?