Legal & Security Issues
SNMP – Simple Network Management Protocol
NAME:_________________
DATE:_________________
What is SNMP?
SNMP, the Simple Network Management Protocol, is used to query networked devices and collect statistics about each one. It is commonly found on printers, and also on many popular consumer routers and other networking devices. If it is not implemented carefully in a network design, SNMP is a major security risk, because it exposes detailed information about your network's inner workings.
SNMP (v1 and v2c) gates access to the device's management database with a community string, a password-like token sent along with every request. Most SNMP-enabled devices ship, by default, with a publicly readable community named 'public', and many also ship a read-write community (commonly 'private' or 'write') which, depending on version and implementation, lets the requester change settings rather than just read them! Additional communities exposing custom statistics can be defined, but by default most SNMP devices just create the public one. Some of the commonly used names for custom communities are
Internal
Private
Nat
Lan
Vlan
SNMP defines a client/server relationship. The client program (called the network manager) sends requests (there is no true connection, since the transport is UDP) to a server program (called the SNMP agent) which executes on a remote network device and serves information to the manager regarding the device's status. The database controlled by the SNMP agent is referred to as the SNMP Management Information Base (MIB), and is a standard set of statistical and control values. SNMP additionally allows the extension of these standard values with values specific to a particular agent through the use of private (vendor) MIBs.
Over the years, SNMP has gone through several major versions, such as:
SNMPv1 – (RFC 1155-1157). Usable, but it had some major problems that were fixed in later versions. The only security found in v1 is the community string, and it is passed in clear text, so anyone who can sniff the traffic has the 'password'! Sadly, if you were to do a scan of ITT Tech's network, SNMPv1 can be found on some devices. Just do a quick scan of 10.10.37.x and you will find them.
SNMPv2 – (RFC 1441-1452). Introduced a refined MIB structure (SMIv2), new packet types (GetBulk and Inform) and a party-based security model in which MD5 hashing finally provided some authentication. V2 was being implemented in all sorts of devices, but the competing security proposals never converged on one standard that vendors would all implement, so what actually shipped was mostly 'community-based' SNMPv2c (RFC 1901-1908), which keeps the clear-text community string of v1 and therefore gains none of the security.
SNMPv3 – (RFC 2571-2575, later updated by RFC 3411-3418). A standardized security framework: the User-based Security Model adds per-user authentication (HMAC-MD5 or HMAC-SHA) and optional encryption of the PDU, fixing most of the bugs of the previous versions. Oddly, it is still not widely implemented, for all that it is the standard. :)
Back in February 2002, vulnerabilities found by the Oulu University Secure Programming Group (OUSPG, with its PROTOS test suite) were published in many different SNMP implementations. They could cause anything from a crash of the agent (if your PDC or other vital network component happens to be running SNMP, that would be bad) to a full-blown root compromise! CERT/CC published advisory CA-2002-03 (http://www.cert.org/advisories/CA-2002-03.html) in February 2002. The most common and fatal vulnerabilities were in the widely deployed UCD-SNMP agent, since renamed Net-SNMP. Anyone running a UNIX/Linux box with this software installed should check the installed version against the advisory and update to the newest version, or remove the software completely unless it is needed.
The Big Problem
The big problem is that most SNMP-enabled devices are using v1 (or v2c), which is highly insecure. SNMP uses UDP: port 161 for requests to the agent, port 162 for traps sent to the manager. On top of SNMPv1 being insecure, UDP is an inherently problematic protocol to secure because it is connectionless: there is no handshake, so the agent has no way to verify that a request really came from the source address written in the packet. Someone who knows (or guesses) the community string can forge a request carrying the source address of a trusted management station, and an 'only allow SNMP from host X' filter will wave it through; the reply is then routed to whichever host was specified as the source, so the agent can also be made to bounce its answer at an unintended target without anyone knowing.
The biggest threat that SNMP poses to your network is that it is a large store of information that a hacker would otherwise have to spend months collecting in order to get into and out of a network without getting caught. Things like static routes, the location and type of routers and switches your LAN is using, MAC addresses, DNS and DHCP servers, PDCs, BDCs, the OS running on each workstation, the number of workstations, etc. If you can think of a network-related function or device, SNMP has a way to store and query the data.
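What the clear-text community string of v1/v2c looks like on the wire, as an added example that is not part of the original worksheet: the code below builds the GetRequest a manager sends for sysDescr.0 with community 'public', then parses datagrams the way a passive sniffer would, pulling out the version and the community string without knowing anything in advance. It uses only the Python standard library and never touches the network; the sample capture and its 10.10.37.x host addresses are constructed for the example, and the v3 message in it is only a header skeleton (enough to show that v3 carries no community string at all).

```python
"""SNMPv1/v2c on the wire: build a GetRequest, then read it back like a sniffer.

Added example for this worksheet, not code from the original page. Standard
library only; every datagram is constructed inline, nothing touches the network.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # sysDescr.0 from the standard MIB-II

# BER tags used by SNMP (ASN.1 universal tags plus SNMP's context-specific PDU tags)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}   # value of the leading msgVersion INTEGER


def ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_integer(value: int) -> bytes:
    """Minimal-length two's-complement INTEGER, as BER requires."""
    return tlv(TAG_INTEGER, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one byte, later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1, version: int = 0) -> bytes:
    """GetRequest for one OID. version 0 = SNMPv1, 1 = SNMPv2c; both carry the community in clear."""
    varbind = tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(TAG_GET_REQUEST, encode_integer(request_id) + encode_integer(0) + encode_integer(0)
              + tlv(TAG_SEQUENCE, varbind))            # request-id, error-status, error-index, varbinds
    return tlv(TAG_SEQUENCE, encode_integer(version) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, payload, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_snmp(datagram: bytes) -> dict:
    """What a passive observer learns from one SNMP datagram (the UDP payload)."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver_bytes, pos = _read_tlv(msg, 0)
    version = int.from_bytes(ver_bytes, "big", signed=True)
    if version == 3:
        # v3 follows msgVersion with msgGlobalData and USM security parameters; there is no community
        return {"version": "v3", "community": None, "pdu": None}
    _, community, pos = _read_tlv(msg, pos)              # v1/v2c: the community string sits here in clear text
    pdu_tag, _, _ = _read_tlv(msg, pos)
    pdu_name = {TAG_GET_REQUEST: "GetRequest", TAG_GET_RESPONSE: "GetResponse"}.get(pdu_tag, hex(pdu_tag))
    return {"version": VERSION_NAMES.get(version, f"unknown({version})"),
            "community": community.decode("latin-1"), "pdu": pdu_name}


def tally_capture(datagrams: list) -> dict:
    """Version counts and (host, community) pairs from a capture, as questions 2 and 3 ask."""
    counts = {"v1": 0, "v2c": 0, "v3": 0}
    communities = set()
    for host, dgram in datagrams:
        info = sniff_snmp(dgram)
        counts[info["version"]] = counts.get(info["version"], 0) + 1
        if info["community"] is not None:
            communities.add((host, info["community"]))
    return {"counts": counts, "communities": sorted(communities)}


def constructed_capture() -> list:
    """Made-up capture (hosts are fictitious): three v1/v2c requests plus a v3 header skeleton."""
    v3_global = tlv(TAG_SEQUENCE, encode_integer(1) + encode_integer(65507)
                    + tlv(TAG_OCTET_STRING, b"\x04") + encode_integer(3))   # msgID, msgMaxSize, msgFlags, USM
    v3_msg = tlv(TAG_SEQUENCE, encode_integer(3) + v3_global + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_SEQUENCE, b""))
    return [("10.10.37.10", build_get_request("public", SYS_DESCR_0)),
            ("10.10.37.11", build_get_request("private", SYS_DESCR_0, request_id=2)),
            ("10.10.37.12", build_get_request("Vlan", SYS_DESCR_0, request_id=3, version=1)),
            ("10.10.37.13", v3_msg)]


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0)
    print(pkt.hex())                    # the community 'public' is readable straight out of the bytes
    print(sniff_snmp(pkt))
    print(tally_capture(constructed_capture()))
```

In the lab the datagrams would come from a real capture (for example tcpdump on UDP port 161) rather than from constructed_capture(); the parser does not care, since it only reads the leading version INTEGER and, for v1/v2c, the OCTET STRING that follows it. That is exactly the point of the version list above: nothing in a v1 or v2c message protects the community, so whoever sees the packet has the 'password'.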
Questions
1) Scan the 10.10.37.x network to find which devices are currently running SNMP. List the hosts found using SNMP.
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
2) Of the hosts found, how many are using SNMPv1? v2? v3?
# of SNMP V1 ___
# of SNMP v2 ___
# of SNMP v3 ___
3) List the community strings found on each device and the IP of the machine.
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
4) What types of networked devices found on the 10.10.37.x network are using SNMP?
____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________
References
http://www.faqs.org/faqs/snmp-faq/part1/
^SNMP FAQ
http://www.cert.org/advisories/CA-2002-03.html
^CERT/CC Advisory CA-2002-03, Multiple Vulnerabilities in Many Implementations of SNMP
Hacking Linux Exposed 2nd Edition
B. Hatch, J. Lee
McGraw-Hill Publishing