SNMP Enumeration and Countermeasures
Why Do Attackers Enumerate SNMP?
…to extract information about network resources such as hosts, routers, devices, and shares, and network information such as ARP tables, routing tables, device-specific information, and traffic statistics.
What is SNMP?
The Simple Network Management Protocol (SNMP) is an application-layer protocol that runs over UDP. SNMP uses two components for communication: the SNMP agent and the SNMP management station.
(Note: an SNMP management station may also be referred to as a Network Management Station, or NMS.)
Nearly all network infrastructure, such as routers, switches, firewalls, and wireless access points, contains an SNMP agent.
Requests meant for an SNMP-enabled device are first sent to the SNMP management station, which then communicates with the device's SNMP agent. In turn, the SNMP agent stores information about the device's status and relays it to the SNMP management station. Security and network engineers use traps to collect information about network devices; the SNMP agent can also be configured to send specific log events to the SNMP management station, such as an alert when CPU usage exceeds a limit for a certain period of time.
SNMP Trap Collection and Monitoring
Traps sent by the SNMP agent inform the SNMP management station that something has happened on the agent side, such as a reboot, an interface failure, or any other abnormal event. SNMP trap monitoring provides a way to gather information about networking equipment and helps ensure that it is running smoothly. Many network monitoring tools rely on SNMP logs to gain visibility into network infrastructure. Overall, it is important that SNMP trap logs from the many network devices are automatically fed into a centralized receiver. This can be accomplished with SIEM integration, and it ensures that selected recipients are quickly informed about detected events, thereby reducing reaction times. SNMP is not vendor specific, and SNMP traps can be integrated with any receiver.
Note: a few popular SIEM and SNMP trap receivers are Splunk, SolarWinds, and IBM QRadar.
SNMP Enumeration Using Metasploit
SNMP sweeps often reveal a great deal of information about a specific system and can even lead to its compromise. Metasploit has a built-in auxiliary module specifically for sweeping SNMP devices.
Metasploit Scanner SNMP Auxiliary Modules
Expanding on SNMP
SNMP uses two passwords, known as community strings, for configuring and accessing the SNMP agent from the management station. The two SNMP community strings are:
- Read community string: the configuration of the device or system can be viewed with this password. The default value of this string is "public".
- Read/write community string: the configuration of the device can be changed or edited with this password. The default value of this string is "private".
When administrators leave the community strings at their default settings, an attacker can use these default community strings (passwords) to view or change the configuration of the device or system.
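To show why a default community string is all an enumerator needs, and why the later countermeasure of moving to an SNMP version that encrypts messages matters, here is an added example (not code from the original article) that parses the header of an SNMPv1/v2c datagram and raises the findings a network monitor would want: the community string is readable in cleartext, and it can be compared against the defaults the article names. The sample packet bytes and the `DEFAULT_COMMUNITIES` set are constructed for this example.

```python
# Added example (not from the original article): parse the leading BER TLVs of an
# SNMP message, SEQUENCE { version INTEGER, community OCTET STRING, PDU }.
from typing import Tuple

DEFAULT_COMMUNITIES = {"public", "private"}  # the two defaults the article names

# Constructed sample: an SNMPv2c GetRequest for sysDescr.0 using community "public".
SAMPLE_V2C_GET = bytes.fromhex(
    "3026" "020101"                      # SEQUENCE (38 bytes); version INTEGER = 1 (SNMPv2c)
    "0406" "7075626c6963"                # OCTET STRING "public": sent in cleartext
    "a019" "020100" "020100" "020100"    # GetRequest-PDU (25 bytes): request-id, error-status, error-index
    "300e" "300c" "0608" "2b06010201010100" "0500"  # VarBindList > VarBind > OID sysDescr.0, NULL
)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(msg: bytes) -> dict:
    """Extract version, community and PDU type; SNMPv3 carries no community string."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing: not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")  # 0 = v1, 1 = v2c, 3 = v3
    if version == 3:
        return {"version": 3, "community": None, "pdu_tag": None}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": version, "community": community.decode("latin-1"), "pdu_tag": pdu_tag}

def assess(msg: bytes) -> list:
    """Findings a network monitor would raise for one captured SNMP datagram."""
    hdr, findings = parse_snmp_header(msg), []
    if hdr["version"] in (0, 1):
        findings.append("cleartext community string (SNMPv%s)" % ("1" if hdr["version"] == 0 else "2c"))
        if hdr["community"] in DEFAULT_COMMUNITIES:
            findings.append("default community string %r in use" % hdr["community"])
        if hdr["pdu_tag"] == 0xA3:       # SetRequest-PDU: a read/write community is in play
            findings.append("SetRequest seen: read/write community in use")
    return findings
```

Feeding `assess` the UDP payloads captured on port 161 gives a quick inventory of which devices still answer to v1/v2c and default strings; an SNMPv3 message yields no findings because its header carries no community string at all.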
The SNMP Enumeration (the Exploit)
The Ingredients:
- Kali Linux
- Nmap
- snmp_login
- Metasploit
- snmp_enum
The Recipe:
Successfully Extracted Information:
Countermeasures
SNMP Enumeration Countermeasures
- Remove the SNMP agent or turn off the SNMP service. If shutting off SNMP is not an option, change the default community string names.
- Upgrade to an SNMP version that encrypts passwords and messages.
- Implement the Group Policy security option called "Additional restrictions for anonymous connections".
- Ensure that access to null session pipes and null session shares is restricted, and use IPsec filtering.
- Block access to TCP/UDP port 161.
- In Windows, do not install the management and monitoring component unless it is required (use more effective methods, e.g. a SIEM).
- Encrypt or authenticate SNMP traffic using IPsec.