A useful mechanism for enumerating a target system is the Simple Network Management Protocol (SNMP). This protocol is in place to assist in the management of devices such as routers, switches, printers and most other networked devices. It allows for gaining a wealth of information about the target device, such as IP addresses, hostnames, memory usage, running processes and almost anything else. Recent versions also include a feature that allows a network administrator to change and update settings on a target device.
SNMP is an application layer protocol that functions using UDP and it works across platforms, meaning it can be accessed on most modern operating systems including Microsoft Windows, Linux, Unix and most firmware running in special devices. This includes firmware in routers, switches, printers etc.
Currently three versions of SNMP exist:
SNMPv1
This version of the protocol was introduced as a standardized way of managing network devices. While it accomplished many tasks such as introducing a standardized protocol, it had some shortcomings that were addressed in later versions. One shortcoming of this version is the complete lack of security.
SNMPv2c
This version introduced new features but is still backwards compatible with SNMPv1. Like SNMPv1, it lacks authentication, privacy, authorization and access control, and remote configuration and administration capabilities.
SNMPv3
This version of SNMP is the most commonly used and has an increased focus on security. Authentication ensures that SNMP traps are read only by the intended recipients, and encryption of the SNMP message payload ensures that it cannot be read by unauthorized parties. SNMPv3 was developed to address the deficiencies related to security and administration.
SNMP enumeration, for the ethical hacker, consists of leveraging the weaknesses in the protocol to reveal user accounts and other information on any target running SNMP. The process on an SNMP-capable device is called the SNMP Agent and the querying software is the SNMP Management Station. All the information on the SNMP Agent is located in the Management Information Base (MIB).
The Management Information Base (MIB)
The MIB is a database that contains the information about the device that is running the SNMP agent. It is a collection of hierarchically organized information and provides a standard representation of the SNMP Agent's state and configuration. MIB elements are identified using object identifiers (OIDs). An OID is the numeric name given to the object; it begins at the root of the MIB tree and uniquely identifies the object within the MIB hierarchy. MIB-managed objects include scalar objects, which define a single object instance, and tabular objects, which define groups of related object instances.
The object identifiers include the object's type, such as counter, string, or address; access level such as read or read/write; size restrictions; and range information. The MIB is used as a lookup table by the SNMP Manager for converting the OID numbers into human-readable output.
The SNMP protocol uses two passwords called Community Strings: one to read information from the agent and one that allows for both reading and writing.
Read Community String
- Configuration of the device or system can be viewed with the use of this password
- The default value of this string is typically "public"
Read/write Community String
- Configuration of the device or system can be changed using this password
- The default value of this string is typically "private"
Although these strings can be changed, they are sometimes left at the defaults. Attackers might discover this and take the opportunity to leverage this mistake. An attacker can use the default passwords for changing or viewing information for a device or system.
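As an added example (not code from the original article), the following Python builds an SNMPv1/v2c request in BER the way a management station would, then parses the header back out the way a passive network monitor could. It shows why the default community strings discussed above are a risk: in SNMPv1 and SNMPv2c the string sits in the packet in cleartext, so a monitor can flag any request that still uses "public" or "private", or any write (SetRequest). The sample OID, the default-string list and the finding messages are assumptions for illustration.

```python
# Added example, not the article's code: BER-encode an SNMPv1/v2c request and parse its header back.
SNMP_VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
DEFAULT_COMMUNITIES = {"public", "private"}   # assumed defaults a monitor should flag
def _tlv(tag, payload):
    assert len(payload) < 128          # BER short-form length is enough for these messages
    return bytes([tag, len(payload)]) + payload
def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = [40 * arcs[0] + arcs[1]]            # first two arcs share one byte
    for arc in arcs[2:]:                       # other arcs: base-128, high bit = continuation
        groups = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            groups.append((arc & 0x7F) | 0x80)
        body += reversed(groups)
    return _tlv(0x06, bytes(body))

def build_request(community, oid, pdu_tag=0xA0, version=0, request_id=1):
    """Message = SEQUENCE { version INTEGER, community OCTET STRING, PDU }; request_id < 128."""
    varbinds = _tlv(0x30, _tlv(0x30, _encode_oid(oid) + b"\x05\x00"))  # one OID with a NULL value
    # PDU = request-id, error-status 0, error-index 0, varbind list
    pdu = _tlv(pdu_tag, _tlv(0x02, bytes([request_id])) + b"\x02\x01\x00\x02\x01\x00" + varbinds)
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, buf[start:start + length], start + length

def parse_snmp_header(packet):
    tag, msg, _ = _read_tlv(packet, 0)
    assert tag == 0x30, "not an SNMP message"
    _, ver, pos = _read_tlv(msg, 0)          # INTEGER version
    _, community, pos = _read_tlv(msg, pos)  # OCTET STRING community, readable as-is in v1/v2c
    pdu_tag, _, _ = _read_tlv(msg, pos)      # context-specific tag identifies the PDU type
    version = int.from_bytes(ver, "big")
    return {"version": SNMP_VERSIONS.get(version, f"unknown({version})"),
            "community": community.decode(errors="replace"), "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}

def audit(packet):
    """Return the parsed header plus the findings a monitor would raise for it."""
    hdr = parse_snmp_header(packet)
    checks = [(hdr["version"] in ("SNMPv1", "SNMPv2c"), "community string sent in cleartext"),
              (hdr["community"] in DEFAULT_COMMUNITIES, "default community string " + hdr["community"]),
              (hdr["pdu"] == "SetRequest", "write operation (SetRequest)")]
    return hdr, [msg for hit, msg in checks if hit]
```

Running audit(build_request("public", "1.3.6.1.2.1.1.1.0")) on the constructed sysDescr.0 request reports SNMPv1, community "public" and both the cleartext and default-string findings.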
A wealth of information can be obtained from the MIB using SNMP, including the following:
- File shares
- ARP tables
- Routing tables
- Device-specific information
- Traffic statistics