Some sysadmins are leaving their networks open to hacking attack by allowing Simple Network Management Protocol (SNMP) configurations to be read across the internet. Using SNMP scans, a range of devices including Windows servers, BT Voyager 2000 routers, and HP JetDirect printers might be prompted to cough up username …
Gotta love that SNMP!
Hey, didn't we already do this back in about 2001? Yeh, we did. Gotta love the internet's collective lack of anything resembling memory or the ability to learn from past mistakes!
Still, on the plus side, wideopen SNMP does let you get your hands on (the equivalent of) netstat output from the target system. I used to make a habit of tracing spammers back through chains of proxies using it :-) much to their shock and disgust.
" ... revealed that (or one in 500) 5,320 responded ... "
What IS it with El Reg in the past couple of months? Did you outsource your proofreading to an Elbonian call center staffed by illiterate pig-herders and mud-farmers or something? Or am I being too generous in assuming that you /have/ proofreading?
For security see SNMPv3
SNMPv3 has authentication and encryption functionality. You have to turn it on, but it has it.
Much ado about nothing
"sometimes it would possible to extract sensitive information such as user names and passwords"
That's a bit of a stretch. Scaremongering I'd say. Go on, show me a SNMP enabled device that coughs out usernames and passwords on demand.
@Just about everybody
What they said......
While its always nice to get vulnerabilities out in the open and publicised, sysadmins and developers persist in leaving SNMP wide open and the only remedy is strong baseline standards rigorously enforced.
Part of the problem I think is that while posters on forums like this continue to lambast end users for their muppetry, the ignorance of basic security controls by those who should know better remains staggering.
An example - two years ago I was contracting for a major telecom. In conversation with one of their web app developers (alllegedly skilled and experienced) I asked him about DDOS attacks. His response?
Heaven preserve us.........
@Much ado about nothing
"Go on, show me a SNMP enabled device that coughs out usernames and passwords on demand."
DLINK DSL 604+ router, for a start. Read access to SNMP is sufficient to escalate privs and pwn the router.
Why is this ? I hear you ask in astonishment. Well because if external SNMP is enabled, so is external telnet. In fact, most DSL 604 owners wouldn't even know that they were switched on, since the option that you would tick (and which is ticked by default, IIRC) is "Enable Remote Administration" which makes the admin web page available remotely. Oh, and disabling remote admi doesn't stop SNMP or telnet from running inside the network either. In order to do that, you have to TFTP the config files off the router, edit a couple, and then TFTP them back. And as for TFTP, well, tha'ts also a lot of fun :-)
And the SNMP read community name is the same as the telnet access password. And you can't stop this from being true.
Oh, and for some more fun, if you get the SNMP read community name (which is defaulted to public) you can read the SNMP write community name (althogh since this defaults to private...) out of DLINK's enterprise MIB using snmpwalk or similar, as well as WEP keys, ISP login details, etc, etc. *
So there you go, there's one. Some older 3Com enterprise kit did similar stuff, although I can't remember which ones off the top of my head.
Often lots of juicy inph0s in the enterprise MIBs if you look, and there's lots of old forgotten kit out there running SNMP.
Now off you pop and run nmap and snmpwalk on all your network attached kit. You'd be suprised what sort of stuff is running SNMP agents without you knowing it. Got a network printer ? Running SNMP. Switches ? Probably running SNMP unless you disabled it. PABX got an ethernet card so you can run remote admin on it ? Running SNMP.
Also, bear in mind that SNMP (at least <= v2, I've never had any kit that actually bothered to use v3) won't log failed auth attempts, either.
Go, have fun, enjoy. And then come back and tell us whether you still think it's scaremongering,
*Now then, what was that someone said about 'Hackers' not doing their own research the other day ? :)
Skully, because, well, yarr!
There ARE devices that cough up passwords via SNMP!
Just check out GNUCITIZEN's post: http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/
They give real examples of devices such as HP printers and BT Voyager routers and ZyXEL routers that return passwords from simple SNMP read queries.
- Analysis iPhone 6: The final straw for Android makers eaten alive by the data parasite?
- First Crack Man buys iPHONE 6 and DROPS IT to SMASH on PURPOSE
- First Fondle Register journo battles Sydney iPHONE queue, FONDLES BIG 'UN
- TOR users become FBI's No.1 hacking target after legal power grab
- Vid Reg bloke zips through an iPHONE 6 queue from ZERO to 60 SECONDS