SlideShare a Scribd company logo

SNMP : Simple Network Mediated (Cisco) Pwnage

SensePost
SensePost

Presentation by Grorg Christian Pranschkle at ZaCon 2 in 2010. This presentation is about SNMP security The presentation begins with an overview of SNMP. SNMP security weaknesses and SNMP security in cisco apps are discussed. Frisk-0 a tool for SNMP Hacking developed by the presenter is also discussed.

Technology
1 of 28
Download to read offline
SNMP Simple Network Mediated (Cisco) Pwnage Georg-Christian Pranschke 9 October 2010
`whoami`   george@sensepost.com   “Cheorchie”
Agenda   How it all began…   SNMP ?   SNMP from a Security Perspective   SNMP on Cisco Appliances   Exploiting SNMP Misconfigurations   Frisk-0   Secure your SNMP enabled devices   Questions
A Long Time Ago…
How it all began…
SNMP ?
SNMP ?   Simple Network Management Protocol   Monitor and manage devices on the network   Routers   Switches   Bridges   Hubs   IP phones and cameras   Printers   Computers
SNMP ?   UDP: 161 / 162   Manager   Agent   Concepts   MIB – Message Information Block   OID – Object Identifier   PDU – Protocol Data Unit   Versions   1 and 2c vs 3
SNMP ?   Community strings   Think passwords   Read/write
SNMP from a Security Perspective
SNMP from a Security Perspective   Plain-text protocol   UDP   Spoofing   Get/Set-responses contain community string   Community Strings   Defaults: public, private, admin, snmp, snmpd …   Weak Communities: 3 characters !!!   Reuse   Community schemes   User awareness
SNMP from a Security Perspective   Information Disclosure   Internal IP Addresses   Routing Information   Running Processes   Running Services   Installed Software   Usernames   Hardware   Compromise
Cisco
Cisco Appliances S N M P TELNET SSH H T T P
Brute Forcing Cisco Appliances   TELNET   Often only password required   Only three tries – then reconnect   Enable password needs to be brute forced as well   SSH   Needs username and password (ssh -1)   Only three tries per connection   Enable password needs to be brute forced as well   HTTP(S)   Basic Authentication   Fastest so far   No enable password
Brute Forcing Cisco Appliances   SNMP   Almost as fast as we can send UDP packets !   Just community string needed !   Privileged access to the device !
SNMP on Cisco Appliances   Remote Configuration through SNMP   Setting OIDs   Configuration up- and downloads via TFTP   Running config vs Startup config
The Vigenere Cipher   Variation of a Caesar Cipher   Why such a weak cipher ?   Obfuscation at best
Exploiting SNMP Misconfigurations
If the RW community is known…
Frisk-0
The Lab Environment
Frisk-0   ”Rogue Management Interface”   Brute forces community strings   Downloads Running and Startup configurations   Extracts and decrypts all passwords and hashes   Batch mode   From targets file   Network ranges   Spoofing capabilities   “Configlets” (enable TELNET / reset passwords)   Fully automated and unattended
Frisk-0
The GREnd Finale   GRE – Generic Routing Encapsulation
Secure your SNMP enabled devices
Secure Your SNMP Enabled Devices   Do you really need SNMP ?   Do you really need a RW community ?   Set strong community strings   40+ characters ? Why not!   Access-lists   SNMP   TFTP ! (spoofing)   UDP
Questions ?

Recommended

Snort
SnortSnort
SnortMichael Boman
 
Acid
AcidAcid
AcidMichael Boman
 
Snort
SnortSnort
Snortnazzf
 
Brst – Border Router Security Tool
Brst – Border Router Security ToolBrst – Border Router Security Tool
Brst – Border Router Security Tooltleroy0928
 
IPCop Firewall
IPCop FirewallIPCop Firewall
IPCop FirewallMohammed Farrah
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux serversJuan Carlos Pérez Pardo
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Snort IDS
Snort IDSSnort IDS
Snort IDSprimeteacher32
 

Recommended

Snort
SnortSnort
SnortMichael Boman
 
Acid
AcidAcid
AcidMichael Boman
 
Snort
SnortSnort
Snortnazzf
 
Brst – Border Router Security Tool
Brst – Border Router Security ToolBrst – Border Router Security Tool
Brst – Border Router Security Tooltleroy0928
 
IPCop Firewall
IPCop FirewallIPCop Firewall
IPCop FirewallMohammed Farrah
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux serversJuan Carlos Pérez Pardo
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Snort IDS
Snort IDSSnort IDS
Snort IDSprimeteacher32
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
3.Network
3.Network3.Network
3.Networkphanleson
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with SnortNarudom Roongsiriwong, CISSP
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devicesErez Metula
 
Snort
SnortSnort
SnortRahul Jain
 
Snort
SnortSnort
SnortStickman Hai
 
Ipfire open source firewall
Ipfire open source firewallIpfire open source firewall
Ipfire open source firewallsaing sab
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09Dr. Jayaraj Poroor
 
Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Networkamiable_indian
 
A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!edwardo
 
All About Snort
All About SnortAll About Snort
All About Snort28pranjal
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesbsidesaugusta
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linuxHelder Oliveira
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewallMhmud Khraibene
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDSMichael Boman
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacksn|u - The Open Security Community
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine cloudsSensePost
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 

More Related Content

What's hot

Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devicesErez Metula
 
Ipfire open source firewall
Ipfire open source firewallIpfire open source firewall
Ipfire open source firewallsaing sab
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Networkamiable_indian
 
A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!edwardo
 
All About Snort
All About SnortAll About Snort
All About Snort28pranjal
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesbsidesaugusta
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linuxHelder Oliveira
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDSMichael Boman
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network SecurityAmr Ali
 

What's hot (20)

Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
3.Network
3.Network3.Network
3.Network
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Hacking RF based IoT devices
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devices
 
Snort
SnortSnort
Snort
 
Snort
SnortSnort
Snort
 
Ipfire open source firewall
Ipfire open source firewallIpfire open source firewall
Ipfire open source firewall
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)
 
Linux security-fosster-09
Linux security-fosster-09Linux security-fosster-09
Linux security-fosster-09
 
Sniffing in a Switched Network
Sniffing in a Switched NetworkSniffing in a Switched Network
Sniffing in a Switched Network
 
A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!A tutorial showing you how to crack wifi passwords using kali linux!
A tutorial showing you how to crack wifi passwords using kali linux!
 
All About Snort
All About SnortAll About Snort
All About Snort
 
Security Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutesSecurity Onion: peeling back the layers of your network in minutes
Security Onion: peeling back the layers of your network in minutes
 
Hack wifi password using kali linux
Hack wifi password using kali linuxHack wifi password using kali linux
Hack wifi password using kali linux
 
Linux and firewall
Linux and firewallLinux and firewall
Linux and firewall
 
Introduction To NIDS
Introduction To NIDSIntroduction To NIDS
Introduction To NIDS
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary AttacksCracking WPA/WPA2 with Non-Dictionary Attacks
Cracking WPA/WPA2 with Non-Dictionary Attacks
 
Linux Network Security
Linux Network SecurityLinux Network Security
Linux Network Security
 

Viewers also liked

Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine cloudsSensePost
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorismSensePost
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksSensePost
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitSensePost
 
Andrew Nelson - Zabbix and SNMP on Linux
Andrew Nelson - Zabbix and SNMP on LinuxAndrew Nelson - Zabbix and SNMP on Linux
Andrew Nelson - Zabbix and SNMP on LinuxZabbix
 
Zabbix 3.0 and beyond - FISL 2015
Zabbix 3.0 and beyond - FISL 2015Zabbix 3.0 and beyond - FISL 2015
Zabbix 3.0 and beyond - FISL 2015Zabbix
 
CCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the networkCCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the networkVuz Dở Hơi
 

Viewers also liked (10)

Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
Andrew Nelson - Zabbix and SNMP on Linux
Andrew Nelson - Zabbix and SNMP on LinuxAndrew Nelson - Zabbix and SNMP on Linux
Andrew Nelson - Zabbix and SNMP on Linux
 
Zabbix 3.0 and beyond - FISL 2015
Zabbix 3.0 and beyond - FISL 2015Zabbix 3.0 and beyond - FISL 2015
Zabbix 3.0 and beyond - FISL 2015
 
CCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the networkCCNAv5 - S4: Chapter8 monitoring the network
CCNAv5 - S4: Chapter8 monitoring the network
 

Similar to SNMP : Simple Network Mediated (Cisco) Pwnage

2010 za con_georg-christian_pranschke
2010 za con_georg-christian_pranschke2010 za con_georg-christian_pranschke
2010 za con_georg-christian_pranschkeJohan Klerk
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon
 
Oracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings AttachedOracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings AttachedFuad Arshad
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSChris Sistrunk
 
IPv6-Hardening.pdf
IPv6-Hardening.pdfIPv6-Hardening.pdf
IPv6-Hardening.pdfMustafazer21
 
SNMP Network Tracker Project
SNMP Network Tracker ProjectSNMP Network Tracker Project
SNMP Network Tracker ProjectPraveen Mathews
 
Security Onion: Peel Back the Layers of Your Network in Minutes
Security Onion: Peel Back the Layers of Your Network in MinutesSecurity Onion: Peel Back the Layers of Your Network in Minutes
Security Onion: Peel Back the Layers of Your Network in MinutesGreat Wide Open
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?EnergySec
 
How Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network ProtocolHow Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network Protocolssuserc49ec4
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersMina Fawzy
 

Similar to SNMP : Simple Network Mediated (Cisco) Pwnage (20)

2010 za con_georg-christian_pranschke
2010 za con_georg-christian_pranschke2010 za con_georg-christian_pranschke
2010 za con_georg-christian_pranschke
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificatesDevSecCon London 2018: Get rid of these TLS certificates
DevSecCon London 2018: Get rid of these TLS certificates
 
Oracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings AttachedOracle Database Appliance RAC in a box Some Strings Attached
Oracle Database Appliance RAC in a box Some Strings Attached
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
IPv6-Hardening.pdf
IPv6-Hardening.pdfIPv6-Hardening.pdf
IPv6-Hardening.pdf
 
SNMP Network Tracker Project
SNMP Network Tracker ProjectSNMP Network Tracker Project
SNMP Network Tracker Project
 
Security Onion: Peel Back the Layers of Your Network in Minutes
Security Onion: Peel Back the Layers of Your Network in MinutesSecurity Onion: Peel Back the Layers of Your Network in Minutes
Security Onion: Peel Back the Layers of Your Network in Minutes
 
Windows network
Windows networkWindows network
Windows network
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
How Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network ProtocolHow Secure is TCP/IP - A review of Network Protocol
How Secure is TCP/IP - A review of Network Protocol
 
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 SniffersCeh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
 

More from SensePost

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile explorationSensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationSensePost
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17SensePost
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed OverviewSensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionSensePost
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tatSensePost
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsSensePost
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemSensePost
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get HackedSensePost
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application HackingSensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and DefencesSensePost
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2SensePost
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nationSensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?SensePost
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessessSensePost
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 
Penetration testing and social engineering
Penetration testing and social engineeringPenetration testing and social engineering
Penetration testing and social engineeringSensePost
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the faceSensePost
 
The jar of joy
The jar of joyThe jar of joy
The jar of joySensePost
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woesSensePost
 

More from SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
Penetration testing and social engineering
Penetration testing and social engineeringPenetration testing and social engineering
Penetration testing and social engineering
 
Getting punched in the face
Getting punched in the faceGetting punched in the face
Getting punched in the face
 
The jar of joy
The jar of joyThe jar of joy
The jar of joy
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

SNMP : Simple Network Mediated (Cisco) Pwnage

  • 1. SNMP Simple Network Mediated (Cisco) Pwnage Georg-Christian Pranschke 9 October 2010
  • 2. `whoami`   george@sensepost.com   “Cheorchie”
  • 3. Agenda   How it all began…   SNMP ?   SNMP from a Security Perspective   SNMP on Cisco Appliances   Exploiting SNMP Misconfigurations   Frisk-0   Secure your SNMP enabled devices   Questions
  • 4. A Long Time Ago…
  • 5. How it all began…
  • 7. SNMP ?   Simple Network Management Protocol   Monitor and manage devices on the network   Routers   Switches   Bridges   Hubs   IP phones and cameras   Printers   Computers
  • 8. SNMP ?   UDP: 161 / 162   Manager   Agent   Concepts   MIB – Message Information Block   OID – Object Identifier   PDU – Protocol Data Unit   Versions   1 and 2c vs 3
  • 9. SNMP ?   Community strings   Think passwords   Read/write
  • 10. SNMP from a Security Perspective
  • 11. SNMP from a Security Perspective   Plain-text protocol   UDP   Spoofing   Get/Set-responses contain community string   Community Strings   Defaults: public, private, admin, snmp, snmpd …   Weak Communities: 3 characters !!!   Reuse   Community schemes   User awareness
  • 12. SNMP from a Security Perspective   Information Disclosure   Internal IP Addresses   Routing Information   Running Processes   Running Services   Installed Software   Usernames   Hardware   Compromise
  • 13. Cisco
  • 14. Cisco Appliances S N M P TELNET SSH H T T P
  • 15. Brute Forcing Cisco Appliances   TELNET   Often only password required   Only three tries – then reconnect   Enable password needs to be brute forced as well   SSH   Needs username and password (ssh -1)   Only three tries per connection   Enable password needs to be brute forced as well   HTTP(S)   Basic Authentication   Fastest so far   No enable password
  • 16. Brute Forcing Cisco Appliances   SNMP   Almost as fast as we can send UDP packets !   Just community string needed !   Privileged access to the device !
  • 17. SNMP on Cisco Appliances   Remote Configuration through SNMP   Setting OIDs   Configuration up- and downloads via TFTP   Running config vs Startup config
  • 18. The Vigenere Cipher   Variation of a Caesar Cipher   Why such a weak cipher ?   Obfuscation at best
  • 20. If the RW community is known…
  • 23. Frisk-0   ”Rogue Management Interface”   Brute forces community strings   Downloads Running and Startup configurations   Extracts and decrypts all passwords and hashes   Batch mode   From targets file   Network ranges   Spoofing capabilities   “Configlets” (enable TELNET / reset passwords)   Fully automated and unattended
  • 25. The GREnd Finale   GRE – Generic Routing Encapsulation
  • 26. Secure your SNMP enabled devices
  • 27. Secure Your SNMP Enabled Devices   Do you really need SNMP ?   Do you really need a RW community ?   Set strong community strings   40+ characters ? Why not!   Access-lists   SNMP   TFTP ! (spoofing)   UDP