SensePost, profile picture
Uploaded bySensePost
1,368 views

SNMP : Simple Network Mediated (Cisco) Pwnage

The document discusses the vulnerabilities of the Simple Network Management Protocol (SNMP) in Cisco devices, highlighting its use for network monitoring and management. It outlines potential security risks, including information disclosure and exploitation through misconfigurations, particularly focusing on weak community strings. The document also introduces a tool called Frisk-0 for exploiting these vulnerabilities and offers recommendations for securing SNMP-enabled devices.

Embed presentation

Downloaded 50 times
SNMP Simple Network Mediated (Cisco) Pwnage Georg-Christian Pranschke 9 October 2010
`whoami`   george@sensepost.com   “Cheorchie”
Agenda   How it all began…   SNMP ?   SNMP from a Security Perspective   SNMP on Cisco Appliances   Exploiting SNMP Misconfigurations   Frisk-0   Secure your SNMP enabled devices   Questions
A Long Time Ago…
How it all began…
SNMP ?
SNMP ?   Simple Network Management Protocol   Monitor and manage devices on the network   Routers   Switches   Bridges   Hubs   IP phones and cameras   Printers   Computers
SNMP ?   UDP: 161 / 162   Manager   Agent   Concepts   MIB – Message Information Block   OID – Object Identifier   PDU – Protocol Data Unit   Versions   1 and 2c vs 3
SNMP ?   Community strings   Think passwords   Read/write
SNMP from a Security Perspective
SNMP from a Security Perspective   Plain-text protocol   UDP   Spoofing   Get/Set-responses contain community string   Community Strings   Defaults: public, private, admin, snmp, snmpd …   Weak Communities: 3 characters !!!   Reuse   Community schemes   User awareness
SNMP from a Security Perspective   Information Disclosure   Internal IP Addresses   Routing Information   Running Processes   Running Services   Installed Software   Usernames   Hardware   Compromise
Cisco
Cisco Appliances S N M P TELNET SSH H T T P
Brute Forcing Cisco Appliances   TELNET   Often only password required   Only three tries – then reconnect   Enable password needs to be brute forced as well   SSH   Needs username and password (ssh -1)   Only three tries per connection   Enable password needs to be brute forced as well   HTTP(S)   Basic Authentication   Fastest so far   No enable password
Brute Forcing Cisco Appliances   SNMP   Almost as fast as we can send UDP packets !   Just community string needed !   Privileged access to the device !
SNMP on Cisco Appliances   Remote Configuration through SNMP   Setting OIDs   Configuration up- and downloads via TFTP   Running config vs Startup config
The Vigenere Cipher   Variation of a Caesar Cipher   Why such a weak cipher ?   Obfuscation at best
Exploiting SNMP Misconfigurations
If the RW community is known…
Frisk-0
The Lab Environment
Frisk-0   ”Rogue Management Interface”   Brute forces community strings   Downloads Running and Startup configurations   Extracts and decrypts all passwords and hashes   Batch mode   From targets file   Network ranges   Spoofing capabilities   “Configlets” (enable TELNET / reset passwords)   Fully automated and unattended
Frisk-0
The GREnd Finale   GRE – Generic Routing Encapsulation
Secure your SNMP enabled devices
Secure Your SNMP Enabled Devices   Do you really need SNMP ?   Do you really need a RW community ?   Set strong community strings   40+ characters ? Why not!   Access-lists   SNMP   TFTP ! (spoofing)   UDP
Questions ?

More Related Content

ODP
Snort
byMichael Boman
 
ODP
Acid
byMichael Boman
 
PPTX
Snort
bynazzf
 
PPTX
Brst – Border Router Security Tool
bytleroy0928
 
PDF
IPCop Firewall
byMohammed Farrah
 
PPTX
Essential security for linux servers
byJuan Carlos Pérez Pardo
 
PPT
Intrusion Detection System using Snort
bywebhostingguy
 
PPTX
Snort IDS
byprimeteacher32
 
Snort
byMichael Boman
 
Acid
byMichael Boman
 
Snort
bynazzf
 
Brst – Border Router Security Tool
bytleroy0928
 
IPCop Firewall
byMohammed Farrah
 
Essential security for linux servers
byJuan Carlos Pérez Pardo
 
Intrusion Detection System using Snort
bywebhostingguy
 
Snort IDS
byprimeteacher32
 

What's hot

PPT
Anton Chuvakin on Honeypots
byAnton Chuvakin
 
PPT
3.Network
byphanleson
 
PDF
Database Firewall with Snort
byNarudom Roongsiriwong, CISSP
 
PDF
Hacking RF based IoT devices
byErez Metula
 
PPT
Snort
byRahul Jain
 
PPT
Snort
byStickman Hai
 
PPTX
Ipfire open source firewall
bysaing sab
 
ODP
SoHo Honeypot (LUGS)
byMichael Boman
 
PPT
Linux security-fosster-09
byDr. Jayaraj Poroor
 
PPT
Sniffing in a Switched Network
byamiable_indian
 
PDF
A tutorial showing you how to crack wifi passwords using kali linux!
byedwardo
 
PPTX
All About Snort
by28pranjal
 
PDF
Security Onion: peeling back the layers of your network in minutes
bybsidesaugusta
 
PDF
Hack wifi password using kali linux
byHelder Oliveira
 
PPTX
Linux and firewall
byMhmud Khraibene
 
ODP
Introduction To NIDS
byMichael Boman
 
ODP
Introduction To Linux Security
byMichael Boman
 
PDF
Cracking WPA/WPA2 with Non-Dictionary Attacks
byn|u - The Open Security Community
 
ODP
Linux Network Security
byAmr Ali
 
Anton Chuvakin on Honeypots
byAnton Chuvakin
 
3.Network
byphanleson
 
Database Firewall with Snort
byNarudom Roongsiriwong, CISSP
 
Hacking RF based IoT devices
byErez Metula
 
Snort
byRahul Jain
 
Snort
byStickman Hai
 
Ipfire open source firewall
bysaing sab
 
SoHo Honeypot (LUGS)
byMichael Boman
 
Linux security-fosster-09
byDr. Jayaraj Poroor
 
Sniffing in a Switched Network
byamiable_indian
 
A tutorial showing you how to crack wifi passwords using kali linux!
byedwardo
 
All About Snort
by28pranjal
 
Security Onion: peeling back the layers of your network in minutes
bybsidesaugusta
 
Hack wifi password using kali linux
byHelder Oliveira
 
Linux and firewall
byMhmud Khraibene
 
Introduction To NIDS
byMichael Boman
 
Introduction To Linux Security
byMichael Boman
 
Cracking WPA/WPA2 with Non-Dictionary Attacks
byn|u - The Open Security Community
 
Linux Network Security
byAmr Ali
 

Viewers also liked

PPTX
Threats to machine clouds
bySensePost
 
PPT
Major global information security trends - a summary
bySensePost
 
PDF
Putting the tea back into cyber terrorism
bySensePost
 
PPTX
ZaCon 2015 - Zombie Mana Attacks
bySensePost
 
PPTX
Offence oriented Defence
bySensePost
 
PPTX
Improvement in Rogue Access Points - SensePost Defcon 22
bySensePost
 
PDF
Introducing (DET) the Data Exfiltration Toolkit
bySensePost
 
PDF
Andrew Nelson - Zabbix and SNMP on Linux
byZabbix
 
PDF
Zabbix 3.0 and beyond - FISL 2015
byZabbix
 
Threats to machine clouds
bySensePost
 
Major global information security trends - a summary
bySensePost
 
Putting the tea back into cyber terrorism
bySensePost
 
ZaCon 2015 - Zombie Mana Attacks
bySensePost
 
Offence oriented Defence
bySensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
bySensePost
 
Introducing (DET) the Data Exfiltration Toolkit
bySensePost
 
Andrew Nelson - Zabbix and SNMP on Linux
byZabbix
 
Zabbix 3.0 and beyond - FISL 2015
byZabbix
 

Similar to SNMP : Simple Network Mediated (Cisco) Pwnage

PDF
2010 za con_georg-christian_pranschke
byJohan Klerk
 
PPT
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
byPositive Hack Days
 
PDF
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
byAbhishek Kumar
 
PDF
IPv6-Hardening.pdf
byMustafazer21
 
PDF
Cisco Equipment Security
byConferencias FIST
 
PPT
CCNA Security - Chapter 2
byIrsandi Hasan
 
PDF
Hackerworkshop exercises
byHenrik Kramshøj
 
PDF
CISSP Week 7
byjemtallon
 
PPTX
Cisco Malware: A new risk to consider in perimeter security designs
byManuel Santander
 
PDF
CCNA4v5 Chapter 8 - Monitoring the Netwok
byAhmed Gad
 
DOCX
Ccna security comparison
bythongams2000
 
PPTX
Network security
bySidiq Dwi Laksana
 
PDF
Designing.and.implementing.linux
bygavin shaw
 
PPTX
Ccnas v11 ch02_eb
byEdgar Benavente
 
PPTX
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
byHoneywell
 
PDF
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
byEC-Council
 
DOC
Centralized monitoring station for it computing and network infrastructure1
byMOHD ARISH
 
DOCX
Snmp vulnerability assessment
bySupriya G
 
PDF
INE-Security+-Domain-4-Security-Operations-I-Course-File.pdf
byahmedhossami778
 
PPTX
501 ch 3 network technologies tools
bygocybersec
 
2010 za con_georg-christian_pranschke
byJohan Klerk
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
byPositive Hack Days
 
An Express Guide ~ SNMP for Secure Rremote Resource Monitoring
byAbhishek Kumar
 
IPv6-Hardening.pdf
byMustafazer21
 
Cisco Equipment Security
byConferencias FIST
 
CCNA Security - Chapter 2
byIrsandi Hasan
 
Hackerworkshop exercises
byHenrik Kramshøj
 
CISSP Week 7
byjemtallon
 
Cisco Malware: A new risk to consider in perimeter security designs
byManuel Santander
 
CCNA4v5 Chapter 8 - Monitoring the Netwok
byAhmed Gad
 
Ccna security comparison
bythongams2000
 
Network security
bySidiq Dwi Laksana
 
Designing.and.implementing.linux
bygavin shaw
 
Ccnas v11 ch02_eb
byEdgar Benavente
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
byHoneywell
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
byEC-Council
 
Centralized monitoring station for it computing and network infrastructure1
byMOHD ARISH
 
Snmp vulnerability assessment
bySupriya G
 
INE-Security+-Domain-4-Security-Operations-I-Course-File.pdf
byahmedhossami778
 
501 ch 3 network technologies tools
bygocybersec
 

More from SensePost

PDF
objection - runtime mobile exploration
bySensePost
 
PPTX
Vulnerabilities in TN3270 based Application
bySensePost
 
PDF
Ruler and Liniaal @ Troopers 17
bySensePost
 
PDF
Heartbleed Overview
bySensePost
 
PDF
Botconf 2013 - DNS-based Botnet C2 Server Detection
bySensePost
 
PPTX
Rat a-tat-tat
bySensePost
 
PDF
Hacking Z-Wave Home Automation Systems
bySensePost
 
PPTX
Inside .NET Smart Card Operating System
bySensePost
 
PPT
Its Ok To Get Hacked
bySensePost
 
PPT
Web Application Hacking
bySensePost
 
PPT
Attacks and Defences
bySensePost
 
PDF
Corporate Threat Modeling v2
bySensePost
 
PPTX
State of the information security nation
bySensePost
 
PPS
OK I'm here, so what's in it for me?
bySensePost
 
PPT
Security threats facing SA businessess
bySensePost
 
PPT
Security in e-commerce
bySensePost
 
PDF
Penetration testing and social engineering
bySensePost
 
PDF
Getting punched in the face
bySensePost
 
PDF
The jar of joy
bySensePost
 
PPTX
Web 2.0 security woes
bySensePost
 
objection - runtime mobile exploration
bySensePost
 
Vulnerabilities in TN3270 based Application
bySensePost
 
Ruler and Liniaal @ Troopers 17
bySensePost
 
Heartbleed Overview
bySensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
bySensePost
 
Rat a-tat-tat
bySensePost
 
Hacking Z-Wave Home Automation Systems
bySensePost
 
Inside .NET Smart Card Operating System
bySensePost
 
Its Ok To Get Hacked
bySensePost
 
Web Application Hacking
bySensePost
 
Attacks and Defences
bySensePost
 
Corporate Threat Modeling v2
bySensePost
 
State of the information security nation
bySensePost
 
OK I'm here, so what's in it for me?
bySensePost
 
Security threats facing SA businessess
bySensePost
 
Security in e-commerce
bySensePost
 
Penetration testing and social engineering
bySensePost
 
Getting punched in the face
bySensePost
 
The jar of joy
bySensePost
 
Web 2.0 security woes
bySensePost
 

Recently uploaded

PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
How to Prepare for the RWA Tokenization Trend
byrose mason
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Workflow and decision Automation with Flowable
bychakib ch
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
How to Prepare for the RWA Tokenization Trend
byrose mason
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 

SNMP : Simple Network Mediated (Cisco) Pwnage

  • 1.
    SNMP Simple Network Mediated(Cisco) Pwnage Georg-Christian Pranschke 9 October 2010
  • 2.
    `whoami`   george@sensepost.com   “Cheorchie”
  • 3.
    Agenda   How it all began…   SNMP ?   SNMP from a Security Perspective   SNMP on Cisco Appliances   Exploiting SNMP Misconfigurations   Frisk-0   Secure your SNMP enabled devices   Questions
  • 4.
  • 5.
    How it allbegan…
  • 6.
  • 7.
    SNMP ?   Simple Network Management Protocol   Monitor and manage devices on the network   Routers   Switches   Bridges   Hubs   IP phones and cameras   Printers   Computers
  • 8.
    SNMP ?   UDP: 161 / 162   Manager   Agent   Concepts   MIB – Message Information Block   OID – Object Identifier   PDU – Protocol Data Unit   Versions   1 and 2c vs 3
  • 9.
    SNMP ?   Community strings   Think passwords   Read/write
  • 10.
    SNMP from aSecurity Perspective
  • 11.
    SNMP from aSecurity Perspective   Plain-text protocol   UDP   Spoofing   Get/Set-responses contain community string   Community Strings   Defaults: public, private, admin, snmp, snmpd …   Weak Communities: 3 characters !!!   Reuse   Community schemes   User awareness
  • 12.
    SNMP from aSecurity Perspective   Information Disclosure   Internal IP Addresses   Routing Information   Running Processes   Running Services   Installed Software   Usernames   Hardware   Compromise
  • 13.
  • 14.
    Cisco Appliances S N M P TELNET SSH H T T P
  • 15.
    Brute Forcing CiscoAppliances   TELNET   Often only password required   Only three tries – then reconnect   Enable password needs to be brute forced as well   SSH   Needs username and password (ssh -1)   Only three tries per connection   Enable password needs to be brute forced as well   HTTP(S)   Basic Authentication   Fastest so far   No enable password
  • 16.
    Brute Forcing CiscoAppliances   SNMP   Almost as fast as we can send UDP packets !   Just community string needed !   Privileged access to the device !
  • 17.
    SNMP on CiscoAppliances   Remote Configuration through SNMP   Setting OIDs   Configuration up- and downloads via TFTP   Running config vs Startup config
  • 18.
    The Vigenere Cipher   Variation of a Caesar Cipher   Why such a weak cipher ?   Obfuscation at best
  • 19.
  • 20.
    If the RWcommunity is known…
  • 21.
  • 22.
  • 23.
    Frisk-0   ”Rogue Management Interface”   Brute forces community strings   Downloads Running and Startup configurations   Extracts and decrypts all passwords and hashes   Batch mode   From targets file   Network ranges   Spoofing capabilities   “Configlets” (enable TELNET / reset passwords)   Fully automated and unattended
  • 24.
  • 25.
    The GREnd Finale   GRE – Generic Routing Encapsulation
  • 26.
    Secure your SNMPenabled devices
  • 27.
    Secure Your SNMPEnabled Devices   Do you really need SNMP ?   Do you really need a RW community ?   Set strong community strings   40+ characters ? Why not!   Access-lists   SNMP   TFTP ! (spoofing)   UDP
  • 28.