Cyber Security Awareness Month - Day 12 Ports 161/162 Simple Network Management Protocol (SNMP)

Published: 2009-10-11
Last Updated: 2009-10-12 00:19:13 UTC
by Mark Hofman (Version: 1)
2 comment(s)

SNMP has to be one of my favourite protocols when doing internal pentesting.  Mainly because I know that there will be a bunch of devices that are configured to use it, in fact almost everything connected to the network that isn't a workstation is likely to have SNMP open.  Secondly because the "password" or more correctly the community string is likely to be "public".  If it isn't then it is often trivial to find.  Once you have the community string, then it is a just a matter of asking the devices nicely to give up their configuration details and you quickly have a good picture of what the network looks like.  If you are lucky you can reconfigure the devices as well. 

SNMP is used to monitor network connected devices.  It consists of a manager and a number of agents.  The manager at regular intervals polls the agents on port UDP/161 and queries the Management Information Bases (MIB) for the device.  The MIB is effectively a hierarchical database structure for information on the device, e.g. serial numbers are in a specific location, nic statistics, etc. 

SNMP-TRAP allows the agent to send information about itself to the manager on port UDP/162.   TCP can be used for both 161/162, but UDP tends to be more common.

Typically the agents are configured in read-only or read-write mode.  The difference between the two is determined by the community string used. 

There are several versions of SNMP  V1, V2c and V3.   V3 introduces encryption, message integrity and better authentication than can be provided by the community string. 

There are a few challenges when using SNMP.  

  • With the exception of V3, information is exchanged in clear and can be sniffed. 
  • All versions are susceptible to password guessing attacks.
  • Whilst V3 is the right version to use, many devices are only capable of using V2c or even V1 so you have to live with the insecurity
  • When UDP is used, packets can be spoofed (what will the effect be on your SNMP-TRAP server when it receives thousands of TRAPs per second?)

There have been a few security advisories relating to SNMP over the years, it tends to be an internal issue.  However if you accept SNMP queries from the internet you may be leaking more information than you thought.  In fact in a previous life we used "public" IP addresses on an internal network segment.  When mapping the internal network using SNMP, using one of the monitoring tools and due to a configuration challenge (yes we let SNMP out of the network), the SNMP requests didn't end up on the internal network, but on the Internet.  The following Monday morning we had a great network map of a network somewhere in Europe.  I'd like to think people have learnt since then, but ....

For more information have a look at the wikipedia entry which is quite good or you can always read the many RFC associated with SNMP (1155, 1156, 1157, 1441, 1213, 3410-18, 3584 & 3826).

Mark - Shearwater

2 comment(s)

Comments

I say it's best to use SNMP but config snmp-enabled devices to only accept queries from management station IPs, when possible, in addition to changing all communities, and ideally use a special dedicated management PVLAN for network devices such as routers, with physical security between the two networks.

SNMP sets are UDP packets, so the management workstation IP may be spoofed by an attacker, also, physical security is a must when using read/write snmp, and this is often overlooked..

Physical security in this case means something like firewall blocks all SNMP, and all your NMS servers have two NICs on it, one to provide access to SNMP, and the other to provide admin management of the NMS servers.


I always thought SNMP stood for "Security Not My Problem" ;-)

Diary Archives