Security Basics mailing list archives

RE: How to exploit snmp


From: "Clement Dupuis" <cdupuis () cccure org>
Date: Thu, 21 Jul 2005 18:48:39 -0400

Good day Kevin,

The great thing about SNMP is the fact that it allows you to query the remote
host and get tons of information about that host.  If it is a Windows host,
for example, you could see what patches have been applied, when the computer
was last rebooted, how many interfaces there are on the box, what routes are
in place, etc... etc... etc...

What you wish to do now is to use a tool such as SNMPwalk or SolarWinds SNMP
walk (commercial, but there is a 30-day demo available) or the freeware from
the supplemental tools for Windows.  Any of these tools can help you milk the
information from the remote host.

If a host has not been rebooted for months, you know that no patch has been
applied for months as well.

Other issues are that it uses UDP, which can be spoofed.  It is a nice way to
create havoc within a network.  It also sends the community string in clear
text, so if you have the ability to sniff, even if you change it to a hard-
to-guess string, it could still be gathered.  If you use SNMP v3, then you
have more security features that you could use to better protect it; however,
very few people are using v3 across the board.

Take care

Clement
 

Clément Dupuis, CD
President/Security Evangelist/Chief Learning Officer (CLO)
CCCure Enterprise Security & Training Inc.
CISSP, GCFW, GCIA, Security+, CEH, CCSA, MBNS, MBIS, MBHS, CCSE, ACE
Tel: 954 364 8410 (Florida)
Tel: 514 907 1671 (Montreal)
Tel: 418 907 0263 (Quebec)
Fax: 636 773 6328 

Maintainer of :

The CISSP and SSCP Open Study Guides Web Site
http://www.cccure.org    

The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org   
  

-----Original Message-----
From: Kevin Wood [mailto:kwood () exchangesolutions com]
Sent: Thursday, July 21, 2005 9:28 AM
To: Juan B; security-basics () securityfocus com
Subject: RE: How to exploit snmp

By default the community string is set to public.  It is generally
considered to be a bad idea to leave the community name set to public
because it allows people to query using SNMP and get information about
your server.  You should change the name and, if possible, have a change
process in place that changes the community name once in a while.

-----Original Message-----
From: Juan B [mailto:juanbabi () yahoo com]
Sent: July 18, 2005 12:15 PM
To: security-basics () securityfocus com
Subject: How to exploit snmp

Hi,
Using Nessus I found that one of the machines in the network, maybe an
ADSL router, has the SNMP community private or public.  Nessus also
referred to CVE:
CAN-1991-0517, CAN 1991-0186, CAN 1999-0254, CAN 1999-0516
BID 11237, 10576, 117, 2112, 6825, 7212, 7317, 9681, 986
other references: IAVA-2001-B-001

How, according to the Nessus output, do I find an exploit?  I want to see
for myself why private/public community names are not good.

I am using Whoppix; how can I find exploits there?

thanks very much.
Juan



I tried to find exploits for SNMP with ./find-sploits but don't know
which to use.

thanks very much.

Juan
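Editor's added example (not code from any poster in this thread, and not the output of Nessus, snmpwalk or Whoppix): a minimal SNMPv1/v2c encoder and decoder in Python that makes the three points above concrete in working code. Clement's enumeration targets are listed as their standard MIB-2 / HOST-RESOURCES OIDs; community_from_packet pulls the community string straight out of a captured datagram, which is the "clear text on the wire" problem he describes; probe_communities is the check Kevin's and Juan's posts are about, sending a GetRequest with "public" and "private" to udp/161 and reporting which ones the agent answers. All packets are built locally, the sample Windows-style sysDescr string used in testing is constructed, and probe_communities is the only function that touches the network (it needs a lab target to be useful).

```python
import socket

OIDS = {  # MIB-2 / HOST-RESOURCES OIDs for the items the thread says to pull over SNMP
    "sysDescr.0":        "1.3.6.1.2.1.1.1.0",       # OS / platform string
    "sysUpTime.0":       "1.3.6.1.2.1.1.3.0",       # TimeTicks since last reboot
    "hrSWInstalledName": "1.3.6.1.2.1.25.6.3.1.2",  # walk root: installed software (hotfixes on Windows)
    "ipRouteDest":       "1.3.6.1.2.1.4.21.1.1",    # walk root: routing table
}

def tlv(tag, body):
    n = len(body)
    if n >= 0x80:                            # long-form length: 0x8N then N length bytes
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(nb)]) + nb + body
    return bytes([tag, n]) + body

def enc_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:                        # base-128, high bit set on all but the last byte
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmp_message(community, pdu_tag, varbinds, request_id, version):
    """v1 (version=0) / v2c (version=1) message: the community is a plain OCTET STRING."""
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(version) + tlv(0x04, community.encode()) + pdu)

def get_request(community, oids, request_id=1, version=0):
    vbs = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)  # value = NULL
    return snmp_message(community, 0xA0, vbs, request_id, version)

def get_response(community, values, request_id=1, version=0):
    # What an agent sends back; used here only to build a constructed sample reply.
    vbs = b"".join(tlv(0x30, enc_oid(o) + (enc_int(v) if isinstance(v, int) else tlv(0x04, v.encode())))
                   for o, v in values.items())
    return snmp_message(community, 0xA2, vbs, request_id, version)

def parse_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                            # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def community_from_packet(datagram):
    """Exactly what a sniffer on the path sees: no encryption, no hash, just the string."""
    _, msg, _ = parse_tlv(datagram)
    _, _, pos = parse_tlv(msg)               # INTEGER version
    return parse_tlv(msg, pos)[1].decode()   # OCTET STRING community

def varbinds_from_response(datagram):
    _, msg, _ = parse_tlv(datagram)
    pos = parse_tlv(msg, parse_tlv(msg)[2])[2]   # skip INTEGER version, OCTET STRING community
    tag, pdu, _ = parse_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = parse_tlv(pdu, pos)
    _, vbl, _ = parse_tlv(pdu, pos)
    out, pos = {}, 0
    while pos < len(vbl):                    # each varbind: SEQUENCE { OID, value }
        _, vb, pos = parse_tlv(vbl, pos)
        _, oid_body, p = parse_tlv(vb)
        vtag, vbody, _ = parse_tlv(vb, p)
        out[dec_oid(oid_body)] = (vbody.decode(errors="replace") if vtag == 0x04   # OCTET STRING
                                  else int.from_bytes(vbody, "big", signed=(vtag == 0x02)))
    return out

def probe_communities(host, candidates=("public", "private"), timeout=2.0):
    """Try each candidate with a v1 GetRequest for sysDescr.0 on udp/161. v1/v2c agents
    silently drop a request carrying a wrong community, so only accepted ones get a reply."""
    accepted = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for rid, c in enumerate(candidates, start=1):
            s.sendto(get_request(c, [OIDS["sysDescr.0"]], request_id=rid), (host, 161))
            try:
                accepted[c] = varbinds_from_response(s.recvfrom(4096)[0])
            except socket.timeout:
                pass
    return accepted
```

To run the check from Juan's post against a lab device, call probe_communities("192.0.2.1") (address is a placeholder); a non-empty result means the device answers to a default community and everything in OIDS can be read from it. Walking the hrSWInstalledName and ipRouteDest subtrees uses the same message framing with a GetNextRequest PDU (tag 0xA1) instead of 0xA0. Nothing in this code is secret: sysUpTime.0 is returned in hundredths of a second, so a value of 388800000 is 45 days since the last reboot, and whoever can capture the datagram can read the community out of it with community_from_packet, which is why changing "public" to something hard to guess does not help against a sniffer and why SNMP v3 with authentication and privacy is the real fix.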
