Penetration Testing mailing list archives
Re: SNMP False Positives
From: Ben Klang <ben.klang () transchannel com>
Date: 12 Apr 2002 16:42:05 -0400
I have noticed similar responses from our HP-UX boxes. This includes HP-UX 10.20 and 11.00. Nessus reported that any string sent was a valid community name. -BAK On Thu, 2002-04-11 at 15:26, Cox, Michael wrote:
I'm getting a lot of "default community string enabled" false positives from Nessus, Retina, and verified with SNMPing. On certain boxes, Nessus and Retina report that every string they check is enabled. When running SNMPing and "pinging" a Solaris 8 box I am told the service is enabled and available. I get this response no matter what community string I use. The output from tcpdump is below which seems to say that the requested object doesn't exist. Can anyone help me out here and explain this? I've seen this 20-30 times (and I think they are all Solaris boxes, but I need to double-check). I'm guessing that they (Sun) don't implement the standard MIB II variables, or something, since the request is just asking for the system name. The tools must have been written to look for any GetResponse, even if it is an error. Of course, that raises the question of why Solaris is sending anything, even errors, to invalid communities; any request from an invalid community should be dropped. Or, maybe I'm barking up the wrong tree entirely, and someone will have a better answer. Many thanks in advance! Mike windump: listening on\Device\Packet_{BFF5A60B-F6E6-42FC-B01E-6C4CBD86B5FC} 15:20:46.996306 arp who-has hogan.itg.ti.com tell cna9815016 15:20:46.996718 arp reply hogan.itg.ti.com is-at 0:3:ba:8:50:3c 15:20:46.996731 cna9815016.1734 > hogan.itg.ti.com.161: |30|26|02|01SNMPv1 |04| 06C=abc123 |a0|19GetRequest(25)|02|01|02|01|02|01|30|0e |30|0c|06|08system.sysNa me.0|05|00 (ttl 128, id 5981, bad cksum 0!) 15:20:46.997434 hogan.itg.ti.com.161 > cna9815016.1734: |30|26|02|01SNMPv1 |04| 06C=abc123 |a2|19GetResponse(25)|02|01|02|01 noSuchName|02|01@1|30|0e |30|0c|06| 08system.sysName.0=|05|00 (DF) (ttl 255, id 25971) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- SNMP False Positives Cox, Michael (Apr 12)
- Re: SNMP False Positives Ben Klang (Apr 12)
- <Possible follow-ups>
- RE: SNMP False Positives Leif Sawyer (Apr 15)