Re: snmp

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <20040922220703.54373.qmail () web51105 mail yahoo com>

> One of the sysadmins told me that they use in one of
> the networks Snmp and that the community is public.
>
> I want to pen test this issue meaning that I want to
> find ways to retrieve from the devices info, and show
> the IT manager that he must change the community.

Well, I think maybe you're taking the wrong approach.  

First off, there are a great many tools that you can use to assist you with this issue...Perl, FoundStone's snscan.exe, 
IP Browser, etc.  

Second, you need to consider what kind of message you're trying to get across.  Is the issue that you're trying to 
address one of the use of SNMP, the use of default community strings, or what?  Before you go making your argument to 
the IT Manager, it might be a good idea to have your ducks all in a row...many a security guy has been shot down and 
laughed at b/c they took too narrow and too technical a focus.

Some things to consider:
1.  In the infrastructure, what is the issue?  If SNMP is blocked at the perimeter, and no one from the Internet can 
arbitrarily access SNMP on your internal network (or whereever it's running), what is your concern?

2.  If you're looking at this from a Least Privilege perspective, and the service isn't being used...by all means, 
disable it.

3.  If you're concerned about the use of default community strings, then raise the issue that way...particularly if 
your company's policy is to not use any default passwords or community strings.  

4.  Do some checking first, before you make your agrument/recommendations.  Are any other settings in use?  For 
example, on Win2K, the default read-only community string is "public", but the service does not install out-of-the-box 
w/ a read-write community string...so while the values can be read, they can't be altered.  Also, on most SNMP 
implementations that I'm familiar with (most notably Microsoft and Cisco), you can designate from which management 
hosts to accept queries.

> The reason that I want to do It my self is that I
> don't believe in the way that is just going to him and
> tell him..." its written in the internet that we must
> change public community to something else. 

If I were your IT Manager, I'd immediately think that you were not only trying to make a fool out of me and usurp some 
of my "power", but that you were also, as they say in boxing, leading with your chin (ie, just begging to be knocked 
out).  Be very careful about getting into a turf war with someone, particularly your IT Manager.  I say this, b/c if 
you go to anyone in your company and tell them that they have to fix something for no other reason than b/c it says so 
on the Internet...well, I think that the assembled masses reading this list would agree that that will only lead to 
failure.

HTH,

H. Carvey
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------