Re: news story and router passwords

[Talisker <Talisker () NETWORKINTRUSION CO UK>]

Mark

SNMP < v3 IMHO should not be used for security tools, too many networks
don't move away from the default community name and once again getting
changed community names is easy.
Brief history
v1 had trivial security
v2 had better security, however it didn't catch on
v2c was as per v2 except with v1 security !!!!!
v3 has better security again (but will it catch on - if not wait for v3c)

What's the word on the street is it catching on ????

I can recommend the 4 day LTI SNMP course it's pretty good though a little
padded to fill the time

Andy
http://www.networkintrusion.co.uk Talisker's comprehensive IDS & Scanner
List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.





----- Original Message -----
From: "Mark Teicher" <mark.teicher () NETWORKICE COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, October 13, 2000 4:17 AM
Subject: Re: news story and router passwords


> One can also utilize SNMP to grab pertinent information.
>
>
>   "ipAdEntAddr[\$NODEIP]",
>   "sysName",
>   "ipAdEntNetMask[\$NODEIP]",
>   "ipForwarding",
>   "sysObjectID",
>   "sysUpTime",
>   "sysLocation",
>   "sysDescr",
>
> and re-configure routers without the password if SNMP is not setup
> correctly.  But I don't know anything about SNMP.. :)
>
> At 01:30 AM 10/13/00 +0800, Lincoln Yeoh wrote:
> > At 04:35 PM 10/12/00 +0200, Vitaly Osipov wrote:
> > > Hello all,
> > >
> > > I think everybody knows that media reporting on hackers and their tools
is,
> > > ehm, very improper :)
> > > I've read one article recently
> > > http://www.denverpost.com/business/biz1012d.htm  ) in which it is
clamed
> > > that some hacker after sniffing router password changed it and made
> > > *something* after that they were not able to recover that password.
Have
> > > somebody heard of such problems (it looks like they were using cisco,
> >
> > One possible scenario:
> > The hacker could have reflashed the router or its modules with a custom
> > firmware, or just zapped the firmware. This can make password recovery
> > impossible. Custom firmware would be much harder but more scary - because
> > if the hacker does it right, you won't even notice till really bad things
> > happen. Getting and changing the router firmware usually isn't that
> > difficult, understanding it enough to make interesting changes without
> > totally breaking stuff is a bit harder. The way to fix this would be to
> > reflash the affected components with a decent release.
> >
> > If it's really a Cisco and they have a contract they could just contact
> > Cisco TAC to fix things for them, instead of being held to ransom by the
> > hacker. When a customer sent us a faulty obsolete Cisco access server -
no
> > contract, no nothing, and they bought it from someone else(!), Cisco
> > actually sent a replacement for _free_[1] within a few days! Customer
> > happy, we happy, TAC people happy, and no bets on what router that
customer
> > will be buying next....
> >
> > Cheerio,
> > Link.