Network discovery and the Simple Network Management Protocol

Few organizations know about one of the most common backdoors into large networks: Simple Network Management Protocol.

There is a backdoor into many large networks that few organisations seem to recognise or understand – Simple Network Management Protocol (SNMP).

SNMP is the Internet standard protocol developed to manage nodes or connection points, like servers, workstations, routers, switches and hubs, on an IP network, monitoring for conditions that may require assistance from an administrator. The protocol also provides the opportunity for someone to control your network, eavesdrop on traffic and steal valuable data, which we'll cover shortly.

By default, SNMP is generally enabled on routers, switches and sometimes even servers. Any organization using network management software like Hewlett-Packard Co.'s OpenView or IBM Tivoli uses SNMP. Even if an enterprise does not use any network management tools, SNMP is likely to be in use somewhere on the network.

There are two passwords (called "community strings") that can be used to take advantage of SNMP: the read string, which has a default value of "public" and the read/write string, which is set to "private." Most people never change these defaults. Armed with this knowledge, an attacker can view, alter or remotely control many SNMP-enabled devices.

When a device is plugged into the network, a DHCP server will typically issue it an IP address. At the same time, the server also gives it a "default gateway" address, which is the router address the device needs in order to reach the rest of the network. Type "ipconfig -all" at a command prompt to see these settings. If this default gateway address is then fed into a network discovery tool like SolarWinds Inc.'s Network Sonar, and if the router is set up in a default fashion, you will soon have a list of every router and switch on your network.

Once someone knows the SNMP read/write string, he or she can also download the router configuration details from each of the routers and frequently read administrative passwords, enabling someone with malicious intent to take control of the network infrastructure.

SNMP isn't merely a vulnerability in regard to network devices. If you have Windows servers running SNMP (and chances are you do), then you can list the name of every user and group on that server, irrespective of your "null sessions" settings. This is an excellent starting point for password guessing and dictionary attacks. A malicious attacker can often guess the passwords for a number of user accounts once he or she knows the account names to target. When testing networks, we use this technique to achieve a foothold into the Windows domain, from which it is sometimes possible to gain full Domain Admin privilege. You can also map out your Windows domain, discover server names and even see what hardware is in use.

Mitigation of SNMP-related threats should begin with a network device audit or discovery exercise. Network discovery can provide valuable information on network weaknesses such as poor SNMP strings and default configurations, and it gives the networks team the basis for a remediation plan. Understanding how these and other default infrastructure configurations can provide unrestricted access to a network is a major weapon in the battle against hackers and insiders who would otherwise exploit poor configuration to intercept sensitive information or steal users' Windows credentials.
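As an added example (not code from the article or its author), the following Python script performs the audit step recommended above: it hand-builds an SNMPv1 GetRequest for sysDescr.0, sends it to a device with each of the two default community strings the article names, and reports which ones the device answers, so devices still on "public"/"private" can be put on the remediation list. The host name and timeout are assumptions; the BER encoding follows the standard SNMPv1 message layout.

```python
import socket

def _tlv(tag, body):                 # BER TLV; long-form length when body >= 128 bytes
    n = len(body)
    ln = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(ln)]) + ln + body

def _int(v):                         # INTEGER, two's complement, minimal length
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _oid(dotted):                    # OBJECT IDENTIFIER: first two arcs merged, rest base-128
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest: version 0, community string, PDU with one OID/NULL varbind."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _read(buf, pos=0):               # decode one TLV -> (tag, body, next position)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def is_get_response(data):           # SNMPv1 message whose PDU tag is GetResponse (0xA2)
    tag, msg, _ = _read(data)
    pos = _read(msg, _read(msg)[2])[2]          # skip version, then community
    return tag == 0x30 and _read(msg, pos)[0] == 0xA2

def audit_host(host, communities=("public", "private"), timeout=2.0):
    """Community strings the agent on host answers sysDescr.0 for (a reply means accepted)."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for community in communities:
            s.sendto(build_get_request(community, "1.3.6.1.2.1.1.1.0"), (host, 161))
            try:
                if is_get_response(s.recvfrom(4096)[0]):
                    accepted.append(community)
            except (socket.timeout, IndexError):
                pass                 # silence is how an SNMPv1 agent rejects a string
    return accepted

if __name__ == "__main__":
    print(audit_host("192.0.2.1"))   # assumed gateway address; documentation range
```

Run it against each address the discovery exercise produced; any device that returns a non-empty list still accepts a default community string and needs its strings changed or SNMP disabled.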

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.
