There is a backdoor into many large networks that few organisations seem to recognise or understand: the Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes or connection points, like servers, workstations, routers, switches and hubs on an IP network, monitoring for conditions that may require assistance from an administrator. The protocol also provides the opportunity for someone to control your network, eavesdrop on traffic and steal valuable data.
By default, SNMP is generally enabled on routers, switches and sometimes even servers. Any organization using network management software like Hewlett-Packard Co.'s OpenView or IBM Tivoli uses SNMP. Even if an enterprise does not use any network management tools, SNMP is likely to be in use somewhere on the network. There are two passwords (called "community strings") that can be used to take advantage of the Simple Network Management Protocol: the read string, which has a default value of "public," and the read/write string, which is set to "private." Most people never change these defaults. Armed with this knowledge, an attacker can view, alter or remotely control many SNMP-enabled devices.
When a device is plugged into the network, a DHCP server will typically issue the device an IP address. At the same time, the server also gives a "default gateway" address, which is the router address that a device needs in order to reach the rest of the network. Type "ipconfig /all" at a command prompt to see these settings. If an attacker then feeds this default gateway address into a network discovery tool, like SolarWinds Inc.'s Network Sonar, and if the router is set up in a default fashion, that person will soon have a list of every router and switch on your network. Using non-standard, difficult-to-guess SNMP community strings can mitigate this vulnerability. Once someone knows the SNMP read/write string, he or she can also download configuration details from each of the routers and frequently read administrative passwords, enabling someone with malicious intent to take control of the network infrastructure.
SNMP isn't merely a vulnerability in regard to network devices. If you have Windows servers running SNMP (and chances are you do), then you can list the name of every user and group on that server, irrespective of your "null sessions" settings. This is an excellent starting point for password guessing and dictionary attacks. A malicious attacker can often take those usernames and then guess their corresponding passwords; the hardest part is knowing the account names to target. When testing networks, my organization uses this technique to achieve a foothold into the Windows domain, from which it is sometimes possible to gain full domain administrator privileges. You can also map out your Windows domain, discover server names and even see what hardware is in use.
Mitigation of SNMP-related threats should begin with a network device audit or discovery exercise. Network discovery can provide valuable information on network weaknesses, such as poor SNMP strings and default configurations, as well as a remediation plan for a networks team.
A well-designed network discovery exercise will result in a list of network devices and the Simple Network Management Protocol community strings in use. You should then formulate a plan to change all existing devices to use difficult-to-guess community strings that are resistant to simple guessing attacks. Of course, it is also important to build procedures and regular checks to ensure that all new devices are installed using your own, non-default community string values.
The other significant output of a network discovery exercise should be a list of open ports (services) associated with each infrastructure device (routers, switches, access points, and so on). You should review these to ensure that each service is necessary and disable those that are not. Each essential service should then be patched, and any manufacturer default credentials should be changed to difficult-to-guess values. Again, procedures should be created to ensure that new devices conform to your new, more secure standards and regular checks are carried out to ensure compliance.
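One way to run the regular check the audit calls for is to inspect SNMP traffic on the wire. The following is an added example, not code from the article or its author: a small Python decoder for the SNMPv1/v2c message header (the BER layout from RFC 1157 and RFC 3416) that extracts the community string and PDU type and flags the two defaults the article names ("public" and "private") as well as write (SetRequest) traffic. The sample datagrams are constructed for the example, and the community string "r0-Mon!tor" is an invented value.

```python
# Decode an SNMPv1/v2c header and flag default community strings and SetRequests.
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA7: "InformRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def _tlv(buf, pos):
    """One BER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def summarize(packet):
    """Return version, community, PDU type and a list of findings for one datagram."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, ver, pos = _tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:                        # v3 carries USM credentials, not a community string
        return {"version": "v3", "community": None, "pdu": "n/a", "findings": []}
    tag, community, pos = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING expected")
    name = community.decode("latin-1")
    pdu_tag = _tlv(body, pos)[0]
    result = {"version": VERSIONS.get(version, str(version)), "community": name,
              "pdu": PDU_NAMES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag), "findings": []}
    if name in DEFAULT_COMMUNITIES:
        result["findings"].append("default community string %r in use" % name)
    if pdu_tag == 0xA3:
        result["findings"].append("SetRequest: write access over SNMP " + result["version"])
    return result

# Constructed sample datagrams (UDP payloads), not captured from any real network.
GET_PUBLIC = bytes.fromhex(      # v1 GetRequest for sysDescr.0, community "public"
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
SET_PRIVATE = bytes.fromhex(     # v2c SetRequest on sysContact.0, community "private"
    "302c 020101 0407 70726976617465 a31e 020102 020100 020100"
    "3013 3011 0608 2b06010201010400 0405 61646d696e")
GET_STRONG = bytes.fromhex(      # v2c GetRequest, non-default community (invented value)
    "302a 020101 040a 72302d4d6f6e21746f72 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
V3_HEADER = bytes.fromhex("3005 020103 3000")   # truncated v3 header, enough to show that branch
```

Feeding real UDP/161 payloads from a packet capture into summarize() gives a per-datagram list of devices and management stations still using the defaults, which is the inventory the remediation plan needs.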
An understanding of how these and other default infrastructure configurations can provide unrestricted access to a network is a major advantage in the battle against hackers and insiders, many of whom would otherwise exploit poor configurations to intercept sensitive information or steal users' Windows credentials.
About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.