Simple network management protocol: Essential threats to avoid


Peter Wood, Contributor, SearchSecurity.co.uk
10.29.2009

There is a backdoor into many large networks that few organisations seem to recognise or understand: the Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes or connection points, like servers, workstations, routers, switches and hubs on an IP network, monitoring for conditions that may require assistance from an administrator. The protocol also provides the opportunity for someone to control your network, eavesdrop on traffic and steal valuable data.

By default, SNMP is generally enabled on routers, switches and sometimes even servers. Any organisation using network management software like Hewlett-Packard Co.'s OpenView or IBM Tivoli uses SNMP. Even if an enterprise does not use any network management tools, SNMP is likely to be in use somewhere on the network. Access to SNMP is controlled by two passwords (called "community strings"): the read string, which has a default value of "public," and the read/write string, which defaults to "private." Most people never change these defaults. Armed with this knowledge, an attacker can view, alter or remotely control many SNMP-enabled devices.

When a device is plugged into the network, a DHCP server will typically issue the device an IP address. At the same time, the server also gives a "default gateway" address, which is the router address that a device needs in order to reach the rest of the network. Type "ipconfig /all" at a command prompt to see these settings. If an attacker then feeds this default gateway address into a network discovery tool, like SolarWinds Inc.'s Network Sonar, and if the router is set up in a default fashion, that person will soon have a list of every router and switch on your network. Using non-standard, difficult-to-guess SNMP community strings mitigates this weakness. Once someone knows the SNMP read/write string, he or she can also download configuration details from each of the routers and frequently read administrative passwords, enabling someone with malicious intent to take control of the network infrastructure.

SNMP is not only a risk on network devices. If you have Windows servers running SNMP (and chances are you do), then anyone who knows the community string can list the name of every user and group on that server, irrespective of your "null sessions" settings. This is an excellent starting point for password guessing and dictionary attacks. A malicious attacker can often take those usernames and then guess their corresponding passwords; the hardest part is knowing the account names to target. When testing networks, my organization uses this technique to achieve a foothold into the Windows domain, from which it is sometimes possible to gain full domain administrator privileges. The same information can also be used to map out your Windows domain, discover server names and even see what hardware is in use.

Mitigation of SNMP-related threats should begin with a network device audit or discovery exercise. Network discovery can provide valuable information on network weaknesses, such as poor SNMP strings and default configurations, as well as a remediation plan for a networks team.

A well-designed network discovery exercise will result in a list of network devices and the Simple Network Management Protocol community strings in use. You should then formulate a plan to change all existing devices to use difficult-to-guess community strings that are resistant to simple guessing attacks. Of course, it is also important to build procedures and regular checks to ensure that all new devices are installed using your organisation's own community string values rather than the manufacturer defaults.

The other significant output of a network discovery exercise should be a list of open ports (services) associated with each infrastructure device (routers, switches, access points, and so on). You should review these to ensure that each service is necessary and disable those that are not. Each essential service should then be patched, and any manufacturer default credentials should be changed to difficult-to-guess values. Again, procedures should be created to ensure that new devices conform to your new, more secure standards, and regular checks should be carried out to ensure compliance.
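One way to back up the "regular checks" described above is to inspect captured SNMP traffic (UDP/161 payloads from a span port or packet capture) and flag any message that still carries the default "public" or "private" community string, or any SetRequest (write) at all. The following is an added example, not code from the original article or from any tool it names; the packets it parses are constructed inline by build_snmp() purely as test input, and the community string "Xq7!r2Lw" is a made-up non-default value.

```python
# Added example (not from the original article): minimal SNMPv1/v2c BER parser
# that flags default community strings and SetRequest PDUs in captured payloads.
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}

def _tlv(tag, value):
    """Encode one BER tag/length/value (short-form length; enough for test data)."""
    return bytes([tag, len(value)]) + value

def build_snmp(version, community, pdu_tag, request_id=1):
    """Constructed SNMP message with one sysDescr.0 varbind (test input only)."""
    oid = _tlv(0x06, bytes.fromhex("2b06010201010100"))          # 1.3.6.1.2.1.1.1.0
    varbinds = _tlv(0x30, _tlv(0x30, oid + _tlv(0x05, b"")))      # { sysDescr.0 = NULL }
    pdu = _tlv(pdu_tag, _tlv(0x02, bytes([request_id]))           # request-id
                        + _tlv(0x02, b"\x00") * 2 + varbinds)     # error-status, error-index
    return _tlv(0x30, _tlv(0x02, bytes([version]))                # version: 0=v1, 1=v2c, 3=v3
                      + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu_name); community and pdu are None for SNMPv3."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    ver_num = int.from_bytes(ver, "big")
    if tag != 0x02 or ver_num not in (0, 1, 3):
        raise ValueError("malformed or unsupported SNMP version field")
    if ver_num == 3:                         # v3 carries msgGlobalData here, no community string
        return "v3", None, None
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community string")
    pdu_tag = _read_tlv(body, pos)[0]
    return ("v1", "v2c")[ver_num], community.decode("latin-1"), PDU_NAMES.get(pdu_tag, hex(pdu_tag))

def audit_snmp(payload):
    """Findings for one captured payload: default community strings and write requests."""
    version, community, pdu = parse_snmp(payload)
    findings = []
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"{version} {pdu} uses default community string '{community}'")
    if pdu == "SetRequest":
        findings.append(f"{version} SetRequest (write) with community '{community}'")
    return findings
```

Run audit_snmp() over every UDP/161 payload in a capture and treat any finding as a device that has not yet been brought into line with the new community string standard.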

An understanding of how these and other default infrastructure configurations can provide unrestricted access to a network is a major advantage in the battle against hackers and insiders, many of whom would otherwise exploit poor configurations to intercept sensitive information or steal users' Windows credentials.

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.
