
Network discovery and the Simple Network Management Protocol


Peter Wood, Contributor
01.22.2010

There is a backdoor into many large networks that few organisations seem to recognise or understand – Simple Network Management Protocol (SNMP).

SNMP is the Internet standard protocol developed to manage nodes or connection points, like servers, workstations, routers, switches and hubs, on an IP network, monitoring for conditions that may require assistance from an administrator. The protocol also provides the opportunity for someone to control your network, eavesdrop on traffic and steal valuable data, which we'll cover shortly.

By default, SNMP is generally enabled on routers, switches and sometimes even servers. Any organization using network management software like Hewlett-Packard Co.'s OpenView or IBM Tivoli uses SNMP. Even if an enterprise does not use any network management tools, SNMP is likely to be in use somewhere on the network.

There are two passwords (called "community strings") that can be used to take advantage of SNMP: the read string, which has a default value of "public" and the read/write string, which is set to "private." Most people never change these defaults. Armed with this knowledge, an attacker can view, alter or remotely control many SNMP-enabled devices.

When a device is plugged into the network, a DHCP server will typically issue it an IP address. At the same time, the server also gives a "default gateway" address, which is the router address that a device needs in order to view the rest of the network. Type "ipconfig -all" at a command prompt to see these settings. If this default gateway address is then fed into a network discovery tool like SolarWinds Inc.'s Network Sonar, and if the router is set up in a default fashion, you will soon have a list of every router and switch on your network.

Once someone knows the SNMP read/write string, he or she can also download the router configuration details from each of the routers and frequently read administrative passwords, enabling someone with malicious intent to take control of the network infrastructure.

SNMP isn't merely a vulnerability in regard to network devices. If you have Windows servers running SNMP (and chances are you do), then you can list the name of every user and group on that server, irrespective of your "null sessions" settings. This is an excellent starting point for password guessing and dictionary attacks. A malicious attacker can often guess the passwords for a number of user accounts once he or she knows the account names to target. When testing networks, we use this technique to achieve a foothold into the Windows domain, from which it is sometimes possible to gain full Domain Admin privilege. You can also map out your Windows domain, discover server names and even see what hardware is in use.

Mitigation of SNMP-related threats should begin with a network device audit or discovery exercise. Network discovery can provide valuable information on network weaknesses such as poor SNMP strings and default configurations, as well as a remediation plan for the network team. Understanding how these and other default infrastructure configurations can provide unrestricted access to a network is a major weapon in the battle against hackers and insiders who would otherwise exploit poor configuration to intercept sensitive information or steal users' Windows credentials.
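One way to start the device audit described above is to check exported device configurations for the default community strings. The following is an added example, not code from the original article; it assumes Cisco IOS-style `snmp-server community` lines, and the device names and sample configurations are constructed.

```python
import re

# Default community strings named in the article.
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed syntax (Cisco IOS style):
#   snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<string>\S+)"
    r"(?:\s+view\s+\S+)?(?:\s+(?P<mode>ro|rw))?(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)

def audit_config(device, config_text):
    """Return (device, line_no, severity, message) findings for one config."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        mode = (m.group("mode") or "ro").upper()  # no keyword means read-only
        if m.group("string").lower() in DEFAULT_COMMUNITIES:
            severity = "critical" if mode == "RW" else "high"
            findings.append((device, line_no, severity,
                             f"default community string grants {mode} access"))
        if m.group("acl") is None:
            severity = "high" if mode == "RW" else "medium"
            findings.append((device, line_no, severity,
                             f"{mode} community is not restricted by an access list"))
    return findings

# Constructed sample configurations (not taken from any real device).
SAMPLE_CONFIGS = {
    "core-rtr-01": "hostname core-rtr-01\n"
                   "snmp-server community public RO\n"
                   "snmp-server community private RW\n",
    "edge-sw-02": "hostname edge-sw-02\n"
                  "snmp-server community constructed-Xk7q RO 10\n",
}

def audit_all(configs):
    """Audit every device and return findings sorted worst-first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = [f for dev, text in configs.items() for f in audit_config(dev, text)]
    return sorted(findings, key=lambda f: order[f[2]])

if __name__ == "__main__":
    for device, line_no, severity, message in audit_all(SAMPLE_CONFIGS):
        print(f"{severity.upper():8} {device} line {line_no}: {message}")
```

The findings deliberately omit non-default community strings from the message text so that the audit report does not itself become a list of credentials.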

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.

All Rights Reserved, Copyright 2008 - 2010, TechTarget