Skip to content

161-162 SNMP Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behaviour.

Simple Network Management Protocol (SNMP) was created to monitor network devices. In addition, this protocol can also be used to handle configuration tasks and change settings remotely. SNMP-enabled hardware includes routers, switches, servers, IoT devices, and many other devices that can also be queried and controlled using this standard protocol. Thus, it is a protocol for monitoring and managing network devices.

Managers: one or more administrative computers that have the task of monitoring or managing a group of hosts or devices on a computer network, the managed device.

Managed devices: routers, switches, servers, IoT devices, and many other devices.

Agent: network-management software module that resides on a managed device. An agent has local knowledge of management information and translates that information to or from an SNMP-specific form.

In addition to the pure exchange of information, SNMP:

  • Transmits control commands using agents over UDP port 161.
  • Enables the use of so-called traps over UDP port 162. These are data packets sent from the SNMP server to the client without being explicitly requested. If a device is configured accordingly, an SNMP trap is sent to the client once a specific event occurs on the server-side.

Management Information Base (MIB): For the SNMP client and server to exchange the respective values, the available SNMP objects must have unique addresses known on both sides. And at this point, MIB is born.

MIB is an independent format for storing device information. A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy. MIB files are written in the Abstract Syntax Notation One (ASN.1) based ASCII text format.

They contain Object Identifier (OID), at least one. In addition to the necessary unique address and a name, provides information about the type, access rights, and a description of the respective object. An OID represents a node in a hierarchical namespace. A sequence of numbers uniquely identifies each node, allowing the node's position in the tree to be determined. The longer the chain, the more specific the information. Many nodes in the OID tree contain nothing except references to those below them. The OIDs consist of integers and are usually concatenated by dot notation.

SNMPv1, SNMPv2 and SNMPv3

SNMP version 1 (SNMPv1) is used for network management and monitoring. SNMPv1 has no built-in authentication mechanism, meaning anyone accessing the network can read and modify network data. Another main flaw of SNMPv1 is that it does not support encryption, meaning that all data is sent in plain text and can be easily intercepted.

SNMPv2 existed in different versions. The version still exists today is v2c, and the extension c means community-based SNMP. A significant problem with the initial execution of the SNMP protocol is that the community string that provides security is only transmitted in plain text, meaning it has no built-in encryption.

SNMPv3: The security has been increased enormously for SNMPv3 by security features such as authentication using username and password and transmission encryption (via pre-shared key) of the data. However, the complexity also increases to the same extent, with significantly more configuration options than v2c.

How can interception happens? Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not. It is important to note that many organizations are still using SNMPv2, as the transition to SNMPv3 can be very complex, but the services still need to remain active. SNMP Community strings provide information and statistics about a router or device. The manufacturer default community strings of public and private are often unchanged. In SNMP versions 1 and 2c, access is controlled using a plaintext community string, and if we know the name, we can gain access to it. Examination of process parameters might reveal credentials passed on the command line, which might be possible to reuse for other externally accessible services given the prevalence of password reuse in enterprise environments. Routing information, services bound to additional interfaces, and the version of installed software can also be revealed.

Footprinting SNMP

There are tools like snmpwalk, onesixtyone, and braa.

snmpwalk

snmpwalk is used to query the OIDs with their information. It retrieves a subtree of management values using SNMP GETNEXT requests.

snmpwalk -v2c -c public $ip

snmpwalk -v 2c -c public $ip 1.3.6.1.2.1.1.5.0

snmpwalk -v 2c -c private $ip

If we do not know the community string, we can use onesixtyone and SecLists wordlists to identify these community strings.

onesixtyone - Fast and simple SNMP scanner

A tool such as onesixtyone can be used to brute force the community string names using a dictionary file of common community strings such as the dict.txt file included in the GitHub repo for the tool.

onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt $ip

When certain community strings are bound to specific IP addresses, they are named with the hostname of the host, and sometimes even symbols are added to these names to make them more challenging to identify.

braa

Knowing a community string, we can use braa to brute-force the individual OIDs and enumerate the information behind them.

braa <community string>@$ip:.1.3.6.*   

    # Example:
    # braa public@10.129.14.128:.1.3.6.*

Installing SNMP

The default configuration of the SNMP daemon is located at /etc/snmp/snmpd.conf. It contains basic settings for the service, which include the IP addresses, ports, MIB, OIDs, authentication, and community strings. See specifics about the configuration of this file in the manpage.

Some classic misconfigurations are:

Settings Description
rwuser noauth Provides access to the full OID tree without authentication.
rwcommunity <community string> <IPv4 address> Provides access to the full OID tree regardless of where the requests were sent from.
rwcommunity6 <community string> <IPv6 address> Same access as with rwcommunity with the difference of using IPv6.

More about SNMP versioning and security

Source: wikipedia

SNMP is available in different versions, each has its own security issues. SNMP v1 sends passwords in clear-text over the network. Therefore, passwords can be read with packet sniffing. SNMP v2 allows password hashing with MD5, but this has to be configured. Virtually all network management software support SNMP v1, but not necessarily SNMP v2 or v3. SNMP v2 was specifically developed to provide data security, that is authentication, privacy and authorization, but only SNMP version 2c gained the endorsement of the Internet Engineering Task Force (IETF), while versions 2u and 2* failed to gain IETF approval due to security issues. SNMP v3 uses MD5, Secure Hash Algorithm (SHA) and keyed algorithms to offer protection against unauthorized data modification and spoofing attacks. If a higher level of security is needed the Data Encryption Standard (DES) can be optionally used in the cipher block chaining mode. SNMP v3 is implemented on Cisco IOS since release 12.0(3)T. SNMPv3 may be subject to brute force and dictionary attacks for guessing the authentication keys, or encryption keys, if these keys are generated from short (weak) passwords or passwords that can be found in a dictionary.

Last update: 2023-07-01
Created: May 22, 2023 16:04:59