SNMP (Simple Network Management Protocol) is an application-layer protocol that runs over UDP and is used to monitor and manage routers, hubs, and switches on an IP network. It lets network administrators manage network devices from a remote location. However, SNMP has several security weaknesses, such as a lack of auditing, which attackers may exploit to enumerate accounts and devices.
Using SNMP to create a list of the user accounts and devices on a target machine is known as SNMP enumeration. SNMP employs two types of software components for communication: the SNMP agent located on the networking device, and the SNMP management station that communicates with the agent.
SNMP uses two community strings, which act as passwords, to access and configure the SNMP agent from the management station:
- Read community string: It is public by default; it allows for viewing the device/system configuration.
- Read/Write community string: It is private by default and allows remote configuration editing.
Attackers use these default community strings to extract information about a device. By enumerating SNMP they gather details of network resources, such as hosts, routers, devices, and shares, as well as network information, such as ARP tables, routing tables, and traffic.
WORKING
SNMP uses a distributed architecture comprising SNMP managers, SNMP agents, and several related components. The communication process between an SNMP manager and an SNMP agent is as follows:
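To make the manager/agent exchange concrete, here is an added example (not code from the original post) that hand-encodes an SNMPv1 GetRequest for sysDescr.0, the GetResponse an agent would return, and a small defender-side audit() that flags the default "public"/"private" community strings discussed above and the clear-text nature of v1/v2c. The BER encoder/decoder, the sample reply text and every function name are my own; only the OID, PDU tags and version numbers come from the SNMP RFCs.

```python
"""SNMPv1/v2c message codec plus a defender's audit of one manager/agent datagram.
Added example: constructed request/response, hand-rolled BER; all names are mine."""

DEFAULT_COMMUNITIES = {b"public", b"private"}            # defaults named in the text
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3  # PDU tags (RFC 1157/3416)
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"                          # MIB-II sysDescr.0
NULL = b"\x05\x00"                                         # ASN.1 NULL: value slot of a request
VERSION_NAME = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}    # wire value of the version field


def _length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value


def enc_int(n):
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def dec_int(body):
    return int.from_bytes(body, "big", signed=True)


def enc_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray()
    for sub in [parts[0] * 40 + parts[1]] + parts[2:]:   # first two arcs share one subid
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:                      # base-128; high bit set on all but the last byte
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def enc_message(version, community, pdu_tag, request_id, varbinds):
    """Message ::= SEQUENCE { version, community, PDU }; the PDU carries the varbind list."""
    vbl = b"".join(_tlv(0x30, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, enc_int(version) + _tlv(0x04, community) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    return ".".join(str(x) for x in [subids[0] // 40, subids[0] % 40] + subids[1:])


def dec_message(buf):
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(body, 0)
    _, community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _, q = _read_tlv(pdu, q)         # error-index, not needed here
    _, vbl, _ = _read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid, r = _read_tlv(vb, 0)
        vtag, value, _ = _read_tlv(vb, r)
        varbinds.append((dec_oid(oid), vtag, value))
    return {"version": dec_int(ver), "community": community, "pdu": pdu_tag,
            "request_id": dec_int(rid), "error": dec_int(err), "varbinds": varbinds}


def audit(buf):
    """Findings a defender wants from one captured SNMP datagram."""
    m = dec_message(buf)
    findings = []
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % m["community"].decode())
    if m["version"] in (0, 1):
        findings.append("%s sends the community string in clear text" % VERSION_NAME[m["version"]])
    if m["pdu"] == SET_REQUEST:
        findings.append("SetRequest: write access over the read/write community")
    return findings


def exchange():
    """Constructed manager->agent GetRequest for sysDescr.0 and the agent's GetResponse."""
    request = enc_message(0, b"public", GET_REQUEST, 1, [(SYS_DESCR_0, NULL)])
    # The agent echoes request-id and community and fills in the value (constructed text).
    reply_value = _tlv(0x04, b"Example router, constructed sample")
    response = enc_message(0, b"public", GET_RESPONSE, 1, [(SYS_DESCR_0, reply_value)])
    return request, response


if __name__ == "__main__":
    req, resp = exchange()
    print("request :", req.hex())
    print("response:", dec_message(resp)["varbinds"])
    print("findings:", audit(req))
```

Feeding audit() datagrams captured on UDP 161 gives a quick inventory of which devices are still answering to default strings or to clear-text v1/v2c at all; a v3 message (version 3) carries no community string, which is the point of the SNMPv3 countermeasure below.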
TOOLS
SNMP enumeration tools are used to scan a single IP address or a range of IP addresses of SNMP-enabled network devices to monitor, diagnose, and troubleshoot security threats.
- Snmpcheck (snmp_enum Module): It is an open-source tool. Its goal is to automate the process of gathering information on any device with SNMP support (Windows, Unix-like, network appliances, printers, etc). Command in Kali Linux: snmp-check <IP_ADDRESS>.
- SoftPerfect Network Scanner: Attackers use this tool to gather information about a shared folder and network devices.
- Network Performance Monitor (solarwinds.com)
- OpUtils (manageengine.com)
- PRTG Network Monitor (paessler.com)
- Engineer's Toolset (solarwinds.com)
COUNTERMEASURES
- Remove the SNMP agent or turn off the SNMP service.
- If turning off SNMP is not an option, change the default community string names and upgrade to SNMPv3, which encrypts passwords and messages.
- Implement the Group Policy security option called "Additional restrictions for anonymous connections."
- Restrict access to null session pipes and null session shares, and apply IPsec filtering.
- Block access to TCP/UDP port 161.
- Do not install the management and monitoring Windows component unless required.
- Encrypt or authenticate using IPsec.
- Do not misconfigure the SNMP service with read-write authorization.
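The countermeasures above translate directly into an snmpd.conf review. The following added example (my own code, not from the original post) audits a net-snmp style configuration for the settings the list warns against: default community strings, read/write communities, communities open to any source, and SNMPv3 users not forced to the "priv" level that gives encryption. Both configuration samples are constructed, the passphrases are placeholders, and audit_snmpd_conf() is an assumed name; the directive syntax follows net-snmp's snmpd.conf.

```python
"""Audit a net-snmp style snmpd.conf against the SNMP enumeration countermeasures.
Added example: constructed configs, my own function name."""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_DIRECTIVES = {"rouser", "rwuser"}

# Constructed sample: the default-string, read/write setup the countermeasures warn against.
WEAK_CONF = """\
agentAddress udp:161
rocommunity public
rwcommunity private
"""

# Constructed sample: v1/v2c communities removed, one SNMPv3 user, authPriv required, read-only.
# Passphrases are placeholders; set real ones out of band.
HARDENED_CONF = """\
agentAddress udp:161
createUser monitor SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
rouser monitor priv
"""


def audit_snmpd_conf(text):
    """Return (line number, finding) pairs; an empty list means nothing to report."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()          # drop comments and blank lines
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES:
            name = args[0] if args else ""
            if name in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{name}'"))
            if directive.startswith("rw"):
                findings.append((lineno, "read/write community allows remote reconfiguration"))
            if len(args) < 2:                          # no SOURCE argument: any address may query
                findings.append((lineno, f"{directive} accepts requests from any source address"))
        elif directive in V3_DIRECTIVES:
            user = args[0] if args else "?"
            # net-snmp applies "auth" when no level is given; only "priv" encrypts the payload.
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((lineno, f"SNMPv3 user '{user}' not required to use priv"))
            if directive == "rwuser":
                findings.append((lineno, f"SNMPv3 user '{user}' has write access"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmpd_conf(conf) or "no findings")
```

Running it on the weak sample reports five findings (two per default string, one for the read/write community) and none on the hardened one; blocking UDP 161 at the perimeter, as the list also recommends, is enforced outside this file and is not something the audit can see.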