Whether you are in Cyber Security, IT or Networking, you will always come across SNMP in your day-to-day job, which shows that it is worth knowing well. Because of its importance we should understand this protocol, and as penetration testers in particular we should have a good grasp of it. I have seen many penetration testers in different scenarios who have avoided testing this protocol.
What is SNMP?
SNMP stands for Simple Network Management Protocol. The abbreviation is pretty clear, but let’s break it down to understand it better.
- Simple — It is simple to understand and implement, and it speaks in clear text so that we can read it.
- Network — It is meant to be used within the network.
- Management — It is used to manage something, preferably network devices.
- Protocol — It is part of the Internet protocol suite, defined in multiple RFCs.
Imagine having hundreds of switches, routers, hubs, computers and printers, and you are the one managing them manually without any insight into what is happening on these assets. Suddenly you get a call from a colleague telling you that the network is down and you are supposed to find where the problem actually is. Checking each router and switch by hand is a great deal of work.
SNMP was designed by people who understood such scenarios, so it helps manage all of these devices uniformly. It also:
- Monitors the inbound and outbound traffic flowing through a device, giving more insight into what is going in and out of it.
- Detects faults within network devices proactively by means of alerts and notifications, so the necessary actions can be taken in time.
- Lets us analyze data collected from devices over a long period of time to identify bottlenecks and performance issues.
- Provides a way to remotely manage, configure and control the devices.
You might have the impression that all of this is done by SNMP itself. That is partly true, but a few other components are required for SNMP to work correctly. Let’s look at these components one by one.
As the name suggests, the SNMP Manager is a piece of software installed on a system. Its main job is to query the network devices and check whether they are responding. Much like analytics software, the SNMP Manager gives us detailed insight into the network devices that are integrated with it.
For the SNMP Manager to work properly, the correct credentials must be supplied along with the IP address of the network device. Once they are provided, the SNMP Manager fetches the information that has been collected and stored by the SNMP agent on each network device.
These agents are pieces of software that come pre-installed on almost all new network devices. An agent has a specific job, which in this case is to log everything into a database called the MIB (Management Information Base). This database holds all the details of the device, i.e. its current state, and is designed specifically to store device information. The SNMP Manager sends a request to fetch details from the MIB, and they are then presented to the end user in the Network Management Software (NMS). Even if there is an error in the MIB, it will be reported to the NMS.
I would like to cover the SNMP monitoring methods before we dig deeper into how the information is stored in the MIB and into OIDs. There are primarily two methods used for SNMP monitoring.
The first is known as TRAPS and the second is known as POLLING.
The first method used to monitor networks is SNMP Traps. Traps are asynchronous: the NMS or manager never requests or queries the agent; instead the device sends data to the NMS whenever something happens on its end. Rules are configured on the device for different scenarios, and when one of them is triggered a message with the details is sent to the manager so that the required actions can be taken in time. Note that traps are transmitted over UDP port 162, so packets may be lost in transit and never reach the manager.
The second method is polling. It differs from traps in that the requests are synchronous: the NMS or manager sends a request to the agent to fetch MIB details. Requests can be scheduled at whatever interval is required; the NMS might query the agent every second or every minute, keeping track of the device over time. Polling messages are transmitted over UDP port 161, and they too can go missing in transit.
Now that we understand how SNMP works and its two alerting methods, it is time to learn about MIBs and OIDs.
MIBs — Management Information Base
The MIB, or Management Information Base, is a hierarchy of information that describes the components of a device. Network devices have a database called the ‘MIB’, ‘MIB table’ or ‘MIB tree’ with a set of ‘objects’. These objects store valuable information such as memory status, hardware status, etc. about the network device.
The MIB is globally standardized but is also flexible enough to allow vendor-specific changes, i.e. the MIBs for HP printers differ from the MIBs released for Cisco routers or switches because the vendors are different.
A sample hierarchy can be seen in the tree diagram below. The first four nodes are standardized; after that, nodes can be changed according to vendor requirements. Each node has both a name and a number, which means we can query via SNMP by crafting queries with names only or with numbers only.
Suppose that we want to query system information; the queries then look like:
String = iso.org.dod.internet.directory.mib-2.system
Numeric = 1.3.6.1.2.1.1
Suppose we want to query information under juniperMIB; the queries then look like:
String = iso.org.dod.internet.private.enterprise.juniperMIB
Numeric = 1.3.6.1.4.1.2636
These queries are called OIDs (Object Identifiers) because each one uniquely identifies a particular object in the MIB tree hierarchy.
As an example, we can use the MibDepot website to look up MIB files, MIB objects and OIDs for different vendors.
We can use these OIDs to ask an SNMP-compatible device for only the information related to that OID.
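The name-to-number mapping and the BER encoding that SNMP actually puts on the wire, as an added Python example that is not part of the original article. The small MIB_TREE table is an assumed fragment of the standard registration tree (the RFC 1155 arc names, with mib-2 sitting under mgmt(2), plus Juniper's IANA enterprise number 2636); it is not a real MIB file, and only the arcs needed for the two queries above are included.

```python
"""Added example (not from the original article): resolve a dotted OID name
path to its numeric arcs and encode/decode the numeric OID as BER, the
encoding SNMP uses on the wire.  MIB_TREE is a hand-picked fragment of the
standard registration tree (RFC 1155 arcs plus Juniper's IANA enterprise
number 2636); it is an assumption that these few arcs are all we need."""

# parent node name -> {child node name: arc number}
MIB_TREE = {
    "iso": {"org": 3},
    "org": {"dod": 6},
    "dod": {"internet": 1},
    "internet": {"directory": 1, "mgmt": 2, "experimental": 3, "private": 4},
    "mgmt": {"mib-2": 1},
    "mib-2": {"system": 1, "interfaces": 2},
    "system": {"sysDescr": 1, "sysObjectID": 2, "sysUpTime": 3,
               "sysContact": 4, "sysName": 5},
    "private": {"enterprises": 1},
    "enterprises": {"juniperMIB": 2636},
}


def resolve(name_path: str) -> list[int]:
    """Turn 'iso.org.dod.internet.mgmt.mib-2.system' into [1, 3, 6, 1, 2, 1, 1].

    A trailing numeric component (e.g. the '.0' instance index of a scalar)
    is accepted as-is."""
    parts = name_path.split(".")
    if parts[0] != "iso":
        raise ValueError("only the iso(1) subtree is modelled here")
    arcs, parent = [1], "iso"
    for part in parts[1:]:
        if part.isdigit():
            arcs.append(int(part))
            parent = None              # numeric arcs have no named children here
        elif parent is not None and part in MIB_TREE.get(parent, {}):
            arcs.append(MIB_TREE[parent][part])
            parent = part
        else:
            raise KeyError(f"unknown arc {part!r} under {parent!r}")
    return arcs


def to_dotted(arcs: list[int]) -> str:
    return ".".join(str(a) for a in arcs)


def _base128(n: int) -> bytes:
    """Encode one arc as BER base-128: 7 bits per byte, high bit set on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(arcs: list[int]) -> bytes:
    """BER OBJECT IDENTIFIER (tag 0x06): the first two arcs are packed as 40*X+Y."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _ber_length(len(body)) + body


def decode_oid(tlv: bytes) -> list[int]:
    """Inverse of encode_oid; only short-form lengths (< 128 bytes) are handled."""
    if tlv[0] != 0x06 or tlv[1] & 0x80:
        raise ValueError("expected an OBJECT IDENTIFIER with a short-form length")
    body = tlv[2:2 + tlv[1]]
    values, acc = [], 0
    for byte in body:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:            # last byte of this arc
            values.append(acc)
            acc = 0
    first = values[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return arcs + values[1:]


if __name__ == "__main__":
    for path in ("iso.org.dod.internet.mgmt.mib-2.system.sysDescr.0",
                 "iso.org.dod.internet.private.enterprises.juniperMIB"):
        arcs = resolve(path)
        print(f"{path}\n  -> {to_dotted(arcs)}\n  -> BER {encode_oid(arcs).hex()}")
```

The packing of the first two arcs into a single byte (1.3 becomes 0x2b) and the base-128 continuation bytes for arcs above 127 (2636 becomes 0x94 0x4c) are why a raw SNMP packet never shows the familiar dotted string; any parser or IDS signature that wants to match an OID has to compare the encoded form.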
One of the reasons that SNMP has seen such heavy adoption is the simplicity of the commands available. There are very few operations to implement or remember, but they are flexible enough to address the utility requirements of the protocol.
The following PDUs, or protocol data units, describe the exact messaging types that are allowed by the protocol:
- Get: A Get message is sent by a manager to an agent to request the value of a specific OID. This request is answered with a Response message that is sent back to the manager with the data.
- GetNext: A GetNext message allows a manager to request the next sequential object in the MIB. This is a way that you can traverse the structure of the MIB without worrying about what OIDs to query.
- Set: A Set message is sent by a manager to an agent in order to change the value held by a variable on the agent. This can be used to control configuration information or otherwise modify the state of remote hosts. This is the only write operation defined by the protocol.
- GetBulk: This manager to agent request functions as if multiple GetNext requests were made. The reply back to the manager will contain as much data as possible (within the constraints set by the request) as the packet allows.
- Response: This message, sent by an agent, is used to send any requested information back to the manager. It serves as both a transport for the data requested, as well as an acknowledgement of receipt of the request. If the requested data cannot be returned, the response contains error fields that can be set with further information. A response message must be returned for any of the above requests, as well as Inform messages.
- Trap: A trap message is generally sent by an agent to a manager. Traps are asynchronous notifications in that they are unsolicited by the manager receiving them. They are mainly used by agents to inform managers of events that are happening on their managed devices.
- Inform: To confirm the receipt of a trap, a manager sends an Inform message back to the agent. If the agent does not receive this message, it may continue to resend the trap message.
With these seven data unit types, SNMP is capable of querying for and sending information about your networked devices.
SNMP community strings are like a user ID or password that is sent along with each SNMP Get request. Only if the community string supplied in the request is correct will the device respond with the requested information.
In most cases vendors ship their equipment with the default community string set to “public”, and it is up to the network administrators to change it. If they do not, intruders will be able to read a great deal of information from the device that they should not have access to.
Alongside the Read-Only community string there will definitely be a need to write to or change the configuration of the device. For that we also have the Read-Write community string, which is used with Set requests to set a particular MIB object to a given value. The Read-Write community string should never be set to “public”, as that would allow unauthorized users to make unwanted changes.
Finally, we have the SNMP Trap community string, which accompanies traps: unsolicited messages from a device to the SNMP console stating that the device is in an unusual state. Traps might indicate power-up, link up/down, temperatures exceeding certain limits, etc.
Is SNMP Secure?
Well, if you are using SNMPv3, then you can say that you are secure for the time being. Nothing is threat-proof in today’s cyber world, but you can minimize the threats to a certain level.
There are three versions of SNMP: version 1, 2c and 3.
The first two versions are not secure at all because they transmit information in clear text, and the only authentication mechanism is supplying a community string. So if an attacker has access to the network they can perform a MITM attack and obtain the community strings, which can then be used to query SNMP-compatible devices; community strings can also be brute-forced. SNMPv3 fixed this by adding USM and VACM, i.e. the User-based Security Model and the View-based Access Control Model. It also introduced the Engine ID, an identifier that uniquely identifies each SNMP device; to avoid conflicts, every device must have a unique Engine ID. SNMPv3 also added authentication and encryption mechanisms to make the protocol more secure.
However, we can now also use SNMP over TLS and DTLS, which give more protection to the data being transmitted. If we do so, the ports change: for TLS (Transport Layer Security) TCP port 10161 is used, and for DTLS (Datagram Transport Layer Security) TCP port 10162 is used.
SNMPv3 has three security levels, which are as follows:
- NoAuthNoPriv: Users at this level have no authentication and no privacy when they send or receive messages.
- AuthNoPriv: This level requires the user to authenticate, but sent and received messages are not encrypted.
- AuthPriv: Finally, the most secure level, where authentication is required and sent and received messages are encrypted.
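An added example (not from the original article) covering the community-string, PDU-type and version discussion above: a small BER walker that reads the version, community string and PDU type of an SNMPv1/v2c message, or the msgFlags security level of an SNMPv3 header, and flags the weak cases the text describes (clear-text v1/v2c, a default community, a SetRequest, or v3 below authPriv). The four sample frames were assembled by hand for this example and are not captures from any real device; the v3 frames carry only the message header, with the security parameters and scoped PDU stubbed out.

```python
"""Added example (not part of the original article): a minimal BER walker that
pulls version, community string and PDU type out of an SNMPv1/v2c message,
or the security level (msgFlags) out of an SNMPv3 header, and then applies
the checks described in the text.  The sample frames below were hand-assembled
for this example; they are not captures from any real device."""

PDU_NAMES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
    0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "SNMPv2-Trap",
}
DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
# msgFlags low two bits: bit0 = auth, bit1 = priv (priv without auth is invalid)
SECURITY_LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_int(content: bytes) -> int:
    return int.from_bytes(content, "big", signed=True)


def parse_snmp(raw: bytes) -> dict:
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    _, ver, pos = read_tlv(body)
    version = read_int(ver)
    info = {"version": VERSION_NAMES.get(version, f"unknown({version})")}
    if version in (0, 1):
        # v1/v2c: SEQUENCE { version, community OCTET STRING, PDU }
        _, community, pos = read_tlv(body, pos)
        pdu_tag, pdu, _ = read_tlv(body, pos)
        info["community"] = community.decode("ascii", "replace")
        info["pdu"] = PDU_NAMES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")
        # PDU: request-id, error-status, error-index, then the VarBindList
        p, ints = 0, []
        for _ in range(3):
            _, v, p = read_tlv(pdu, p)
            ints.append(read_int(v))
        info["request_id"], info["error_status"] = ints[0], ints[1]
        _, varbinds, _ = read_tlv(pdu, p)
        count = q = 0
        while q < len(varbinds):                    # one SEQUENCE per VarBind
            _, _, q = read_tlv(varbinds, q)
            count += 1
        info["varbinds"] = count
    elif version == 3:
        # v3: SEQUENCE { version, msgGlobalData SEQUENCE { msgID, msgMaxSize,
        #                msgFlags, msgSecurityModel }, securityParams, msgData }
        _, global_data, _ = read_tlv(body, pos)
        p = 0
        for _ in range(2):                          # skip msgID and msgMaxSize
            _, _, p = read_tlv(global_data, p)
        _, flags, _ = read_tlv(global_data, p)
        info["security_level"] = SECURITY_LEVELS.get(flags[0] & 0x03, "invalid")
    return info


def assess(raw: bytes):
    """Return (parsed fields, list of findings) for one SNMP message."""
    info = parse_snmp(raw)
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append("v1/v2c: community string and data sent in clear text")
        if info["community"] in DEFAULT_COMMUNITIES:
            findings.append(f"default community string {info['community']!r}")
        if info["pdu"] == "SetRequest":
            findings.append("SetRequest seen: write access is in use")
    elif info["version"] == "v3" and info["security_level"] != "authPriv":
        findings.append(f"v3 without encryption ({info['security_level']})")
    return info, findings


# Constructed frames (hex), assembled by hand for this example.
SAMPLES = {
    # v2c GetRequest, community "public", request-id 42, one varbind (sysDescr.0)
    "v2c_get_public": ("302602010104067075626c6963a01902012a020100020100"
                       "300e300c06082b060102010101000500"),
    # v2c SetRequest, community "private", sets sysName.0 to "core-sw1"
    "v2c_set_private": ("302f020101040770726976617465a32102012b020100020100"
                        "3016301406082b060102010105000408636f72652d737731"),
    # v3 header, msgFlags 0x07 = auth+priv+reportable; params and msgData stubbed
    "v3_authpriv": "3016020103300d020101020205dc04010702010304000400",
    # v3 header, msgFlags 0x04 = reportable only, i.e. noAuthNoPriv
    "v3_noauthnopriv": "3016020103300d020101020205dc04010402010304003000",
}


def audit_samples() -> dict:
    """Name -> findings for every constructed frame (what a capture audit would log)."""
    return {name: assess(bytes.fromhex(hexdata))[1] for name, hexdata in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["no findings"])
```

Fed with the UDP/161 and UDP/162 payloads from a capture, the same parse_snmp maps each of the article's points onto something observable: a v1/v2c message shows its community string to everyone on the path, “public” and “private” are exactly the defaults that should have been changed, and a SetRequest carrying such a string means the Read-Write access is exposed.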
So far we have learned quite a lot about the SNMP protocol. You may have asked yourself how we can do a vulnerability assessment or penetration test of an SNMP-compatible device. This section covers the exploitation side.
We can query Censys to list all the devices that are running SNMP and are exposed to the public.
We found a ton of devices. Let’s check a device with the IP 126.96.36.199.
The first and foremost tool we are going to use is snmp-check. It comes pre-installed with Kali Linux. First we will look at the parameters this tool supports.
There are a few options. First we need to specify the port, which by default is 161, the polling port; it can be changed as required. The second option is the community string; at the moment we are most interested in “public” and “private”. Third, we can define the protocol version with the version flag, and finally the -w flag checks whether we have write access on the system, which would allow us to make changes to the objects.
Let’s fire up the snmp-check and see what results are provided.
We confirmed that SNMPv1 is in use with the default community string set to “public”. We also have write access on the device, meaning we can alter its objects.
A lot of other information is provided as well, i.e. system and network information and any other ports open on the device.
By doing so we obtained plenty of information. A skilled attacker can also scan the subnets for other devices and look for possible loopholes.
snmpwalk is another tool that does a useful job: it can walk the complete set of MIB objects. If we want to list everything on the device, we can use the snmpwalk command to list the OIDs and their respective values.
Once we have the OIDs, we can query the device for the details of a specific OID. Suppose we only want to check the device name; we can query the device as below.
Doing so, only the information related to the OID we supplied is returned. And since we have write access on the device over SNMP.
Similarly, we can use Nmap, which includes a few SNMP-related scripts.
We can also use Metasploit, which has a few auxiliary modules that do the work for us.
Finally, we can use the built-in SNMP-related tools within Kali Linux.
I had been thinking for a long time about writing this article, and before doing so I refreshed my personal understanding of the SNMP protocol. For that I read a ton about this protocol and noted down some good references for you to have a look at as well.