If I were to wander into your offices, plug in my laptop and within minutes take control of your network infrastructure, would you be surprised?
There’s a backdoor into many large networks which few organisations seem to recognise or understand: Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol for managing nodes (servers, workstations, routers, switches, hubs and so on) on an IP network. It lets network administrators monitor network performance, find and fix network problems, and plan for network growth. It’s also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic!
SNMP is enabled by default on most routers and switches, and it is frequently running on servers as well. If you’re using network management software like HP OpenView or IBM Tivoli then you’re using SNMP. Even if you’re not using any network management tools, you’ll still have SNMP somewhere on your network. With the versions of SNMP that most of this equipment speaks (v1 and v2c) there are two passwords (called “community strings”) that you need to know in order to take advantage of it: the read-only string, which defaults to “public”, and the read/write string, which defaults to “private”. Both are sent across the network in cleartext, and most people never change the defaults. Armed with this knowledge you can view, alter or remotely control any SNMP-enabled device that still uses them.
When I plug into your network a DHCP server will issue me an IP address. At the same time I am also given a “default gateway” address: the address of the router my laptop needs to know about in order to reach the rest of your network. Just type “ipconfig /all” at a command prompt to see what I mean. If I feed the default gateway address into a network discovery tool like SolarWinds Network Sonar, and your router is set up with the default community strings, I will soon have details of every device on your network. With the read/write string I can also tell each of your routers to send me a copy of its configuration (Cisco routers, for example, will TFTP their config to whatever address is written into the appropriate SNMP object) and read the administrative passwords out of it; passwords stored in Cisco’s reversible “type 7” format are recovered in seconds. That gives me the keys to your network infrastructure.
If you have Windows servers running the SNMP service (and chances are you do) then I can list the name of every user and group on that server, along with its file shares and running services, straight out of the LanManager MIB. This gives me an excellent starting point for password guessing and dictionary attacks. I can also map out your Windows domain, discover your server names and even see what hardware you’re using.
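To make the mechanics concrete, here is an added Python example (mine, not code from the article nor from SolarWinds or any other tool it names) showing what such a discovery tool does on the wire. It hand-encodes the SNMPv1 GetRequest for sysDescr.0, pulls the community string straight back out of the packet bytes to show that anyone sniffing the segment sees it in cleartext, decodes a GetResponse, and tries the two default strings against a host over UDP/161. The gateway address 192.0.2.1 and the sysDescr text in the fabricated reply are placeholders, and only the standard library is used. The same request with a GetNext PDU (tag 0xA1) walked over the Windows LanManager MIB user table at 1.3.6.1.4.1.77.1.2.25 is how the user listing described above is obtained; that walk loop is left out here.

```python
import socket

def _ber_len(n: int) -> bytes:
    if n < 0x80:                                   # short form: one length byte
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form: 0x8N + N length bytes

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _integer(value: int) -> bytes:
    length = max(1, (value.bit_length() + 8) // 8)  # leaves room for the sign bit
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _message(community: str, pdu_tag: int, request_id: int, varbind: bytes) -> bytes:
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    # version 0 = SNMPv1; the community is a plain OCTET STRING, i.e. cleartext on the wire
    return _tlv(0x30, _integer(0) + _tlv(0x04, community.encode()) + pdu)

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """GetRequest-PDU (tag 0xA0) for one OID; the value slot is NULL."""
    return _message(community, 0xA0, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))

def build_get_response(community: str, oid: str, value: str, request_id: int = 1) -> bytes:
    """GetResponse-PDU (tag 0xA2) with an OCTET STRING value; lets us fabricate an agent reply offline."""
    return _message(community, 0xA2, request_id, _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode())))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2   # returns (tag, payload, next position)
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_community(packet: bytes) -> str:
    """What a sniffer sees: the community is the second element of the outer SEQUENCE of any v1/v2c message."""
    tag, msg, _ = _read_tlv(packet, 0)
    vtag, version, pos = _read_tlv(msg, 0)
    ctag, community, _ = _read_tlv(msg, pos)
    if tag != 0x30 or vtag != 0x02 or ctag != 0x04 or version not in (b"\x00", b"\x01"):
        raise ValueError("not an SNMPv1/v2c message")
    return community.decode("latin-1")

def parse_get_response(packet: bytes) -> dict:
    """Pull community, request-id, error-status and the first varbind's value out of a GetResponse."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, pos = _read_tlv(msg, 0)                  # version
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, req_id, pos = _read_tlv(pdu, 0)
    _, status, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)                # error-index, not needed here
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, first, _ = _read_tlv(varbinds, 0)
    _, _, pos = _read_tlv(first, 0)                # OID, not needed here
    vtag, value, _ = _read_tlv(first, pos)
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(status, "big", signed=True),
            "value": value.decode("latin-1") if vtag == 0x04 else value}

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
def probe_default_strings(host: str, communities=("public", "private"), timeout: float = 2.0) -> dict:
    """Try each community with a sysDescr.0 GetRequest; a v1 agent silently drops a wrong one, so a timeout means rejected."""
    results = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for req_id, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, SYS_DESCR, req_id), (host, 161))
            try:
                resp = parse_get_response(sock.recvfrom(4096)[0])
                accepted = resp["request_id"] == req_id and resp["error_status"] == 0
                results[community] = resp["value"] if accepted else None
            except (socket.timeout, ValueError, IndexError):
                results[community] = None
    finally:
        sock.close()
    return results

if __name__ == "__main__":
    # 192.0.2.1 (an RFC 5737 documentation address) stands in for the gateway shown by "ipconfig /all"
    for community, descr in probe_default_strings("192.0.2.1").items():
        print(community, "->", descr or "no answer")
```

Run it against the gateway handed out by DHCP; an answer to “private” means anyone on the LAN can write to the device. Because a v1 agent says nothing at all to a wrong community, a silent host might simply not be running SNMP, so confirm the port is open before concluding that the strings have been changed.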
Of course it’s not just the casual visitor who may take advantage of this vulnerability, but a disgruntled member of staff, an industrial spy disguised as a contractor or just a nosy IT graduate. Most organisations remain highly vulnerable to insider attacks, yet feel secure because they’ve spent a lot of money on firewalls. It’s time to wake up and recognise that organised crime and casual thieves will both take the easiest, least risky route and that’s from inside the organisation.
So what can you do? First and foremost, if you’re not using SNMP, turn it off! If you are using it, a good start must be to change those default community strings. But before you rush off to start this project, a few words of caution. Firstly, discover which software in your organisation is using SNMP and whether it can use non-default community strings (there are still some horrible applications with hard-coded strings and passwords in many organisations). Secondly, once you’re satisfied that nothing will break if you change those strings, select something complex that will resist a dictionary attack. A long string of mixed case, numbers and punctuation is best, the read/write string must never be the same as the read-only one, and if nothing needs to write to a device, remove its read/write string altogether. Thirdly, restrict which addresses each device will accept SNMP from (an access list on a router, a source address in snmpd.conf) so that a visitor’s laptop cannot even ask. Remember too that SNMPv1 and v2c send the community string in cleartext, so anyone who can sniff your management traffic will learn even the best string; where your equipment supports SNMPv3 with authentication and encryption, use it. Finally, as you’ll need to write those complex strings down, make sure you secure that information properly: a password safe, not a spreadsheet on a file share!
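The following Python, added here as an illustration rather than taken from the article, is the kind of check a networks team can run over exported device configurations before and after the change. It reads Cisco IOS “snmp-server community” lines and net-snmp snmpd.conf “rocommunity”, “rwcommunity” and “com2sec” lines, flags default or weak strings (the 16-character minimum and the three-character-class rule are my thresholds, chosen to match the advice above), and reports any community that is not tied to an access list or source address. The sample configuration is constructed, and only the common forms of each syntax are handled (IPv6 access lists, for instance, are ignored).

```python
import re

# The two defaults named in the article; add any vendor-specific defaults you know are in use.
DEFAULT_COMMUNITIES = {"public", "private"}

def community_strength_issues(community: str, min_len: int = 16) -> list:
    """Reasons a community string would not survive a dictionary attack; an empty list means it passes.
    The 16-character minimum and the three-class rule are this check's own assumptions."""
    issues = []
    if community.lower() in DEFAULT_COMMUNITIES:
        issues.append("default community string")
    if len(community) < min_len:
        issues.append("shorter than %d characters" % min_len)
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(pat, community))
    if classes < 3:
        issues.append("fewer than three character classes (mixed case, digits, punctuation)")
    return issues

def _parse_cisco(tokens: list):
    """snmp-server community <string> [view <name>] [RO|RW] [<acl>]  (common IOS forms only)."""
    community, access, acl = tokens[0], "RO", None
    rest = tokens[1:]
    if rest[:1] == ["view"]:
        rest = rest[2:]
    for tok in rest:
        if tok.upper() in ("RO", "RW"):
            access = tok.upper()
        else:
            acl = tok
    return community, access, acl

def audit_snmp_config(text: str) -> list:
    """Scan Cisco IOS or net-snmp (snmpd.conf) configuration text for community strings and report,
    per line, the access level, whether a source ACL restricts it, and any strength issues."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":               # comment lines in snmpd.conf ('#') and IOS ('!')
            continue
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) > 2:
            community, access, source = _parse_cisco(tokens[2:])
        elif tokens[0] in ("rocommunity", "rwcommunity") and len(tokens) > 1:
            # rocommunity/rwcommunity <string> [source]; a missing source or "default" means any host
            community = tokens[1]
            access = "RW" if tokens[0] == "rwcommunity" else "RO"
            source = tokens[2] if len(tokens) > 2 else None
        elif tokens[0] == "com2sec" and len(tokens) > 3:
            # com2sec <secname> <source> <community>; access is decided by later group/access lines
            community, access, source = tokens[3], "via com2sec", tokens[2]
        else:
            continue
        restricted = source is not None and source.lower() != "default"
        issues = community_strength_issues(community)
        if not restricted:
            issues.append("no ACL/source restriction: any host that can reach UDP/161 may use it")
        findings.append({"line": lineno, "community": community, "access": access,
                         "restricted": restricted, "issues": issues})
    return findings

# Constructed sample mixing the two syntaxes; not taken from any real device.
SAMPLE_CONFIG = """\
! Cisco IOS fragment (constructed)
snmp-server community public RO
snmp-server community private RW
snmp-server community Q7v!kR2m-xP9sLw4Zb RO 10
# net-snmp snmpd.conf fragment (constructed)
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec notConfigUser default public
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print("line %d  %-11s %-22s %s" % (f["line"], f["access"], f["community"], status))
```

Feed it the running configs you already pull for backup; anything reported as RW and unrestricted is exactly the combination that lets a visitor rewrite your routers. A line that passes here still needs the second check from the text, namely that no application has that string hard-coded.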
Now, before you go to set up that meeting with your network admins, there are a number of other backdoors that may reveal your SNMP strings to an attacker even after you’ve changed them all. So build a strategy to seek out those backdoors and secure them, and then develop an incident response procedure to use when your shiny new community strings are compromised.
One of the most common ways SNMP community strings are exposed is via server management consoles like Compaq Insight Manager (CIM) that have been poorly configured. CIM’s web browser interface can usually be found on TCP port 2301. Older versions have a default Administrator password of “administrator”, permitting an unauthorised user to gain control of the server remotely, read the SNMP strings it holds and even power down the server.
A short and inexpensive network discovery exercise can provide you with valuable information on your network weaknesses and a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders.
Peter Wood, Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.