There’s another backdoor into many large networks which few organisations seem to recognise or understand – Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network. It’s also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic!
By default, SNMP is generally enabled on routers, switches and sometimes even servers. If you’re using network management software like HP OpenView or IBM Tivoli then you’re using SNMP. Even if you’re not using any network management tools, you’ll still have SNMP somewhere on your network.
There are two passwords (called “community strings”) that you need to know in order to take advantage of SNMP – the read string, which has a default value of “public” and the read/write string, which is set to “private”. Most people never change these defaults. Armed with this knowledge you can view, alter or remotely control many SNMP-enabled devices.
When you plug into your network, a DHCP server will typically issue you an IP address. At the same time you are also given a “default gateway” address – the address of the router that your PC needs to know about in order to view the rest of your network. Type “ipconfig /all” at a command prompt to see these settings. If you feed this default gateway address into a network discovery tool like SolarWinds Network Sonar and if your router is set up in a default fashion, you will soon have details of every device on your network.
If you know the SNMP read/write string, you can also download the router config from each of your routers and frequently read the administrative passwords, giving you control of your network infrastructure.
If you have Windows servers running SNMP (and chances are you do) then you can list the name of every user and group on that server, irrespective of your “null sessions” settings. This is an excellent starting point for password guessing and dictionary attacks, as described above. You can also map out your Windows domain, discover server names and even see what hardware is in use.
A network discovery exercise can provide you with valuable information on your network weaknesses and a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders. You can address No. 3 – Unprotected Infrastructure – by using a few inexpensive tools or hiring someone to conduct a network discovery exercise on your behalf.
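One check your networks team can fold into that remediation plan, shown here as an added example that is not part of the original article: a script that reads saved device configurations and flags the default “public” and “private” community strings, plus any read/write community with no source restriction. It assumes Cisco IOS-style `snmp-server community` lines and net-snmp-style `rocommunity`/`rwcommunity` lines; the function names and sample configurations are constructed for illustration.

```python
import re

DEFAULTS = {"public", "private"}  # the default strings named in the article
# Assumed syntaxes: IOS "snmp-server community <string> [view <name>] [RO|RW] [<acl>]"
# and net-snmp "rocommunity|rwcommunity <string> [<source>]"
IOS = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(.*)$", re.I)
NETSNMP = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)(.*)$", re.I)

def parse_line(line):
    """Return (community, access, restricted), or None for other lines."""
    m = IOS.match(line)
    if m:
        rest = m.group(2).split()
        if rest and rest[0].lower() == "view":
            rest = rest[2:]                      # skip "view <name>"
        access = "RO"                            # IOS default when no keyword
        if rest and rest[0].upper() in ("RO", "RW"):
            access = rest.pop(0).upper()
        return m.group(1), access, bool(rest)    # leftover token = ACL
    m = NETSNMP.match(line)
    if m:
        source = m.group(3).split()
        restricted = bool(source) and source[0].lower() != "default"
        return m.group(2), m.group(1).upper(), restricted
    return None

def audit(config_text):
    """Return (line_number, finding, access) tuples; strings are not echoed."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        community, access, restricted = parsed
        if community.lower() in DEFAULTS:
            findings.append((lineno, "default-community", access))
        if access == "RW" and not restricted:
            findings.append((lineno, "rw-without-acl", access))
    return findings

# Constructed sample configurations (not taken from any real device)
SAMPLE_IOS = """hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community cfg-Wr1te RW 10
"""
SAMPLE_SNMPD = "rocommunity public default\nrwcommunity cfg-Wr1te 192.0.2.10\n"

if __name__ == "__main__":
    print(audit(SAMPLE_IOS), audit(SAMPLE_SNMPD))
```

Findings are reported by line number only, so the audit output can be shared without exposing the community strings themselves.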
Peter Wood, Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK, will be speaking at FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.