lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <b7a807650803031602y6c264d5x3b20f82e2e83517f@mail.gmail.com>
Date: Tue, 4 Mar 2008 00:02:25 +0000
From: "Adrian P" <unknown.pentester@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Exploring the UNKNOWN: Scanning the Internet via
	SNMP!

* Exploring the UNKNOWN: Scanning the Internet via SNMP! *
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/

Hacking is not only about coming up with interesting solutions to
problems, but also about exploring the unknown. It was this drive for
knowledge philosophy that lead to surveying a significant sample of
the Internet which allowed us to make some VERY interesting
observations and get an idea of the current state of _remote SNMP
hacking_.

* Why SNMP? *

2.5 million random IP addresses were surveyed via SNMP. Why SNMP you
might be asking? Well, there are several reasons. First of all SNMP is
a UDP-based protocol which allows us to perform scanning at a much
shorter time than via TCP-based protocols. Another advantage of
UDP-based protocols is that the source IP address can be spoofed
easily. In the case of SNMP, it means that an attacker could change
configuration settings from a spoofed IP address provided that a valid
write community string is identified or cracked. Needless to say,
changing config settings via SNMP can lead to a full compromise.
Finally, we have been very involved [1] researching embedded devices
lately, and since a significant amount of Internet devices are
hackable via SNMP, such protocol was an obvious candidate.

* When SNMP read access is all we need for successful pwnage *

Gaining SNMP write access is of course usually considered to be a more
serious issue than gaining SNMP read access only. However, even if a
cracker only gained read access to a device/server via a SNMP
community string, sometimes it would possible to extract sensitive
information such as usernames and passwords which would eventually
lead to a compromise of the targeted systems. In order to accomplish
this, all that is needed by the attacker is knowledge of an
interesting OID to query. My point is that SNMP read access could a
enough to fully own a device!

* Examples of juicy leaks via SNMP read access *

For instance, Windows servers return the full list of usernames [2] by
snmwalking the OID 1.3.6.1.4.1.77.1.2.25. Or how about the BT Voyager
2000 router leaking the ISP credentials [3] including the password?
Oh, wait, I almost forgot to mention HP JetDirect printers leaking [4]
the admin password [5] via SNMP read access (using OIDs
.iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0 and
.1.3.6.1.4.1.11.2.3.9.1.1.13.0). And of course the recently disclosed
[6] Dynamic DNS credentials disclosure on ZyXEL Prestige routers via
the OID 1.3.6.1.4.1.890.1.2.1.2.6.0 (see section 2.2 in the paper for
more details). You get the point: lots of devices leak _way too much
information_ via SNMP read access.

* The juicy survey stats! *

>>From a total number of 2.5 million random IP addresses, 5320 IP
addresses responded to the submitted SNMP requests. Although this is
only %0.2128 of all the IP addresses, we need to keep in mind that
most Internet systems with SNMP support correspond to embedded
devices, which only make a small portion of the Internet. One query
was sent to each random IP using the community string "public", which
is often used as the default read community string. The OID queried on
each request is 1.3.6.1.2.1.1.1.0 which is the system description
(usually returns brand and model). The destination port used was
161/UDP. Although some systems used different default port numbers for
SNMP daemons, 161 is definitely the most common one.

In order to protect the innocent, we hid the first two octets of the
IP addresses included in our results CSV file:

cat ./2dot5million-random-ips.csv | while read line
do
	echo -en '*.*.'>>./2dot5million-random-ips.hidden.csv;
	echo $line | cut -d "." -f 3- >> ./2dot5million-random-ips.hidden.csv
done

The most common systems found were the following:

    * ARRIS Touchstone Telephony Modems [7] - these VoIP modems alone
made more than 35% of all found devices discovered!
    * Cisco routers
    * Apple AirPort [8] and Base Station
    * ZyXEL Prestige routers
    * Netopia routers
    * Windows 2000 servers

Obviously, what kind of SNMP-enabled devices are the most popular on
the Internet is very interesting information from a research point of
view. For instance, if researching remote SNMP vulnerabilities, it
would make sense to focus on a type of device that is widely-spread
through the Internet. I'll leave you guys to make your own
observations by reading the results CSV file.

The survey results file can be found on:
http://www.gnucitizen.org/blog/exploring-the-unknown-scanning-the-internet-via-snmp/

* References *

[1] http://www.google.com/search?num=100&hl=en&q=site%3Agnucitizen.org+%28embedded+devices%29+OR+upnp&btnG=Search

[2] http://insecure.org/sploits/NT.smnp.domain_users.record_deletion.html

[3] http://www.securityfocus.com/archive/1/366780

[4] http://www.phenoelit-us.org/stuff/HP_snmp.txt

[5] http://www.securityfocus.com/bid/7001/exploit

[6] http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf

[7] http://www.arrisi.com/products/touchstone/index.asp

[8] http://www.apple.com/airportexpress/

-- 
Adrian "pagvac" Pastor | gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ