Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
simple network management pwnd

Simple Network Management Pwnd Information Data Leakage Attacks - PowerPoint PPT Presentation

Mar 19, 2023 •273 likes •956 views

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

  1. Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP

  2. Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X

  3. Why ? ● Add value ? ● Discover ? ● Exploit ● Curiosity

  4. Why SHODAN STATISTICS SNMP 7,205,555 • Brazil 2,423,559 • India 638,228 • United States 577,780 • Turkey 263,700 • France 45,039

  5. Introduction to SNMP

  6. Simple Why do we need SNMP?

  7. Simple

  8. Network Management Monitoring Managing Manager

  9. Network Management Tracking Updating Agent

  10. Network Management Communication

  11. Protocol ● Provides management standards ● Transport protocol normally UDP ● Agent listens on port 161 ● Manager listens on port 162

  12. SNMP Version 1 Messages / Protocol Data Units (PDUs) ● Manager to Agent 1. GetRequest 2. GetNextRequest 3. SetRequest ● Agent to Manager 4. GetResponse 5. Trap

  13. GetRequest Message 1. Manager wants to get the value of the sysDescr and sysUpTime objects 2. Manager creates a GetRequest message

  14. SNMPv1 Common PDU Format Version Community PDU Type (0‐3) Request Identifier Error Status Error Index Variable Bindings Object 1: Value 1, …, Object X: Value X

  15. GetRequest Message 3. Manager sends GetRequest message to router

  16. GetRequest Message 4. Agent on router creates a GetResponse message with the values of the requested variables 5. Agent sends the message to the manager

  17. SNMP Version 1 Messages / Protocol Data Units (PDUs) ● Manager to Agent 1. GetRequest 2. GetNextRequest 3. SetRequest ● Agent to Manager 4. GetResponse 5. Trap

  18. SNMP Version 2 Major Enhancements ● Addition of Messages / Protocol Data Units (PDUs) ○ GetBulkRequest - efficient retrieval of many variables in single request ○ InformRequest - acknowledged event notification

  19. SNMP Version 2 Major Enhancements ● Security enhancements ○ Party-Based SNMP Version 2 ○ Community-Based SNMP Version 2 (SNMPv2c) ○ User-Based SNMP Version 2 (SNMPv2u)

  20. SNMP Version 3 Major Enhancements ● Security Model ○ Authentication ○ Encryption ○ Integrity ● Access Control Model

  21. Introduction OIDs and MIBs

  22. Introduction OIDs and MIBs How do we enumerate specific data using SNMP?

  23. Introduction OIDs and MIBs “ Management Information Base ( MIB) is a file that contains definitions of management information so that networked systems can be remotely monitored, configured, and controlled.”

  24. Introduction OIDs and MIBs “ Object Identifier (OIDs) point to individual network objects that are maintained in a database called a Management Information Base“

  25. Introduction OIDs and MIBs ● OIDs utilize a dotted list notation 1.3.6.1 = iso.org.dod.internet ● Universally unique ●

  26. Introduction OIDs and MIBs

  27. Introduction OIDs and MIBs Number of Network Interfaces on a Device 1 .3 .6 .1 .2 .1 .2 .1 Management INTERNET (1) DOD (6) ORG (3) ISO (1) ifNumber (1) Interface (2) MIB2 (1) (2)

  28. Introduction OIDs and MIBs ● Enterprise MIBs ○ 1.3.6.1.4.1 ○ iso.org.dod.internet.private.enterprise ● Individual enterprises are assigned a number by Internet Assigned Numbers Authority (IANA) http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

  29. Introduction OIDs and MIBs 1.3.6.1.4.1.2 IBM 1.3.6.1.4.1.9 ciscoSystems 1.3.6.1.4.1.11 Hewlett-Packard 1.3.6.1.4.1.304 Farallon Computing, Inc. 1.3.6.1.4.1.1991 Brocade Communication Systems, Inc. 1.3.6.1.4.1.4491 Cable Television Laboratories, Inc. 1.3.6.1.4.1.4684 Ambit Microsystems Corporation 1.3.6.1.4.1.43555 LayeredDefense Deral Heiland

  30. SOHO Device Attacks

  31. Exploits & Related Attack Vectors ● Initial research focused on cable / DSL modems ○ Easily obtainable devices ○ Low cost ● Devices examined ○ Netopia/Motorola/Arris ○ Ambit/Ubee ○ Netmaster

  32. Exploits & Related Attack Vectors ● Modems with WiFi builtin frequently expose ○ Wireless keys ○ SSIDs ○ Interface credentials

  33. Exploits & Related Attack Vectors Manual Information Extraction Demo

  34. Exploits & Related Attack Vectors Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 WEP Key Index: 1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12 WPA PSK: 1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12 SSID: 1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12 Ubee DDW3611

  35. Exploits & Related Attack Vectors Automated Information Extraction Demo

  36. Exploits & Related Attack Vectors Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SSID: 1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12 WPA PSK: 1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12 WEP Key 64-bit Index: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.1 WEP Key 128-bit Index: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.1 ARRIS DG950A

  37. Exploits & Related Attack Vectors • Modems Identified leaking data • Ambit U10C019 (2,285) • Ubee DDW3611 • Netopia 3347 series (40,444) 176,867 • Arris DG950A (19,776) • Motorola/Arris SBG-6580 (97) • Netmaster CBW700N (114,265)

  38. Observations and Trends – Internet Service Providers (ISP) have poorly configured SNMP to manage cable/dsl modems – A decrease in exploitable devices – Older devices are replaced – Newer deployments better secured

  39. Enterprise Device Attacks

  40. Enterprise Device Attacks • SNMP is available on all enterprise devices • Often found enabled by default • Almost as often configured with community strings of public and private

  41. Enterprise Device Attacks Brocade ServerIron ADX 1016-2-PREM Demo

  42. Brocade Load Balancer Brocade ServerIron ADX 1016-2-PREM Shodan results for ServerIron (826) USERNAME  1.3.6.1.4.1.1991.1.1.2.9.2.1.1 PWD HASHES  1.3.6.1.4.1.1991.1.1.2.9.2.1.2

  43. Enterprise Device Attacks • Kyocera printers (Various models) – Independently discovered by both Artyon Breus and Chris Schatz • SMB Path: 1.3.6.1.4.1.1347.42.23.2.4.1.1.2.x.1 • SMB Host: 1.3.6.1.4.1.1347.42.23.2.4.1.1.3.x.1 • SMB Port: 1.3.6.1.4.1.1347.42.23.2.4.1.1.4.x.1 • SMB Login: 1.3.6.1.4.1.1347.42.23.2.4.1.1.5.x.1 • SMB Password: 1.3.6.1.4.1.1347.42.23.2.4.1.1.6.x.1 X= user number

  44. Information Harvesting

  45. Log Data Extraction Attacks Demo

  46. Log Data Extraction Attacks ● Logs viewable via SNMP ● Successful logins Identify valid accounts o Identify host they authenticated from o ● Failed logins Oops... I just entered my password in the user field o Maybe an injection point for XSS in the web viewed logs o

  47. Log Data Extraction Attacks DEMO

  48. Log Data Extraction Attacks ● When encountering devices on a pen-test ○ Alway check to see whether SNMP is enabled and accessible ○ Snmp(bulk)walk device and analyze prior to engaging the device with brute force attacks (telnet, ssh, web, etc.) ○ Avoid overwriting usable data

  49. Log Data Extraction Attacks ● Sample list of device with SNMP stored logs o Netgear ProSafe GSM7328Sv2 Managed Switch o Smart IP Microwave Radio o Netopia 33xx

  50. Automated Information Harvesting

  51. Automated Information Harvesting • Large amounts of data • Unknown meaning of data • Limited time to analyse

  52. Automated Information Harvesting ● How do we gather useful information? ○ Snmp(bulk)walk all devices ○ Parse for keyword and patterns

  53. Automated Information Harvesting ● snmpbw.pl (Still work in progress) ○ Perl script ○ Multithreaded ○ Runs snmpbulkwalk against target list ○ https://github.com/dheiland-r7/snmp

  54. Automated Information Harvesting ● snmpprs.pl (Still work in progress) ○ Perl script ○ Parses snmpwalk data for information ○ https://github.com/dheiland-r7/snmp

  55. Automated Information Harvesting ● Data harvest ○ usernames ○ password or hashes ○ SNMP community strings ○ network infrastructure and VLANs information

  56. Automated Information Harvesting • Samples •  \$[1-6]\$[0-9a-zA-Z.$/]\{31\} •  \"[0-9A-Fa-f]\{32\}\” •  [a-zA-Z.]@[a-zA-Z].[cegmnort] • traphost • admin, Admin, root • fail, success, logging

  57. Automated Information Harvesting DEMO

  58. Other Data Points of Interest

  59. Other Data Points of Interest ● SNMP DoS ○ Earliest identified DoS POC dated 2005 ■ http://packetstormsecurity.com/files/36070/snmpdos.c.html ○ Attacker can direct responses to a target since UDP is connectionless, allowing spoofed IP address ○ GetBulkRequest message is used for reflected amplification attacks

  60. SNMP Security Best Practices

  61. SNMP Security Best Practices ● Manufacture: 1. SNMP disabled by default 2. Move away from SNMPv1 and SNMPv2c 3. MIB objects should not contain any authentication data ● Passwords, password hashes, security keys, usernames or community strings ● Should only contain data related to the operational parameters of the device

  62. SNMP Security Best Practices ● End User: 1. SNMP if not in use should be disabled on all devices prior to deployment. 2. SNMP community strings should be a minimum of 20 characters, alphanumeric upper and lower case with special characters and contain no dictionary words.

Recommend

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD researcher Portsmouth University (paul.fremantle@port.ac.uk) Co-Founder, WSO2 Firstly, does it even matter? My three rules for IoT security 1.

1.01k views • 57 slides
Classification of curves Simple, not closed Simple, closed Closed, not simple Not simple, not

Classification of curves Simple, not closed Simple, closed Closed, not simple Not simple, not

Classification of curves Simple, not closed Simple, closed Closed, not simple Not simple, not closed MA202 Sections 5 & 401 Chapter 11-2 Slides Interior and exterior of a simple closed curve MA202 Sections 5 & 401 Chapter 11-2

493 views • 36 slides
SNMP Simple Network Management Protocol Computer Center, CS, NCTU Network Management The

SNMP Simple Network Management Protocol Computer Center, CS, NCTU Network Management The

SNMP Simple Network Management Protocol Computer Center, CS, NCTU Network Management The network management is to Monitor the network Ensure the operations over the network are functional Assure the network works

763 views • 45 slides
Limits on Representing Functions by Linear Combinations of Simple Functions 0,1

Limits on Representing Functions by Linear Combinations of Simple Functions 0,1

Limits on Representing Functions by Linear Combinations of Simple Functions 0,1 0,1 ? simple simple simple simple simple simple Ryan Williams MIT The -linear Representation Problem Let be a class of

284 views • 14 slides
DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs

DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs

Social Network Social Network Web Network DNA Interaction Follow Network Network User-Product Network Nonuniform network comm costs Nonuniform comp requirement Contentiousness of the memory Nonuniform comm requirement

865 views • 50 slides
Presentation Skills In 7 Simple Steps Schofield James Presentation Skills In 7 Simple Steps

Presentation Skills In 7 Simple Steps Schofield James Presentation Skills In 7 Simple Steps

Presentation Skills In 7 Simple Steps Schofield James.pdf Presentation Skills In 7 Simple Steps Schofield James Presentation Skills In 7 Simple Steps Schofield James Whatever our proffesion, Presentation Skills In 7 Simple Steps Schofield James

507 views • 15 slides
Simple VHF Direction Finding Gary Wilson, K2GW Requirements Knowledge of VHF Propagation

Simple VHF Direction Finding Gary Wilson, K2GW Requirements Knowledge of VHF Propagation

Simple VHF Direction Finding Gary Wilson, K2GW Requirements Knowledge of VHF Propagation Methodical, Patient Approach Simple Land Navigation Skills Simple DF Skills Simple Tools Simple Radio Equipment VHF Propagation Straight Line, but

281 views • 16 slides
Usability Studies Made Simple Usability Studies Made Simple Marla Lobley The Problem The

Usability Studies Made Simple Usability Studies Made Simple Marla Lobley The Problem The

Usability Studies Made Simple Usability Studies Made Simple Marla Lobley The Problem The Problem Photo by Oote Boe The Cost The Cost The Plan The Plan Simple Usability Studies Simple Usability Studies Test with 3 Test with 3 -5

408 views • 16 slides
The Beauty of Simple Michael Boelen NLUUG - May 16th, 2017 Today Define simple

The Beauty of Simple Michael Boelen NLUUG - May 16th, 2017 Today Define simple

The Beauty of Simple Michael Boelen NLUUG - May 16th, 2017 Today Define simple Challenge complexity Simplify your life @mboelen Simple Keep it simple, stupid. Kelly Johnson, KISS principle Simplicity is

762 views • 38 slides
Simple Squamous Epithelial Simple Cuboidal Epithelial Simple Columnar Epithelial Stratified

Simple Squamous Epithelial Simple Cuboidal Epithelial Simple Columnar Epithelial Stratified

Simple Squamous Epithelial Simple Cuboidal Epithelial Simple Columnar Epithelial Stratified Squamous Epithelial Stratified Squamous Epithelial Stratified Squamous Epithelial Pseudostratified Ciliated Columnar Epithelial Smooth Muscle Cardiac

357 views • 20 slides
A combinatoric invariant of simple polytopes 1 Simple polytopes 2 graded Boolean Bo Chen

A combinatoric invariant of simple polytopes 1 Simple polytopes 2 graded Boolean Bo Chen

A combina- toric invariant of simple polytopes Bo Chen A combinatoric invariant of simple polytopes 1 Simple polytopes 2 graded Boolean Bo Chen ring of simple polytopes School of Mathematics and Statistics, HUST 3 Jiont-work

839 views • 39 slides
STAT 213 Simple Linear Regression I Colin Reimer Dawson Oberlin College 5 October 2016 Outline

STAT 213 Simple Linear Regression I Colin Reimer Dawson Oberlin College 5 October 2016 Outline

Outline Simple Linear Regression Model STAT 213 Simple Linear Regression I Colin Reimer Dawson Oberlin College 5 October 2016 Outline Simple Linear Regression Model Outline Simple Linear Regression Model Outline Simple Linear Regression

401 views • 16 slides
Simple Polyadic Groups H. Khodabandeh, M. Shahryari AAD May 2012 H. Khodabandeh, M. Shahryari

Simple Polyadic Groups H. Khodabandeh, M. Shahryari AAD May 2012 H. Khodabandeh, M. Shahryari

Simple Polyadic Groups C ES ME Simple Polyadic Groups H. Khodabandeh, M. Shahryari AAD May 2012 H. Khodabandeh, M. Shahryari Simple Polyadic Groups C ES ME Simple Polyadic Groups C ES ME A simple notation During

602 views • 26 slides
Class 14: Simple harmonic motion Class 14: Simple harmonic motion Origin of simple harmonic motion

Class 14: Simple harmonic motion Class 14: Simple harmonic motion Origin of simple harmonic motion

Class 14: Simple harmonic motion Class 14: Simple harmonic motion Origin of simple harmonic motion U(x) = kx 2 Total energy Total energy F = - kx x V=0 a is max V=0, a is max. V=0 a is max V=0, a is max. a=0, v is max. Equation of motion

629 views • 6 slides
System and Network Management Network Management : ability to monitor, control and plan the

System and Network Management Network Management : ability to monitor, control and plan the

1-1 System and Network Management Network Management : ability to monitor, control and plan the resources and components of computer system and networks network management is a problem created by computer! Goal of network management :

190 views • 8 slides
1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

Network Layer Network Layer Chapter 4: Network Layer Mobile network Chapter goals: Global ISP understand principles behind network layer Network Layer services: Home network network layer service models Regional ISP forwarding

555 views • 3 slides
Andreas Mller Overview q Introduction to Network Address Translation q Behavior of NAT

Andreas Mller Overview q Introduction to Network Address Translation q Behavior of NAT

Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU Mnchen ilab 2 Advanced NAT Andreas Mller Overview q Introduction to Network Address Translation q Behavior of NAT q The NAT Traversal

1.01k views • 43 slides
IPv6 & Linux About Me Work at Jumping Bean Developer & Trainer Contact Info:

IPv6 & Linux About Me Work at Jumping Bean Developer & Trainer Contact Info:

IPv6 & Linux About Me Work at Jumping Bean Developer & Trainer Contact Info: Twitter @mxc4 Twitter @jumpingbeansa mark@jumpingbean.co.za Goals & Motivation Why? What? Understanding of IPv6 Why IPv6?

681 views • 45 slides
IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address IPv4 allowed for 4.3 billion possible addresses, IPv6 allows for 340 undecillion addresses 3.40E38, 7.9E28 more than IPv4 addresses, ~ 4.8x10

1.07k views • 28 slides
Network Programming - I Tevfik Ko ar Louisiana State University November 9 th , 2010 1 2

Network Programming - I Tevfik Ko ar Louisiana State University November 9 th , 2010 1 2

CSC 4304 - Systems Programming Network Programming Fall 2010 Lecture - XV Network Programming - I Tevfik Ko ar Louisiana State University November 9 th , 2010 1 2 Sockets Ports A Socket is comprised of: Ports 0 through 1023 are

412 views • 5 slides
Postmarketing Drug Safety and Inspection Readiness June 19, 2018 Center for Drug Evaluation and

Postmarketing Drug Safety and Inspection Readiness June 19, 2018 Center for Drug Evaluation and

Postmarketing Drug Safety and Inspection Readiness June 19, 2018 Center for Drug Evaluation and Research (CDER) Small Business and Industry Assistance (SBIA) Webinar United States Food and Drug Administration (FDA) CDER / Office of Compliance

632 views • 61 slides
Seminar: Ubiquitous Computing Instant Networking and Dynamic Service Discovery Tim Niemueller <

Seminar: Ubiquitous Computing Instant Networking and Dynamic Service Discovery Tim Niemueller <

Introduction Instant Networking Name Resolution Service Discovery Summary Seminar: Ubiquitous Computing Instant Networking and Dynamic Service Discovery Tim Niemueller < tim@niemueller.de > Supervisor: Karl-Heinz-Krempels Lehrstuhl f

1.83k views • 134 slides
Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang,

Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang,

ACM SIGCOMM 2005 Profiling I nternet Backbone Traffic: Behavior Models and Applications Kuai Xu, Zhi-Li Zhang, and Supratik Bhattacharyya University of Minnesota Sprint ATL August 24, 2005 Why profile traffic? Changes in

715 views • 25 slides
INTERNATIONAL NETWORK UPDATE DAN TWOHILL daniel.twohill@reannz.co.nz 2 REANNZ Lunch 20

INTERNATIONAL NETWORK UPDATE DAN TWOHILL daniel.twohill@reannz.co.nz 2 REANNZ Lunch 20

REANNZ LUNCH 20 17 JUN INTERNATIONAL NETWORK UPDATE DAN TWOHILL daniel.twohill@reannz.co.nz 2 REANNZ Lunch 20 International Network update INTERNATIONAL NETWORK UPDATE RECAP: WHAT MAKES UP AN INTERNATIONAL NETWORK? Physical

314 views • 17 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.