simple network management pwnd
play

Simple Network Management Pwnd Information Data Leakage Attacks - PowerPoint PPT Presentation

Mar 19, 2023 •273 likes •939 views

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

  1. Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP

  2. Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X

  3. Why ? ● Add value ? ● Discover ? ● Exploit ● Curiosity

  4. Why SHODAN STATISTICS SNMP 7,205,555 • Brazil 2,423,559 • India 638,228 • United States 577,780 • Turkey 263,700 • France 45,039

  5. Introduction to SNMP

  6. Simple Why do we need SNMP?

  7. Simple

  8. Network Management Monitoring Managing Manager

  9. Network Management Tracking Updating Agent

  10. Network Management Communication

  11. Protocol ● Provides management standards ● Transport protocol normally UDP ● Agent listens on port 161 ● Manager listens on port 162

  12. SNMP Version 1 Messages / Protocol Data Units (PDUs) ● Manager to Agent 1. GetRequest 2. GetNextRequest 3. SetRequest ● Agent to Manager 4. GetResponse 5. Trap

  13. GetRequest Message 1. Manager wants to get the value of the sysDescr and sysUpTime objects 2. Manager creates a GetRequest message

  14. SNMPv1 Common PDU Format Version Community PDU Type (0‐3) Request Identifier Error Status Error Index Variable Bindings Object 1: Value 1, …, Object X: Value X

  15. GetRequest Message 3. Manager sends GetRequest message to router

  16. GetRequest Message 4. Agent on router creates a GetResponse message with the values of the requested variables 5. Agent sends the message to the manager

  17. SNMP Version 1 Messages / Protocol Data Units (PDUs) ● Manager to Agent 1. GetRequest 2. GetNextRequest 3. SetRequest ● Agent to Manager 4. GetResponse 5. Trap

  18. SNMP Version 2 Major Enhancements ● Addition of Messages / Protocol Data Units (PDUs) ○ GetBulkRequest - efficient retrieval of many variables in single request ○ InformRequest - acknowledged event notification

  19. SNMP Version 2 Major Enhancements ● Security enhancements ○ Party-Based SNMP Version 2 ○ Community-Based SNMP Version 2 (SNMPv2c) ○ User-Based SNMP Version 2 (SNMPv2u)

  20. SNMP Version 3 Major Enhancements ● Security Model ○ Authentication ○ Encryption ○ Integrity ● Access Control Model

  21. Introduction OIDs and MIBs

  22. Introduction OIDs and MIBs How do we enumerate specific data using SNMP?

  23. Introduction OIDs and MIBs “ Management Information Base ( MIB) is a file that contains definitions of management information so that networked systems can be remotely monitored, configured, and controlled.”

  24. Introduction OIDs and MIBs “ Object Identifier (OIDs) point to individual network objects that are maintained in a database called a Management Information Base“

  25. Introduction OIDs and MIBs ● OIDs utilize a dotted list notation 1.3.6.1 = iso.org.dod.internet ● Universally unique ●

  26. Introduction OIDs and MIBs

  27. Introduction OIDs and MIBs Number of Network Interfaces on a Device 1 .3 .6 .1 .2 .1 .2 .1 Management INTERNET (1) DOD (6) ORG (3) ISO (1) ifNumber (1) Interface (2) MIB2 (1) (2)

  28. Introduction OIDs and MIBs ● Enterprise MIBs ○ 1.3.6.1.4.1 ○ iso.org.dod.internet.private.enterprise ● Individual enterprises are assigned a number by Internet Assigned Numbers Authority (IANA) http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

  29. Introduction OIDs and MIBs 1.3.6.1.4.1.2 IBM 1.3.6.1.4.1.9 ciscoSystems 1.3.6.1.4.1.11 Hewlett-Packard 1.3.6.1.4.1.304 Farallon Computing, Inc. 1.3.6.1.4.1.1991 Brocade Communication Systems, Inc. 1.3.6.1.4.1.4491 Cable Television Laboratories, Inc. 1.3.6.1.4.1.4684 Ambit Microsystems Corporation 1.3.6.1.4.1.43555 LayeredDefense Deral Heiland

  30. SOHO Device Attacks

  31. Exploits & Related Attack Vectors ● Initial research focused on cable / DSL modems ○ Easily obtainable devices ○ Low cost ● Devices examined ○ Netopia/Motorola/Arris ○ Ambit/Ubee ○ Netmaster

  32. Exploits & Related Attack Vectors ● Modems with WiFi builtin frequently expose ○ Wireless keys ○ SSIDs ○ Interface credentials

  33. Exploits & Related Attack Vectors Manual Information Extraction Demo

  34. Exploits & Related Attack Vectors Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 WEP Key Index: 1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12 WPA PSK: 1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12 SSID: 1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12 Ubee DDW3611

  35. Exploits & Related Attack Vectors Automated Information Extraction Demo

  36. Exploits & Related Attack Vectors Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SSID: 1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12 WPA PSK: 1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12 WEP Key 64-bit Index: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.1 WEP Key 128-bit Index: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.1 ARRIS DG950A

  37. Exploits & Related Attack Vectors • Modems Identified leaking data • Ambit U10C019 (2,285) • Ubee DDW3611 • Netopia 3347 series (40,444) 176,867 • Arris DG950A (19,776) • Motorola/Arris SBG-6580 (97) • Netmaster CBW700N (114,265)

  38. Observations and Trends – Internet Service Providers (ISP) have poorly configured SNMP to manage cable/dsl modems – A decrease in exploitable devices – Older devices are replaced – Newer deployments better secured

  39. Enterprise Device Attacks

  40. Enterprise Device Attacks • SNMP is available on all enterprise devices • Often found enabled by default • Almost as often configured with community strings of public and private

  41. Enterprise Device Attacks Brocade ServerIron ADX 1016-2-PREM Demo

  42. Brocade Load Balancer Brocade ServerIron ADX 1016-2-PREM Shodan results for ServerIron (826) USERNAME  1.3.6.1.4.1.1991.1.1.2.9.2.1.1 PWD HASHES  1.3.6.1.4.1.1991.1.1.2.9.2.1.2

  43. Enterprise Device Attacks • Kyocera printers (Various models) – Independently discovered by both Artyon Breus and Chris Schatz • SMB Path: 1.3.6.1.4.1.1347.42.23.2.4.1.1.2.x.1 • SMB Host: 1.3.6.1.4.1.1347.42.23.2.4.1.1.3.x.1 • SMB Port: 1.3.6.1.4.1.1347.42.23.2.4.1.1.4.x.1 • SMB Login: 1.3.6.1.4.1.1347.42.23.2.4.1.1.5.x.1 • SMB Password: 1.3.6.1.4.1.1347.42.23.2.4.1.1.6.x.1 X= user number

  44. Information Harvesting

  45. Log Data Extraction Attacks Demo

  46. Log Data Extraction Attacks ● Logs viewable via SNMP ● Successful logins Identify valid accounts o Identify host they authenticated from o ● Failed logins Oops... I just entered my password in the user field o Maybe an injection point for XSS in the web viewed logs o

  47. Log Data Extraction Attacks DEMO

  48. Log Data Extraction Attacks ● When encountering devices on a pen-test ○ Alway check to see whether SNMP is enabled and accessible ○ Snmp(bulk)walk device and analyze prior to engaging the device with brute force attacks (telnet, ssh, web, etc.) ○ Avoid overwriting usable data

  49. Log Data Extraction Attacks ● Sample list of device with SNMP stored logs o Netgear ProSafe GSM7328Sv2 Managed Switch o Smart IP Microwave Radio o Netopia 33xx

  50. Automated Information Harvesting

  51. Automated Information Harvesting • Large amounts of data • Unknown meaning of data • Limited time to analyse

  52. Automated Information Harvesting ● How do we gather useful information? ○ Snmp(bulk)walk all devices ○ Parse for keyword and patterns

  53. Automated Information Harvesting ● snmpbw.pl (Still work in progress) ○ Perl script ○ Multithreaded ○ Runs snmpbulkwalk against target list ○ https://github.com/dheiland-r7/snmp

  54. Automated Information Harvesting ● snmpprs.pl (Still work in progress) ○ Perl script ○ Parses snmpwalk data for information ○ https://github.com/dheiland-r7/snmp

  55. Automated Information Harvesting ● Data harvest ○ usernames ○ password or hashes ○ SNMP community strings ○ network infrastructure and VLANs information

  56. Automated Information Harvesting • Samples •  \$[1-6]\$[0-9a-zA-Z.$/]\{31\} •  \"[0-9A-Fa-f]\{32\}\” •  [a-zA-Z.]@[a-zA-Z].[cegmnort] • traphost • admin, Admin, root • fail, success, logging

  57. Automated Information Harvesting DEMO

  58. Other Data Points of Interest

  59. Other Data Points of Interest ● SNMP DoS ○ Earliest identified DoS POC dated 2005 ■ http://packetstormsecurity.com/files/36070/snmpdos.c.html ○ Attacker can direct responses to a target since UDP is connectionless, allowing spoofed IP address ○ GetBulkRequest message is used for reflected amplification attacks

  60. SNMP Security Best Practices

  61. SNMP Security Best Practices ● Manufacture: 1. SNMP disabled by default 2. Move away from SNMPv1 and SNMPv2c 3. MIB objects should not contain any authentication data ● Passwords, password hashes, security keys, usernames or community strings ● Should only contain data related to the operational parameters of the device

  62. SNMP Security Best Practices ● End User: 1. SNMP if not in use should be disabled on all devices prior to deployment. 2. SNMP community strings should be a minimum of 20 characters, alphanumeric upper and lower case with special characters and contain no dictionary words.

Recommend

SNMP Simple Network Management Protocol Computer Center, CS, NCTU Network Management The

SNMP Simple Network Management Protocol Computer Center, CS, NCTU Network Management The

SNMP Simple Network Management Protocol Computer Center, CS, NCTU Network Management The network management is to Monitor the network Ensure the operations over the network are functional Assure the network works

760 views • 45 slides
Generic vs. Specific Simple Network Management Tools J urgen Sch onw alder

Generic vs. Specific Simple Network Management Tools J urgen Sch onw alder

Generic vs. Specific Simple Network Management Tools J urgen Sch onw alder <schoenw@informatik.uni-osnabrueck.de> University of Osnabr uck Germany SANE 2002 p.1 Network Management Standards 1.0 2.0 2.2 2.3 2.4 2.5

774 views • 39 slides
NKN Annual Workshop, IIT Mumbai, 31 st Oct -2 nd Nov 2012 Evolution of Network Management Systems

NKN Annual Workshop, IIT Mumbai, 31 st Oct -2 nd Nov 2012 Evolution of Network Management Systems

NKN Annual Workshop, IIT Mumbai, 31 st Oct -2 nd Nov 2012 Evolution of Network Management Systems Device centric approach 90s Network Management meant device control and monitoring Mostly based on Simple Network Management Protocol (SNMP)

730 views • 19 slides
Specific Simple Network Management Tools urgen Sch onw J alder University of Osnabr

Specific Simple Network Management Tools urgen Sch onw J alder University of Osnabr

Specific Simple Network Management Tools urgen Sch onw J alder University of Osnabr uck Albrechtstr. 28 49069 Osnabr uck, Germany Tel.: +49 541 969 2483 Email: <schoenw@informatik.uni-osnabrueck.de> Web:

436 views • 18 slides
Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD

Your Thing is pwnd Security Challenges for the Internet of Things Paul Fremantle @pzfreo PhD researcher Portsmouth University (paul.fremantle@port.ac.uk) Co-Founder, WSO2 Firstly, does it even matter? My three rules for IoT security 1.

1.01k views • 57 slides
Simple Internetworking Network 1 (Ethernet) Internetworking Network 2 (Ethernet) H1 H2 H3 H7

Simple Internetworking Network 1 (Ethernet) Internetworking Network 2 (Ethernet) H1 H2 H3 H7

Simple Internetworking Network 1 (Ethernet) Internetworking Network 2 (Ethernet) H1 H2 H3 H7 R3 H8 Network 4 (point-to-point) R1 R2 Kameswari Chebrolu H4 Network 3 (FDDI) Router Dept. of Electrical Engineering, IIT Kanpur H6 H5

543 views • 4 slides
56 C H A P T E R Chapter Goals Discuss the SNMP Management Information Base. Describe SNMP

56 C H A P T E R Chapter Goals Discuss the SNMP Management Information Base. Describe SNMP

56 C H A P T E R Chapter Goals Discuss the SNMP Management Information Base. Describe SNMP version 1. Describe SNMP version 2. Simple Network Management Protocol Background The Simple Network Management Protocol (SNMP) is an

482 views • 12 slides
empower. NDIS made simple and easy for everyone. simple. effective. NDIS Management About Us.

empower. NDIS made simple and easy for everyone. simple. effective. NDIS Management About Us.

empower. NDIS made simple and easy for everyone. simple. effective. NDIS Management About Us. People and their advocates need more assistance with implementing plans. A role more akin to a case manager, who does much of the thinking and

379 views • 14 slides
Network models Why model? simple representation of complex network can derive

Network models Why model? simple representation of complex network can derive

Random Graphs CS224W Network models Why model? simple representation of complex network can derive properties mathematically predict properties and outcomes Also: to have a strawman In what ways is your

846 views • 66 slides
System and Network Management Network Management : ability to monitor, control and plan the

System and Network Management Network Management : ability to monitor, control and plan the

1-1 System and Network Management Network Management : ability to monitor, control and plan the resources and components of computer system and networks network management is a problem created by computer! Goal of network management :

189 views • 8 slides
Internetworking There is more than One Network Simple Internetworking Two issues to be

Internetworking There is more than One Network Simple Internetworking Two issues to be

Internetworking There is more than One Network Simple Internetworking Two issues to be addressed when Best Effort Service Model Global Addressing Scheme connecting networks Datagram Forwarding in IP Address Translation

314 views • 7 slides
Intelligent real-time reactive network management Intelligent Network Management Framework Final

Intelligent real-time reactive network management Intelligent Network Management Framework Final

Intelligent real-time reactive network management Intelligent Network Management Framework Final project studies Guillaume Andreys April/August 2004 Introduction Motivation Presentation Introduction A lot of tools to collect network

444 views • 18 slides
Requirements Management Made Simple - 5 Easy Steps Jiri Walek VP Product Management 1 Poor

Requirements Management Made Simple - 5 Easy Steps Jiri Walek VP Product Management 1 Poor

w i t h Requirements Management Made Simple - 5 Easy Steps Jiri Walek VP Product Management 1 Poor Requirements Management 2 nd main cause for project failures. PMI: Pulse of Profession 2015 48% 24% 90% Overall Small projects Large

535 views • 42 slides
Simple. Wine Quality Reality. Water Management Winegrowing Sustainable Where We Start A

Simple. Wine Quality Reality. Water Management Winegrowing Sustainable Where We Start A

Simple. Wine Quality Reality. Water Management Winegrowing Sustainable Where We Start A Grower & Vintner Alliance The Code. Water Management Defining Sustainability in 400 pages Viticulture Soil Management

388 views • 25 slides
SNA 2A: Intro to Random Graphs Lada Adamic Network models ! Why model? ! simple representation of

SNA 2A: Intro to Random Graphs Lada Adamic Network models ! Why model? ! simple representation of

SNA 2A: Intro to Random Graphs Lada Adamic Network models ! Why model? ! simple representation of complex network ! can derive properties mathematically ! predict properties and outcomes ! Also: to have a strawman ! In what ways is your real-world

926 views • 28 slides
Media Network Ties Introduction How simple processes at the level of individual nodes and

Media Network Ties Introduction How simple processes at the level of individual nodes and

Online Social Networks and Media Network Ties Introduction How simple processes at the level of individual nodes and links can have complex effects at the whole population How information flows within the network How links/ties are

1.08k views • 84 slides
ABOUT THE NETWORK The Network for Social Work Management is a professional, international

ABOUT THE NETWORK The Network for Social Work Management is a professional, international

ABOUT THE NETWORK The Network for Social Work Management is a professional, international organization focused on strengthening and advancing social work management within health and human services. Our Mission As a group, we work together to

511 views • 27 slides
ABOUT THE NETWORK The Network for Social Work Management is a professional, international

ABOUT THE NETWORK The Network for Social Work Management is a professional, international

ABOUT THE NETWORK The Network for Social Work Management is a professional, international organization focused on strengthening and advancing social work management within health and human services. Our Mission As a group, we work together to

772 views • 51 slides
Topology monitoring implementation of network management system in TWAREN hybrid network

Topology monitoring implementation of network management system in TWAREN hybrid network

Topology monitoring implementation of network management system in TWAREN hybrid network National Center for High-Performance Computing 1 ABSTRACT TWAREN (TaiWan Advanced Research and Education Network) is a hybrid network composed of

532 views • 16 slides
Your Network Management Partner Castle Rock Com puting Silicon Valley based Network

Your Network Management Partner Castle Rock Com puting Silicon Valley based Network

Your Network Management Partner Castle Rock Com puting Silicon Valley based Network Management Specialist Founded in 1987 Over 130,000 SNMPc Shipped Customers include Fortune 500, SMEs, MSPs OEMs The Need For Netw

606 views • 45 slides
Switch Implementation and Performance Simple switch - general purpose workstation with

Switch Implementation and Performance Simple switch - general purpose workstation with

Switch Implementation and Performance Simple switch - general purpose workstation with multiple network adapters I/O Bus Network Interface 1 CPU Network Interface 2 Main Bus Network Interface 3 Main Memory Oct. 12. 2005 CS 440

993 views • 13 slides
Management of ASON- -capable capable Management of ASON Network and its Control Plane Network

Management of ASON- -capable capable Management of ASON Network and its Control Plane Network

I nternational Telecom m unication Union ITU-T Management of ASON- -capable capable Management of ASON Network and its Control Plane Network and its Control Plane H. Kam LAM Lucent Technologies I TU-T W orkshop NGN and its Transport

449 views • 28 slides
Alva L. Couch, Ph.D. Tufts University Network management is at a critical juncture It was

Alva L. Couch, Ph.D. Tufts University Network management is at a critical juncture It was

Alva L. Couch, Ph.D. Tufts University Network management is at a critical juncture It was possible in the past for people to understand network function at all levels. This is no longer possible. Network management must be

510 views • 12 slides
Bringing ZFS information into SNMP Thomas Stibor GSI Helmholtz Centre for Heavy Ion Research, HPC

Bringing ZFS information into SNMP Thomas Stibor GSI Helmholtz Centre for Heavy Ion Research, HPC

Bringing ZFS information into SNMP Thomas Stibor GSI Helmholtz Centre for Heavy Ion Research, HPC 27. Januar 2014 What is SNMP? Simple Network Management Protocol (SNMP) is protocol for network management. It allows collecting

471 views • 19 slides

More recommend