Exploring The UNKNOWN Scanning The Internet Via SNMP

Mon, 03 Mar 2008 16:51:32 GMT
by pagvac

Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive for knowledge philosophy that lead to surveying a significant sample of the Internet which allowed us to make some VERY interesting observations and get an idea of the current state of remote SNMP hacking.

Why SNMP?

2.5 million random IP addresses were surveyed via SNMP. "Why SNMP you might be asking?" Well, there are several reasons.

First of all SNMP is a UDP-based protocol which allows us to perform scanning at a much shorter time than via TCP-based protocols. Another advantage of UDP-based protocols is that the source IP address can be spoofed easily. In the case of SNMP, it means that an attacker could change configuration settings from a spoofed IP address provided that a valid write community string is identified or cracked. Needless to say changing config settings via SNMP can lead to a full compromise. Finally, we have been very involved researching embedded devices lately, and since a significant amount of Internet devices are hackable via SNMP, such protocol was an obvious candidate.

When SNMP read access is all we need for successful pwnage

Gaining SNMP write access is of course usually considered to be a more serious issue than gaining SNMP read access only. However, even if a cracker only gained read access to a device/server via a SNMP community string, sometimes it would possible to extract sensitive information such as usernames and passwords which would eventually lead to a compromise of the targeted systems. In order to accomplish this, all that is needed by the attacker is knowledge of an interesting OID to query. My point is that SNMP read access could be enough to fully own a device!

Examples of juicy leaks via SNMP read access

For instance, Windows servers return the full list of usernames by snmwalking the OID 1.3.6.1.4.1.77.1.2.25. Or how about the BT Voyager 2000 router leaking the ISP credentials including the password? Oh, wait, I almost forgot to mention HP JetDirect printers leaking the admin password via SNMP read access (using OIDs .iso.3.6.1.4.1.11.2.3.9.4.2.1.3.9.1.1.0 and .1.3.6.1.4.1.11.2.3.9.1.1.13.0). And of course the recently disclosed Dynamic DNS credentials disclosure on ZyXEL Prestige routers via the OID 1.3.6.1.4.1.890.1.2.1.2.6.0 (see section 2.2 in the paper for more details). You get the point: lots of devices leak way too much information via SNMP read access.

The juicy survey stats!

From a total number of 2.5 million random IP addresses, 5320 IP addresses responded to the submitted SNMP requests. Although this is only %0.2128 of all the IP addresses, we need to keep in mind that most Internet systems with SNMP support correspond to embedded devices, which only make a small portion of the Internet. One query was sent to each random IP using the community string public, which is often used as the default read community string. The OID queried on each request is 1.3.6.1.2.1.1.1.0 which is the system description (usually returns brand and model). The destination port used was 161/UDP. Although some systems used different default port numbers for SNMP daemons, 161 is definitely the most common one.

In order to protect the innocent, we hid the first two octets of the IP addresses included in our results CSV file:

cat ./2dot5million-random-ips.csv | while read line
do
    echo -en '*.*.'>>./2dot5million-random-ips.hidden.csv;
    echo $line | cut -d "." -f 3- >> ./2dot5million-random-ips.hidden.csv
done

The most common systems found were the following:

Obviously, what kind of SNMP-enabled devices are the most popular on the Internet is very interesting information from a research point of view. For instance, if researching remote SNMP vulnerabilities, it would make sense to focus on a type of device that is widely-spread through the Internet.

I'll leave you guys to make your own observations by reading the results CSV file.

Archived Comments

Yousif YaldaYousif Yalda
Hmm, this method is indeed quality scanning. I'll surely be reading about quite often now. Great post pdp, read access is becoming a little thin now in all cases, not just SNMP ;)
NIbinNIbin
Hi, This is an interesting information. Why not check for the default passwords in routers worldwide (like enable passwords in routers)..It will be more interesting!!!
questionallthingsquestionallthings
For the devices did the firmware/service package version matter at all?
LonerVampLonerVamp
You got replies in just 5320 out of 2.5 million IPs. That's great. Did you actually find anything sensitive in this list? Anything that could be owned via SNMP read access? Any write access? I wonder how many of those 5320 hits have worse things to worry about than SNMP due to misconfigurations? That's great that you mentioned a couple juicy leaks via SNMP, but did your scan actually come up with any, or was that simply theoretical "could happen?"
Adrian PastorAdrian Pastor
Yousif: Thank you for your feedback Yousif, however, this is ap, rather than pdp :) As you know we're a few in the group (http://www.gnucitizen.org/about/), although pdp is the most active researcher. @Nlbin: we could do that, but that would mean crossing the line which we do NOT do :-) @questionallthings: I'm not sure if I understand your question, but I can tell you that knowing specific firmware type and version would allow attackers research public exploits that work for such firmware type/version combination.
pdppdp
LonerVamp, obviously we cannot go ahead and start exploiting or testing these devices! saying that, everything is theoretical. But the point of the experiment was very different. Our goal was to sample publicly available SNMP device as we find that people ignore SNMP, don't ask, don't know why. Given the fact that most embedded devices we have encountered so far, have some seriously screwed up SNMP implementations, we find this research very interesting. Therefore, we wanted to share it with the rest of the security community as it may come handy. That's all!
sniffzsniffz
Hi I have a 660H-61 Router. I have three questions to your pdf doc. 1.) All your discovered holes are only a security problem if the webinterface or snmp open on the wan, and if i had no attackers in the lan! Is that right? 2.) in the snmp (read/write) test my router is not vulnerable (according to your document). What is the reason? snmp disabled or what? 4.) If in the Firewall rules no SNMP rule, is the port also open to the wan? 3.) How can i snmp disable? in telnet i haven't found a option! Thanks very much! sniffz
reznrezn
Unfortunately, a large majority of those Arris Touchstone modems are probably not under the control of the people who use them. They are probably controlled by a service provider or ISP. It is not generally possible to put anything between your cable modem and the internet, so it is often impossible for the user to protect these devices against SNMP attacks.
adyady
Can it be adapted for SCADA?
Adrian PastorAdrian Pastor
@sniffz: our SNMP experiment covers devices with SNMP daemons visible from the Internet (WAN interface). 1) However, since you own a ZyXEL router you should know that we found that many ISPs ship these routers with SNMP enabled on the *WAN*. Once you discover a ZyXEL router with SNMP reachable from the Internet you'll find out that many adjacent ZyXEL routers that belong to the same netblock suffer the same problem! 2) Please specify the section/page of the paper. Most likely it means that SNMP is *not* enabled with read and write access by default. 3) It *is* if SNMP is enabled and configured to be visible from the WAN interface (you can check this via the web and telnet interface) 4) We recommend you to disable SNMP which is explained in your router's manual (you should be able to do it via Telnet).
Adrian PastorAdrian Pastor
@rezn: I guess that makes finding a vulnerability on these devices even more serious! This is another example of ISPs shipping devices with insecure default configurations. @ady: adapting the research for SCADA could be done of course. Maybe you want to do it and share the results?
sniffzsniffz
@Adrian Pastor 1. Ok, my Zyxel 660H-61 haven't any SNMP Firewall rule. 2. It's section 2.2. And my Router is not listen as vulnerable. 3. I havent't any snmp configuration page in the webinterface. In telnet i saw the same picture, you have in the pdf. But there i can't disable SNMP! 4. I haven't found any option to disable snmp! Thanks!
nexnex
have you scanned specific range or totally randomness ?
SteveSteve
I am a programmer that needs to be able to reset via snmp Netopia routers. How is this accomplished? Do you know?
Adrian PastorAdrian Pastor
@sniffz: if your model is NOT listed as vulnerable does NOT mean is NOT. Pasted from page 2 in the paper:
Other ZyXEL models not mentioned in this paper might also be vulnerable to the same issues discussed. Additionally, not all ZyXEL models mentioned in this paper have been tested for the same vulnerabilities due to time constraints and lack of full unrestricted access (i.e.: full administrative access was not possible during a penetration test).
I recommend you reading the manual for your model in order to find out how to change the default SNMP community strings, or restrict SNMP access from trusted IP addresses only: http://www.zyxel.com/DownloadLibary_ShortName/P-660H-61/user_guide/P-660H-61_3-40(QT).pdf
Adrian PastorAdrian Pastor
@sniffz: sorry, they link in the previous comment broke. Try this one instead: http://snipurl.com/217ow
Adrian PastorAdrian Pastor
@nex: the scan was done on completely random IP addresses.
computer missue act 1990computer missue act 1990
I think you just admitted to breaking the Computer Misuse Act 1990. Please explain yourself!
sniffzsniffz
ok! thank's for the information.
Adrian PastorAdrian Pastor
@CMA1990: what do you mean? No vulnerability was probed/exploited whatsoever. This is NO different to Google bots visiting websites or any other company that surveys Internet servers for research reasons.
Judge DreddJudge Dredd
I Judge Dredd condemn you under article: 1(1) of computer misuse act 1990 A person is guilty of an offence if: a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer; b) the access he intends to secure is unauthorized; and c) he knows at the time when he causes the computer to perform the function that this is the case. you've used known default passwords to access other information without authorization, thus securing vital/security related information. this is equivalent to using default admin passwords on an insecure website, and retrieving sensitive information or performing defacement. JD>"How do you plead"; GNUC>"Innocent!!!!" JD>"How did I know you'd say that, I find you Guilty under all 3" -- Judge Dredd
pdppdp
Dear Judge Dredd, you've accessed this GNUCITIZEN post without authorization. Please explain, or will take legal actions against your unethical, intrusive behavior. Here is how your actions reflect on the computer misuse act: 1) He causes a computer to perform any function with intent to secure access to any program or data held in a computer; - you've tried to compromise our systems by submitting meta characters such as ", <, > and ', things that can potentially lead to SQL Injection and backend compromise. 2) the access he intends to secure is unauthorized; and - we have never gave you any sort of authorization. We never give such privilege to trolls. We have never give you authorization to post meta characters on this post or to access the GNUCITIZEN domain. 3) he knows at the time when he causes the computer to perform the function that this is the case. - your intentions are more then clear. :)
ethical, smethical - the legal beagleethical, smethical - the legal beagle
Sure, I see snmp services being advertised all the time. I also use google to search then out. Communities are used for auth, trying the default is no different from trying the default at a telnet password prompt. CMA sunshine.
Judge DreddJudge Dredd
caught red handed in real life? view the following article http://isc.sans.org/diary.html?storyid=4175
pdppdp
10x Judge for keeping us up-to-date. Much appreciated.
DigicatDigicat
The hits reported as Windows 2000 are also Windows XP. Windows XP claims Windows 2000 but reports version 5.1 build 2600 on the same line. There was also one Windows 2003 that reported as Windows 2000 version 5.2 . It looks like a handful (likely larger since this is only a sampling) of unwise Windows XP users installated SNMP, and then opened that in Windows Firewall, or otherwise didn't implement Windows Firewall.
Adrian 'pagvac' PastorAdrian 'pagvac' Pastor
@Digicat: You're right. The WinXP agents claims to be "Windows 2000" but still leak the fact that they're XP by revealing the "5.1" version rather than "5.0". And you're also right when you say that there was one Win 2K3 box (5.2): "Hardware: x86 Family 6 Model 15 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)" However, it's still correct to say that most Windows boxes found were Windows 2000 (5.0). Funny enough there was also a Win98 box?!! I wonder if it's a honey pot: "Microsoft Corp. Windows 98."
Yash KadakiaYash Kadakia
I've been working on SNMP security for some time now its definitely an interesting subject with lots of potential. Side-note: I can't seem find the link to the paper? -- Yash Kadakia CTO, Security Brigade http://www.securitybrigade.com Penetration Testing, PCI DSS Compliance, Security Consulting etc.
Adrian 'pagvac' PastorAdrian 'pagvac' Pastor
@Yash: the paper can be found here: http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf SNMP security is indeed an interesting subject!
defcondefcon
What is a good snmp scanner for linux?
Adrian 'pagvac' PastorAdrian 'pagvac' Pastor
@defcon: there are many SNMP scanners for Linux out there implemented in Perl i.e.: http://www.ernw.de/download/snmpattack.pl. You can even write a "home-made" one in bash by wrapping around the 'snmpget' (from the net-snmp package) command and requesting the 'system description' OID.
PersiaPersia
These are for sure not something new quite alot of ppl can own almost any box running snmp. to my expriance (90% success having read access) (20% with having any access) base on their implimantation flaws causing overflows,avs,and very funny implimantaion of access control ,its not hard to elevate read access or even just to write to password oid using READONLY access , for many, you can edit arp cache to your benefit with low access level , for some other utilize tftp to extract private password from config binary. not going to argue more .just seach the net see for yourself . or apply a general fuzzer. btw: i was searching for private oid logo for assigned oids to use in some freeware . anybody care to share ? Thanks
pagvacpagvac
@Persia: it'd be great if you could name some specific examples of devices that allow you to edit the ARP cache with SNMP READ access only
0xff0xff0xff0xff
i am currently writing a tool to manipulate snmp i am writing it in c# the reason for this is simple i cannot do certain things i need to in linux scripting for that matter and its just easier this way it will be impressive