[Full-disclosure] Exploring the UNKNOWN: Scanning the Internet via SNMP!
unknown.pentester at gmail.com
Tue Mar 4 00:02:25 GMT 2008
* Exploring the UNKNOWN: Scanning the Internet via SNMP! *
Hacking is not only about coming up with interesting solutions to
problems, but also about exploring the unknown. It was this
drive-for-knowledge philosophy that led us to survey a significant sample of
the Internet, which allowed us to make some VERY interesting
observations and get an idea of the current state of _remote SNMP
* Why SNMP? *
2.5 million random IP addresses were surveyed via SNMP. Why SNMP, you
might ask? Well, there are several reasons. First of all, SNMP is
a UDP-based protocol, which allows us to scan in much less time
than with TCP-based protocols. Another advantage of
UDP-based protocols is that the source IP address can be spoofed
easily. In the case of SNMP, this means that an attacker could change
configuration settings from a spoofed IP address, provided that a valid
write community string is identified or cracked. Needless to say,
changing config settings via SNMP can lead to a full compromise.
Finally, we have been very involved in researching embedded devices
lately, and since a significant number of Internet devices are
hackable via SNMP, this protocol was an obvious candidate.
* When SNMP read access is all we need for successful pwnage *
Gaining SNMP write access is of course usually considered a more
serious issue than gaining SNMP read access only. However, even if a
cracker only gained read access to a device/server via an SNMP
community string, it would sometimes be possible to extract sensitive
information such as usernames and passwords, which would eventually
lead to a compromise of the targeted systems. In order to accomplish
this, all the attacker needs is knowledge of an
interesting OID to query. My point is that SNMP read access can be
enough to fully own a device!
* Examples of juicy leaks via SNMP read access *
For instance, Windows servers return the full list of usernames when
snmpwalking the OID 1.3.6.1.4.1.77.1.2.25. Or how about the BT Voyager
2000 router leaking the ISP credentials, including the password?
Oh, wait, I almost forgot to mention HP JetDirect printers leaking
the admin password via SNMP read access (using the OID
.1.3.6.1.4.1.11.2.3.9.1.1.13.0). And of course the recently disclosed
Dynamic DNS credentials disclosure on ZyXEL Prestige routers via
the OID 1.3.6.1.4.1.890.1.2.1.2.6.0 (see section 2.2 in the paper for
more details). You get the point: lots of devices leak _way too much
information_ via SNMP read access.
* The juicy survey stats! *
From a total of 2.5 million random IP addresses, 5320 IP
addresses responded to the submitted SNMP requests. Although this is
only 0.2128% of all the IP addresses, we need to keep in mind that
most Internet systems with SNMP support are embedded
devices, which make up only a small portion of the Internet. One query
was sent to each random IP using the community string "public", which
is often used as the default read community string. The OID queried in
each request was 1.3.6.1.2.1.1.1.0, the system description (sysDescr,
which usually returns brand and model). The destination port used was
161/UDP. Although some systems use different default port numbers for
their SNMP daemons, 161 is definitely the most common one.
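As an added example (not part of the original post), the following Python decodes a GetRequest of the kind this survey sent, so that a defender watching 161/UDP can spot probes that rely on the "public" default community; the sample packet below is constructed for the example, not a real capture.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults this survey relied on

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID bytes to dotted form; the first octet packs arcs one and two as 40*x+y."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear terminates a multi-octet sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmp_request(payload):
    """Return version, community, PDU tag and requested OIDs of one SNMPv1/v2c message."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30: raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                 # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": version[0], "community": community.decode("ascii", "replace"),
            "pdu_tag": pdu_tag, "oids": oids}

def flag_default_community(payload):
    """Alert text for a GetRequest (tag 0xA0) that uses a default community, else None."""
    req = parse_snmp_request(payload)
    if req["pdu_tag"] == 0xA0 and req["community"] in DEFAULT_COMMUNITIES:
        return (f"SNMPv{req['version'] + 1} GetRequest with default community "
                f"'{req['community']}' for {', '.join(req['oids'])}")
    return None

# Constructed sample: SNMPv1 GetRequest, community "public", one varbind for sysDescr.0 (NULL value)
SAMPLE_GET = bytes.fromhex("3026020100040670" "75626c6963a01902" "0101020100020100"
                           "300e300c06082b06" "0102010101000500")
```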
In order to protect the innocent, we hid the first two octets of the
IP addresses included in our results CSV file:
# Replace the first two octets of every address with "*.*." before publishing the CSV
while read -r line; do
  echo -n '*.*.' >> ./2dot5million-random-ips.hidden.csv
  echo "$line" | cut -d '.' -f 3- >> ./2dot5million-random-ips.hidden.csv
done < ./2dot5million-random-ips.csv
The most common systems found were the following:
* ARRIS Touchstone Telephony Modems - these VoIP modems alone
made up more than 35% of all devices discovered!
* Cisco routers
* Apple AirPort and Base Station
* ZyXEL Prestige routers
* Netopia routers
* Windows 2000 servers
Obviously, which kinds of SNMP-enabled devices are the most popular on
the Internet is very interesting information from a research point of
view. For instance, if researching remote SNMP vulnerabilities, it
would make sense to focus on a type of device that is widespread
across the Internet. I'll leave you guys to make your own
observations by reading the results CSV file.
The survey results file can be found on:
* References *
Adrian "pagvac" Pastor | gnucitizen.org
Full-Disclosure is hosted and sponsored by Secunia.