Comments on: Exploring the UNKNOWN: Scanning the Internet via SNMP!

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sat, 07 Jun 2008 19:26:57 +0000

@defcon: there are many SNMP scanners for Linux out there implemented in Perl i.e.: http://www.ernw.de/download/snmpattack.pl.

You can even write a “home-made” one in bash by wrapping around the ’snmpget’ (from the net-snmp package) command and requesting the ’system description’ OID.

By: defcon

defcon — Fri, 06 Jun 2008 11:58:56 +0000

for linux.

By: defcon

defcon — Fri, 06 Jun 2008 11:56:56 +0000

What is a good snmp scanner?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Mon, 21 Apr 2008 10:43:07 +0000

@Yash: the paper can be found here: http://www.procheckup.com/Hack.....teways.pdf

SNMP security is indeed an interesting subject!

By: Yash Kadakia

Yash Kadakia — Sun, 20 Apr 2008 21:03:10 +0000

I’ve been working on SNMP security for some time now its definitely an interesting subject with lots of potential.

Side-note: I can’t seem find the link to the paper?

–
Yash Kadakia
CTO, Security Brigade
http://www.securitybrigade.com
Penetration Testing, PCI DSS Compliance, Security Consulting etc.

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Sun, 06 Apr 2008 14:44:39 +0000

@Digicat: You’re right. The WinXP agents claims to be “Windows 2000″ but still leak the fact that they’re XP by revealing the “5.1″ version rather than “5.0″. And you’re also right when you say that there was one Win 2K3 box (5.2):

“Hardware: x86 Family 6 Model 15 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Uniprocessor Free)”

However, it’s still correct to say that most Windows boxes found were Windows 2000 (5.0).

Funny enough there was also a Win98 box?!! I wonder if it’s a honey pot: “Microsoft Corp. Windows 98.”

By: Digicat

Digicat — Sun, 23 Mar 2008 06:02:31 +0000

The hits reported as Windows 2000 are also Windows XP. Windows XP claims Windows 2000 but reports version 5.1 build 2600 on the same line. There was also one Windows 2003 that reported as Windows 2000 version 5.2 . It looks like a handful (likely larger since this is only a sampling) of unwise Windows XP users installated SNMP, and then opened that in Windows Firewall, or otherwise didn’t implement Windows Firewall.

By: pdp

pdp — Fri, 21 Mar 2008 23:25:54 +0000

10x Judge for keeping us up-to-date. Much appreciated.

By: Judge Dredd

Judge Dredd — Fri, 21 Mar 2008 22:48:00 +0000

caught red handed in real life?

view the following article

http://isc.sans.org/diary.html?storyid=4175

By: ethical, smethical - the legal beagle

ethical, smethical - the legal beagle — Tue, 18 Mar 2008 08:41:57 +0000

Sure, I see snmp services being advertised all the time. I also use google to search then out. Communities are used for auth, trying the default is no different from trying the default at a telnet password prompt. CMA sunshine.

By: pdp

pdp — Tue, 18 Mar 2008 06:38:59 +0000

Dear Judge Dredd, you’ve accessed this GNUCITIZEN post without authorization. Please explain, or will take legal actions against your unethical, intrusive behavior.

Here is how your actions reflect on the computer misuse act:

1) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
- you’ve tried to compromise our systems by submitting meta characters such as “, < , > and ‘, things that can potentially lead to SQL Injection and backend compromise.

2) the access he intends to secure is unauthorized; and
- we have never gave you any sort of authorization. We never give such privilege to trolls. We have never give you authorization to post meta characters on this post or to access the GNUCITIZEN domain.

3) he knows at the time when he causes the computer to perform the function that this is the case.
- your intentions are more then clear.

By: Judge Dredd

Judge Dredd — Mon, 17 Mar 2008 23:10:29 +0000

I Judge Dredd condemn you under article:

1(1) of computer misuse act 1990
A person is guilty of an offence if:

a) He causes a computer to perform any function with intent to secure access to any program or data held in a computer;
b) the access he intends to secure is unauthorized; and
c) he knows at the time when he causes the computer to perform the function that this is the case.

you’ve used known default passwords to access other information without authorization, thus securing vital/security related information.

this is equivalent to using default admin passwords on an insecure website, and retrieving sensitive information or performing defacement.

JD>”How do you plead”;
GNUC>”Innocent!!!!”
JD>”How did I know you’d say that, I find you Guilty under all 3″
– Judge Dredd

By: Adrian Pastor

Adrian Pastor — Mon, 10 Mar 2008 16:22:29 +0000

@CMA1990: what do you mean? No vulnerability was probed/exploited whatsoever. This is NO different to Google bots visiting websites or any other company that surveys Internet servers for research reasons.

By: sniffz

sniffz — Mon, 10 Mar 2008 06:54:30 +0000

ok! thank’s for the information.

By: computer missue act 1990

computer missue act 1990 — Sun, 09 Mar 2008 13:33:09 +0000

I think you just admitted to breaking the Computer Misuse Act 1990.

Please explain yourself!

By: Adrian Pastor

Adrian Pastor — Sat, 08 Mar 2008 03:33:28 +0000

@nex: the scan was done on completely random IP addresses.

By: Adrian Pastor

Adrian Pastor — Fri, 07 Mar 2008 18:23:56 +0000

@sniffz: sorry, they link in the previous comment broke. Try this one instead: http://snipurl.com/217ow

By: Adrian Pastor

Adrian Pastor — Fri, 07 Mar 2008 18:20:29 +0000

@sniffz: if your model is NOT listed as vulnerable does NOT mean is NOT. Pasted from page 2 in the paper: " Other ZyXEL models not mentioned in this paper might also be vulnerable to the same issues discussed. Additionally, not all ZyXEL models mentioned in this paper have been tested for the same vulnerabilities due to time constraints and lack of full unrestricted access (i.e.: full administrative access was not possible during a penetration test). " I recommend you reading the manual for your model in order to find out how to change the default SNMP community strings, or restrict SNMP access from trusted IP addresses only: http://www.zyxel.com/DownloadLibary_ShortName/P-660H-61/user_guide/P-660H-61_3-40(QT).pdf

By: Steve

Steve — Fri, 07 Mar 2008 16:06:33 +0000

I am a programmer that needs to be able to reset via snmp Netopia routers.
How is this accomplished? Do you know?

By: nex

nex — Fri, 07 Mar 2008 16:04:36 +0000

have you scanned specific range or totally randomness ?