Exploring The UNKNOWN Scanning The Internet Via SNMP
Hacking is not only about coming up with interesting solutions to problems, but also about exploring the unknown. It was this drive for knowledge philosophy that lead to surveying a significant sample of the Internet which allowed us to make some VERY interesting observations and get an idea of the current state of remote SNMP hacking.
2.5 million random IP addresses were surveyed via SNMP. "Why SNMP you might be asking?" Well, there are several reasons.
First of all SNMP is a UDP-based protocol which allows us to perform scanning at a much shorter time than via TCP-based protocols. Another advantage of UDP-based protocols is that the source IP address can be spoofed easily. In the case of SNMP, it means that an attacker could change configuration settings from a spoofed IP address provided that a valid write community string is identified or cracked. Needless to say changing config settings via SNMP can lead to a full compromise. Finally, we have been very involved researching embedded devices lately, and since a significant amount of Internet devices are hackable via SNMP, such protocol was an obvious candidate.
When SNMP read access is all we need for successful pwnage
Gaining SNMP write access is of course usually considered to be a more serious issue than gaining SNMP read access only. However, even if a cracker only gained read access to a device/server via a SNMP community string, sometimes it would possible to extract sensitive information such as usernames and passwords which would eventually lead to a compromise of the targeted systems. In order to accomplish this, all that is needed by the attacker is knowledge of an interesting OID to query. My point is that SNMP read access could be enough to fully own a device!
Examples of juicy leaks via SNMP read access
For instance, Windows servers return the full list of usernames by snmwalking the OID
188.8.131.52.184.108.40.206.2.25. Or how about the BT Voyager 2000 router leaking the ISP credentials including the password? Oh, wait, I almost forgot to mention HP JetDirect printers leaking the admin password via SNMP read access (using OIDs
.220.127.116.11.18.104.22.168.22.214.171.124.13.0). And of course the recently disclosed Dynamic DNS credentials disclosure on ZyXEL Prestige routers via the OID
126.96.36.199.4.1.8188.8.131.52.2.6.0 (see section 2.2 in the paper for more details). You get the point: lots of devices leak way too much information via SNMP read access.
The juicy survey stats!
From a total number of 2.5 million random IP addresses, 5320 IP addresses responded to the submitted SNMP requests. Although this is only %0.2128 of all the IP addresses, we need to keep in mind that most Internet systems with SNMP support correspond to embedded devices, which only make a small portion of the Internet. One query was sent to each random IP using the community string
public, which is often used as the default read community string. The OID queried on each request is
184.108.40.206.220.127.116.11.0 which is the system description (usually returns brand and model). The destination port used was 161/UDP. Although some systems used different default port numbers for SNMP daemons, 161 is definitely the most common one.
In order to protect the innocent, we hid the first two octets of the IP addresses included in our results CSV file:
cat ./2dot5million-random-ips.csv | while read line do echo -en '*.*.'>>./2dot5million-random-ips.hidden.csv; echo $line | cut -d "." -f 3- >> ./2dot5million-random-ips.hidden.csv done
The most common systems found were the following:
- ARRIS Touchstone Telephony Modems
- Cisco routers
- Apple AirPort and Base Station
- ZyXEL Prestige routers
- Netopia routers
- Windows 2000 servers
Obviously, what kind of SNMP-enabled devices are the most popular on the Internet is very interesting information from a research point of view. For instance, if researching remote SNMP vulnerabilities, it would make sense to focus on a type of device that is widely-spread through the Internet.
I'll leave you guys to make your own observations by reading the results CSV file.
Other ZyXEL models not mentioned in this paper might also be vulnerable to the same issues discussed. Additionally, not all ZyXEL models mentioned in this paper have been tested for the same vulnerabilities due to time constraints and lack of full unrestricted access (i.e.: full administrative access was not possible during a penetration test).I recommend you reading the manual for your model in order to find out how to change the default SNMP community strings, or restrict SNMP access from trusted IP addresses only: http://www.zyxel.com/DownloadLibary_ShortName/P-660H-61/user_guide/P-660H-61_3-40(QT).pdf