Hacking networks with SNMP

Summary
Exploiting common misconfigurations in network systems allows an attacker to gather and use information to take over and control network devices. This can be done just as easily to core equipment as to Customer-Premises Equipment (CPE). A large-scale attack will make it possible to hijack an entire Internet Service Provider (ISP) within a very short time.

This demonstration will be done against a virtualized Cisco network, but the same techniques apply to other vendors like Juniper, HP, Linux and others.

Virtualization
To prevent doing any damage to real networks, I will use GNS3 with Cisco to emulate a basic WAN. As for the attacking computer, a virtual Kali Linux will be attached to the network.
Attacker IP: 80.200.43.20
Cisco configuration example for SNMP and NTP:
[screenshot: Cisco SNMP and NTP configuration used in the lab]

Discovering devices
The initial scan plays an important role in discovering remote vulnerable devices.
[screenshot: nmap scan output]
SNMP configured with an access-list will still show up as an open port when you connect to it. The access-list will of course deny any type of request you make to the device unless the packet comes from an allowed IP.
One of the easiest ways to discover what type of network device you are up against is by running an NTP query.

By configuring “ntp server x.x.x.x”, we are not only synchronizing the device to that time server; it also turns the device into an NTP server itself. This allows us to find some unwanted information like the equipment type and the refid (which is the NTP server’s own upstream server), along with a possible target for NTP reflection attacks. Apply some common sense, whois lookups and brute-force DNS tools, and it won’t take long before you know where the management server pool is. Cisco devices vulnerable to CVE-2014-3309 also seem to be open to NTP queries like this.
[screenshot: ntpq output]

This can be avoided by configuring an access-list associated with the NTP configuration, firewalling the device, or Control Plane Policing.
Hacking SNMP Blindfolded
Spoofing the source address of UDP packets will bypass the SNMP access-list “management”, and blasting away thousands of passwords per second may find the SNMP community string. The question is: how do we know when we have found the correct community string?

[screenshot: spoofing]
By sending IP-spoofed Object Identifiers (OIDs) to the SNMP Management Information Base (MIB), we are able to tell the router to execute a command IF our community string is accepted. I decided to do some performance testing on live equipment, and a Cisco 881-k9 was only able to handle 40000 attacks/min due to poor CPU performance. Split a dictionary between 100 CPEs like the 881-k9 and you will be able to test ~4 million passwords/min.

So, how is this really done?

[screenshot: snmpcrack]
We got the community – so how do we get access?
More spoofing! By sending another batch of spoofed OIDs to the router, we are able to tell the router to upload its configuration to a TFTP server. (I had some issues with TFTP in Kali, so I booted an Ubuntu machine running xinetd with the IP 80.200.43.21.) After analyzing the router configuration, we can make a few modifications, like adding a new user and removing the management access-lists for VTY.

Now we can upload the new configuration back to the router with similar OIDs, asking the router to download a file from the TFTP server and import it into the running-config.
[screenshot: console]

How to protect your equipment
1. BCP 38/RFC 2827
Source-address filter your network: a router will drop any packet whose source address does not match the reverse route back to the sender. BCP 38 should be enabled at the edge of your network facing both customers and other Internet Service Providers. This not only protects you and others against this type of attack, but also against UDP reflection DDoS attacks.
Warning: a network with asymmetrical routing may experience issues with BCP 38.
2. SNMPv3
SNMP version 3 offers both username and password support. Spoofing SNMPv3 is much more difficult than SNMPv1/2c due to password and packet encryption, the discovery handshake and message integrity checks.

3. Filtering
Deny NTP and SNMP with Access Control Lists (ACLs), Control Plane Policing (CoPP) or firewalls.

4. Testing
Do a network scan on equipment before you deploy a new model to check for unwanted services and ports.
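As an added example, not part of the original post or of the Cisco and Team Cymru guides it links to, here is what the four countermeasures above, together with the NTP access-list mentioned in the discovery section, look like in Cisco IOS configuration. Every address, name and interface is an assumption for the lab: 198.51.100.0/24 is taken as the management network, 198.51.100.20 as the time server, and GigabitEthernet0/1 as a customer-facing edge interface; the community string and passphrases are placeholders.

```cisco
! Added example, not from the original post: hardened IOS configuration for
! the countermeasures described above. Assumed values: 198.51.100.0/24 is
! the management network, 198.51.100.20 the time server, GigabitEthernet0/1
! a customer-facing edge interface. Replace them with your own.
!
! The lab in the post relied on a v2c community guarded only by an
! access-list, roughly "snmp-server community <COMMUNITY> RO management".
! A spoofed source address satisfies that access-list, which is the whole
! attack, so the community goes away entirely:
no snmp-server community <COMMUNITY>
!
! 1. BCP 38 / RFC 2827: strict unicast RPF on every customer- and
!    peer-facing interface. A packet is dropped unless the route to its
!    source address points back out the interface it arrived on, so the
!    spoofed SNMP and NTP packets never reach the agent. Requires CEF.
!    Where routing is asymmetric, use loose mode ("reachable-via any")
!    instead of strict mode ("reachable-via rx").
ip cef
interface GigabitEthernet0/1
 description Customer-facing edge
 ip verify unicast source reachable-via rx
!
! 2. SNMPv3 authPriv: SHA authentication, AES-128 privacy, a read-only view,
!    and the management access-list kept as a second layer. The group has
!    no write view, so SET requests (including the config-copy objects the
!    post uses to pull and push running-config) are refused even with
!    valid credentials.
ip access-list standard MGMT
 permit 198.51.100.0 0.0.0.255
 deny   any log
snmp-server view NMS-VIEW iso included
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access MGMT
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE> access MGMT
!
! 3a. NTP filtering: only the configured time server may exchange NTP with
!     the device. Once any ntp access-group is present, sources that match
!     no access-group are denied, so the ntpq fingerprinting in the post
!     gets no answer. A numbered ACL is used here for compatibility with
!     older IOS releases.
ntp server 198.51.100.20
access-list 20 remark Permitted NTP peers
access-list 20 permit host 198.51.100.20
ntp access-group peer 20
!
! 3b. Control Plane Policing: SNMP and NTP not coming from the management
!     network is dropped before it reaches the route processor. In a CoPP
!     class ACL, "deny" means "do not match this class" and "permit" means
!     "match it", so management traffic is exempted and the rest is dropped.
ip access-list extended COPP-UNWANTED-MGMT
 deny   udp 198.51.100.0 0.0.0.255 any eq snmp
 deny   udp host 198.51.100.20 eq ntp any
 permit udp any any eq snmp
 permit udp any any eq ntp
class-map match-all COPP-UNWANTED-MGMT
 match access-group name COPP-UNWANTED-MGMT
policy-map COPP
 class COPP-UNWANTED-MGMT
  drop
control-plane
 service-policy input COPP
!
! 4. Testing: after applying this, scan the device once from outside the
!    management network and once from inside it. UDP/161 and UDP/123 should
!    answer only the inside scan, "show snmp user" should list only v3
!    users, and "show ntp associations" only the configured server.
```

Two points worth keeping in mind when adapting this. BCP 38 is the control that actually removes the attack, because the other three still accept packets whose source address the device cannot verify; without it, a spoofed packet from a permitted management address still reaches the SNMP agent and is only stopped by the SNMPv3 handshake. And until these changes are rolled out, the dictionary attack described in the post has a clear signature on the device itself: the spoofed source must be an address the access-list permits, so a burst of SNMP authentication failures (IOS logs them as %SNMP-3-AUTHFAIL) that appear to come from your own management host is something to alert on, since a real poller does not fail authentication thousands of times a minute.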

Edit: after speaking with Cisco PSIRT, I was recommended the following materials to fortify and protect network devices. Also, there won’t be any security advisory/CVE, since the UDP spoofing attack is a known issue.
Cisco Guide to Harden Cisco IOS Device
Team CYMRU – Secure IOS template

2 Responses to “Hacking networks with SNMP”

  1. GartZen says:

    Nice article …. Can you tell us what’s your source ?
    Maybe It’s linked to an APT ? or detected during a mass attack on ISP’s routers ?

    • Torstein says:

      Thanks!
      There is no source for this, no mass attack or any APT. At least not yet.
      Made this out of an idea I had while labbing some time ago. I decided to combine the weakness of UDP spoofing and the lack of an authentication handshake in SNMPv2 or lower into an attack.
