Hacking networks with SNMP
Exploiting common misconfigurations in network systems allows an attacker to gather information and use it to take over and control network devices. This can be done just as easily against core equipment as against Customer-Premises Equipment (CPE). A large-scale attack would make it possible to hijack an entire Internet Service Provider (ISP) within a very short time.
This demonstration will be done against a virtualized Cisco network, but the same techniques apply to other vendors such as Juniper, HP, Linux and others.
To avoid doing any damage to real networks, I will use GNS3 with Cisco to emulate a basic WAN. As for the attacking computer, a virtual Kali Linux machine will be attached to the network.
Attacker IP: 18.104.22.168
Cisco configuration example for SNMP and NTP:
ip address 22.214.171.124 255.255.255.0
ip access-list standard management
 remark ### NTP ###
 remark ### SNMP ###
snmp-server community _________ RW management
line vty 0 4
 access-class management in
ntp server 126.96.36.199
The initial scan plays an important role in discovering remote vulnerable devices.
SNMP that is protected by an access-list will still show up as an open port when you connect to it. The access-list will of course deny any request you make to the device unless the packet comes from an allowed IP.
One of the easiest ways to discover what type of network device you are up against is to run an NTP query.
By configuring “ntp server x.x.x.x” we are not only synchronizing the device to that time server; it also turns the device into an NTP server itself. This allows us to find some unwanted information such as the equipment type and the refid, which identifies the NTP server’s own upstream server, along with a possible target for NTP reflection attacks. Apply some common sense, whois lookups and brute-force DNS tools – it won’t take long before you know where the management server pool is. Cisco devices vulnerable to CVE-2014-3309 also seem to be open for NTP queries like this.
ntp server 188.8.131.52
ntp access-group peer management
This can be avoided by configuring an access-list associated with the NTP configuration, by firewalling the device, or with Control Plane Policing.
Hacking SNMP Blindfolded
Spoofing the source address of UDP packets will bypass the SNMP access-list “management”, and by blasting away thousands of passwords per second you may find the SNMP community string. The question is: how do we know when we have found the correct community string?
By sending IP-spoofed Object Identifiers (OIDs) to the SNMP Management Information Base (MIB), we are able to tell the router to execute a command IF our community string is accepted. I decided to do some performance testing on live equipment, and a Cisco 881-k9 was only able to handle 40000 attacks/min due to poor CPU performance. Split a dictionary between 100 CPEs like the 881-k9 and you will be able to test ~4 million passwords/min.
So, how is this really done?
Spoofed source IP: 184.108.40.206
Destination (mr router): 220.127.116.11
Hello mr router. The secret is "public", please ping 18.104.22.168
- wrong secret, request dropped -
Hello mr router. The secret is "private", please ping 22.214.171.124
- correct secret, request accepted -
- sending ICMP packet to 126.96.36.199 as you asked for -
Network sniffer detecting an ICMP packet from mr router (188.8.131.52)
The correct secret for mr router is one of those sent between line (RTT + 0.1 sec ago) and line (current time)
We got the community – so how to get access?
More spoofing! By sending another batch of spoofed OIDs to the router, we are now able to tell the router to upload its configuration to a TFTP server. (I had some issues with TFTP in Kali, so I booted an Ubuntu machine running xinetd with the IP 184.108.40.206.) After analyzing the router configuration, we can make a few modifications, such as adding a new user and removing the management access-lists for VTY.
Now we can upload the new configuration back to the router with similar OIDs, asking the router to download a file from the TFTP server and import it into the running-config.
How to protect your equipment
1. BCP 38/RFC 2827
Source-address filter your network: a router will drop any packet whose source address does not match the reverse route back to the sender. BCP38 should be enabled at the edge of your network, facing both customers and other Internet Service Providers. This not only protects you and others against this type of attack, but also against UDP reflection DDoS attacks.
Warning: a network with asymmetrical routing may experience issues with BCP38.
2. SNMP version 3 offers both username and password support. Spoofing SNMPv3 is far more difficult than SNMPv1/2c because of password-based authentication, packet encryption, the discovery handshake and message integrity checks.
3. Deny NTP and SNMP with Access Control Lists (ACLs), Control Plane Policing (CoPP) or firewalls.
4. Do a network scan of equipment before you deploy a new model, to check for unwanted services and open ports.
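The following Cisco IOS configuration is an added hardening example that ties together the NTP access-list mentioned earlier and the four protection points above; it is not the post’s own configuration. The management prefix 192.0.2.0/24, the NTP server 192.0.2.10, the interface GigabitEthernet0/1 and the passwords are constructed placeholders, and the old community string is written as a placeholder to be replaced with the real one being retired.

```cisco
! Added hardening example (not the post's own config). 192.0.2.0/24 is the
! management network, 192.0.2.10 the upstream NTP server and Gi0/1 the
! customer-facing interface; all three are constructed placeholders.
!
! 1. BCP38 / RFC 2827: strict unicast RPF drops packets whose source address
!    is not reachable back out the interface they arrived on. This is what
!    defeats the spoofed-source SNMP requests described in the post.
!    Use "reachable-via any" (loose mode) where routing is asymmetric.
interface GigabitEthernet0/1
 description customer-facing
 ip verify unicast source reachable-via rx
 ! This interface never needs to answer NTP queries.
 ntp disable
!
! Hosts allowed to manage the device.
ip access-list standard management
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! 2. SNMPv3 authPriv replaces the spoofable read-write community.
!    <old-community> stands for the community string being retired.
no snmp-server community <old-community> RW management
snmp-server group MGMT v3 priv access management
snmp-server user monitor MGMT v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
! Report every failed SNMP authentication so guessing attempts are visible.
snmp-server enable traps snmp authentication
!
! 3. NTP: keep synchronizing to the upstream server, but only serve
!    the management hosts (the access-group the post's NTP section shows).
ntp server 192.0.2.10
ntp access-group peer management
!
! 4. Control Plane Policing: rate-limit SNMP and NTP from management hosts
!    and drop both from everyone else before they reach the CPU, so a
!    password-guessing flood cannot exhaust a small CPE such as the 881-k9.
ip access-list extended COPP-MGMT-ALLOWED
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
 permit udp 192.0.2.0 0.0.0.255 any eq ntp
ip access-list extended COPP-MGMT-DENIED
 permit udp any any eq snmp
 permit udp any any eq ntp
class-map match-all COPP-MGMT-ALLOWED
 match access-group name COPP-MGMT-ALLOWED
class-map match-all COPP-MGMT-DENIED
 match access-group name COPP-MGMT-DENIED
policy-map COPP
 class COPP-MGMT-ALLOWED
  police 64000 8000 conform-action transmit exceed-action drop
 class COPP-MGMT-DENIED
  police 8000 1000 conform-action drop exceed-action drop
control-plane
 service-policy input COPP
```

With authentication-failure traps enabled, IOS reports rejected community strings as %SNMP-3-AUTHFAIL messages naming the source address of the request. Because the attack in the post spoofs a source that is inside the management access-list, a burst of such failures that appears to come from one of your own management hosts is a strong indicator of spoofing rather than a misconfigured monitoring system, and is worth alerting on. The CoPP class order matters: the allowed class must precede the deny class so management traffic is matched first. Strict uRPF (“reachable-via rx”) is the right choice at the customer edge; on links with asymmetric routing, which the warning under point 1 refers to, use loose mode instead.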
Edit: after speaking with Cisco PSIRT, I was recommended the following materials to fortify and protect network devices. Also, there won’t be any security advisory/CVE, since the UDP spoofing attack is a known issue.
Cisco Guide to Harden Cisco IOS Device
Team CYMRU – Secure IOS template