SNMP: How to Avoid SNMP Reconnaissance

What is the SNMP protocol and what is it for?

Its abbreviations in English correspond to Simple Network Management Protocol . In Spanish, it means Simple Network Management Protocol . It is one of the protocols that has been in force for the longest time, specifically since 1988. Initially, switches and routers could be managed by this protocol, today, it is possible to have the SNMP protocol for practically any device that manages to connect to a network. Also, it is possible to carry out both monitoring and adjustments in the configuration of the remotely monitored devices.

This is a datagram oriented protocol. Any of the managed devices will have an agent that communicates with the central device, which manages them. Said agent will send information to said central device, the content of which will be stored in a database called MIB (Management Information Base) . What is this? It is a hierarchical way of organizing the information collected from any SNMP device that is connected to the network.

What you can know thanks to a MIB (Management Information Base)

It is good to recognize that the MIB is a terrific source of valuable information regarding the network and its connected devices. However, what information can we find?

• Users : This can describe the number of user accounts and the names of each. Also, it is possible to know about the user groups and the information regarding the creation of the accounts of each one.
• Installed programs : The list of programs on one or more computers can be easily obtained using SNMP. In this way, we will be able to know the versions of what is installed. For what? This can determine if the computer has versions that are vulnerable to attacks.
• Open ports : Cybercriminals can also take advantage of open ports by obtaining information via SNMP, rather than performing a scan that could leave the cybercriminal himself in evidence with network administrators.

SNMP versions available

In total, we can have three versions of SNMP. All of them are used until today. What distinguishes each of them is the way they are implemented and the security measures they have. On the latter, we must mention the « community string «. The community string consists of a password, which is used to authenticate to a central device (the one it manages) using a private community string .

We quote the SNMP versions below:

• SNMPv1: This is the most insecure version of the protocol in terms of security measures. Since it uses authentication using plain text. The default community string is set to public .
• SNMPv2c: It has slight improvements compared to version 1, especially in terms of performance and security. However, it is not compatible with the first version, so it is necessary to have this version specifically to use it. SNMPv2c is the most used version, although v3 is the one we should always use.
• SNMPv3: This is a much better version in relation to the security measures it includes. So too, their performance. Incorporated integrity and encryption checks at the time of authentication. Unfortunately, it has not yet been implemented to a large extent in most organizations, although it is recommended to use this version.

SNMP Reconnaissance

This is a type of attack and, in turn, is one of the phases of a computer attack. Why? Because “Reconnaissance” (in Spanish, recognition) is both a type of attack and one of the phases of an attack. Anyone who wants to attack a network, for example, performs reconnaissance to get the best results after the “core” attack. It is like a phase of gathering valuable information that will serve to execute the specific attacks.

However, recognition or “Reconnaisance” is also considered an attack itself. Because, as we know that this allows information to be collected, such collection is not authorized. Not only can we know about the main data of the devices connected to the network. We can also know about the system resources that each one has, the services that they use and the vulnerabilities that they have.

DDoS attacks, for example, tend to have better results after a recognition phase. So we can say that recognition serves as a bridge for a variety of attacks that use the information collected.

If you use Kali Linux , it is possible to use the snmp-check tool. This tool will allow you to easily apply the protocol through command lines. By executing a few commands, you will be able to obtain the following data from a certain connected device:

• System information (hostname, description, time connected, IP address)
• Network information (number of datagrams received and sent, default TTL and others)
• IP Data ( IP Address, Subnet Mask and Gateway)
• Information about each of the device’s network interfaces (example, whether it is on or off)
• Device information (manufacturer name, model, and more)
• Routing data

Note: This type of SNMP vulnerability exploit applies only to versions v1 and v2.

You may be able to access more information than mentioned. This varies greatly depending on the device you connect to. However, it is easy to notice that you can know a lot about the device in question and the network to which it is connecting. This practical Kali tool will allow you to recreate what a cybercriminal can obtain from the devices that are part of the target of his attack.

If you want to avoid attacks derived from SNMP Reconnaisance , first of all, you have to disable the protocol of any device that doesn’t need it.

As we mentioned, SNMP was originally developed for routers and switches. Consequently, we could reserve this protocol for that class of devices, in the event that the requirements dictate it. On the other hand, the default content of the public and private community strings must be changed, as is the case with passwords that are difficult to guess, in order that a malicious user does not use the default strings that are always used in the protocol. SNMP.