Re: snmp

From: H Carvey (keydet89@yahoo.com)
Date: Fri Sep 24 2004 - 09:13:24 EDT


('binary' encoding is not supported, stored as-is) In-Reply-To: <20040922220703.54373.qmail@web51105.mail.yahoo.com>

>One of the sysadmins told me that they use in one of
>the networks Snmp and that the community is public.
>
>I want to pen test this issue meaning that I want to
>find ways to retrieve from the devices info, and show
>the IT manager that he must change the community.

Well, I think maybe you're taking the wrong approach.

First off, there are a great many tools that you can use to assist you with this issue...Perl, FoundStone's snscan.exe, IP Browser, etc.

Second, you need to consider what kind of message you're trying to get across. Is the issue that you're trying to address one of the use of SNMP, the use of default community strings, or what? Before you go making your argument to the IT Manager, it might be a good idea to have your ducks all in a row...many a security guy has been shot down and laughed at b/c they took too narrow and too technical a focus.

Some things to consider:
1. In the infrastructure, what is the issue? If SNMP is blocked at the perimeter, and no one from the Internet can arbitrarily access SNMP on your internal network (or whereever it's running), what is your concern?

2. If you're looking at this from a Least Privilege perspective, and the service isn't being used...by all means, disable it.

3. If you're concerned about the use of default community strings, then raise the issue that way...particularly if your company's policy is to not use any default passwords or community strings.

4. Do some checking first, before you make your agrument/recommendations. Are any other settings in use? For example, on Win2K, the default read-only community string is "public", but the service does not install out-of-the-box w/ a read-write community string...so while the values can be read, they can't be altered. Also, on most SNMP implementations that I'm familiar with (most notably Microsoft and Cisco), you can designate from which management hosts to accept queries.

>The reason that I want to do It my self is that I
>don't believe in the way that is just going to him and
>tell him..." its written in the internet that we must
>change public community to something else.

If I were your IT Manager, I'd immediately think that you were not only trying to make a fool out of me and usurp some of my "power", but that you were also, as they say in boxing, leading with your chin (ie, just begging to be knocked out). Be very careful about getting into a turf war with someone, particularly your IT Manager. I say this, b/c if you go to anyone in your company and tell them that they have to fix something for no other reason than b/c it says so on the Internet...well, I think that the assembled masses reading this list would agree that that will only lead to failure.

HTH,

H. Carvey
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:06 EDT