Simple Network Management Protocol (SNMP) is a protocol used for managing devices on the network. It is often overlooked and left in its default condition with the default device community strings. SNMP uses these community stings to access the devices in either read or write mode.
If an adversary has access to the open ports and knows the community strings, they can use this access to view or change the configuration of the device. In some cases, passwords and other sensitive information can be extracted from the device. This information could be used by an attacker to gain access to other systems within the organisation, which is referred to as Lateral Movement.
On a recent assignment, we found a device with the SNMP and HTTPS ports available to the internet and was using the default read and write strings for SNMP management, which was just blank. Although the login credentials for the admin account had been changed, the guest account credentials were still in the default state of a blank password, we also had full SNMP access.
Here is how the story unfolded from the point of identifying the open ports. We took this from being a device found on the internet to full admin control in under 5 minutes.
Found open port with Nmap scan, enumerated accounts and confirmed no string needed to log in.
Connected to the device with the admin string and no password, this is the default configuration for SNMP on this device.
Logged in with the guest account as the admin account isn’t using the default password. Please note the empty contact name.
Used the admin string to change the config of the switch.
Config change confirmed.
Tracked down the OID string that controls user permissions.
Escalated privileges of the guest account to admin.
OID confirms privileges escalated.
Logged in to the web panel and confirmed admin access.
To protect yourself against these types of attacks is very straightforward. SNMP community strings should be treated in the same way as passwords and therefore the same principles apply to pick a good SNMP string as a good quality password.
We recommended to implement the following password policy for SNMP configured devices:
- Use alphanumeric, special characters and spaces to create the passphrase
- Use passphrases at least 32 characters long
- Change the passphrase frequently
- Do not reuse passphrases
For this specific engagement, we also question should these ports be available to the internet?