In-Reply-To: <20040922220703.54373.qmail@web51105.mail.yahoo.com>
One of the sysadmins told me that they use in one of
the networks Snmp and that the community is public.
I want to pen test this issue meaning that I want to
find ways to retrieve from the devices info, and show
the IT manager that he must change the community.
Well, I think maybe you're taking the wrong approach.
First off, there are a great many tools that you can use to assist you with
this issue...Perl, FoundStone's snscan.exe, IP Browser, etc.
Second, you need to consider what kind of message you're trying to get across.
Is the issue that you're trying to address one of the use of SNMP, the use of
default community strings, or what? Before you go making your argument to the
IT Manager, it might be a good idea to have your ducks all in a row...many a
security guy has been shot down and laughed at b/c they took too narrow and too
technical a focus.
Some things to consider:
1. In the infrastructure, what is the issue? If SNMP is blocked at the
perimeter, and no one from the Internet can arbitrarily access SNMP on your
internal network (or whereever it's running), what is your concern?
2. If you're looking at this from a Least Privilege perspective, and the
service isn't being used...by all means, disable it.
3. If you're concerned about the use of default community strings, then raise
the issue that way...particularly if your company's policy is to not use any
default passwords or community strings.
4. Do some checking first, before you make your agrument/recommendations. Are
any other settings in use? For example, on Win2K, the default read-only
community string is "public", but the service does not install out-of-the-box
w/ a read-write community string...so while the values can be read, they can't
be altered. Also, on most SNMP implementations that I'm familiar with (most
notably Microsoft and Cisco), you can designate from which management hosts to
accept queries.
The reason that I want to do It my self is that I
don't believe in the way that is just going to him and
tell him..." its written in the internet that we must
change public community to something else.
If I were your IT Manager, I'd immediately think that you were not only trying
to make a fool out of me and usurp some of my "power", but that you were also,
as they say in boxing, leading with your chin (ie, just begging to be knocked
out). Be very careful about getting into a turf war with someone, particularly
your IT Manager. I say this, b/c if you go to anyone in your company and tell
them that they have to fix something for no other reason than b/c it says so on
the Internet...well, I think that the assembled masses reading this list would
agree that that will only lead to failure.
HTH,
H. Carvey
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
