I've had the best success with snooping for snmp traffic and maybe some
arp spoofing, cam table poisoning, hsrp/vrrp theft, etc. Community
string reuse is typically high so if you find one it is likely good for
something else. A single spoofed UDP packet could make serious
configuration changes if adequate controls aren't in place (and RW is
used, of course).
SNMP is typically associated with clear text transmissions and weak
authentication (community strings) but v3 was ratified by the IETF in
1998 which provides for strong authentication and encryption of data.
Since then it has been ratified periodically to incorporate new
technologies and most recently added AES cipher support (June 2004).
The Microsoft snmp agent only supports weaker versions 1 and 2c. While
just about every snmp monitoring application (OpenView, Tivoli, mrtg,
Concord, etc) supports v3 it is curious why MS hasn't taken this step.
One could go on an on with speculations as to why but a number of
companies have jumped in to develop snmp agent replacements that do
support v3.
http://www.mg-soft.si/agent.html
http://www.nudesignteam.com/agent.html
http://marksw.com/snmpv3agent/windowsagent.html
Does anyone have any experience with any of these or similar products?
-Jeff
-----Original Message-----
From: Gregory Bell [mailto:gjbell1@gmail.com]
Sent: Wednesday, March 16, 2005 11:51 PM
To: pen-test@securityfocus.com
Subject: SNMP Testing
Hello all,
I was wondering if anyone could point me to some good resources on pen
testing SNMP. We have 2 main reasons for wanted these resources/tools:
1)identifying possible vulnerabilities exposed with various SNMP
implemenations
2)Correlate actual malicious/suspicious SNMP traffic in our IDS to
better identify false positives associated with various SNMP related
signatures.
I'd appreciate any help you can give.
Thanks,
--Greg
