Re: SNMP False Positives

From: Ben Klang (ben.klang@transchannel.com)
Date: 04/12/02


From: Ben Klang <ben.klang@transchannel.com>
To: pen-test@securityfocus.com
Date: 12 Apr 2002 16:42:05 -0400


I have noticed similar responses from our HP-UX boxes. This includes
HP-UX 10.20 and 11.00. Nessus reported that any string sent was a valid
community name.

-BAK

On Thu, 2002-04-11 at 15:26, Cox, Michael wrote:
> I'm getting a lot of "default community string enabled" false positives from
> Nessus, Retina, and verified with SNMPing.
>
> On certain boxes, Nessus and Retina report that every string they check is
> enabled. When running SNMPing and "pinging" a Solaris 8 box I am told the
> service is enabled and available. I get this response no matter what
> community string I use. The output from tcpdump is below which seems to say
> that the requested object doesn't exist. Can anyone help me out here and
> explain this? I've seen this 20-30 times (and I think they are all Solaris
> boxes, but I need to double-check). I'm guessing that they (Sun) don't
> implement the standard MIB II variables, or something, since the request is
> just asking for the system name. The tools must have been written to look
> for any GetResponse, even if it is an error. Of course, that raises the
> question of why Solaris is sending anything, even errors, to invalid
> communities; any request from an invalid community should be dropped. Or,
> maybe I'm barking up the wrong tree entirely, and someone will have a better
> answer.
>
> Many thanks in advance!
>
> Mike
>
>
> windump: listening on \Device\Packet_{BFF5A60B-F6E6-42FC-B01E-6C4CBD86B5FC}
> 15:20:46.996306 arp who-has hogan.itg.ti.com tell cna9815016
> 15:20:46.996718 arp reply hogan.itg.ti.com is-at 0:3:ba:8:50:3c
> 15:20:46.996731 cna9815016.1734 > hogan.itg.ti.com.161: |30|26|02|01SNMPv1 |04|06C=abc123 |a0|19GetRequest(25)|02|01|02|01|02|01|30|0e |30|0c|06|08system.sysName.0|05|00 (ttl 128, id 5981, bad cksum 0!)
> 15:20:46.997434 hogan.itg.ti.com.161 > cna9815016.1734: |30|26|02|01SNMPv1 |04|06C=abc123 |a2|19GetResponse(25)|02|01|02|01 noSuchName|02|01@1|30|0e |30|0c|06|08system.sysName.0=|05|00 (DF) (ttl 255, id 25971)
>
>
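
Added example, not part of the original posts: a check that reads the SNMPv1 error-status and value before reporting a community string, so that a noSuchName GetResponse like the one in the capture is not counted as a hit. The packets are constructed to mirror the capture; the request-id, the helper names and the control probe with a random community (a generalization beyond the thread) are assumptions.

```python
# Added example. Packets are constructed to mirror the capture in the quoted post;
# request-id 1 and the helper names are assumptions, not values from the thread.
NO_ERROR, NO_SUCH_NAME, BER_NULL = 0, 2, 0x05
SYSNAME_0 = bytes.fromhex("06082b06010201010500")  # OID 1.3.6.1.2.1.1.5.0

def wrap(tag, body):
    return bytes([tag, len(body)]) + body          # short-form lengths only

def build_response(community, err, value_tlv):
    """Build a constructed SNMPv1 GetResponse for sysName.0."""
    varbinds = wrap(0x30, wrap(0x30, SYSNAME_0 + value_tlv))
    ints = bytes([2, 1, 1, 2, 1, err, 2, 1, 1 if err else 0])  # req-id, status, index
    return wrap(0x30, b"\x02\x01\x00" + wrap(0x04, community) + wrap(0xA2, ints + varbinds))

def tlv(buf, pos):
    """Read one BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos], buf[pos + 2:end], end

def parse_response(pkt):
    """Return (community, error_status, value_tag) of an SNMPv1 GetResponse."""
    tag, msg, _ = tlv(pkt, 0)
    _, _version, p = tlv(msg, 0)
    _, community, p = tlv(msg, p)
    pdu_tag, pdu, _ = tlv(msg, p)
    if tag != 0x30 or pdu_tag != 0xA2:
        raise ValueError("not an SNMPv1 GetResponse")
    _, _req_id, p = tlv(pdu, 0)
    _, status, p = tlv(pdu, p)
    _, _index, p = tlv(pdu, p)
    _, varbinds, _ = tlv(pdu, p)
    _, first, _ = tlv(varbinds, 0)
    _, _oid, p = tlv(first, 0)
    value_tag, _, _ = tlv(first, p)
    return community, int.from_bytes(status, "big"), value_tag

def classify(reply, control_reply):
    """reply: answer to the tested community; control_reply: answer to a random one."""
    if reply is None:
        return "no-response"
    _, status, value_tag = parse_response(reply)
    if status != NO_ERROR or value_tag == BER_NULL:
        return "error-reply"             # agent answered, but disclosed no data
    if control_reply is not None and parse_response(control_reply)[1] == NO_ERROR:
        return "readable-with-any-community"
    return "community-accepted"
```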





