RE: SNMP Testing

From: Jeff Gercken (JeffG_at_kizan.com)
Date: 03/22/05

  • Next message: RUXCON Call for Papers: "RUXCON 2005 Call for Papers" 
    Date: Mon, 21 Mar 2005 18:33:44 -0500
To: "Gregory Bell" <gjbell1@gmail.com>, <pen-test@securityfocus.com>

    I've had the best success with snooping for snmp traffic and maybe some
    arp spoofing, cam table poisoning, hsrp/vrrp theft, etc. Community
    string reuse is typically high so if you find one it is likely good for
    something else. A single spoofed UDP packet could make serious
    configuration changes if adequate controls aren't in place (and RW is
    used, of course).

    SNMP is typically associated with clear text transmissions and weak
    authentication (community strings) but v3 was ratified by the IETF in
    1998 which provides for strong authentication and encryption of data.
    Since then it has been ratified periodically to incorporate new
    technologies and most recently added AES cipher support (June 2004).

    The Microsoft snmp agent only supports weaker versions 1 and 2c. While
    just about every snmp monitoring application (OpenView, Tivoli, mrtg,
    Concord, etc) supports v3 it is curious why MS hasn't taken this step.
    One could go on an on with speculations as to why but a number of
    companies have jumped in to develop snmp agent replacements that do
    support v3.

    http://www.mg-soft.si/agent.html
    http://www.nudesignteam.com/agent.html
    http://marksw.com/snmpv3agent/windowsagent.html

    Does anyone have any experience with any of these or similar products?

    -Jeff

    -----Original Message-----
    From: Gregory Bell [mailto:gjbell1@gmail.com]
    Sent: Wednesday, March 16, 2005 11:51 PM
    To: pen-test@securityfocus.com
    Subject: SNMP Testing

    Hello all,

    I was wondering if anyone could point me to some good resources on pen
    testing SNMP. We have 2 main reasons for wanted these resources/tools:
    1)identifying possible vulnerabilities exposed with various SNMP
    implemenations
    2)Correlate actual malicious/suspicious SNMP traffic in our IDS to
    better identify false positives associated with various SNMP related
    signatures.

    I'd appreciate any help you can give.

    Thanks,

    --Greg

  • Next message: RUXCON Call for Papers: "RUXCON 2005 Call for Papers"