07 Apr, 2023

Simple Network Management Protocol (SNMP)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

Simple Network Management Protocol (SNMP), and it is a protocol used to manage and monitor network devices. It operates by sending messages between SNMP-enabled devices, allowing administrators to monitor performance, configure and control devices remotely, and troubleshoot network problems. SNMP is based on a hierarchical structure of management information called the Management Information Base (MIB) and has several versions, with SNMPv3 being the most secure.

SNMP common ports

Port 161: This is the default port for SNMP. It is used for receiving SNMP requests from network management systems.

Port 162: This port is used for receiving SNMP traps from network devices. Traps are unsolicited messages sent by devices to alert network management systems of important events or conditions.

Tools for using protocol

Manual Tools:

  • snmpwalk – A command-line tool used to retrieve information from SNMP-enabled devices.

  • snmpget – A command-line tool used to retrieve a single value from an SNMP-enabled device.

  • snmpset – A command-line tool used to set values on an SNMP-enabled device.

  • snmptrap – A command-line tool used to send SNMP trap messages to a manager or receiver.

  • SNMP MIB Browser – A manual tool used to browse and query the SNMP MIBs (Management Information Bases) of SNMP-enabled devices.

  • Net-SNMP – A suite of SNMP-related tools that includes snmpwalk, snmpget, snmpset, and snmptrap, as well as other utilities for SNMP management.

  • SNMP Tester – A manual tool that can simulate an SNMP agent and respond to SNMP requests for testing purposes.

  • MIB Viewer – A manual tool used to browse and query the SNMP MIBs of SNMP-enabled devices.

  • Paessler SNMP Tester – A manual tool that can query SNMP-enabled devices and display the results.

  • Ethereal – A manual network protocol analyzer that can capture and display SNMP traffic for analysis.

Automated Tools:

  • Nagios – An open-source monitoring system that uses SNMP to monitor the health and status of network devices and services.

  • Cacti – An open-source network monitoring tool that uses SNMP to collect and graph data on network traffic and device performance.

  • PRTG Network Monitor – A commercial network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • Zabbix – An open-source network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • Observium – An open-source network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • SolarWinds Network Performance Monitor – A commercial network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • Librenms – An open-source network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • OpenNMS – An open-source network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • NetXMS – An open-source network monitoring tool that uses SNMP to monitor network devices and services, as well as other protocols.

  • Spiceworks Network Monitor – A free network monitoring tool that uses SNMP to monitor network devices and services.

Last five known CVE for SNMP

• CVE-2023-26602: ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

• CVE-2023-22401: An Improper Validation of Array Index vulnerability in the Advanced Forwarding Toolkit Manager daemon (aftmand) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). On the PTX10008 and PTX10016 platforms running Junos OS or Junos OS Evolved, when a specific SNMP MIB is queried this will cause a PFE crash and the FPC will go offline and not automatically recover. A system restart is required to get the affected FPC in an operational state again. This issue affects: Juniper Networks Junos OS 22.1 version 22.1R2 and later versions; 22.1 versions prior to 22.1R3; 22.2 versions prior to 22.2R2. Juniper Networks Junos OS Evolved 21.3-EVO version 21.3R3-EVO and later versions; 21.4-EVO version 21.4R1-S2-EVO, 21.4R2-EVO and later versions prior to 21.4R2-S1-EVO; 22.1-EVO version 22.1R2-EVO and later versions prior to 22.1R3-EVO; 22.2-EVO versions prior to 22.2R1-S1-EVO, 22.2R2-EVO.

• CVE-2023-22400: An Uncontrolled Resource Consumption vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause an FPC crash leading to a Denial of Service (DoS). When a specific SNMP GET operation or a specific CLI command is executed this will cause a GUID resource leak, eventually leading to exhaustion and result in an FPC crash and reboot. GUID exhaustion will trigger a syslog message like one of the following for example: evo-pfemand[<pid>]: get_next_guid: Ran out of Guid Space … evo-aftmand-zx[<pid>]: get_next_guid: Ran out of Guid Space … This leak can be monitored by running the following command and taking note of the value in the rightmost column labeled Guids: user@host> show platform application-info allocations app evo-pfemand | match “IFDId|IFLId|Context” Node Application Context Name Live Allocs Fails Guids re0 evo-pfemand net::juniper::interfaces::IFDId 0 3448 0 3448 re0 evo-pfemand net::juniper::interfaces::IFLId 0 561 0 561 user@host> show platform application-info allocations app evo-pfemand | match “IFDId|IFLId|Context” Node Application Context Name Live Allocs Fails Guids re0 evo-pfemand net::juniper::interfaces::IFDId 0 3784 0 3784 re0 evo-pfemand net::juniper::interfaces::IFLId 0 647 0 647 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S3-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO versions prior to 21.2R3-S4-EVO; 21.3-EVO version 21.3R1-EVO and later versions; 21.4-EVO versions prior to 21.4R2-EVO.

• CVE-2023-20016: A vulnerability in the backup configuration feature of Cisco UCS Manager Software and in the configuration export feature of Cisco FXOS Software could allow an unauthenticated attacker with access to a backup file to decrypt sensitive information stored in the full state and configuration backup files. This vulnerability is due to a weakness in the encryption method used for the backup function. An attacker could exploit this vulnerability by leveraging a static key used for the backup configuration feature. A successful exploit could allow the attacker to decrypt sensitive information that is stored in full state and configuration backup files, such as local user credentials, authentication server passwords, Simple Network Management Protocol (SNMP) community names, and other credentials.

• CVE-2023-20009: A vulnerability in the Web UI and administrative CLI of the Cisco Secure Email Gateway (ESA) and Cisco Secure Email and Web Manager (SMA) could allow an authenticated remote attacker and or authenticated local attacker to escalate their privilege level and gain root access. The attacker has to have a valid user credential with at least a [[privilege of operator – validate actual name]]. The vulnerability is due to the processing of a specially crafted SNMP configuration file. An attacker could exploit this vulnerability by authenticating to the targeted device and uploading a specially crafted SNMP configuration file that when uploaded could allow for the execution of commands as root. An exploit could allow the attacker to gain root access on the device.

Useful information

– SNMP uses UDP port 161 for communication between the SNMP manager and SNMP agent.

– SNMPv1 and SNMPv2c use community strings for authentication, which are plain-text strings that are transmitted in clear text. SNMPv3 provides more secure authentication methods such as MD5 and SHA-1 hashing algorithms.

– SNMP agents can generate traps, which are unsolicited messages sent to the SNMP manager to report events such as system errors, security breaches, and device failures.

– SNMP is commonly used for monitoring network performance, device availability, and configuration management.

– SNMP can be vulnerable to attacks such as unauthorized access, denial-of-service (DoS), and information disclosure.

Books for studies SNMP

Essential SNMP, Second Edition by Douglas Mauro and Kevin Schmidt – This book provides an introduction to SNMP and covers the basics of SNMP architecture, MIBs, SNMPv1, SNMPv2c, SNMPv3, and other SNMP-related protocols.

Understanding SNMP MIBs by David Perkins – This book covers the basics of SNMP MIBs, including how to read and interpret MIBs, how to create custom MIBs, and how to troubleshoot MIB-related issues.

SNMP, SNMPv2, SNMPv3, and RMON 1 and 2 by William Stallings – This book provides an overview of SNMP and its variants, as well as RMON (Remote Monitoring), which is another protocol for monitoring network devices.

SNMP Application Developer’s Guide by Mark A. Miller – This book covers SNMP programming for developers, including SNMP architecture, MIBs, SNMPv1, SNMPv2c, SNMPv3, and SNMP-related protocols.

SNMP Network Management by William Stallings – This book provides an in-depth look at SNMP, including SNMP architecture, MIBs, SNMPv1, SNMPv2c, SNMPv3, and SNMP-related protocols, as well as network management applications and tools.

Understanding SNMPv3 by David T. Perkins – This book covers SNMPv3, which is the most secure version of SNMP, providing encryption and authentication to prevent unauthorized access and ensure data integrity.

The Simple Book: An Introduction to Networking Management by Marshall T. Rose – This book provides an introduction to SNMP and other network management protocols, as well as best practices for managing network devices.

SNMP-Based ATM Network Management by Hui-Huang Hsu – This book covers SNMP-based network management for Asynchronous Transfer Mode (ATM) networks, which are used for high-speed data transfer.

SNMP at the Edge: Building Effective Service Management Systems by Greg Ferro and Dale Liu – This book covers SNMP-based service management for enterprise networks, including network design, architecture, and troubleshooting.

SNMP, SNMPv2, SNMPv3, and RMON 1 and 2 by William Stallings (Revised Edition) – This updated edition covers the latest developments in SNMP and related protocols, including SNMPv3 security enhancements, and RMON2 network monitoring.

List of Payload for SNMP

  • GET Request PDU payload: Contains an Object Identifier (OID) for the data that is being requested.

  • GET Response PDU payload: Contains the value of the requested data, as well as an error status and error index if applicable.

  • SET Request PDU payload: Contains the OID and the new value to be set.

  • TRAP PDU payload: Contains information about the event that triggered the trap, such as the OID, the value, and a timestamp.

Mitigation

  1. Restrict access to SNMP devices to only authorized personnel. This can be achieved through the use of access control lists (ACLs) or other mechanisms, such as firewalls or VPNs.

  2. SNMPv3 provides authentication and encryption mechanisms to protect SNMP messages from unauthorized access or tampering. Make sure to use strong authentication and encryption methods, such as SHA-256 or AES.

  3. SNMP community strings are like passwords that allow access to SNMP devices. Change the default community strings to strong, unique values to prevent unauthorized access.

  4. If SNMP is not required on a device, disable it. This reduces the attack surface and minimizes the risk of SNMP-related vulnerabilities.

  5. Monitor SNMP traffic to detect anomalous activity, such as unauthorized access attempts or unusual patterns of SNMP requests.

  6. Keep SNMP devices up-to-date with the latest security patches and firmware updates to minimize the risk of known vulnerabilities.

Conclusion

SNMP is a protocol for network management and monitoring that can be vulnerable to various attacks. Mitigation techniques include implementing access control, using SNMPv3 with strong authentication and encryption, changing default community strings, disabling SNMP on non-essential devices, monitoring SNMP traffic, and keeping devices up-to-date.

Other Services

Ready to secure?

Let's get in touch