SNMP-based vswitch intrusion Intranet penetration

Source: Internet
Author: User

SNMP is widely used for device management and monitoring in LAN administration, and its weaknesses are the key to this penetration approach.

Managing a device over SNMP requires only a community string. This so-called password is usually the default public/private or another weak string, so cracking it or guessing it from a dictionary is easy. That lets us scan for and manage switches.

First, we need a foothold on an intranet server. By observing and scanning its network segment we can roughly map the LAN, but that may be only the tip of the iceberg. Taking over a few switches makes the job much easier. Start by scanning one segment for hosts with SNMP enabled and weak community strings.

A switch with a weak community string turns up. Judging by its appearance, it is a layer-3 switch serving this class C segment.

With that, we can walk the MIB or open it in a MIB browser and capture some important information: for example, its IP routing table, its port (interface) list, and even the VLAN allocation table.


From the IP and port tables we found its uplink segment, 10.0.0.X, and ran the SNMP scan again against that segment.

Many more weak community strings turn up. public is of course a read-only community string, but that is enough for our penetration. At the same time we discovered the addresses of the top-level egress router and egress switch, which can be used for further penetration.
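The scanning described above leaves a distinctive footprint: one source touching UDP/161 on many hosts in a segment, and a burst of SNMP authentication failures with different community strings against a single switch. The following added example (not part of the original article) shows the two detections a defender would run over flow records and SNMP agent logs; both log formats and all addresses are constructed for this example and are not a vendor's exact syslog format.

```python
"""Added example: spot SNMP sweeps and community-string guessing in logs.

Two detections a defender would run over network and device logs:
  1. one source hitting UDP/161 on many distinct hosts (a segment sweep)
  2. one source producing many SNMP authentication failures with
     different community strings (dictionary guessing)
The log formats below are constructed for this example.
"""
import re
from collections import defaultdict


def _build_flow_log():
    """Constructed flow records: '<time> <src> <dst> <proto> <dport>'."""
    lines = []
    # a scanner probing 40 hosts on udp/161
    for i in range(1, 41):
        lines.append(f"10:00:{i % 60:02d} 10.0.0.5 192.168.1.{i} udp 161")
    # a legitimate monitoring host polling the same switch repeatedly
    for i in range(30):
        lines.append(f"10:01:{i:02d} 10.0.0.10 192.168.1.1 udp 161")
    # unrelated traffic that must be ignored
    lines.append("10:02:00 10.0.0.7 192.168.1.3 tcp 443")
    return "\n".join(lines)


FLOW_LOG = _build_flow_log()

# Constructed syslog-style lines from an SNMP agent on a switch
AUTH_LOG = """\
Jan 10 10:00:05 sw-core snmpd: Authentication failure, community "public" from 10.0.0.5
Jan 10 10:00:05 sw-core snmpd: Authentication failure, community "private" from 10.0.0.5
Jan 10 10:00:06 sw-core snmpd: Authentication failure, community "cisco" from 10.0.0.5
Jan 10 10:00:06 sw-core snmpd: Authentication failure, community "admin" from 10.0.0.5
Jan 10 10:00:07 sw-core snmpd: Authentication failure, community "monitor" from 10.0.0.5
Jan 10 10:00:07 sw-core snmpd: Authentication failure, community "secret" from 10.0.0.5
Jan 10 10:05:00 sw-core snmpd: Authentication failure, community "publc" from 10.0.0.10
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (udp|tcp) (\d+)$")
AUTH_RE = re.compile(r'Authentication failure, community "([^"]*)" from (\S+)')


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the constructed flow format."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            _, src, dst, proto, dport = m.groups()
            yield src, dst, proto, int(dport)


def find_snmp_sweeps(text, min_targets=16):
    """Return {src: distinct_target_count} for sources that probe UDP/161
    on at least min_targets distinct hosts. Repeated polling of one host
    (normal monitoring) does not trip this, because targets are a set."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        if proto == "udp" and dport == 161:
            targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def find_community_guessing(text, min_distinct=4):
    """Return {src: sorted distinct community strings} for sources whose
    failed attempts used at least min_distinct different strings; a single
    typo from a monitoring host stays below the threshold."""
    tried = defaultdict(set)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            community, src = m.groups()
            tried[src].add(community)
    return {s: sorted(c) for s, c in tried.items() if len(c) >= min_distinct}


if __name__ == "__main__":
    print("sweeps:", find_snmp_sweeps(FLOW_LOG))
    print("guessing:", find_community_guessing(AUTH_LOG))
```

The thresholds are deliberately simple; in practice tune `min_targets` to the size of your segments and a time window, and feed the sweep detection from whatever flow or firewall export you already have. Counting distinct targets and distinct community strings (rather than raw packet counts) is what separates a scanner from a busy but legitimate monitoring host.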

P.S. In fact, the switch's read-write community string can also be brute-forced or dictionary-guessed, which gives full management of the switch. Shutting down a port, for example, may disconnect the whole network or even take the entire switch offline (warning: operating on a core switch may have a major impact, so proceed with caution).

With SNMP read access to these switches, we can easily understand the network structure, the IP address allocation, and the function of each segment. What remains is local penetration of a given IP segment or function: the monitoring segment, the access-control segment, the accounting system, the office segment, the external server segment, and so on.

In general, my summary of switch intrusion is: work upward and downward first, find the trunk, then follow it to find every branch, identify each branch's role, and assemble a picture of the whole network. The entire LAN is then under your control.

Of course, TELNET can also be used for switch intrusion, but cracking it takes a long time. A switch generally allows only three login attempts, which makes brute-forcing very troublesome. In fact, managing a switch does not require permissions as high as Telnet; this article is one example.
This method was used to take provincial egress (border) switches about four years ago. The same problem exists in foreign switches. The SNMP management weakness of layer-3 switches is unavoidable; even in some highly secure environments it is easy to crack or guess. Probably the only fix is to disable SNMP entirely or set a very long, non-dictionary SNMP community string.
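The fix the article arrives at (disable SNMP, or use a long, unusual community string) can be checked mechanically. The added example below, which is not from the original article, audits community-string lines in the Cisco IOS `snmp-server community <string> <RO|RW> [acl]` form: it flags default or common strings, strings shorter than the length you require, read-write access, and communities with no source ACL, and reports whether an SNMPv3 `priv` group is configured, since SNMPv3 with authentication and encryption is the standard replacement for community strings. The sample configuration, the community strings and the list of common strings are constructed for this example.

```python
"""Added example: audit SNMP community-string configuration.

Turns the article's mitigation (disable SNMP, or use a long, unusual
community string) into a repeatable check over Cisco IOS-style lines.
The sample config and the community strings are constructed for this
example, not taken from a real device.
"""
import re

# Commonly guessed community strings; extend this from your own wordlist
DEFAULT_COMMUNITIES = {
    "public", "private", "cisco", "admin", "monitor", "manager", "write", "read",
}
MIN_LENGTH = 20  # treat anything shorter than this as guessable

COMMUNITY_RE = re.compile(
    r"^\s*snmp-server community (\S+) (RO|RW)(?: (\S+))?\s*$", re.IGNORECASE
)
V3_PRIV_RE = re.compile(r"^\s*snmp-server group \S+ v3 priv\b", re.IGNORECASE)

# Constructed sample: two default strings, one long RO string restricted by
# ACL 10, one long RW string with no ACL, and a v3 group using privacy.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community Zq7!mPv2#kL9wT4rXb8Hn RO 10
snmp-server community Zq7!mPv2#kL9wT4rXb8Hn RW
snmp-server location core-switch
snmp-server group NETOPS v3 priv
"""


def parse_communities(config):
    """Return a list of {community, mode, acl} dicts from config text."""
    found = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode, acl = m.groups()
            found.append({"community": community, "mode": mode.upper(), "acl": acl})
    return found


def audit(config, min_length=MIN_LENGTH):
    """Return (severity, community, reason) findings, worst first is not
    guaranteed; order follows the config. RW access raises each severity."""
    findings = []
    for c in parse_communities(config):
        name, mode, acl = c["community"], c["mode"], c["acl"]
        rw = mode == "RW"
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("critical" if rw else "high", name,
                             "default or common community string"))
        elif len(name) < min_length:
            findings.append(("high" if rw else "medium", name,
                             f"shorter than {min_length} characters"))
        if acl is None:
            findings.append(("high" if rw else "medium", name,
                             "no source ACL limits which managers may query"))
    return findings


def has_v3_priv(config):
    """True if at least one SNMPv3 group requires authentication and privacy."""
    return any(V3_PRIV_RE.match(line) for line in config.splitlines())


def is_compliant(config):
    """No community-string findings and an SNMPv3 priv group present."""
    return not audit(config) and has_v3_priv(config)


if __name__ == "__main__":
    for severity, name, reason in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {name}: {reason}")
    print("snmpv3 priv group:", has_v3_priv(SAMPLE_CONFIG))
    print("compliant:", is_compliant(SAMPLE_CONFIG))
```

Run against a saved `show running-config` and the output is a short list of what to remove or restrict. The length threshold is a policy choice; what matters is that the string is not in any wordlist, that read-write access is not granted at all where it is not needed, and that an ACL limits queries to the monitoring hosts, so that a sweep from an arbitrary intranet host never reaches the agent.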

Postscript:
This article aims to present a method and ideas for intranet penetration via SNMP-based switch intrusion, together with some simple tests. You are welcome to discuss the specific methods. I believe this approach is useful in large and medium-sized LANs.
