Many people have come to understand that closing TCP ports 139 and 445 on Windows 2000 improves security considerably: at the very least,
system information can no longer be enumerated over NetBIOS/SMB.
In general that is true. But security that really deserves the name means checking every detail for exposure that remains.
One such detail: a fully installed Windows 2000, or any system on which the Simple Network Management Protocol (SNMP) service has been started,
is a serious risk that exposes your system to everyone who can reach it.
I. Start with SNMP
SNMP, the Simple Network Management Protocol, is the protocol used to manage nodes on an IP network.
Almost every network device and network operating system supports it.
Next comes the concept of community strings.
If the name means nothing to you, think of a community string as a "query password", and not a very strong one.
When a management client sends a request, the agent checks the community string it carries and grants the matching permission
(read-only or read/write) to the Management Information Base (MIB).
The MIB holds all of the important information about the system.
In other words, if we know the community string, we can read the system's information. Two details make this worse than an ordinary password: in SNMPv1 and v2c the string is sent in cleartext in every packet, so anyone who can sniff the management traffic learns it, and a read/write community lets its holder change values, not just read them.
Unfortunately, many network equipment vendors and operating system vendors ship with the same well-known default community string,
which makes things very convenient for us.
II. Scanning WIN2K
On Windows 2000, once the SNMP service is installed and started, the system listens on two ports:
UDP 161 snmp
UDP 162 snmptrap
We will not go into what each is for. The point to note is that they are UDP ports, not TCP ports, so a filter written only for TCP 139 and 445 does not touch them.
At the same time, Windows 2000 accepts the default community string "public" out of the box.
With the snmputil tool from the Resource Kit we can conveniently pull out a great deal of information.
Download: http://www.patching.net/abu/tools/win/snmputil.exe
A brief introduction to its usage. The command line is:
snmputil [get|getnext|walk] agent community oid
snmputil is the program name.
get retrieves the value of one object.
getnext retrieves the object that follows the given OID.
walk retrieves a whole subtree of the MIB (everything under the given OID) by issuing getnext repeatedly until it leaves that subtree.
agent is the IP address or host name of the target.
community is the community string, the "query password".
oid is the Object Identifier, the dotted numeric path that names each piece of information in the MIB tree.
For more detail, see the related articles.
Let's start spying.
Try to get the current process list of the target machine:
snmputil walk <target ip> public .1.3.6.1.2.1.25.4.2.1.2
Try to get the user list of the target machine:
snmputil walk <target ip> public .1.3.6.1.4.1.77.1.2.25.1.1
Haha, is it not easy to discover the other side's information?
Of course, these commands can do much more. A useful set:
snmputil walk <target ip> public .1.3.6.1.2.1.25.4.2.1.2    list running processes (HOST-RESOURCES-MIB hrSWRunName)
snmputil walk <target ip> public .1.3.6.1.4.1.77.1.2.25.1.1  list local user accounts (Microsoft LAN Manager MIB svUserName)
snmputil get <target ip> public .1.3.6.1.4.1.77.1.4.1.0      show the primary domain name
snmputil walk <target ip> public .1.3.6.1.2.1.25.6.3.1.2     list installed software (hrSWInstalledName)
snmputil walk <target ip> public .1.3.6.1.2.1.1              list system information (sysDescr, sysUpTime, sysName and so on)
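The exchange behind those snmputil commands, as an added example that is not part of the original article and not snmputil's own code: a minimal SNMPv1 encoder/decoder in Python, a walk loop that does what snmputil walk does (GetNext until the agent errors or leaves the subtree), and a constructed in-memory agent standing in for a Windows 2000 host. The OIDs match the list above; the values, the fake agent and the process IDs are made up, and nothing is sent on the network. To run it against a host you are authorised to test, replace fake_agent with a function that sends the bytes to UDP port 161 and returns the reply, or None on timeout.

```python
from typing import Callable, List, Optional, Tuple

GETNEXT, RESPONSE = 0xA1, 0xA2  # PDU tags; GetRequest would be 0xA0
NULL = b"\x05\x00"  # ASN.1 NULL, the value placeholder in every request varbind

def _tlv(tag: int, body: bytes) -> bytes:  # BER tag-length-value, long-form length from 128 bytes
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _int(v: int) -> bytes:  # non-negative INTEGER, shortest form, leading 0x00 if the top bit is set
    b = v.to_bytes(4, "big").lstrip(b"\x00") or b"\x00"
    return _tlv(0x02, b if b[0] < 0x80 else b"\x00" + b)

def _oid(dotted: str) -> bytes:
    p = [int(x) for x in dotted.strip(".").split(".")]
    out = bytearray([40 * p[0] + p[1]])  # the first two arcs share one byte
    for sub in p[2:]:  # base-128 with the continuation bit set on all but the last byte
        enc = [sub & 0x7F]
        while sub > 0x7F:
            sub >>= 7
            enc.append(0x80 | (sub & 0x7F))
        out += bytes(reversed(enc))
    return _tlv(0x06, bytes(out))

def _items(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a BER SEQUENCE body into its (tag, body) elements, handling long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def _decode_oid(b: bytes) -> str:
    parts, cur = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        cur = (cur << 7) | (x & 0x7F)
        if not x & 0x80:
            parts, cur = parts + [cur], 0
    return ".".join(map(str, parts))

def build_message(community: str, pdu_tag: int, request_id: int,
                  varbinds: List[Tuple[str, bytes]], error_status: int = 0) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community (a cleartext OCTET STRING), PDU }."""
    vbl = b"".join(_tlv(0x30, _oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def parse_message(msg: bytes) -> dict:
    """Inverse of build_message. OCTET STRING values -> str, NULL -> None, other types -> raw bytes."""
    (_, _), (_, comm), (tag, pdu) = _items(_items(msg)[0][1])  # version, community, PDU
    (_, rid), (_, err), _, (_, vbl) = _items(pdu)  # request-id, error-status, error-index, varbinds
    vbs = []
    for _, vb in _items(vbl):
        (_, oid), (vtag, val) = _items(vb)
        vbs.append((_decode_oid(oid), val.decode("latin-1") if vtag == 0x04 else None if vtag == 0x05 else val))
    return {"community": comm.decode("latin-1"), "pdu": tag, "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(err, "big"), "varbinds": vbs}

def walk(send: Callable[[bytes], Optional[bytes]], community: str, root: str) -> List[Tuple[str, object]]:
    """What 'snmputil walk' does: GetNext repeatedly until the agent errors or leaves the subtree."""
    out, root = [], root.strip(".")
    cur = root
    while True:
        reply = send(build_message(community, GETNEXT, len(out) + 1, [(cur, NULL)]))
        if reply is None:  # v1 agents silently drop packets that carry a wrong community string
            return out
        r = parse_message(reply)
        if r["error_status"] or not r["varbinds"]:  # noSuchName(2): walked off the end of the MIB
            return out
        cur, val = r["varbinds"][0]
        if not (cur + ".").startswith(root + "."):  # left the requested subtree
            return out
        out.append((cur, val))

def probe_community(send, community: str) -> bool:  # the per-candidate check a community brute-forcer repeats
    return bool(walk(send, community, "1.3.6.1.2.1.1.1"))  # any answer under sysDescr means the string is valid

# Constructed stand-in for a Windows 2000 agent (sample values, not captured from a real host).
FAKE_MIB = {
    "1.3.6.1.2.1.1.1.0": "Hardware: x86 - Software: Windows 2000 Version 5.0",  # sysDescr.0
    "1.3.6.1.2.1.25.4.2.1.2.8": "System",  # hrSWRunName, indexed by PID
    "1.3.6.1.2.1.25.4.2.1.2.164": "smss.exe",
    "1.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116": "Guest",  # svUserName, indexed by the name's bytes
    "1.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114": "Administrator",
}
def _key(oid: str): return tuple(int(x) for x in oid.split("."))
_ORDER = sorted(FAKE_MIB, key=_key)  # lexical OID order, which is what GetNext follows

def fake_agent(packet: bytes) -> Optional[bytes]:  # answers GetNext for community 'public' only
    req = parse_message(packet)
    if req["community"] != "public" or req["pdu"] != GETNEXT:
        return None
    asked, rid = req["varbinds"][0][0], req["request_id"]
    later = [o for o in _ORDER if _key(o) > _key(asked)]
    if not later:  # past the end of the MIB: noSuchName(2) with the request varbind echoed back
        return build_message("public", RESPONSE, rid, [(asked, NULL)], 2)
    return build_message("public", RESPONSE, rid, [(later[0], _tlv(0x04, FAKE_MIB[later[0]].encode()))])
```

walk(fake_agent, "public", "1.3.6.1.2.1.25.4.2.1.2") returns the two process names and walk(fake_agent, "public", "1.3.6.1.4.1.77.1.2.25.1.1") the two account names, while any community other than public gets no reply at all, which is exactly why a scanner can try candidates in a loop without the agent ever locking it out. Look at the bytes build_message produces: the community string sits in the packet as plain ASCII right after the version field, which is the cleartext problem from section I.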
III. Recommended tools
snmputil is enough to scan the hosts on a network, but it is a command-line tool,
and those long OIDs are not easy to type.
Here I recommend two very good network management tools whose other use, of course, is SNMP spying.
IP Network Browser from SolarWinds 2001
IP Network Browser is an SNMP browser: give it the right community string ("query password") and it pulls
any available information out of a Windows 2000/NT system running the SNMP service.
In the screenshot (not reproduced here) the community string in use is public.
In the Accounts view we get the same user list that the snmputil command line returned.
A powerful tool.
The full SolarWinds package includes many more network management tools; I will introduce them in later articles.
LANguard Network Scanner 2.0
This is a comprehensive network security scanner. Its main job is to display each host's NetBIOS name and MAC address, find its
shares, guess the operating system type, test the security of share passwords and so on, with output in HTML format.
Main function interface: (screenshot not reproduced)
Select the SNMP option on the left and right-click to choose the SNMPWalk function.
The MIB tree is shown in a very intuitive graphical form, so you can pick the corresponding subtree directly,
or type an OID to query the target host for that information.
For example, account information: (screenshot not reproduced)
LANguard Network Scanner also has some more advanced and practical features,
for example brute-forcing community strings.
Since the community string is the only credential SNMPv1 has, and an agent neither locks out nor logs failed guesses by default, this is very effective.
IV. How to prevent SNMP-based spying
Note that the SNMP service communicates on UDP ports, which most network administrators overlook.
Many administrators block NetBIOS null sessions on their servers and then consider the system reasonably secure,
without realising that the SNMP service is exposing it all over again.
The most convenient and thorough fix is to stop or uninstall the SNMP service.
If stopping SNMP is not an option, configure the service securely, either in the service's properties dialog or directly in the registry.
Start -> Programs -> Administrative Tools -> Services -> SNMP Service -> Properties -> Security
In this dialog you can change the community strings (what Microsoft calls community names and what I have been calling
the "query password"), and you can restrict SNMP queries to a list of named management hosts.
Under NT4, however, you must edit the registry.
Community strings live under
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
Replace the name public with something else, and make it long and random: it is the only credential SNMPv1 has.
To restrict which IP addresses may query, open
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
and add a string value named "1" containing the IP address of the permitted host.
For more hosts, add further values named "2", "3", "4" and so on. Restart the SNMP service afterwards so that it reads the new settings.
Two caveats. The community string travels in cleartext in every SNMPv1/v2c packet, so anyone able to sniff the management path learns the new name as soon as it is used, and PermittedManagers matches on the source address of a UDP datagram, which is easy to spoof. Treat both settings as hardening, and still filter UDP 161 at the network boundary.
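An offline check of those two registry keys, added here as an example and not part of the original article: it parses the text that reg export produces for SNMP\Parameters and flags a default or guessable community name, a community with write rights, and an empty PermittedManagers list. The two exports in the block are constructed, not taken from a real machine. The permission values (1 none, 2 notify, 4 read-only, 8 read-write, 16 read-create) are the Windows 2000 REG_DWORD encoding as I understand it and are an assumption to verify against your own export before relying on the output.

```python
import re
from typing import Dict, List

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
# Assumption to verify against your own export: Windows 2000 stores each community as a value
# name under ValidCommunities whose REG_DWORD data is the permission mask below.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
GUESSABLE = {"public", "private", "community", "snmp", "admin", "monitor"}

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax an export uses: [key] headers and "name"=data lines."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys

def audit_snmp(reg_text: str) -> List[str]:
    """Findings for the two keys the text describes; an empty list means nothing to flag."""
    keys = parse_reg(reg_text)
    findings = []
    for name, data in keys.get(BASE + r"\ValidCommunities", {}).items():
        mask = int(data.split(":", 1)[1], 16) if data.startswith("dword:") else None
        right = RIGHTS.get(mask, f"unknown ({data})")
        if name.lower() in GUESSABLE:
            findings.append(f"default/guessable community '{name}' with {right}")
        if mask is not None and mask >= 8:  # READ WRITE or READ CREATE: SetRequests are accepted
            findings.append(f"community '{name}' allows writes ({right})")
    if not keys.get(BASE + r"\PermittedManagers"):  # key missing or has no "1", "2", ... values
        findings.append("PermittedManagers is empty: any source IP may query")
    return findings

# Constructed exports (not from a real machine) in the shape 'reg export' produces.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004
"private"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"Xq7-mon-r0"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"1"="10.0.0.5"
"2"="10.0.0.6"
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_snmp(export) or ["no findings"])
```

Run it over the output of reg export on the Parameters key to compare a box against the configuration described above; the weak export produces four findings and the hardened one none. Remember that a clean result here says nothing about the two caveats above, since neither cleartext community strings nor UDP source spoofing is visible in the registry.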
That concludes SNMP-based information spying and the corresponding defences.
Many of the names and explanations in this article are my own informal wording rather than complete, formal definitions, but for beginners they should be of some
help.