Scanning the Internet with SNMP
This is a great article that reveals the results of Gnucitizen.org scanning the Internet for open SNMP (Simple Network Management Protocol) ports.
First they detail why SNMP makes such a juicy target, namely the UDP port scans are fast and SNMP holds a wealth of infomation.
Gnucitizen scanned 2.5 million IP’s and 5320 responded to the SNMP request. This is astounding number when you conisder that two rookie mistakes must be made for this to happen.
1. An internet facing device has SNMP enabled
2. It is configured with the default community string of “public”
I really can’t believe that I haven’t thought of trying this before on a smaller scale.
In response allow me the latitude of giving a word of warning and education. We often assume that it is highly crafted sophisticated attacks that threaten our networks when more commonly the vulnerability is the result of lazy and/or ignorant admins.
Every time you add a network device make sure to do at least 2 things,
1. Change the default password,
2. Secure SNMP either by changing the default community strings or even better use SNMPv3, if you aren’t going to use SNMP then disable it.
You’d be amazed how many times I can plug into a hardwire port fire up a SNMP scanner and get tons of info from switches and other network devices. Take the time to do it right.
For more info on SNMP start with the Wikipedia and follow to the RFC’s.