Wednesday, July 25, 2012

Port/Service Scanning using SNMP

Simple Network Management Protocol (SNMP) is used for remote monitoring and managing of hosts, routers, switches or any device connected to network SNMP works on 161/UDP, SNMP Trap on 162/UDP.

By default SNMP comes with two community strings
        public (read only access)
        private (read/write access)

Community strings or User names  with read only access rights can also be used to Scan a machine remotely for open TCP/UDP ports. The community string which I am using is "mysnmp" with read/write permissions.


Below snapshot gives information about process/service names running on the machine.


Evading IDS/IPS
Generally we use NMAP for scanning a remote machine to figure out open TCP or UDP ports. Most of the IDS/IPS might detect the Scans and flag an alert. SNMP scan might evade IDS/IPS because we are sending a legitimate SNMP request to remote devices.

Protection
Remove unnecessary MIBs which are not being used.

Other articles which might be of interest
http://darshanams.blogspot.in/2010/11/wireshark-remote-packet-capture-bit-of.html
http://darshanams.blogspot.in/2012/05/cain-and-abel-password-cracking.html

Enjoy !!!