Six Simple Network Management Protocol (SNMP) servers expose their UDP port 161 to the Internet. SNMP is a network management protocol and allows network and host configurations to be queried and set. The servers are configured with SNMPv3 which supports authentication and encryption. SNMPv3 allows the extraction of basic information from an SNMPv3 GET request such as the vendor name, MAC address, and uptime. Exposing SNMPv3 to the Internet also allows attackers to launch brute force password attacks.
Exposing unnecessary services to the Internet increases the attack surface and allows attackers to launch brute force password attacks against SNMP.
Limit network access to the SNMP port (UDP 161) to a set of whitelisted IP addresses instead of exposing the port to the Internet.
- Nmap: Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Command
sudo nmap -sUV -p 161 <server ip>
Vulnerable Output
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-07-12 14:18 EDT
Nmap scan report for <server ip>
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service; ciscoSystems SNMPv3 server
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
Command
nmap -sUV -p 161 --script snmp-ios-config --script-args snmpcommunity=public <server ip>
Vulnerable Output
Nmap scan report for <server ip>
Host is up (0.069s latency).
PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service; ciscoSystems SNMPv3 server
| snmp-info:
| enterprise: ciscoSystems
| engineIDFormat: mac
| engineIDData: 00:e8:65:49:f1:d9
| snmpEngineBoots: 3
|_ snmpEngineTime: 31d22h33m27s