We created a great base for SNMP vulnerability assessment in the last post. SNMPv2c offers a few more threats to consider when doing vulnerability management or blackbox fuzzing. I also am excited to share the infamous SNMPv2c DRDoS I found a few years back. So with hast on we go.
As you can see I have taken the time to highlight our new additions to our Attack Model for SNMPv2c. Not much has changed.
As you can see Proxy Agents are a new big thing however you will likely not see this implemented during an assessment. Personally I never have. Should you get the opportunity try crafting a spoofed PDU response from an SNMPv1 to the SNMPv2c Proxy Agent to inject a false trap notification. There is too much trust emphasized on the Proxy Agent. You can do this simply with SNMP_PacketGenerator and wireshark.
We also gain Inform in this version. Inform is our acknowledgement packet. Just like TCP ACK. Inform is used when an SNMPv2 Trap is set, and triggered. This is to ensure receipt of the notification.
SNMPv2 Trap is irrelevant. I placed it here just so you could look at it. SNMPv2 was never adopted by the community due to its security oddly enough. It was overtaken by SNMPv2c and SNMPv2u to a lesser extent which offered more lax security for the administrators to do there job easier. *facepalm*
Get Bulk is a great new addition to SNMPv2. It allows a single request to do what used to take thousands. Snmpwalk in SNMPv1 worked by sending a Get Next request after every receipt from the previous request. SNMP Get Bulk says I want every OID beneath this part of the MIB OID tree for our device. Saves bandwidth, hurries the response along. Right?
So the real improvement is a single request packet that can grab the entire MIB OID subtree, and also the base MIB OID. Generally given request headers length and the SNMP message sequence length the request is about 80 bytes. Give or take a few. For a response that can total 30 to 40 response packets. Limited each by the UDP packet length of 1514 bytes. On a spoofable protocol!
To put that into prospective that is like throwing a baseball at a brick wall and having the brick wall fall on you. An average 900x Distributed Reflective Denial of Service attack presents itself in the case of the MS Windows MIB OID 18.104.22.168.
To see a sample of this attack for yourself you can refer to my simple SNMPv2c_DRDoS. This tool can be used to show the attack against a single MS SNMPd implementation.
An old friend Fugi wrote a c script, snmpdos, to weaponize it a few years back. Worth checking out if you would like to see it done in c.