What goes wrong if I have your SNMP RW string for a Cisco Device? Digitalsurgn Follow Apr 17, 2019 · 5 min read

With your SNMP (write) string ,an attacker can completely wipeout your router , reboot and put in rommon mode remotely .

I am assuming that ,we know that what SNMP is for and with the help of community strings ,one can query and change configurations remotely through SNMP.

Imagine what if , an attacker have the SNMP strings of CISCO network device and that string have read and write authority over the device. Attacker also got the access-list which allows only particular IP addresses to communicated with devices over SNMP( if there is access-list defined for the SNMP configuration ),otherwise ignore this part . So with having the above mentioned information ,

What could go wrong?

attacker can format the OS partition of the device (i.e. bootflash) (Remotely ) attacker can erase the startup-config of the device (Remotely ) attacker can put device in ROMMON (Remotely ) attacker can reboot the device (Remotely )

The point 4 is the most important as it has the biggest impact among the rest of the 3 points.

WHY ?

For those who don’t know how configurations is loaded in CISCO network devices or the partitions of CISCO network device,

1(a). if attacker format OS partition means, the router will still be running, as the OS already loaded in RAM . Formatting bootflash(the partition where the booting IOS file saved),means that upon reload there is no OS File (.bin) , so router will not be able to load operating system.(reference: bootflash https://learningnetwork.cisco.com/thread/120379)

2(a). If attacker erase the startup-config of the device the device will be running as normal, as the running configurations are already loaded in the RAM as running-config ,where as the startup-config is saved in the nvram. The router load the startup-config during booting process into RAM and named them running-config . Any thing changed in startup-config will not be effected until it is reloaded into running-config during boot process or manually giving a command to write.(reference: running-config vs startup-config https://study-ccna.com/running-startup-configuration/)

3(a). If attacker put device in ROMMON by changing the register value . it will not take an effect until the device is reloaded . Once the device will reload then it will be booted in ROMMON , because of the changed value of register.(reference: what is rommon https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/rommon/configuration/guide/rm41crs/rm41over.html )

4(a). So commanding the device to get reload remotely over SNMP with write string is the most dangerous thing ,if its used by a malicious user.

According the CISCO all the devices are factory-set have default configuration of “no snmp-server system-shutdown” means over SNMP no one can reload the router with a SNMP reload command / mib(reference: what is snmp mib ?https://www.paessler.com/info/snmp_mibs_and_oids_an_overview ) ,But the catch is that malicious user can change this setting over SNMP with help of this command “snmp-server system-shutdown” and then issue reload command through SNMP to reload the router remotely . (reference: PAGE 42 https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/command/nm-snmp-cr-book/nm-snmp-cr-s5.pdf )

SNMP (reference:https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol) is UDP based and there is no 3-way handshake required (which is the case of TCP ) , so IP Spoofing is very easily possible and for that ,credits goes to Darren McDonald tool Cisco-SNMP-Slap .This tool can do IP spoofing(reference:https://www.iplocation.net/ip-spoofing)(to bypass access-list for SNMP communication) and can request the CISCO network device to upload its configuration to a defined TFTP server .

I have modified this script to perform all the above 4 points mentioned and named it as CISCO-SNMP-SPAT.

Attacking Scenario

As per the above simple diagram , the target router should be accessible over Internet OR over LAN(in case of internal Pentesting), but router port 161 should be open to receive the SNMP packets from the attacker machine.The tftp server can be same as attacker machine or same where on network and reachable to the router (so router can get config from the tftp).

So now we required the below information :

SNMP community/private string (write)( This string can be acquired by a number of means , including brute-force attack using nmap script snmp-brute etc. (reference :https://thehacktoday.com/snmp-brute-fast-snmp-brute-force-enumeration-cisco-config-downloader-and-password-cracking-script/ ) ACL information (incase there is ACL to spoof the IP address, otherwise ignore this)(reference: http://www.cathayschool.com/using-access-lists-to-protect-snmp-access-a552.html) The target IP address of the router . An attacker machine over the internet / LAN ( incase LAN based attack)(Kali linux etc.) A tftp Server ready to push the configuration to the network device( it could be the same machine from where attacker attack.)(tftp https://github.com/acaitch/tftpgui/blob/master/tftpgui.py) The python Cisco-SNMP-SPAT script .

The action:

The script do the IP Spoofing to bypass the ACL and send SNMP mibs.(incase of ACL configured) In three stage attack of Script , it will 1st remove the FLASH (IOS bin file) from bootflash by formatting the bootflash. A in second stage a tftp configuration will be pushed to the device from the tftp ,which have Config register value set to 2142 mode and set “snmp-server system-shutdown” ( to receive a reload command over SNMP.)(reference: https://www.cisco.com/c/en/us/support/docs/routers/2500-series-routers/6201-lose-config-6201.html) A single SNMP mib to remove startup-config (so that upon reload there is no config and as its already formatted at this stage the bootflash memory ,so no booting IOS) A single SNMP mib to reload the router to finish the story.

This shows the impact of loosing the SNMP string(write) of CISCO device .

Incase there is no ACL the IP spoofing part can be ignored and directly attack possible on the router .

Once router reload after the last SNMP mib of the script ,the router will boot in rommon mode with no OS and no configurations.

The modified code of the Darren McDonald tool Cisco-SNMP-Slap is available this location with the name of CISCO-SNMP-SPAT.

The Solution :

This kind of attack can be avoided by below points , as it based on a number of factors :