Tuesday, October 01, 2013

I'm scanning udp/161 (SNMP) right now

I'm scanning the entire Internet for SNMP (UDP port 161) right now:

masscan -pU:161 --banners

SNMP is the "simple network management protocol", which is the Internet standard monitoring devices (like temperature and traffic rates), getting alerts from devices (like when the power fails), and most importantly, controlling devices. It's such a dangerous protocol that it should never be exposed to the public Internet. I should get back zero responses to my scan -- but I'm getting millions.

My query is a "GET" request for "sysName" and "sysDescr". These are relatively harmless bits of information, which is why I'm scanning for them: they are the fields that I'm most likely to get back in response. Most people don't mind exposing those fields. In future scans, I'm going to look for more sensitive information, like MAC addresses, or RMON.

This is just a sampling of early results. The most popular values for "sysName" are:

 288176 CableHome
 145375 TD5130
 123819 Unknow
 119946 Broadcom
 108174 CHT
  79667 unnamed
  48492 Innacomm
  36876 KWS-1040G
  28779 DSL-2640B
  27768 P-660R-T1
  27447 router
  25229 WA3002G4
  24178 ADSL Modem/Router
  22738 ADSL
  20528 Speedy
  19828 Telefonica
  18884 D-Link
  18384 nobrand
  17136 DSL-2500U
  15755 Beetel
  13175 Sprint
  12374 Siemens SE261
  12032 RTL867x ADSL Modem/Router
  11782 DNA-A211-I
  10971 unknown
   9738 USR9111
   9362 tc
   9136 AXIMCom

The first thing to notice about this is how this list is dominated by home cable/DSL modems. Also notice the item on the bottom of the list: AXIM is a well known manufacturer of Internet connected cameras. That could be lots of run to play with.

You see lots of devices in this list because it's usually supposed to be the human-configured name for a computer. Devices tend to be deployed without humans interacting with them, and hence come with factory preset names.

The most popular values for "sysDescr" are:

 189979 P-660HW-D1
 132290 Software Version 3.10L.01.
 122354 Linux WNR1000v2 2.6.15 #199 Thu Jan 28 09
  79667 ucd-snmp-4.1.2/eCos
  74816 P874S5AP_20120106W
  74654 Linux ADSL2PlusRouter 2.6.19 #2 Wed Aug 22 19
  74435 Technicolor CableHome Gateway <
  73785 CBW700N <
  65439 System Description
  55851 Thomson CableHome Gateway <
  52248 Wireless ADSL Gateway
  41910 Hardware
  39351 Linux ADSL2PlusRouter 2.6.19 #7 Tue Apr 9 17
  38372 Ubee PacketCable 1.5 W-EMTA <
  31197 Netopia 3347-02 v7.8.1r2
  30728 P-660HW-T1 v2
  28390 Apple Base Station V3.84 Compatible
  28311 GE_1.07
  27017 ZXV10 W300
  21765 P-660R-T1 v3s
  19930 Linux KWS-1040G 2.4.25-LSDK- #1 Sat Jun 12 14
  19753 Software Version 1132_061507-3.08L.BSNL_02.
  19534 ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem <
  18121 W3400V6-4.06L.01-TM
  15993 Linux ADSL2PlusRouter 2.6.19 #2 Mon Feb 13 14
  15165 router
  15116 4 Port VDSL IAD
  14870 BCW700J <
  13577 Residential ADSL Gateway
  13428 450TC2
  13250 P-660HW-T1 v3
  12984 Linux localhost 2.4.17_mvl21-malta-mips
  12496 Cisco Internetwork Operating System Software
  12163 Software Version 3.12L.BSNL_01.
  12155 Apple AirPort - Apple Inc., 2006-2012.  All rights Reserved.
  12068 DSL-2600U
  12032 RTL867x System Description
  11997 Linux KWS-1040G 2.4.25-LSDK- #1 Thu Sep 3 18
  11617 P-660RU-T1 v2

Again, you see an overwhelming number of home devices. These come with model numbers, which is great, because it gives you a good list of products to avoid. Home cable/DSL modems should have zero ports exposed to the public Internet -- especially SNMP of all ports. If you have one of these vendors, like Zyxel or Arris, you are just begging to be hacked.

Note that both these lists exhibit a "long tail". There are hundreds of thousands of unique strings -- these are just the most popular. Although, as you can see, often time a minor version change creates a unique string. Thus, while a Zyxel device is the top of the list, that may be just because they don't have much variability in their version strings, rather than being either the worst vendor or the most popular vendor.


Roland Dobbins said...

The bigger danger is that these devices can be (and are being) leveraged in devastating SNMP reflection/amplification attacks in the tens of gb/sec.

Unknown said...

Can/Are you going to post the data from your scans? I am interested in this data but would rather not scan everyone again.