masscan 0.0.0.0/0 -pU:161 --banners
SNMP is the "simple network management protocol", the Internet standard for monitoring devices (things like temperature and traffic rates), getting alerts from devices (like when the power fails), and, most importantly, controlling devices. It's such a dangerous protocol that it should never be exposed to the public Internet. I should get back zero responses to my scan -- but I'm getting millions.
My query is a "GET" request for "sysName" and "sysDescr". These are relatively harmless bits of information, which is why I'm scanning for them: they are the fields I'm most likely to get back in response, since most people don't mind exposing them. In future scans, I'm going to look for more sensitive information, like MAC addresses or RMON.
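To make concrete what such a probe looks like on the wire, here is an added example written for this page (it is not masscan's code): a minimal SNMPv1 encoder/decoder in Python using only the standard library. It builds a GetRequest for sysDescr.0 and sysName.0, parses a GetResponse, and shows how much bigger the reply is than the request. The community string "public" and the request-id are assumptions, since the page does not state what masscan sends; the reply in the demo is constructed locally from strings in the lists below so the script runs offline.

```python
import socket

# MIB-2 system group objects the scan asks for (instance .0 of each)
OID_SYSDESCR = "1.3.6.1.2.1.1.1.0"
OID_SYSNAME = "1.3.6.1.2.1.1.5.0"
# BER universal tags plus SNMP's context-specific PDU tags
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETREQ, TAG_GETRESP = 0xA0, 0xA2

def ber_len(n):
    """BER length: one byte below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """Minimal two's-complement INTEGER (a leading 0x00 keeps 128..255 positive)."""
    return tlv(TAG_INT, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def ber_decode(buf, pos=0):
    """Decode one TLV -> ((tag, value), end); SEQUENCE/PDU tags yield child lists."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long-form length: 0x8N then N length bytes
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    end, raw = pos + n, buf[pos:pos + n]
    if tag & 0x20:                      # constructed: recurse over the children
        value, p = [], pos
        while p < end:
            child, p = ber_decode(buf, p)
            value.append(child)
    elif tag == TAG_INT:
        value = int.from_bytes(raw, "big", signed=True)
    elif tag == TAG_OID:
        value = decode_oid(raw)
    else:                               # NULL -> b"", OCTET STRING/Counter/TimeTicks -> raw bytes
        value = raw
    return (tag, value), end

def varbind(oid, value=None):
    """One varbind: OID plus NULL (in a request) or OCTET STRING (in a reply)."""
    return tlv(TAG_SEQ, ber_oid(oid) + (tlv(TAG_NULL, b"") if value is None else tlv(TAG_OCTSTR, value)))

def build_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 message: version 0, community, PDU(request-id, error-status, error-index, varbinds)."""
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQ, b"".join(varbinds)))
    return tlv(TAG_SEQ, ber_int(0) + tlv(TAG_OCTSTR, community.encode()) + pdu)

def build_get_request(community, oids, request_id=0x1234):
    return build_message(community, TAG_GETREQ, request_id, [varbind(o) for o in oids])

def parse_get_response(packet):
    """Return {oid: value} from a GetResponse; OCTET STRING values become str."""
    (tag, msg), _ = ber_decode(packet)
    if tag != TAG_SEQ or len(msg) != 3 or msg[2][0] != TAG_GETRESP:
        raise ValueError("not an SNMP GetResponse")
    _req_id, (_, error_status), _err_index, (_, varbinds) = msg[2][1]
    if error_status != 0:
        raise ValueError("agent returned error-status %d" % error_status)
    return {oid[1]: (val[1].decode("utf-8", "replace") if val[0] == TAG_OCTSTR else val[1])
            for _, (oid, val) in varbinds}

def query(host, community="public", timeout=2.0):
    """Send one GetRequest to host:161/udp and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, [OID_SYSDESCR, OID_SYSNAME]), (host, 161))
        return parse_get_response(s.recvfrom(4096)[0])

if __name__ == "__main__":
    req = build_get_request("public", [OID_SYSDESCR, OID_SYSNAME])
    # Constructed sample reply (not captured traffic); strings taken from the lists below
    resp = build_message("public", TAG_GETRESP, 0x1234,
                         [varbind(OID_SYSDESCR, b"Linux WNR1000v2 2.6.15 #199"), varbind(OID_SYSNAME, b"Unknow")])
    print("request %d bytes, reply %d bytes (%.1fx): %s"
          % (len(req), len(resp), len(resp) / len(req), parse_get_response(resp)))
```

The request is about 40 bytes; a modem answering with a typical sysDescr sends back two to three times that, and the ratio grows with the length of the description string, which is why an unauthenticated UDP service like this is attractive to attackers and should never face the Internet. To check your own modem from an outside address with net-snmp instead of this script, the equivalent is `snmpget -v1 -c public <ip> sysDescr.0 sysName.0`; a correctly configured home gateway returns a timeout.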
This is just a sampling of early results. The most popular values for "sysName" are:
288176 CableHome
145375 TD5130
123819 Unknow
119946 Broadcom
108174 CHT
79667 unnamed
48492 Innacomm
36876 KWS-1040G
28779 DSL-2640B
27768 P-660R-T1
27447 router
25229 WA3002G4
24178 ADSL Modem/Router
22738 ADSL
20528 Speedy
19828 Telefonica
18884 D-Link
18384 nobrand
17136 DSL-2500U
15755 Beetel
13175 Sprint
12374 Siemens SE261
12032 RTL867x ADSL Modem/Router
11782 DNA-A211-I
10971 unknown
9738 USR9111
9362 tc
9136 AXIMCom
The first thing to notice is that this list is dominated by home cable/DSL modems. Also notice the item at the bottom of the list: AXIM is a well-known manufacturer of Internet-connected cameras. That could be lots of fun to play with.
You see so many device models in this list because "sysName" is normally the human-configured name of a host. Devices tend to be deployed without a human ever configuring them, and hence keep their factory preset names.
The most popular values for "sysDescr" are:
189979 P-660HW-D1
132290 Software Version 3.10L.01.
122354 Linux WNR1000v2 2.6.15 #199 Thu Jan 28 09
79667 ucd-snmp-4.1.2/eCos
74816 P874S5AP_20120106W
74654 Linux ADSL2PlusRouter 2.6.19 #2 Wed Aug 22 19
74435 Technicolor CableHome Gateway <
73785 CBW700N <
65439 System Description
55851 Thomson CableHome Gateway <
52248 Wireless ADSL Gateway
41910 Hardware
39351 Linux ADSL2PlusRouter 2.6.19 #7 Tue Apr 9 17
38372 Ubee PacketCable 1.5 W-EMTA <
36038
31197 Netopia 3347-02 v7.8.1r2
30728 P-660HW-T1 v2
28390 Apple Base Station V3.84 Compatible
28311 GE_1.07
27017 ZXV10 W300
21765 P-660R-T1 v3s
19930 Linux KWS-1040G 2.4.25-LSDK-5.3.1.48 #1 Sat Jun 12 14
19753 Software Version 1132_061507-3.08L.BSNL_02.
19534 ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem <
18121 W3400V6-4.06L.01-TM
15993 Linux ADSL2PlusRouter 2.6.19 #2 Mon Feb 13 14
15165 router
15116 4 Port VDSL IAD
14870 BCW700J <
13577 Residential ADSL Gateway
13428 450TC2
13250 P-660HW-T1 v3
12984 Linux localhost 2.4.17_mvl21-malta-mips
12496 Cisco Internetwork Operating System Software
12163 Software Version 3.12L.BSNL_01.
12158 HP ETHERNET MULTI-ENVIRONMENT
12155 Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.
12068 DSL-2600U
12032 RTL867x System Description
11997 Linux KWS-1040G 2.4.25-LSDK-5.3.1.48 #1 Thu Sep 3 18
11617 P-660RU-T1 v2
Again, you see an overwhelming number of home devices. These come with model numbers, which is great, because it gives you a good list of products to avoid. Home cable/DSL modems should have zero ports exposed to the public Internet -- and SNMP least of all. If you have a device from one of these vendors, like Zyxel or Arris, you are just begging to be hacked.
Note that both lists exhibit a "long tail": there are hundreds of thousands of unique strings, and these are just the most popular. As you can see, a minor version change often creates a new unique string. Thus, while a Zyxel device sits at the top of the list, that may just be because Zyxel doesn't vary its version strings much, rather than because it is either the worst vendor or the most popular one.
The bigger danger is that these devices can be (and are being) leveraged in devastating SNMP reflection/amplification attacks reaching tens of Gbps.
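From the victim's side, a reflection attack shows up as SNMP replies (UDP source port 161) arriving from many devices the victim never queried. The following is an added example, not part of the original post: a small Python check that runs this logic over constructed flow records (the addresses, ports and byte counts are invented for illustration, and the record layout is an assumption, not the format of any particular collector). A host that receives SNMP replies from several peers it never sent a request to is reported as a probable amplification target.

```python
from collections import defaultdict

# Constructed flow records as seen at a network edge (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
FLOWS = [
    # A monitoring host polls a device and gets one reply: normal SNMP use.
    ("192.0.2.10", 50001, "198.51.100.5", 161, "udp", 82),
    ("198.51.100.5", 161, "192.0.2.10", 50001, "udp", 430),
    # 192.0.2.50 never sent a request, yet receives large replies from four
    # reflectors: someone spoofed 192.0.2.50 as the source of requests to exposed modems.
    ("203.0.113.11", 161, "192.0.2.50", 80, "udp", 1400),
    ("203.0.113.12", 161, "192.0.2.50", 80, "udp", 1400),
    ("203.0.113.13", 161, "192.0.2.50", 80, "udp", 1200),
    ("203.0.113.14", 161, "192.0.2.50", 80, "udp", 1400),
    ("203.0.113.11", 161, "192.0.2.50", 80, "udp", 1400),
    # Unrelated traffic that must be ignored
    ("192.0.2.20", 40000, "203.0.113.99", 443, "tcp", 900),
]

def find_reflection_victims(flows, min_reflectors=3):
    """Hosts receiving SNMP replies (udp sport 161) from many peers they never queried.
    Returns {victim: (distinct reflectors, unsolicited bytes)}, largest victim first."""
    # (requester, device) pairs for which a request was actually seen leaving the network
    asked = {(src, dst) for src, _, dst, dport, proto, _ in flows if proto == "udp" and dport == 161}
    seen = defaultdict(lambda: [set(), 0])
    for src, sport, dst, _, proto, nbytes in flows:
        if proto != "udp" or sport != 161 or (dst, src) in asked:
            continue                      # not SNMP, or a reply the host solicited itself
        seen[dst][0].add(src)
        seen[dst][1] += nbytes
    hits = {dst: (len(peers), total) for dst, (peers, total) in seen.items()
            if len(peers) >= min_reflectors}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1][1]))

if __name__ == "__main__":
    for victim, (n, total) in find_reflection_victims(FLOWS).items():
        print("%s: %d reflectors, %d unsolicited SNMP-reply bytes" % (victim, n, total))
```

The threshold of three distinct reflectors is arbitrary; in practice you would also weight by bytes per second, since one misbehaving monitoring box can look similar at low volume, whereas a real reflection flood comes from thousands of the modems listed above at once.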
Can/Are you going to post the data from your scans? I am interested in this data but would rather not scan everyone again.