Cisco IOS penetration testing with Metasploit
by HD Moore - CSO at Rapid7 - Tuesday, 21 December 2010.
The next service I want to discuss is SNMP. Oddly enough, SNMP is often left exposed on otherwise secure routers. The reason for this may be the general view of what SNMP is and does. The Simple Network Management Protocol is great for polling information across a wide range of systems in a standard format. Regardless of who built your switch or router, just about any SNMP client and monitoring software will work with that device, provided SNMP is enabled and configured.

What many network administrators don’t realize is not only the depth of information exposed by SNMP, but the fact that a writeable SNMP community can be leveraged to gain complete control over a device. In the case of Cisco IOS, a writeable SNMP community can be used to download the running device configuration AND modify the running configuration. A router with telnet disabled and a complex serial password can be hijacked nearly instantly through a writeable SNMP community. The Metasploit Framework provides an SNMP brute force tool, written as an auxiliary module, which can leverage a wordlist of common passwords to identify valid communities and determine whether they are read-only or read-write. In addition to the basic brute force module, Metasploit now contains a module (submitted by community contributor “pello”) that can use a writeable SNMP community to download the running device configuration.

Metasploit Express and Metasploit Pro use these two modules to automatically grab the configuration files of vulnerable devices. During a discovery scan, the SNMP brute force tool is launched in the background with a small wordlist of common communities. If any of these passwords work and the community is detected as writeable, the product will configure a local TFTP service and download the running configuration file. Since the SNMP protocol is now integrated into the intelligent brute force component of the product, the same now applies to communities guessed during a brute force run. The brute force component uses a highly tuned list of communities in addition to the dynamically generated passwords for that project. This tuned list is derived from a research project that involved scraping web forums for pasted configuration files, extracting and brute forcing the embedded passwords, and then analyzing the results to determine which passwords are most commonly used, including SNMP communities. The results of this project were surprising; I would never have guessed that “public@es0” and “private@es0” were widely used due to an example configuration included in the Cisco documentation.

The last two protocols I want to discuss are Telnet and SSH. These protocols both provide access to a remote command shell on the target device, usually as a non-privileged user. The most notable difference from a penetration testing perspective is that SSH often requires knowledge of a remote username and password, whereas Telnet is often configured with password-only authentication. The Metasploit Framework contains modules for brute forcing both of these protocols and will automatically create an interactive session when the brute force process succeeds.

Metasploit Express and Metasploit Pro have always supported attacks against network devices using the Telnet and SSH protocols, but with the latest release they now leverage the tuned password list from our password analytics research. This results in some unusual passwords floating to the top of the wordlist, but it is extremely effective against real-world configurations. Without giving too much away, I can say that some ISPs are notorious for using static passwords to configure customer-owned equipment.
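The two weaknesses described above (a guessable read-write SNMP community, and password-only Telnet on the VTY lines) can both be closed in the IOS configuration itself. The following is an added illustration, not configuration from the post or from Rapid7; the community strings, passwords, and the management-station address 192.0.2.10 are placeholders, and the ACL number is an arbitrary choice.

```cisco
! --- Weak configuration (the situation the post describes) ---
! A read-write community reachable from any source address lets anyone
! who guesses the string pull or replace the running configuration.
snmp-server community public RO
snmp-server community private RW
! Password-only Telnet: a single string is all a brute force needs.
line vty 0 4
 password cisco
 login
 transport input telnet

! --- Hardened configuration ---
! Remove the default/guessable communities entirely.
no snmp-server community public
no snmp-server community private
! Restrict polling to the monitoring station and log everything else.
access-list 10 permit host 192.0.2.10
access-list 10 deny any log
! If SNMPv1/v2c must stay, allow only read-only access, bound to the ACL;
! do not configure any RW community at all.
snmp-server community PLACEHOLDER-RO-STRING RO 10
! Prefer SNMPv3 with authentication and encryption for the same station.
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha PLACEHOLDER-AUTH priv aes 128 PLACEHOLDER-PRIV
! Require a username and password (not a shared line password) and SSH only.
username netadmin privilege 15 secret PLACEHOLDER-STRONG-PASSWORD
ip ssh version 2
login block-for 120 attempts 5 within 60
line vty 0 4
 no password
 login local
 transport input ssh
 exec-timeout 10 0
```

Afterwards, confirm the result from the monitoring station with a read-only walk and verify that an SNMP set against the device is refused, and that a Telnet connection to port 23 is no longer accepted.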
