Want a quick way to see what GPO's are applied to your local system, just using built in utilities? Using the GUI to manually view what settings are applied is awkward and slow. ?Use the following commands to see what policies are being handed down to the system you're on and what they're enforcing. ?This info can be incredibly handy during a pentest in order to find out the limitations being imposed on a specific system you've compromised.
SNMP, or Simple Network Management Protocol, has been the go-to management protocol of choice for years. As its name declares, it is a simple and efficient way to monitor hosts. Most everything is SNMP capable these days, from servers to switches, and from firewalls to routers. Even most UPS’s and A/C units have it built in. Most installs of SNMP default to SNMPv2, which is dated technology. In 2004, SNMPv3 was introduced as a replacement for v2, touting increased security and better remote configuration. In an SNMPv2 setup, community strings (passwords) and data float by in plain text, allowing anyone in the right spot on the network to capture them. Once you have the community strings, you can query devices for information (and possibly make configuration changes!). SNMPv3 solves this problem by protecting the authentication handshake, and then encrypting all the SNMP data as it crosses the network.
In this quick how-to, I’ll show you how to setup SNMPv3 on a generic Debian Linux machine.
First, grab the snmpd package from apt:
aptitude install snmpd
Right after SNMPD pulls down its dependencies and installs, stop the daemon:
Then we need to make a few configuration changes. For security reasons, SNMP only listens on the localhost interface by default. In order to monitor this Linux box remotely, we need to open that up. Crack open /etc/defaults/snmpd and edit the following line:
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'
Now we need to disable the default SNMPv2, and create a SNMPv3 user. Open up /etc/snmp/snmpd.conf and scroll down and comment out all the lines starting with com2sec in this section:
# sec.name source community #com2sec paranoid default public #com2sec readonly default public #com2sec readwrite default private
Since we just ‘disabled’ SNMPv2, we need to enable v3 and create a user. Use the command line utility, net-snmp-config to help to create a SNMPv3 user:
net-snmp-config --create-snmpv3-user -ro -A sadWFqeq3421 -X fferlGq5247 -a SHA -x AES snmpv3user -ro is read-only user -A sadWFqeq3421 is the authentication passphrase -X fferlGq5247 is the privacy passphrase -a SHA is how the authentication passphrase will be stored (MD5 or SHA) -x MD5 is how the SNMP data will be encrypted during transit (DES or AES) snmpv3user is the name of our new user
And if the command went ok, the output should look like this:
adding the following line to /var/lib/snmp/snmpd.conf: createUser snmpv3user SHA "sadWFqeq3421" AES fferlGq5247 adding the following line to /usr/share/snmp/snmpd.conf: rouser snmpv3user
Lets start up the SNMPD service again:
Lets do a quick test to make sure it all worked ok. From another machine with SNMP installed, we can issue a command like the following to query the remote Debian machine, with our new SNMPv3 user, to check the amount of ram installed:
snmpget -v 3 -u snmpv3user -l AuthPriv -x AES -a SHA -X fferlGq5247 -A sadWFqeq3421 10.0.0.45 18.104.22.168.4.1.2021.4.5.0 UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 516528 kB
Looks like it all went well! The output of the last command shows that the machine has 516,528 kB of RAM. For some added security, you can ACL the SNMP service to your query server with some quick iptables rules. These allow ssh from anywhere, SNMP from 10.0.0.42 (your query server) and established connections. Everything else gets dropped:
iptables -I INPUT 1 -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 10.0.0.42/32 -p udp -m udp --dport 161 -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -j DROP
With a SNMPv3 setup, the authentication process and PDU’s (SNMP data) should be encrypted. No more ‘public’ community strings floating by in plain text. The best way to query those SNMP clients is to use a network management application (Cacti is free and a Redspin favorite).