The Simple Network Management Protocol (SNMP) is extensively used in today's networks to provide configuration and monitoring for a wide variety of networked devices. Devices ranging from core Internet gateways to small information appliances continue to use SNMP for their network management needs.

SimpleSleuth is an easy-to-use, Windows-based test tool that probes for vulnerabilities in SNMP implementations. Using this tool, you can:

- Check if the devices in your network are vulnerable to a "denial-of-service" attack using SNMP.
- Check if a vendor's patch actually fixes previously known vulnerabilities and does not introduce new ones.

The CERT advisory CA-2002-03, dated February 12, 2002, showed that products from a wide variety of vendors were susceptible to "denial-of-service" attacks when these implementations were made to process invalid SNMP packets.

More recently, on April 20, 2004, Technical Cyber Security Alert TA04-111B was issued, indicating that Cisco routers and switches were vulnerable to a DoS attack when processing SNMP requests on trap/inform response ports.

SimpleSleuth, with its associated test modules, sends thousands of invalid packets to the SNMP implementation under test and checks if the implementation is able to handle them without failure. Since the SNMP protocol uses the ASN.1 BER (Basic Encoding Rules) to encode SNMP packets, the invalid packets sent by SimpleSleuth typically fall into two categories:

- badly encoded packets
- bad value packets that are correctly encoded.

This allows both parts of an SNMP implementation to be checked for vulnerabilities: the component that decodes packets and the component that then processes them.

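The two categories correspond to two stages in a receiver: a BER decoder that must reject structurally broken input, and a processing stage that must reject well-formed input carrying unacceptable values. The sketch below is an added example, not SimpleSleuth code; the function names and the three sample packets are constructed for illustration, and it shows how a strict receiver separates the two cases for an SNMPv1/v2c message header.

```python
# Added illustration (not SimpleSleuth code). Sample packets are constructed.
class EncodingError(ValueError):
    """The BER structure itself is broken."""

def read_tlv(buf, pos):
    """Read one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise EncodingError("truncated tag/length header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form
        length = first
    else:                                 # long form; SNMP forbids indefinite (0x80)
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise EncodingError("bad length-of-length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise EncodingError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def classify(packet):
    """Return 'ok', 'badly-encoded' or 'bad-value' for an SNMPv1/v2c message."""
    try:
        tag, body, end = read_tlv(packet, 0)
        if tag != 0x30 or end != len(packet):
            raise EncodingError("no outer SEQUENCE, or trailing bytes")
        vtag, ver, pos = read_tlv(body, 0)           # version INTEGER
        ctag, _community, pos = read_tlv(body, pos)  # community OCTET STRING
        _ptag, _pdu, pos = read_tlv(body, pos)       # PDU
        if (vtag, ctag) != (0x02, 0x04) or not ver or pos != len(body):
            raise EncodingError("unexpected field layout")
    except EncodingError:
        return "badly-encoded"                       # decoder stage rejects it
    # Well-formed BER from here on: check the decoded values.
    if int.from_bytes(ver, "big", signed=True) not in (0, 1):  # 0=v1, 1=v2c
        return "bad-value"                           # processing stage rejects it
    return "ok"

GOOD = bytes.fromhex(                 # constructed SNMPv1 GET, community "public"
    "3026020100" "04067075626c6963" "a019020101020100020100"
    "300e300c06082b060102010101000500")
TRUNCATED = GOOD[:-3]                           # outer length now overruns buffer
BAD_VERSION = GOOD[:4] + b"\x05" + GOOD[5:]     # valid BER, version 5 is undefined
```

An implementation that only bounds-checks lengths still has to range-check every decoded field, which is why both categories need separate test coverage.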
SimpleSleuth provides an easy-to-use interface that simplifies vulnerability testing, enables users to specify the type of test packets to send, and then pinpoints the packet that caused the vulnerability. Its modular architecture maximizes ROI by allowing users to purchase only the needed test suite modules. Six test modules are available:

To Test Agent Implementations:

- SNMPv1 Agent Test Module
- SNMPv2c Agent Test Module
- SNMPv3 Agent Test Module

To Test Manager Implementations:

- SNMPv1 Manager Test Module
- SNMPv2c Manager Test Module
- SNMPv3 Manager Test Module

The SNMPv1 Agent Test Module includes more than 189,000 malformed SNMPv1 test packets that exercise the SNMPv1 GET, GETNEXT and SET operations. The test packets are dynamically created, allowing the user control over the various values used in the packet. The test packets are made up of badly encoded and bad-value ASN.1 BER packets.

The SNMPv2c Agent Test Module includes more than 272,000 malformed SNMPv2c test packets that exercise the SNMPv2c GET, GETNEXT, SET and GETBULK operations. The test packets are dynamically created, allowing the user control over the various values used in the packet. The test packets are made up of badly encoded and bad-value ASN.1 BER packets.

The SNMPv3 Agent Test Module includes more than 443,000 malformed SNMPv3 test packets that exercise the SNMPv3 GET, GETNEXT, SET and GETBULK operations. The test packets are dynamically created, allowing the user control over the various values used in the packet. The test packets are made up of badly encoded and bad-value ASN.1 BER packets. SimpleSleuth supports SNMPv3 discovery to learn the corresponding engine IDs and creates packets accordingly.

The SNMPv1 Manager Test Module includes over 200,000 SNMPv1 TRAP and GET RESPONSE packets. Like the SNMPv1 Agent Module, it sends badly encoded and bad-value packets, but to a management application. The traps can be sent to any SNMP Trap/Event application, while the SNMPv1 RESPONSE packets require an SNMP Manager to initiate an SNMP query (like a discovery query).

The SNMPv2c Manager Test Module includes over 451,000 SNMPv2c TRAP and GET RESPONSE packets. It also sends badly encoded and bad-value packets, but to an SNMPv2c management application. The traps can be sent to any SNMP Trap/Event application, while the SNMPv2c RESPONSE packets require an SNMPv2c Manager to initiate an SNMP query (like a discovery query).

The SNMPv3 Manager Test Module includes over 500,000 SNMPv3 Trap and Inform packets and over 500,000 GET RESPONSE and REPORT packets. It also sends badly encoded and bad-value packets, but to an SNMPv3 management application. The traps and informs can be sent to any SNMP Trap/Event application, while the SNMPv3 RESPONSE and REPORT packets require an SNMPv3 Manager to initiate an SNMP query (like a discovery query).

In addition to the user interface, SimpleSleuth can also be run in an unattended mode by specifying the tests to be conducted in a command file.

Operation
Only a few simple steps are required to test an SNMP implementation. They are:
- Configure the settings. Valid defaults are already set.
- Select the tests to be run or ALL.
- Specify the IP address of the device under test, and click on start.

Detailed results are stored in associated files that pinpoint vulnerabilities.

Benefits
- Improve security and reliability of both your network devices and your management applications.
- Quickly check implementations for SNMP vulnerabilities to DoS attacks.
- Verify that vendors' patches fix vulnerabilities and do not introduce new ones.

Features
- Easy-to-use GUI allows you to select different types of tests.
- Test packets are dynamically created and configurable to match your environment.
- Check agent vulnerabilities to malicious attacks by sending badly encoded and bad valued SNMP packets.
- Tests can be configured to check agent status after each bad packet transmission.
- Check management application vulnerabilities to malicious attacks and rogue agents by sending bad TRAPs and GET RESPONSES.
- Supports both IPv4 and IPv6.

Supported IETF RFCs

SNMPv1
- RFC 1157 - Simple Network Management Protocol

SNMPv2

SNMPv3