man_in_uk
Message 1 of 5

SNMP vulnerability

Every time I get another letter telling me that my network is open to SNMP problems, I follow the instructions and block the suggested ports on the hub.

Next month, another letter.

Nothing I do is fixing this problem. What do I do next?

Help, please. 

I have tried to find a software tool that might show me what device is causing the problem but none are user friendly enough for me to understand!

Superuser
Message 2 of 5

Re: SNMP vulnerability


man_in_uk wrote:

Every time I get another letter telling me that my network is open to SNMP problems, I follow the instructions and block the suggested ports on the hub.

Next month, another letter.

Nothing I do is fixing this problem. What do I do next?

Help, please. 

I have tried to find a software tool that might show me what device is causing the problem but none are user friendly enough for me to understand!


The following post by @ravenstar68 may be of help, where “Using Port Forwarding to drop the inbound traffic” is detailed:

FYI, forward incoming UDP packets on port 161 to an IP address not allocated to a device on your network.

 

Superuser
Message 3 of 5

Re: SNMP vulnerability

I second @用心棒's suggestion about forwarding port 161 to an unused IP address where possible.

However, if you want to find out exactly what is responding, try using this snmpwalk tool. You can also try it after applying the port forwarding rule to find out if it's worked.

https://syslogwatcher.com/cmd-tools/snmp-walk/

Once downloaded, extract it to a directory that's easy to find, e.g. c:\snmpwalk, and then press Windows key+R. In the box that appears, type cmd and press Enter.

Enter the following commands

cd c:\snmpwalk

c:\SnmpWalk>SnmpWalk -r:<Public IP address>
SnmpWalk v1.01 - Copyright (C) 2009 SnmpSoft Company
[ More useful network tools on http://www.snmpsoft.com ]

%Failed to get value of SNMP variable. Timeout.

The above is a good result as nothing's responded from the public IP.

I'll show you a comparison with my printer on the local network to show you the output if it does get a response. Note: in this case my network is safe. SNMP is meant to work at the LAN level.

c:\SnmpWalk>SnmpWalk -r:192.168.0.38
SnmpWalk v1.01 - Copyright (C) 2009 SnmpSoft Company
[ More useful network tools on http://www.snmpsoft.com ]

OID=.1.3.6.1.2.1.1.1.0, Type=OctetString, Value=EPSON Built-in 11b/g/n Print Server
OID=.1.3.6.1.2.1.1.2.0, Type=OID, Value=1.3.6.1.4.1.1248.1.1.2.1.3.5.69.69.80.83.50
OID=.1.3.6.1.2.1.1.3.0, Type=TimeTicks, Value=22:01:12.70
...
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.7.1.2, Type=Integer, Value=1
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.7.1.3, Type=Integer, Value=1
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.8.1.1, Type=Integer, Value=0
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.8.1.2, Type=Integer, Value=0
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.8.1.3, Type=Integer, Value=0
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.9.1.1, Type=Integer, Value=2
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.9.1.2, Type=Integer, Value=2
OID=.1.3.6.1.4.1.2699.1.2.1.3.1.1.9.1.3, Type=Integer, Value=2
%Failed to get value of SNMP variable. Variable does not exist (noSuchName(2))
Total: 708

Note that the printer sent back 708 different responses.

This is why SNMP is dangerous when exposed to the internet at large. Not only can it give the attackers a lot of information about a network device, but it also enables them to use that device in DDoS amplification attacks.

By spoofing the return address for the packets, they can direct a lot of traffic to a targeted IP using your device amongst others.

Tim

________________________________________


Only use Helpful answer if your problem's been solved.
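
An added example, not part of the post above or of the SnmpWalk tool: the same check as a small Python script, for readers who want to see what the tool sends. It builds one SNMPv1 GET for sysDescr.0 (the first OID in the printer output) and treats silence as the good result; the community string "public" and all function names are assumptions, and it is meant to be pointed at your own public IP address.

```python
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0, first OID in the printer output

def tlv(tag, body):  # BER type-length-value, short-form length (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def encode_oid(oid):
    out = bytearray([oid[0] * 40 + oid[1]])      # first two arcs share one byte
    for arc in oid[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit set = more follows
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def build_get(community=b"public", oid=SYS_DESCR):
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b"")))
    pdu = tlv(0xA0, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + varbinds)  # id 1, no error
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)  # version 0 = SNMPv1

def nth(buf, i):
    pos = 0                                      # walk to the i-th BER element of buf
    for _ in range(i + 1):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long form: low bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        value, pos = buf[pos:pos + length], pos + length
    return tag, value

def parse_response(data):  # first varbind's value bytes from a GetResponse, else None
    try:
        tag, msg = nth(data, 0)
        ptag, pdu = nth(msg, 2)                  # after version and community
        if tag != 0x30 or ptag != 0xA2:          # 0xA2 = GetResponse PDU
            return None
        varbind = nth(nth(pdu, 3)[1], 0)[1]      # 4th PDU field is the varbind list
        return nth(varbind, 1)[1]                # (OID, value) pair -> value
    except IndexError:
        return None

def probe(host, timeout=3.0):                    # None = nothing answered on UDP 161
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_get(), (host, 161))
            return parse_response(s.recvfrom(65535)[0])
        except OSError:                          # timeout or ICMP port unreachable
            return None
```

A return value of None from probe() corresponds to the Timeout line in the first SnmpWalk run; any bytes returned mean a device answered and the forwarding rule is not yet dropping the traffic.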

MrHalfAsleep
Message 4 of 5

Re: SNMP vulnerability

SNMP is used by (networked, not local) printers and should be turned off as it causes problems with routers leaving you unable to print.  Windows support tells you to turn it off.

The option to do so should be on your port settings.







--
The only winning move is not to play.
No system is 100% secure
Ridicule is nothing to be scared of - Adam Ant
The only thing constant - is change. Chris Evans
The internet is a series of tubes
Superuser
Message 5 of 5

Re: SNMP vulnerability

Do you have a source for this?  Bear in mind that the printer is on the local wifi network.  So it is a networked printer.
