SNMP Community String [7:31373]
Is there a way to encrypt the snmp community strings? The strings are security holes since there are tools out there (I know of at least one) capable of deriving the RW strings, given the RO strings. Once the RW strings are known, you can download the config files and hack the passwords although I'm yet to see enable secret passwords cracked (I could be wrong).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31373t=31373
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: SNMP Community String [7:31373]
Just access-list it.

----- Original Message -----
From: Kwame
Sent: Wednesday, January 09, 2002 8:03 AM
Subject: SNMP Community String [7:31373]
RE: SNMP Community String [7:31373]
Not too sure about that, but you can add access lists to control who is allowed to use those SNMP strings:

    snmp-server community abcd rw 50
    access-list 50 permit 1.2.3.4 0.0.0.255

-----Original Message-----
From: Kwame
Sent: 09 January 2002 15:04 PM
Subject: SNMP Community String [7:31373]
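An added example, not part of the original thread: a small Python audit of an IOS configuration for the access-list approach in the reply above. It flags SNMP v1/v2c communities that have no ACL, reference an ACL not defined in the config, or use an ACL that permits `any`; the sample config is constructed around the post's two lines, and only numbered standard ACLs are handled (an assumption of this sketch).

```python
import re

# Constructed sample: the "abcd"/ACL 50 pair is from the post above;
# the remaining lines are made up to exercise each finding.
SAMPLE_CONFIG = """\
snmp-server community abcd rw 50
snmp-server community public ro
snmp-server community ops rw 60
snmp-server community noc ro 70
access-list 50 permit 1.2.3.4 0.0.0.255
access-list 60 permit any
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?\s*$", re.I)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+?)\s*$", re.I)


def audit_snmp(config: str) -> list[tuple[str, str]]:
    """Return (community, finding) pairs for communities that are not source-restricted."""
    acls: dict[str, list[tuple[str, str]]] = {}
    communities = []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3)))
        elif m := COMMUNITY_RE.match(line):
            communities.append(m.groups())

    findings = []
    for name, mode, acl in communities:
        mode = (mode or "ro").lower()  # IOS defaults to read-only when no mode is given
        if acl is None:
            findings.append((name, f"{mode} community has no access list"))
        elif acl not in acls:
            # Nothing in this config shows that the referenced ACL restricts anything.
            findings.append((name, f"{mode} community references undefined access-list {acl}"))
        elif any(act == "permit" and src.split()[0] == "any" for act, src in acls[acl]):
            findings.append((name, f"{mode} community uses access-list {acl}, which permits any"))
    return findings


if __name__ == "__main__":
    for community, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{community}: {finding}")
```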
RE: SNMP Community String [7:31373]
Try using snmpv3

-----Original Message-----
From: Andrew Larkins
Sent: Wednesday, January 09, 2002 5:53 AM
Subject: RE: SNMP Community String [7:31373]
RE: SNMP Community String [7:31373]
SNMPv3: Version 3 of the Simple Network Management Protocol. SNMPv3 is an interoperable standards-based protocol defined in RFCs 2273-2275. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are:

- Message integrity: Ensuring that a packet has not been tampered with in transit.
- Authentication: Determining the message is from a valid source.
- Encryption: Scrambling the contents of a packet to prevent it from being seen by an unauthorized source.

Source: Cisco

-----Original Message-----
From: Andras Bellak
Sent: Wednesday, 9 January 2002 15:38
Subject: RE: SNMP Community String [7:31373]
Re: SNMP Community String [7:31373]
First of all, your SNMP string can be encrypted with DES. I think it can be encrypted in MD5 as well, even though I have not personally seen it; however, I have encrypted SNMP string in DES myself. Cisco TACACS freeware does come with a generate_passwd utility that will allow you to encrypt a text string into DES. I use this utility on Linux/BSD platform and it works great. If you want to encrypt your string in MD5, I suggest that you do that on a Linux machine. If you have root privilege, you can create a user, assign that user a password that matches the string of your choice. After that, you can retrieve the MD5 hash string from the /etc/shadow (only root can read this file). This is a very simple task.

The next question you ask is that if the enable secret password, which is an MD5 hash, can be cracked. The answer is a resounding YES. I use a program called John the Ripper (available on Unix platform) to crack MD5 hash password. Now granted that it takes longer to crack MD5 password than DES or 3DES; however, if the MD5 password is dictionary-based and/or less than 8 characters long, it takes less than a day to crack the password. I've personally tested it on a dual-processor PIII 600MHz with 256MB of RAM.

Finally, how do you protect yourself? Well, for SNMP, use version 3 because everything is encrypted (make sure your IOS supports it). Make everyone who logs onto the router/switch authenticate via TACACS. Enable aaa authorization and aaa accounting on the router/switch. Having done all that, the only time that you will ever use the enable secret password on the router is when your router loses connectivity with the TACACS server. Therefore, it will be useless for anyone who happens to decode your enable secret password anyway.

Last, if you really want to be secure, do not telnet to the router, use Secure Shell (SSH) instead. That way, your router/switch will be protected from password sniffer and cracker.
Cisco only supports SSH version 1 which sucks big time but it is still better than telnet.

----- Original Message -----
From: Kwame
Sent: Wednesday, January 09, 2002 8:03 AM
Subject: SNMP Community String [7:31373]