RE: Routes that are susceptible to SNMP

From: Pete Herzog (lists@isecom.org)
Date: Thu Feb 06 2003 - 10:15:15 EST


You say this is a gray area but really it comes down to whether or not the router belongs to the ISP and is on the ISP property or is leased and managed by the ISP and on your client's property. If it's on ISP ground, it's not a gray area-- it's black.

You do not have permission to test anything that belongs to the ISP and is on their ground. You may notify your client and explain the situation meaning that there is a risk involved.

If the router is at the client's site then you may test it since the only one who would get hurt by the failure of that router is your client. In this case, you are responsible for telling your client the flaws of the router and encouraging them to take proper measures at correcting the problem(s). This has been considered a gray area for a long time but really it comes to proper testing. It is a leased device and should be tested as long as the same persons who ordered the test are the only ones who must endure damages of failures and traffic load.

Speak with the client and explain what you found and the risk. As a tester, it is important to keep the client in the know on what you are doing with regular e-mail updates or phone calls when the test lasts more than 2 days. The client may or may not decide to shut the hole now but that would not affect the overall goal of the test which is to find and fix the security problems of the Internet presence.

The internationally accepted rules of engagement for security testing will be available in the next OSSTMM (www.osstmm.org).

Sincerely,
-pete.

-----Original Message-----
From: Rod Strader [mailto:Strader@doeren.com]
Sent: Wednesday, February 05, 2003 1:21 AM
To: Kevin Reynolds; pen-test@securityfocus.com
Subject: RE: Routes that are susceptible to SNMP

To all: I am not trying to get into the ISP; I just want to know how to help the client notify them about the issue.
 
The tool I use does a trace route and tells information that it finds along the way. In this case it discovered the gateway before the client had a community string of public.
 
The information displayed is in the information window which I cut out and pasted for all of your input.
 
I believe this is in the gray area, where the service provider is providing a service to the client and their community string could leave the client open to potential harm.
 
I have not tested the gateway, merely used the information the tool has provided about the path to the target.
 
My question is how do I provide this information to the client so they can give the information to their provider, without trouble on anyone's part.
 

        -----Original Message-----
        From: Kevin Reynolds [mailto:reynolds25@adelphia.net]
        Sent: Tue 2/4/2003 7:01 PM
        To: Rod Strader; pen-test@securityfocus.com
        Cc:
        Subject: Re: Routes that are susceptible to SNMP
        
        

        What about the private community string? Good chance that the RW community
        string is still private.
        
        Kevin
        
        
        ----- Original Message -----
        From: "Rod Strader" <Strader@doeren.com>
        To: <pen-test@securityfocus.com>
        Sent: Tuesday, February 04, 2003 1:55 PM
        Subject: Routes that are susceptible to SNMP
        
        
        Good day everyone,
        
        I am currently on a vulnerability assessment gig and found that a router
        on the way to my client's target is susceptible to SNMP with a community
        string of public. This device, when looking at it, shows the ARP table
        having my client's target's IP address in it. What is the general
        consensus of how dangerous this is to my client? I don't know if I can
        change anything with the same community string but I can review all the
        information on the device. Here is some of the information I found
        walking the MIB:
        
        Description: Ascend Max-1800 BRI S/N: 8371001 Software +6.0.10+
        
        This device appears to be the gateway router before their email server.
        The arp table still has the target in it.
        
        Please comment!
        
        Rod Strader
        
        
        
        
        
        ----------------------------------------------------------------------------
        This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
        Service. For more information on SecurityFocus' SIA service which
        automatically alerts you to the latest security vulnerabilities please see:
        https://alerts.securityfocus.com/
        
        
        
        




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT