First we're gonna talk about SNMP protocol breakdown. I had some protocol dumps I want to show you guys, but, oh well. SNMP has been around since the 80s. I think there was a talk earlier today on replacing SNMP version 3 with Tripwire, which is pretty cool, and the guy talked a lot about the same stuff I'm gonna talk about, so I apologize for the overlap, but what can you do?

SNMP preceded SGMP, the Simple Gateway Management Protocol. There was a lot of bullshit. There's the defining RFCs, and they said, hey, we need a way to manage agents, we need a way to manage network electronics in our infrastructure. So what they did was they implemented a simple protocol which defined basically four different types of operations, consisting of get, set, walk, blah blah blah, and what we have now is sort of a management glue that bonds every enterprise infrastructure out there. The only viable solution to talking to any network electronics in bulk is SNMP. This is what Cisco pushes as well; everyone pushes this protocol as the way to manage your infrastructure, and it's kind of a shitty thing, because SNMP sucks from a security perspective. SNMP version one had a... oh, yeah, just open that shit up. All right. Yeah, let's talk. Okay, good. Now we could be on the same wavelength, some visual on this.

I hope everyone here's been drinking, because I have. Let's get drunk afterwards, too. I fell off a fence last night and I chipped my tooth and busted my nose. It's been a bad weekend, man. First night we're out here, we got arrested. If anyone here's a lawyer, dude, I seriously need some advice, because I have to be back in Nevada on September 4th to serve a court date for littering. What the fuck are the police thinking out here? Seriously? There's mobsters, there's prostitutes, but fuck, I was littering. Hey, who cares, right?
So anyway, I need advice. Anyway, let's talk about SNMP some more. Is this going all right? Shit. So, I mean, how many people here come from an enterprise perspective? That's what I'm talking about. What is that? What does that say? Oh shit. Hey, no, all we got to do is hit Alt-D. Just kind of switch it. Yeah. Or not. Yeah, just... you should see that it says "view slides," right? So, SNMP protocol breakdown. Let's talk about SNMP. We can't do... oh, yeah, I'll drink to that.

Anyway, we're gonna talk about SNMP. I'm sure everyone's heard a little bit about it; a lot of hype in the past year. We're gonna talk about enterprise infrastructure. So, okay, like I said, it preceded SGMP. It was designed in order to manage network electronics: routers, printers, even Unix servers, et al. If any of you guys are e-pop e-hop guys, www.toplesslawyers.com is a nice FreeBSD box with fucking SNMP agents running on it. I don't understand these system admins' mentality. They poll the devices using SNMP in server farms and big managed infrastructures.

And so anyway, every SNMP conversation requires a communication to end... What we have through SNMP is something called a manager and an agent. Our agent exists on the device we'd attempt to manage, be it a printer, router, anything. Our agent communicates with the network electronics; it's kind of our middleman. We talk to the agent to find out the status of the device: temperature, processor utilization, blah blah blah. But we get a little more involved when we start considering that our agent also has the capability of modifying configuration and adding on to the network electronics. Via the agent you could change IP addresses, possibly you could change passwords, security stuff. But where we can really do some damage is when we know exactly what we're looking at. We have to know the hardware and we have to know what the hardware supports, SNMP-wise.

So, the SNMP transfer mechanism is by default over UDP. How many people here like UDP? UDP sucks, right? Come on. UDP is a connectionless transfer protocol that does not require authentication, does not require a handshake, doesn't require shit. It's a blind protocol. We send it; fuck, who cares if it gets there or not?

So here's some more boring stuff. SMI is the RFC that defines the Structure of Management Information, and really what it did was set the precedent: this is how we're gonna talk about the language that manages network electronics. It's boring stuff, and it's called ASN.1, Abstract Syntactical Notation version one. You guys may have encountered this in your directory structure, such as LDAP, or I heard some mail transfer protocol was using the same thing.

About MIBs. MIBs are the definition of... SMI defines basically, when you look at a MIB, you're not looking at anything fancy. You're looking at a text file that says, hey, this is what our agent does for us. So our MIBs are life. When we're talking about network electronics we want to attack or we want to do something with, the MIBs are the first thing we go to, and we say, hey, whatever they support, we download the MIBs, and we have to look through all of them and figure out what exactly these MIBs can do for us, because the MIBs basically define what we can do with SNMP and what we can't do. And the protocol itself was defined in RFC 1157, blah blah blah.

What we have to understand is, when we're talking in the context of SNMP, we're talking about some dumbass definitions that get really... I mean, IETF and all that stuff, they're very formal, and you have to respect them for that, because they are what gives us the capability to have De-interment and stuff like that.
So the process is formalized as a protocol that's really simple, and giving it a lot of addendums and stuff like that, it kind of gets complex even when we're talking about four operations in version one. So we have to get our terminology down, and the thing is, the terminology changes a little from vendor to vendor, but we're all used to that, right?

So in SNMP... yeah, please, I'll change that. In SNMP, the way we have structured our information is through the object identifiers, using Abstract Syntactical Notation, and it's a tree-like structure just like anything else. You guys want Novell? You guys want Active Directory? Same thing: a tree. We start out at a root, we go down all these organizations that have registered, blah blah blah, and it goes down.

The most important thing we have to deal with is MIB-II. Every single SNMP-enabled device in the world supports MIB-II as of now. I mean, it's a pretty bold claim, but I swear to God it's true. MIB-II is what we use to talk to interfaces; we could talk to interfaces on a server. MIB-II is supported by Windows boxes and supported by Unix boxes, whatever. We love MIB-II. MIB-II is how we get the most information, especially from a management perspective, when we're doing protocol baselines and stuff like that. MIB-II is how we get the utilization of our interfaces and stuff like that, but it also defines interfaces, and interfaces become really important later.

So whenever you want to talk to an SNMP-enabled device, you just work your way down the tree. Most of it's independent of the vendor that the device is made by, but you get into what's called the private leaf, and the private leaf is where your 3Com, your proprietary Cisco, 3Com links, all that stuff is, and they let you do some pretty funky stuff.
So just research that. Security fun: "Security issues are not discussed in this memo." RFC 1157, that sets the precedent for SNMP security. Basically, our passwords... we don't even have a user/password-based mechanism for authenticating devices. What we have is community strings. Until SNMP version three, all we had was a single word that gave us any kind of access we want on a network electronic. So basically all we have to do is get access to the management VLAN of the enterprise and look at one single packet that their management station is polling devices with, and we have access to their infrastructure. It's really easy.

I mean, there's a lot of documentation out there on securing your management infrastructure, but in reality this isn't a viable solution, from sort of a bureaucratic perspective, because our managers have more pull than our security personnel. Everyone knows that, right? The people who give us money for supporting our network say, hey, we like pretty graphs, we like things we can see. If a security guy does his job right, you don't see shit; you just see your network working. If a management guy does his job right, he says, here you go, man, here's all these green graphs, and this is what our network looks like at this time of day. They define how our quality of service agreements are working with ISPs and shit like that. So managers have a lot more pull than security people, especially in a segregated environment with all that bureaucracy going on. So our management policies take precedence over our security policies, and this gets really crazy. This lets us attack networks that are huge.
So, first, simple operations. This is SNMP version one, the first protocol, the first transfer mechanism, that we're gonna talk about. Basically what we have is a get: we ask our agent for a specific thing about the device. We say, hey, how are you doing today? Are you sad? Are you happy? How's your temperature? How's your processor utilization? We just send a get packet. We don't care if it gets it or not; we'll send it again. It's UDP.

Then we have our set. Sets are what we use to attack. Sets are the mechanism with which we compromise networks, and we're gonna talk a little bit more about that. And traps. Traps are what our agents do for us. This is how management infrastructure lives, through traps, and something else called inform, which is a more formal trap. Our traps will tell us our network is behaving a certain way, based on thresholds and stuff we've defined on the agent. And get-next just says, hey, after you get this value, get the value after this specific OID, which is the ID, the part in the tree, the numbers in the tree.

Here's a protocol dump. As you can see, what I did here: I plugged into a campus network, sat down with my fun little Toshiba laptop that doesn't work for shit, and said, hey, I'm just gonna watch. I was on a student VLAN, and they were passing SNMP traffic back and forth: hey, this is what community string we're using, and it was a set request.
It was so cool. I was just like, thank you. This is probably one of the biggest universities in Southern California, and we have access to anything we want to on the network.

Basically this is our kind of formalized packet. We have two parts, a message header and the protocol data unit here. In our packet we have a version number and a community string as a header, and our PDU is really the meat. We're gonna talk a little bit more about PDUs, because when we're attacking in the blind, which is basically every time you're gonna attack using SNMP, you're not gonna know how the agent responds from a managed perspective. So we're talking about man-in-the-middle attacks, sending SNMP packets and seeing what happens. Our error codes are very important. Our error status is where we learn how our attack is being implemented in the agent, and there's other stuff: request ID, PDU type. It's just packet structure.

And then we move on to SNMP version 2. Really, there's three versions. SNMP version 2, the defining RFCs... the thing was nobody liked the way it was performing. They defined management, they defined security, but it didn't work out, just because this proprietary stuff was sort of pushing over all these other people, and we had what's called SNMP version 2c, which is the exact same thing as SNMP version one. Same security mechanisms: community strings. That's it.
The only thing that's different is our error codes and sort of the protocol operation. But when we attack an SNMP version one enabled agent or an SNMP version two enabled agent, same thing, no different. SNMP version three is what we have to worry about.

Our error codes are here. Probably the most important error for you guys to look for is called badValue. When you get a badValue back from an agent, he's telling you that the specific operation you tried to tell him to do is not working, and this applies totally in the context of sets: when you try and set something, and that type of set value is not something he's capable of doing, he's gonna tell you, badValue, man, sorry, I'm not accepting this. And see, sets are a shitty thing, because a lot of times in our MIBs we have to set other things; we have to send sets to other parts of the MIB before we can set certain other things. Like for instance, our favorite MIB from a management perspective is called the RMON, Remote Monitoring, MIB, and that lets us do alarms and stuff like that. We aren't allowed to modify our RMON table until we've set the operational status of the RMON MIB. By default on most devices it's user-defined, but in order to edit it we have to set that to code 3, which is "MIB in progress." It's a lot of BS, but SNMP version 2 has more error codes, and this gives us fingerprinting capabilities. We have to listen to error codes when we're attacking a managed network, because they tell us, especially when we don't have the ability to know how our stuff's performing ahead of time. Shit. Exactly. I'll drink to that. Neither, huh? I didn't pay to... all other day, seriously, but... Okay, so let's move on without the fancy pictures. Um. So we're talking about error codes. Drinking, yeah. Um. Let's get to something interesting, because this is just killing me.

Okay, SNMP version 3. It's all the talk these days, right? Oh shit, authenticated management protocol, DES by default, 56-bit key, DES key space. Wow. No. SNMP version 3, the way it's in the main enterprise, you have to know what you're doing very well; you have to come from a security background. Well, it's just not viable. It's a lot of work, and managers don't do this. Seriously, I swear, I come from a management consulting background. I do big stuff for big companies and see how their infrastructure is working, and they just don't like it; it's so much work.

And the reason why is SNMP version 3 took a whole new thing. They said, hey, we need security. We need a way to authenticate messages and conversations. We also need to encrypt our data. So what they did was they defined something called the user management model, which is RFC 2574. And all SNMP datagrams consist of two parts. It's called message global data, which is our header; our message security parameters, which is our life; and message data, which is the part of it like our variable bindings and stuff like that. So our message security parameters are how we define how we're gonna authenticate. By default, with SNMP version three, even if we enable it on our device, we still have to define a way we can talk using it, and we have to define users, we have to define the context in which the users are allowed to talk to our devices, and we have to bind it to a specific SNMP engine. The engine is what, when computed with the hash, gives us our... and our passphrase gives us our encrypted key. So we need to do a lot of stuff in order to get this infrastructure up and running.

So let's say we're looking at a network with tight security. We got mad devices talking only SNMP version three with encrypted authentication and encrypted data; the handshake, everything's going on, and we're like, we can't sniff it, we can't do anything. How are we gonna compromise this network? The main point of our attack needs to be at the user systems table, or USM. It resides on the agent. It gets kind of fuzzy here, because it's weird: it's not an SNMP-enabled entity, in terminology; it exists outside SNMP. We can't talk to our USM table with SNMP. It's defined in the RFC. So what we have to do is circumvent this, meaning we have to attack our router using different methodologies, i.e., breaking the protocol structures such as TACACS+, faking handshakes, stuff like that. So that's when we start attacking the entire infrastructure, and with SNMP version three we don't have too many options as of now, except from an exploitable perspective. Recently these guys from Oulu University published what's called the PROTOS test suite, right?
And the test suite was attacking them. It was doing SNMP injection of specific PDUs on version one of the protocol, and they were doing agent overflowing and stuff like that, exploiting viable buffer overflows. No, ASN.1 is the way we define a hierarchy, the way we define our MIBs. It's only a way of... like, our agents exist in... they don't know about ASN.1; they exist independently. The PROTOS test suite was attacking the way agents interpreted data, regardless of the way that it was sent. They were centering on, with most of our definitions, which I kind of want to show you, there was like, we define in ASN that this specific OID has read-write access, it's a string type or it's an integer, it's a gauge, blah blah blah. So what we can do is say, hey, we could try and overflow the string. It only takes so many characters before it breaks, and the agents that existed on that device didn't know how to handle the overflow and stuff like that. So that's the way, from a strictly codeable perspective, of attacking using exploits, where we have to use the PROTOS test suite, and the idea is they've given us... because they did a lot of work and they did a really good job.

As far as the big misconception: that somehow MIBs and Abstract Syntax Notation and all that stuff is all tied together. But it's not true. We can talk as long as we can send a packet to these people. They don't care what it is. The way they interpret it is going to be the thing that makes us break, or not, the system.

But let me talk a little bit more about MIBs. MIBs are just a database of managed objects that the agent monitors and manipulates. It's a way of us thinking about a database of managed objects; the SMI provides a way to define it using ASN. And what we need to do when we're looking at all the MIBs we want to exploit is, um, you get a MIB compiler, because they do the work for us. So probably your best bet as far as tools is Net-SNMP. Awesome. It's just a programming library with all kinds of extensions, and everyone's writing for it. They're doing a great job keeping it up to date and patching it and everything like that, and it supports SNMP version 3, so we can do a lot with it. It's a little less user-friendly than your standard management interfaces, but we don't care about that. We're trying to break into systems; we're not trying to look pretty.

And here's kind of what I want to show you about MIB examples, but... no. So what we want to do when we're trying to attack something is... exactly. We want to talk about Ocean's Eleven a little bit. Have you guys ever seen the movie Ocean's Eleven? The shitty remake with Brad Pitt and George Clooney? What are they doing in Ocean's Eleven? They robbed three casinos, and the way they did it was they built the same vault as the casino did, right, from the ground up.
They did everything ahead of time. When we're breaking into a network and we want to use management protocols as our attack vector, we want to know exactly how these attacks are collated in the environment and responded to. So the more you can get... if you could write your own agent that responds just like that, the more stuff you can get that is analogous to the network, the better off you are, just like in Ocean's Eleven. Because if not, we're gonna be attacking in the blind. It's just gonna be like hijacking a TCP session; we're not gonna know what the fuck's going on. We're just gonna have to say, hey, let's try it, sequence numbers and everything. And the thing is, there's so much information out there, because vendors want their devices to be easy to manage. So we use that. We use our MIBs, we use our compilers, we use our tools. We set up an environment that emulates this type of network, and we say, hey, let's go out.

When we're inside a network, we want to look for two things: traps and informs. Traps are one-way dumps of what's going on on the network, and those are what tell us the most about the information. Those tell us two key things: the trust relationship on the management network, and where we need to look to break the management sector. Traps will always be sent to a management station that basically manages the entire network, or a segment of it.
So when we look at the trap, we're gonna try and identify where it's going and what it contains. Traps usually, by default, contain the same community strings that the managed devices communicate with. It's not a two-way thing that people think of, like a symmetric conversation. You don't need the same community strings to talk back to the network management station that you do to ask the questions. So that's what we're looking for. The informs are a little more formal. It's a way of making sure your trap has gotten there. It's just a handshake saying, hey, I got this message. The only time informs are not gonna work is when your network goes down and when you can't get your datagram to the device.

So, yeah. Cisco, or... this guy. Our favorite SNMP tools: scripts. Two different scripts... to do scripting stuff there's Net-SNMP, which I talked about, which is the best. Good stuff. Go get it if you like SNMP. Also, we have Tcl/Tk and Scotty, which is an interpreted language. It's super simple. It's a really cool language, dude, and we want it. It has a lot of potential as just being simple, robust. We can do what we want with it, with complex polling and search methods.

The next best thing, the thing that's our life if we're going after a network with SNMP as our attack vector, is sniffers. We have to use sniffers. Even if the data is encrypted, the sniffers are going to tell us everything we need to know about the hierarchy and the topology, stuff like that. And that's kind of what's appealing about using this to attack networks: it's unintrusive. We don't have to do anything. We don't have to install back doors.
We don't have to compromise file servers, anything like that. We use what the networks have implemented already. They don't know we're there. If we do this right, they can't... intrusion detection. If we're using the trust relationship on a management VLAN, intrusion detection doesn't mean shit. We exploit the way these devices exist in the hierarchy.

The next best thing, if we're attacking blindly, is we have to brute force our community strings. The problem with that is, if they're doing trap handling right, they're gonna send traps back to the network management station saying, the authentication failed, this person's trying to brute force. So we have to think of creative ways to attempt it, using really long changes in timing and stuff like that. So brute forces are sloppy. And like I was talking about, the PROTOS test suite is in Java, in compiled files, and we have to do like... we have to... What's going on? Yeah. For this test we... whatever.

RMON. Let's talk a little bit more about RMON as an unintrusive packet sniffer. We can have network electronics that support the RMON MIB let us sniff packets on their network without them knowing about it, if we do it right.
So what we have to do is we have to send... On Cisco devices, that requires exec access at the command line to enable RMON-like sniffing. So that's one of the key things: getting an RMON MIB to tell you stuff means compromising a Cisco router, and by then you're like, hey... But other network electronics are more susceptible to RMON attacks, and we have to look for two key things in the tree: our filter and our capture tables. We implement our filter and capture table using our PDUs, and we'll set up an interface that resides in promiscuous mode, and we'll iterate all the data. The PDUs that pass the filter tests are then forwarded to the capture buffer table. To set up the data channel, a vacant index must be determined, which is our interfaces. The channel status should be createRequest. Oh shit. Yeah, but anyway, basically we have to look for two things in our RMON MIB, the filter and capture groups, and from there read it, and it's straightforward. And this way we install a sniffer on major hardware, like for example the Catalyst 6509. They're the LAN switch. It enables us to look at all traffic passing across its interfaces just using SNMP. That's the competent managers.
They'll be able to find out what's going on, and it's not... they'll see. This is Fear and Loathing in Las Vegas.

So we like RMON. RMON's very good. We can break a lot of stuff with it, and RMON is also the way we make a lot of money if we're interested in managing, because managers love RMON. It tells us everything: it tells us our top talkers, host top-N, stuff like that. It's what does our traps. And the thing about RMON, it's still like SNMP. The only thing is, when they defined the RFC, they defined a matrix-style architecture. It was like a big thing back then, because they were doing straightforward tables, so it was kind of a step forward in the management world.

So we want to talk about reconnaissance. When we're looking at a network and we want to break it, what are we gonna do from an SNMP perspective? We want to identify the network first. The big thing is the access lists. Access list detection from an SNMP perspective sucks, because when we're using version one, version two, and we're sending our packets, we're gonna get the same response from an access-listed device as we would if we were using the wrong community string. So this is where sniffing comes in, and this is where... So, it's Microsoft. Hey, so the best way we're going to get into the network is, um...

So when we're getting into a network, the best bet is through the DMZ, because our DMZ is typically not managed correctly. Either they're letting in... they don't have the proper ingress filtering and stuff like that. So the way we want to do it is go after a host in the DMZ, be it a web server or anything like that, and that will give us the trusted capabilities inside the network using SNMP. I wish I had that fucking picture, but I forgot to write it.
I was drunk. So basically, let's say our firewall has segmented the DMZ from the private network, and they're doing all kinds of great stuff. Managers will enable SNMP protocol passes from the DMZ to the private segment. No implementation of a firewall is gonna let SNMP traffic pass from the outside inside. It's just not a real situation you're gonna find in the wild. But from the DMZ, it's different. I've seen it. So look there first. If you can't get there, then the only thing is you got to get internal access, and our internal access comes from another way, the number-one way: social engineering. I don't need to describe that to you; everyone here is pretty much educated on that.

Once inside, we have to attack the management VLAN. Normally our management VLANs suck, right? I mean, they're not secured by any means, even in the most standard of implementations. We're looking at a VLAN that, if they do it right, they're not gonna let you route between a management VLAN and a student VLAN or whatever else they got. That doesn't mean crap, though. It's easy to get around. And what the hell is this? SNMP is also a great way to transport viruses. Just kidding. And I don't know how to use... what does this... What the fuck. Oh my god, oh shit.

Why is SNMP a viable attack mechanism? Huh. Not what we want to replace web pages, people, or deface, replace, whatever. We're not gonna replace index.htm with SNMP. It's out there: toplesslawyers.com. We have people, but we want to look at ways of compromising networks, not ways of compromising web servers, all right? We're not there. If you can learn a nice sappy overflow, great. It's a lot easier, I think; it takes a lot of work. This is the key thing: when we have ways of communicating properly to network electronics. And keep in mind, did anybody see that talk on printers and stuff like that, overflows using CDP? That was great. That will give you a great perspective on how we can compromise a major network. We can look at printers, we can look at UPSs with smart management cards, we can look at any type of network electronic that has SNMP agents enabled on it, and it's everywhere. So what we have to do is get creative, and we have to look at JetDirect cards, and we say, hey, we can compromise JetDirect cards and exploit the trust relationship between JetDirect managers and the JetDirect printers. We can compromise UPSs the same way, and it's super easy. That talk was really awesome, and I have to give that guy a lot of respect.

But I don't know. SNMP is a tool for attacking, for reconnaissance. SNMP lets us take over an entire network, given the conditions are met, just like everything else. SNMP can give us complete access to their infrastructure, and it will belong to us. But we have to know a few key things: community strings, what type of agents are running, and, more importantly, the management hierarchy, which I think is coming up.

So now we're on management. These are the key protocols we see in a network. Network management is basically the way of managing large amounts of network electronics. We have a network with 10,000 nodes and 300-plus routers; you're not gonna be able to go out to every single one and say, hey, what's your MAC address?
So we have to centralize our way of querying these things, and this is where network management servers come in, and also our network management protocols: SNMP being number one, and then we have stuff like syslog and the Cisco Discovery Protocol, and the Network Time Protocol and all that stuff.

So NTP. NTP is a management protocol we can look at to maybe slide in under the normal ways of what they're looking at from a security perspective. All NTP does is synchronize time between electronics, and it normally goes outside to do that, to one of those big university-like timer clocks. And so there's ways of authenticating it, but it's normally not authenticated, because it's so simple. So it's a way of communicating to our major routers who synchronize time on their LAN/WAN, and if we have no other mechanism, NTP is a way to go.

So CDP. Jesus Christ, CDP is, oh my god, one of the craziest protocols I've ever seen in my life. Those guys who gave a talk about exploiting Cisco, they're writing to the kernel using CDP as their attack vector. It was insane. CDP is so fucking informative that we can know everything about a network just by sticking a laptop on one of the ports and just watching. Here's our CDP protocol dump. Okay, you guys can't see that, but oh well. This is basically a device telling a 6509: hey, this is what kind of stuff, this is what software version I'm running, this is where I am, this is how I work, talk back to me, I miss you. So CDP is the glue that binds Cisco devices, and if you guys have ever seen Jeremy Rodstock's stuff, he did a lot of this.
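The CDP dump the speaker is describing, decoded by a short parser. This is an added example, not the speaker's capture or any Cisco code: the frame bytes are constructed here (device name, address, port, version string and platform are all made up), and the TLV names are readable labels, not Cisco identifiers. It shows exactly which fields a switch volunteers in every CDP advertisement, which is the inventory a defender needs when deciding where CDP can stay on and where it must be disabled.

```python
import struct

# CDP TLV type codes as seen on the wire; the names are labels chosen for readability
TLV_NAMES = {
    0x0001: "Device-ID",
    0x0002: "Addresses",
    0x0003: "Port-ID",
    0x0004: "Capabilities",
    0x0005: "Software-Version",
    0x0006: "Platform",
}

# Capability bits carried in the 4-byte Capabilities TLV
CAPABILITIES = [
    (0x01, "Router"),
    (0x02, "Transparent-Bridge"),
    (0x04, "Source-Route-Bridge"),
    (0x08, "Switch"),
    (0x10, "Host"),
    (0x20, "IGMP"),
    (0x40, "Repeater"),
]


def tlv(type_code, value):
    """Encode one CDP TLV: 2-byte type, 2-byte length (header included), then the value."""
    return struct.pack("!HH", type_code, 4 + len(value)) + value


def build_sample_frame():
    """Constructed CDP payload (version 2, TTL 180). Every value below is made up."""
    # Addresses TLV: 4-byte count, then per address: protocol type (1 = NLPID),
    # protocol length, protocol (0xCC = IP), 2-byte address length, address bytes
    one_ipv4 = (struct.pack("!I", 1) + bytes([1, 1, 0xCC])
                + struct.pack("!H", 4) + bytes([10, 0, 0, 5]))
    body = b"".join([
        tlv(0x0001, b"edge-sw-01"),
        tlv(0x0002, one_ipv4),
        tlv(0x0003, b"GigabitEthernet0/1"),
        tlv(0x0004, struct.pack("!I", 0x08 | 0x20)),          # Switch + IGMP
        tlv(0x0005, b"Cisco IOS Software, Version 12.2(99)EX [constructed]"),
        tlv(0x0006, b"cisco WS-C2960-24TT-L"),
    ])
    # Checksum is left zero in this constructed sample; the parser does not verify it
    return struct.pack("!BBH", 2, 180, 0) + body


def parse_addresses(value):
    """Decode the Addresses TLV value into dotted IPv4 strings (other families as hex)."""
    (count,) = struct.unpack("!I", value[:4])
    pos, addrs = 4, []
    for _ in range(count):
        proto_type, proto_len = value[pos], value[pos + 1]
        proto = value[pos + 2:pos + 2 + proto_len]
        pos += 2 + proto_len
        (addr_len,) = struct.unpack("!H", value[pos:pos + 2])
        addr = value[pos + 2:pos + 2 + addr_len]
        pos += 2 + addr_len
        if proto_type == 1 and proto == b"\xcc" and addr_len == 4:
            addrs.append(".".join(str(b) for b in addr))
        else:
            addrs.append(addr.hex())
    return addrs


def parse_cdp(payload):
    """Walk the TLV list and return everything the advertisement discloses."""
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl, "addresses": []}
    offset = 4
    while offset + 4 <= len(payload):
        type_code, length = struct.unpack("!HH", payload[offset:offset + 4])
        if length < 4 or offset + length > len(payload):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = payload[offset + 4:offset + length]
        if type_code == 0x0002:
            info["addresses"] = parse_addresses(value)
        elif type_code == 0x0004:
            (bits,) = struct.unpack("!I", value)
            info["capabilities"] = [name for bit, name in CAPABILITIES if bits & bit]
        elif type_code in TLV_NAMES:
            info[TLV_NAMES[type_code]] = value.decode("ascii", errors="replace")
        offset += length
    return info


if __name__ == "__main__":
    for field, value in parse_cdp(build_sample_frame()).items():
        print("%-17s %s" % (field, value))
```

Run against a real capture, the same parser tells you which ports on which switches are advertising hostname, management IP, port name, platform and exact software version to anything plugged in; that list is what drives a "no cdp enable" decision on user-facing and DMZ-facing ports.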
So I don't want to get into this type of security mechanism, because we can authenticate CDP, we can do stuff with it, but by default, same as all the other protocols, it's almost broadcast over their LAN saying, hey, this is where we are. The typical thing managers will do is segment this by VLAN, but we can get around that.

Syslog. Syslog is our favorite thing; it centralizes logging. Where a lot of people don't understand is, syslog is not a way to receive traps. Syslog is sort of the log server; it's what happens to our network electronics when we need to log a single event. Trap clearing is a completely different thing, but these two things are kind of in the same analog, because we can exploit the trust between syslog and traps and stuff like that, just like anything else. And typically a server like a syslog server, any of these servers, is running multiple services, and this is what we need to identify: these management servers are so susceptible to attacks, and they're wide open as long as we can compromise the VLAN. They are easily the most attackable device on the network, just because they have to get so much information from the rest of the network, and in the enterprise context we're talking about a shitload of information.

So what are we going to do to help out our infrastructure? We're going to implement access lists. We're going to segregate traffic by VLAN, which should prevent sniffing but really doesn't. And we're going to, hopefully, filter management traffic at the firewalls. If you want to do it right, do intrusion detection in your VLAN, do
firewalling in your VLAN as well as the rest of your network. This is the part of your network that owns the rest of your network, so we have to pay a lot of attention to this. And the thing is, it's not giving too much of a perspective, or whatever the word is. I'm drunk.

So TACACS+. We like TACACS+. This is the way we authenticate managed devices. TACACS+ is pretty cool. It's better than RADIUS, but it's susceptible to replay shit. But, you know, TACACS+, just like any other implementation, now that we're authenticated we replay TACACS our way to get into TACACS+-enabled networks. TACACS+ is over TCP, RADIUS is over UDP, so you guys know the difference. If we're looking from the outside, TACACS+ is not going to be a viable way to get in; RADIUS is not going to be a viable way to get in. You're gonna have to be creative and look at the DMZ first. But when we do get in, we want to pay attention to the AAA authentication stuff. We want to pay attention to what's going on, because this is the management hierarchy we are attacking.

And like everything else, this is usually centralized over the specific areas of the network using something like Cisco Secure Access Control Server, but Access Control Server is just like everything else: we can break through it just by watching the way in which the network is managed. And this is kind of what I'm trying to get across, buddy: the way in which people manage networks also tells us the way in which we can break into it.
So our network management security is kind of a joke. We have our $50,000 solutions that let us poll hundreds of devices: OpenView, number one, CiscoWorks, all that stuff, all in the center. And these things are running a shitload of services and a shitload of just unneeded stuff. Like, you look at an HP-UX box with OpenView on it, you run nmap against it, you'll see like, fuck, like 15 ports open. It's a joke. And the ways we can get into the server, there's too many ways; it's too possible. We have the PROTOS test suite as an SNMP attack vector. We also have our replay attacks and stuff like that. So what we could do is, we want to break into these servers; all we need to know is where they are and how to talk to them, and that's the sniffing part. And I think I'm done.

So anybody have any questions? Questions, comments? Is Shakira in the crowd? I want to talk to her. Porn. We were throwing porn at cars. Yeah, it was crazy. But, you know, it's too much porn in Las Vegas. I just kind of want to spread the word, you know, because I didn't think the cars were getting enough porn.

Okay, oh, this is a good question. Um, we'll see, because NTP assumes a trust relationship, right? We're asking a specific device outside of our network to centralize our time. So if we set up a bogus NTP server, there's issues. It's more of a DoS thing: if we set up improper timing, when we try and synchronize with our timing there's issues that come up when a processor does the timing stuff. So it kind of breaks the router architecture and sort of removes the device from the network. That's the only thing I've seen. I've heard there's other ways. It's more of the trust relationship.
It gives us a way to communicate to our network electronics and sort of fingerprint what we're talking to. Yeah, exactly. Well, that's why NTP authentication is like the most important managed protocol, because it's something that's coming from outside our network, so we have to look at it. It should be keyed. Anything that's talking to our devices and telling us synchronization information is the most important thing, because it tells us how our devices are supposed to perform. Right. But you have to go pick one; your device won't just go out there and say, hey, there's an automated NTP server that... Yeah, yeah. Right. I... Really. Right, right. Well, yeah, it's time. It's obviously not that big of an issue on your network. The thing is, it gives us potential for denial of service and stuff like that. That's the reason I mentioned it. It's not a practical attack you see in the wild; it's kind of worthless, but it's a management protocol just like all the others. And so, yeah, see, there you go. Yeah, the synchronization is key inside, because when your master routers are doing, hopefully, redundant NTP polling and stuff like that, they're pushing out times to the rest of your edge, the rest of your switches and stuff like that. It screws everything up. Like, what if your servers aren't synchronized the same as your managed electronics? Then things don't work correctly. So it's fun stuff. Any other questions?

Too much, but I want some more, so if anyone wants to go party, Shakira especially. Well, porn, right. Causa, or... Well, let's make it, let's just go walk down the street and find some porn. And, you know, I just want to give a shout-out to the Muppet Babies. They're like an extinct species. I'm also endangered.
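The NTP trust relationship from the Q&A above, worked through in code. This is an added example, not from the talk and not ntpd's code: a client-side check that only accepts a server reply carrying a valid symmetric-key authenticator, so that a bogus or unauthenticated NTP server cannot push bad time onto the device. The key ID, key bytes and the reply packets are constructed here; the MAC is the MD5-over-(key || 48-byte header) scheme that ntpd uses for symmetric-key authentication, with a 4-byte key ID followed by the 16-byte digest.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01

# Constructed shared secret. On a router this is what "ntp authentication-key"
# configures; on the server it lives in the keys file. Value is made up.
KEY_ID = 7
KEYS = {KEY_ID: b"constructed-example-key"}


def to_ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    secs = (int(unix_seconds) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def build_server_response(transmit_unix, stratum=2, ref_id=b"GPS\x00"):
    """Minimal NTPv4 server reply (48-byte header). Fields not needed here are zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll, precision
    header += struct.pack("!II", 0, 0)            # root delay, root dispersion
    header += ref_id
    header += to_ntp_timestamp(transmit_unix)     # reference timestamp
    header += b"\x00" * 16                        # origin and receive timestamps
    header += to_ntp_timestamp(transmit_unix)     # transmit timestamp
    return header


def ntp_md5_mac(key, header):
    """Symmetric-key digest as ntpd computes it: MD5(key || header)."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id):
    """Append the 20-byte authenticator: 4-byte key ID + 16-byte MD5 digest."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(KEYS[key_id], header)


def verify(packet):
    """Return (accepted, reason). Only a reply with a valid MAC for a known key is accepted."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "truncated packet"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(trailer) != 20:                         # this check handles MD5 authenticators only
        return False, "no MD5 authenticator present"
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown key id %d" % key_id
    if not hmac.compare_digest(ntp_md5_mac(key, header), trailer[4:]):
        return False, "MAC mismatch"
    return True, "authenticated with key %d" % key_id


def transmit_time(packet):
    """Unix seconds from the transmit timestamp; call only after verify() accepted the packet."""
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def demo():
    """Genuine reply vs. two bogus-server replies vs. a tampered genuine reply."""
    now = 1700000000.25                            # constructed clock value, fixed for repeatability
    genuine = sign(build_server_response(now), KEY_ID)
    bogus_unsigned = build_server_response(now + 3600)                 # rogue server, no key
    bogus_forged = (build_server_response(now + 3600)
                    + struct.pack("!I", KEY_ID) + b"\x00" * 16)        # rogue server guessing the ID
    tampered = genuine[:40] + to_ntp_timestamp(now + 3600) + genuine[48:]   # on-path edit
    return {
        "genuine": verify(genuine),
        "bogus_unsigned": verify(bogus_unsigned),
        "bogus_forged": verify(bogus_forged),
        "tampered": verify(tampered),
        "genuine_time": transmit_time(genuine),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-15s %s" % (case, result))
```

The point of the check is the one the speaker makes: without a key, whoever answers on UDP 123 first sets your clock. With the key required, an unauthenticated reply, a reply under an unknown key, and a signed reply whose timestamp was edited in transit are all dropped before they touch the device's time.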
So we need to look up the Muppet Babies. No, they're all good. Trust me. We love them. But anyway, it's the last talk of the day, so I hope everyone had a good time. Let's party, and let's do math: analytic number theory.