
Better change your default SNMP strings

Status
Not open for further replies.

dibbkd

IS-IT--Management
Oct 12, 2002
Better change your default SNMP strings, I read on another site (and I tested for myself) that knowing the SNMP strings you can reset the password, reboot the switch, and make other changes.

So if you leave them as "public" and "private", anyone can mess with your Cisco switches.


 
Default behavior for Cisco devices is to disable SNMP. There is no default 'public/private' string. And anyone who sets their community strings to private or public with read/read-write access is asking for trouble.

What are you referring to?
 
Yeah, I don't know what device you are working on, but Ciscos do not have SNMP enabled by default, and you must set a community string when you enable it; there is no default.

CCNP
 
A. Look at his handle (name)
B. Look at his link
C. Click his link
D. Add A-C and deduce that...ready?

***DRUM ROLL***

He's advertising for dibbsolutions dot cum

:)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I know it's been good practice to have them set to your own string, but some don't, and the fact that you can reboot and change the login password from just knowing the SNMP strings is what I was getting at.

 
You cannot reboot the router through SNMP without an additional SNMP command, and you can only change the password if you make the community RW, which is very rare because most people are afraid of the unknown, and the fact is most "network engineers" don't know Sh*t, so they will not append the RW at the end of the string. And honestly, I have been in hundreds of Cisco switches and routers at numerous sites and I have yet to see a RW of private, and those that do use RW attach an access-list.


CCNP
 
I found out the above recently when helping someone with their switch, they didn't know the telnet or console password, but I was able to reset the password easily with the tool from the link above. (the RW password was also what they thought the telnet/console password should be).

I know there are Cisco password recovery options, but the tool above was actually easier.

I don't use the RW string on my switches (I manage about 50 of them), but know some who do.

Just thought I'd share my experiences, that's all.


 
So I click the link...

"Dibb Solutions is a certified Medisoft reseller who is able to offer the best pricing and support for all Medisoft products. Our mission is to serve healthcare practices by providing the highest quality training and support for Medisoft and Office Hours products. We are committed to offering individualized and comprehensive services in a professional environment. Our team-oriented staff strives to maintain professional and ethical practices to ensure quality services."

And you're telling me that you, "Just thought I'd share my experiences, that's all.", and not trying to sell anything...

now where'd that pesky flyin' pig go...

who cares---it's FREEZING down here in Hell...

 
Uh, yeah, so my sig points to my website, what's your point?

You think I'm trolling in a Cisco forum trying to pimp out my medical application products? Do I LOOK like a spammer to you?

Should I apologize for having a website in my sig?

Not sure what your problem is.

Not sure how you added up that because I posted something about SNMP vulnerabilities AND I have a website, that MUST mean that I am spamming or whatever it is you think.


 
OK, my apologies...you used a tool from the link above---thought it was from the link to your website. Sorry...many spammers lately, and not that I would want to not give you the benefit of the doubt, but this thread mocked so many others here lately. Still, I judged...and it was founded under false pretenses. My apologies again. Welcome to Tek-Tips.

 
No problem, although I don't post here as often as some, I've been a member here since 2002.

The replies to what I thought was being a helpful post to people who may not have been aware of the vulnerability really caught me off-guard.



 
Generally speaking, most people use snmp for reporting/monitoring purposes and not for configuration changes. Enabling RW on your community would mean you've already considered the security concerns relating to that (hopefully).
 
ISP King - I'm afraid you can reboot Cisco devices with SNMP - I've certainly done it with a 2950 that had gone haywire and wouldn't respond to telnet or SSH; we suspected it had been attacked.

It's not well documented and I'm not sure how many other devices would accept it but given certain configs (and I agree that on Cisco someone's got to put it in in the first place) you can reboot.

 
Did you not read my post? Go re-read it. I said "You cannot reboot the router through snmp without an additional snmp command", which is snmp-server system-shutdown, or an RW string to change the running config to add that command. Congrats on bringing up the dead post.

CCNP
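As an added example (not code from this thread, from Cisco, or from any poster), a small Python audit that applies the checks argued over above to an IOS-style configuration: it flags the default "public"/"private" community strings, any RW community, any community without an access-list, and a present snmp-server system-shutdown line (the extra command the reboot depends on). The two configuration fragments are constructed samples; the hostnames, the ACL number and the read-only community string in them are made up, and the community-line regex is a simplification of the full IOS grammar (view name, RO/RW, optional access-list).

```python
import re

# Constructed sample IOS configuration fragments (not from any real device).
WEAK_CONFIG = """\
hostname sw-weak
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
"""

HARDENED_CONFIG = """\
hostname sw-hardened
access-list 10 permit host 10.0.0.5
access-list 10 deny any log
snmp-server community N3t-M0n-R3ad RO 10
no snmp-server system-shutdown
"""

# Community names that ship as defaults on far too many devices.
DEFAULT_COMMUNITIES = {"public", "private"}

# Simplified from "snmp-server community <string> [view <name>] [RO|RW] [acl]".
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<string>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)


def audit_snmp_config(config):
    """Return a list of (line_number, severity, message) findings for one config."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()

        # The reboot-via-SNMP path only exists if this command is present
        # (a "no snmp-server system-shutdown" line does not match here).
        if line.lower() == "snmp-server system-shutdown":
            findings.append((lineno, "HIGH",
                             "SNMP-initiated reload enabled (snmp-server system-shutdown)"))
            continue

        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community = m.group("string")
        # IOS treats an omitted mode as read-only.
        mode = (m.group("mode") or "RO").upper()
        acl = m.group("acl")

        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "HIGH", f"default community string '{community}'"))
        if mode == "RW":
            findings.append((lineno, "HIGH", f"read-write community '{community}'"))
        if acl is None:
            # An unrestricted RW community is the worst case; RO without an ACL
            # still leaks topology and interface data to anyone who can reach UDP/161.
            severity = "HIGH" if mode == "RW" else "MEDIUM"
            findings.append((lineno, severity,
                             f"community '{community}' ({mode}) has no access-list"))
    return findings


def count_by_severity(findings, severity):
    """Helper for summaries: number of findings at the given severity."""
    return sum(1 for _, sev, _ in findings if sev == severity)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for lineno, sev, msg in results:
            print(f"  line {lineno} [{sev}] {msg}")
```

Run against a saved "show running-config" the same way; the weak fragment yields six findings (five HIGH, one MEDIUM) and the hardened one none, which is the shape a monitoring-only deployment like the one described in this thread should produce.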
 
You know what, for those who thought this was a "useless" thread or worse, check out this recent security release by Cisco.

Cisco Security Advisory: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability:


Yeah, they HARD CODED default SNMP strings in their switches. So those of you who may have this model might not have checked, or set them, so thought you had nothing to worry about. Could be others out there in similar situations.


 
Good find. That model is usually used for special situations (i.e. auto plant), usually with OOB.

CCNP
 