Wi-Fi Technology Forum - Wireless Mobile News and Forums
A threat posed by SNMP use over WLAN

The SNMP threat in a Wireless LAN environment

Administering an Access Point over the wireless link can have very dangerous side effects. Given the various attacks on WEP, which can be performed with tools easily retrievable on the Internet, you have to consider your 802.11b wireless link absolutely untrustworthy. This alone could be reason enough to avoid performing confidential operations over this link. Below I show the risks associated with wireless SNMP administration.

Let's consider an Access Point with its IP address fixed to 153.69.254.250 and a management station with its IP address fixed to 153.69.254.53. The WLAN administrator runs the proprietary application, shipped on a CD-ROM bundled with the wireless equipment, to manage the access point. As previously said, the out-of-the-box Community Name has been set to public.

First of all, the administrator changes this value to a new name, hopefully following the rules used to build a robust password. For the sake of simplicity in this paper (and only for this!) I suppose this Community Name is set to rw_pwd. The administrator can use this string (exactly as a password) to access the proprietary management application on the client side, or to access the Access Point directly using SNMP packets. For this reason, the Community Name lets the administrator (and whoever knows it!) read and write the Access Point configuration.

If a malicious eavesdropper is listening on this Wireless LAN and his attacks on WEP are successful, here is what he can learn about the network.

Snapshot 1

Snapshot 1 shows that the SNMP Community Name, set to rw_pwd, has been sent in cleartext (over WEP) from the management station to the Access Point. This is the same password used to access the management application: in this way the malicious eavesdropper learns the administration password to read and write the access point, meaning that he shares management of the access point with the administrator.

What is the robustness of the administrator's chosen password worth, if it is sent in cleartext over a WEP channel? Nothing, obviously, except to resist brute-force attacks against the management application in case the attacks on WEP are unsuccessful.
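As an added example (not code from the article or from the Wi-Fi Technology Forum), the following Python script parses the SNMP v1/v2c message header of a captured datagram and raises the findings a defender auditing such a capture would want: a community string carried in cleartext, a vendor default community, and write access via a SetRequest. The packet bytes and the community values (rw_pwd, public) are constructed in the script to mirror the paper's scenario, not taken from the snapshots.

```python
# Added example (not the article's code); sample datagrams are constructed below.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}

def _tlv(tag, payload):
    """BER-encode one TLV; samples stay under 128 bytes (short length form)."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_snmp_header(datagram):
    """SNMPv1/v2c message = SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    vtag, version, pos = _read_tlv(body, 0)
    ctag, community, pos = _read_tlv(body, pos)
    ptag, _, _ = _read_tlv(body, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected SNMP header layout")
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_NAMES.get(ptag, hex(ptag))}

def audit(datagram):
    """Findings a defender would raise for one captured SNMP datagram."""
    h = parse_snmp_header(datagram)
    out = []
    if h["version"] in ("v1", "v2c"):   # neither version offers confidentiality
        out.append(f"cleartext community {h['community']!r} ({h['version']})")
    if h["community"] in ("public", "private"):
        out.append("vendor default community string")
    if h["pdu"] == "SetRequest":
        out.append("write access with this community (SetRequest)")
    return out

def build_sample(community, pdu_tag):
    """Constructed v1 message with one varbind for sysName.0 (1.3.6.1.2.1.1.5.0)."""
    varbind = _tlv(0x30, _tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 5, 0])) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") * 2 + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community) + pdu)
```

Running `audit(build_sample(b"rw_pwd", 0xA3))` reports both the cleartext community and the write access; feeding the UDP payloads of a real capture to `audit` gives the same check over live traffic.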

Snapshot 2

Now, if the hacker wants to be visible, he could change the WEP keys and the Community Name to his own favourites. For example, he changes the Community Name to readwrite_pwd. This operation is performed, like the previous one, in cleartext over WEP, as shown in Snapshot 2. Now the legitimate administrator, unless he can hack back the hacker, can no longer access the Access Point (Snapshot 3), but he is still responsible for it! So the only countermeasure in this situation is to unplug the access point and restart it with the manufacturer settings.

Snapshot 3

What about the risks for this network if the hacker does not want to be visible? They rise, because he has access to all the management information and nobody knows it.

-------------------------------------------

Bio: Dr Gianluigi Me is a staff member of the Wi-Fi Technology Forum and a WLAN editor. With years of experience in network security (especially mobile architectures), he is an IEEE author and a Lecturer at the University Tor Vergata of Rome, Italy.

Contacts: Gianluigi Me, gianluigi@wi-fiforum.com

To contact us, use editor@wi-fitechnology.com

Wi-Fi Technology Forum © 2003, 2004. Permission to use this paper outside the scope of this site should be obtained beforehand. However, permission to quote a paragraph together with a link to this material is hereby granted.



Added:  Thursday, October 28, 2004
Submitter: Administrator | webmaster@wi-fitechnology.com
Page: 2/2
