Third Time's Not a Charm: Exploiting SNMPv3 for Router Fingerprinting

TL;DR

This paper demonstrates that SNMPv3 can be exploited to remotely fingerprint network devices, revealing detailed configurations and identifiers, which poses security risks and offers new insights into global router deployment.

Contribution

We introduce a novel active scanning technique that exploits SNMPv3 for large-scale device fingerprinting and alias resolution, revealing widespread vulnerabilities.

Findings

Fingerprint over 4.6 million devices globally

Identify 350,000 routers via active SNMPv3 scans

Highlight security vulnerabilities in current SNMPv3 deployments

Abstract

In this paper, we show that adoption of the SNMPv3 network management protocol standard offers a unique -- but likely unintended -- opportunity for remotely fingerprinting network infrastructure in the wild. Specifically, by sending unsolicited and unauthenticated SNMPv3 requests, we obtain detailed information about the configuration and status of network devices including vendor, uptime, and the number of restarts. More importantly, the reply contains a persistent and strong identifier that allows for lightweight Internet-scale alias resolution and dual-stack association. By launching active Internet-wide SNMPv3 scan campaigns, we show that our technique can fingerprint more than 4.6 million devices of which around 350k are network routers. Not only is our technique lightweight and accurate, it is complementary to existing alias resolution, dual-stack inference, and device fingerprinting approaches. Our analysis not only provides fresh insights into the router deployment strategies of network operators worldwide, but also highlights potential vulnerabilities of SNMPv3 as currently deployed.