Network Topology Discovery and Exploitation

Threats tend to be ignored when their impact is not fully understood, and SNMP is a good example of a frequently ignored threat. Enabling a public read-only SNMP community on a network device may open a door for attackers to map a network topology without generating much suspicious network traffic. Port 161 queries from the Internet may well be flagged as suspicious, but the same queries are easily overlooked when they originate from a compromised host on the local network. This paper is not meant to be a discussion of preventing data collection through SNMP, but an attempt to highlight how much information can be gathered with a read-only SNMP community and no other access to network devices. The following assumptions pertain to the network devices included in this analysis: the devices have already been scanned and identified as using SNMP; the read-only SNMP community is known for all devices; the RO community has no access restrictions; and all devices are reachable from the information-gathering host.
 
The concepts demonstrated here may be applied to information gathered through other methods. Network analysis involves merging multiple data sets, such as BGP, ARP, SNMP, NetFlow, network device configurations, and security appliance data. SNMP was chosen as an example because it can supply several of these data types through a single protocol. Using the techniques in this paper, the topology of an Ethernet network is determined at different OSI layers. The goal of this paper is to piece together network topology from different data types; the method of gathering the data is secondary. All IPs and Autonomous Systems used are for educational purposes only.
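To show what "merging data types" means in practice, the following added example (not code from the paper) correlates constructed snapshots of the standard MIB tables a read-only community exposes: the IP-MIB ARP table (layer 3 to layer 2), the BRIDGE-MIB forwarding table (MAC to bridge port), the bridge-port-to-ifIndex mapping and IF-MIB interface names. An auditor can run it against their own walks to see exactly which hosts sit behind which switch port, and therefore how much of the topology a leaked RO community already reveals. The table contents, interface names and addresses are constructed sample data.

```python
"""Merge constructed SNMP table snapshots from one switch into a topology view.

Constructed data standing in for GETNEXT walks of these standard objects:
  IP-MIB     ipNetToMediaTable      (ifIndex, IP) -> MAC       (layer 3 -> layer 2)
  BRIDGE-MIB dot1dTpFdbTable        MAC -> bridge port         (layer 2 -> port)
  BRIDGE-MIB dot1dBasePortIfIndex   bridge port -> ifIndex
  IF-MIB     ifDescr                ifIndex -> interface name
"""
from collections import defaultdict

IP_NET_TO_MEDIA = {            # learned on the routed VLAN interface (ifIndex 100)
    (100, "10.0.1.10"): "00:11:22:33:44:01",
    (100, "10.0.1.11"): "00:11:22:33:44:02",
    (100, "10.0.1.12"): "00:11:22:33:44:03",
    (100, "10.0.1.1"):  "00:11:22:33:44:fe",   # next-hop router
    (100, "10.0.1.13"): "00:11:22:33:44:04",   # MAC already aged out of the FDB
}
DOT1D_TP_FDB = {               # MAC -> bridge port
    "00:11:22:33:44:01": 1,
    "00:11:22:33:44:02": 2,
    "00:11:22:33:44:03": 24,
    "00:11:22:33:44:fe": 24,
}
DOT1D_BASE_PORT_IFINDEX = {1: 10001, 2: 10002, 24: 10024}
IF_DESCR = {10001: "Gi1/0/1", 10002: "Gi1/0/2", 10024: "Gi1/0/24", 100: "Vlan10"}


def build_topology(arp, fdb, port_ifindex, ifdescr):
    """Return ({interface name: sorted IPs behind it}, sorted IPs that could not be placed).

    An IP is placed by following IP -> MAC (ARP) -> bridge port (FDB) -> ifIndex -> name.
    IPs whose MAC is missing from the FDB are reported separately rather than dropped.
    """
    behind = defaultdict(set)
    unresolved = []
    for (_, ip), mac in arp.items():
        port = fdb.get(mac)
        if port is None:
            unresolved.append(ip)
            continue
        behind[ifdescr[port_ifindex[port]]].add(ip)
    return {name: sorted(ips) for name, ips in behind.items()}, sorted(unresolved)


def classify_ports(topology):
    """Several hosts behind one interface marks an uplink/trunk candidate; one host marks an edge port."""
    return {name: ("uplink" if len(ips) > 1 else "edge") for name, ips in topology.items()}
```

Feeding real walks in (for example from snmpwalk output parsed into the same dictionaries) turns this into a quick check of how much of your layer 2 and layer 3 layout a single read-only community discloses.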
 
Download the full paper here: http://lgscout.com/papers/LGTechpaper_Network_Topology_Discovery_and_Exp...