0

Assume a network fault monitoring tool is deployed to monitor a subset of routers.

What can an attacker do by exploiting a network monitoring system like OpenNMS?

  1. Can they learn about the topology of the network?

  2. Can they find systems of interest? (servers, switches, etc.)

  3. What else may be possible to discover?

I believe it depends on the configuration of the NMS system, and what traffic is flowing across. Am I correct?

I am interested in finding out what sensitive information a network/fault monitoring system is vulnerable to.

munkeyoto
user1493834

1 Answer

2

Many NMS systems work better when deployed using Simple Network Management Protocol (SNMP). SNMP allows for greater detail in data versus inference. E.g., without SNMP, the NMS tool relies on aggregating the bandwidth and connections it sees, versus using SNMP, where it can access the router and query an interface. So what is at risk here:

Routes: In segregated environments, there are VLANs, multiple routes sometimes to different providers, destinations, and so forth. As an attacker, I would always be interested in those routes; it helps me discover more of an attack surface.

Systems: Where I would have to manually discover what is on the network, the NMS makes it simple for me because it is a single source of discovery versus me having to fire off, say, Nmap to discover everything on my own. This keeps my network noise minimal.

Versions: Along with systems and routes, the NMS makes my life simpler as an attacker since most NMS systems contain versions of software and systems. Rather than performing system fingerprints, I can just query the NMS system for specifics. E.g.: "Which of these 1000 systems are Windows 2003 systems, and what is their patch level?" (To be used for isolating exploits).

Credential Reuse: Many organizations forget about credential re-use. The more accounts on the NMS, the higher the likelihood someone is re-using their credentials. E.g. username (on NMS): jsmith, password: Passw0rd1. In this situation, a junior admin has an account on the NMS. His password was cracked, and now I as an attacker can use that password to pivot around the organization. Depending on how you have your NMS configured, it may be possible to access an NMS and get all the data I need without accessing, say, an Active Directory server.

There are plenty of issues with NMS systems regarding what, and how, an attacker can leverage that data. I love targeting NMS-based systems, and often find that organizations who deploy them do not address these issues. (Segregation, isolation, monitoring)

munkeyoto
  • Introducing an NMS in your network may give you a few new threats: "one" system has access to all your other devices, has knowledge about your network and may have some credentials stored in it to access other devices. But it also solves/reduces some threats in the same way, and you have to take them into account as well when doing a threat analysis, as introducing two new threats can be beneficial when you solve/reduce more than you introduce. – hspaans Apr 27 '16 at 22:15
  • Credential Reuse - this seems to be a threat in all software where there would be multiple levels (privileges), but not specific to NMS. – user1493834 Apr 28 '16 at 04:27
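
One way to act on the segregation and monitoring points the answer raises, as an added example that is not part of the original posts: review the NMS's own access log for logins from outside the management subnet and for accounts that read many distinct nodes in one go. The log format, subnet, threshold and sample lines are constructed assumptions, not OpenNMS output.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the original posts): the management subnet, the
# threshold, and a simplified "time user src_ip action node" audit format.
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")
BULK_THRESHOLD = 3  # distinct nodes read by one user/source before flagging

# Constructed sample audit lines (including one malformed record).
SAMPLE_LOG = """\
2016-04-27T09:00:01 admin 10.10.50.7 view_node rtr-core-1
2016-04-27T09:05:12 jsmith 10.10.50.9 view_node sw-floor2
2016-04-27T22:14:03 jsmith 192.168.30.44 view_node rtr-core-1
2016-04-27T22:14:05 jsmith 192.168.30.44 view_node rtr-edge-2
2016-04-27T22:14:06 jsmith 192.168.30.44 export_inventory srv-db-1
2016-04-27T22:14:08 jsmith 192.168.30.44 view_node srv-ad-1
malformed line
"""


def analyze(log_text, mgmt_net=MGMT_NET, threshold=BULK_THRESHOLD):
    """Return (outside_sources, bulk_readers) found in the audit log."""
    outside = set()                # (user, ip) seen outside the mgmt subnet
    nodes_seen = defaultdict(set)  # (user, ip) -> distinct nodes read
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue               # skip malformed records
        _time, user, src, _action, node = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue               # skip records with an unparsable source
        if ip not in mgmt_net:
            outside.add((user, src))
        nodes_seen[(user, src)].add(node)
    bulk = {k: len(v) for k, v in nodes_seen.items() if len(v) >= threshold}
    return outside, bulk


if __name__ == "__main__":
    outside, bulk = analyze(SAMPLE_LOG)
    for user, src in sorted(outside):
        print(f"ALERT outside-mgmt-subnet login: {user} from {src}")
    for (user, src), count in sorted(bulk.items()):
        print(f"ALERT bulk inventory read: {user} from {src} ({count} nodes)")
```
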