SNMP Enumeration
# Overview
Simple Network Management Protocol (SNMP) operates on UDP port 161 (queries) and 162 (traps). SNMPv1 and SNMPv2c use "community strings" for authentication -- essentially shared passwords that default to public (read-only) and private (read-write). Improperly secured SNMP services leak extensive system information including running processes, network interfaces, user accounts, installed software, and listening services by walking the Management Information Base (MIB) tree.
# Prerequisites
- Tools: snmpwalk, onesixtyone, snmp-check, snmpenum, nmap
- Access Level: Network access to UDP port 161
- Wordlists: Common community string list (public, private, manager, internal, admin, cisco, snmp)
# Detection & Enumeration
## Community String Discovery
```bash
# onesixtyone -- fast community string brute-force
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.161
# nmap SNMP script for community string detection
nmap -sU -p 161 --script snmp-brute 10.10.10.161
# Manual snmpwalk test with 'public'
snmpwalk -v 2c -c public 10.10.10.161
```
Flag Explanations:
- `-v 2c`: SNMP version 2c (most common). Use `-v 1` for legacy SNMPv1.
- `-c`: Community string (think of this as the password)
## MIB Tree Enumeration
Once a valid community string is discovered, walk the MIB tree:
```bash
# Walk the entire MIB tree (can be large, dump to file)
snmpwalk -v 2c -c public 10.10.10.161 > snmp_full.txt
# Specific OIDs of interest
snmpwalk -v 2c -c public 10.10.10.161 1.3.6.1.2.1.25.4.2.1.2   # Running processes
snmpwalk -v 2c -c public 10.10.10.161 1.3.6.1.2.1.1            # System info (hostname, uptime)
snmpwalk -v 2c -c public 10.10.10.161 1.3.6.1.2.1.2            # Network interfaces
snmpwalk -v 2c -c public 10.10.10.161 1.3.6.1.2.1.25.2         # Storage information
snmpwalk -v 2c -c public 10.10.10.161 1.3.6.1.4.1.77.1.2.25    # Windows user accounts
snmpwalk -v 2c -c public 10.10.10.161 1.3.6.1.2.1.25.6         # Installed software
# snmp-check (automated enumeration script)
snmp-check -c public -v 2c 10.10.10.161
```
## Key OID Reference
| OID | Information Retrieved |
|---|---|
| 1.3.6.1.2.1.1 | System description (hostname, OS version, uptime) |
| 1.3.6.1.2.1.2 | Network interfaces (IP addresses, MACs, traffic stats) |
| 1.3.6.1.2.1.25.1.6 | Running processes |
| 1.3.6.1.2.1.25.2 | Storage devices and partitions |
| 1.3.6.1.2.1.25.4.2.1 | Running software/services with paths |
| 1.3.6.1.2.1.25.6 | Installed software inventory |
| 1.3.6.1.4.1.77.1.2.25 | Windows local user accounts |
| 1.3.6.1.2.1.6.13 | TCP connection table |
| 1.3.6.1.2.1.7.5 | UDP listener table |
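An added example, not code from the original page: a small Python parser for snmpwalk output that maps every returned OID to the categories in the table above (longest-prefix match), so a defender reviewing a walk of their own agent can see which branches expose what and decide which to cut from the agent's view. The snmpwalk output below is constructed; it covers both the `iso.` form Net-SNMP prints without MIBs and the `.1.` form printed with `-On`.

```python
from collections import defaultdict

# Category map taken from the Key OID Reference table on this page.
OID_CATEGORIES = {
    "1.3.6.1.2.1.1": "system description",
    "1.3.6.1.2.1.2": "network interfaces",
    "1.3.6.1.2.1.25.1.6": "running processes",
    "1.3.6.1.2.1.25.2": "storage",
    "1.3.6.1.2.1.25.4.2.1": "running software/services",
    "1.3.6.1.2.1.25.6": "installed software",
    "1.3.6.1.4.1.77.1.2.25": "Windows local user accounts",
    "1.3.6.1.2.1.6.13": "TCP connection table",
    "1.3.6.1.2.1.7.5": "UDP listener table",
}

# Constructed snmpwalk output (Net-SNMP prints 'iso.' without MIBs, '.1.' with -On).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "host01"
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.25.4.2.1.2.1234 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.2.1301 = STRING: "postgres"
iso.3.6.1.2.1.25.6.3.1.2.7 = STRING: "openssh-server_8.9p1"
.1.3.6.1.2.1.7.5.1.2.0.0.0.0.161 = INTEGER: 161
"""

def classify(oid):
    """Longest-prefix match against OID_CATEGORIES; None for unlisted branches."""
    hits = [p for p in OID_CATEGORIES if oid == p or oid.startswith(p + ".")]
    return OID_CATEGORIES[max(hits, key=len)] if hits else None

def parse_line(line):
    """Split 'OID = TYPE: value' into (oid, type, value) with a numeric OID."""
    lhs, sep, rhs = line.partition(" = ")
    if not sep:
        return None
    oid = lhs.strip().lstrip(".")
    oid = "1." + oid[4:] if oid.startswith("iso.") else oid
    vtype, tsep, value = rhs.partition(": ")
    if not tsep:                      # bare '= ""' for empty strings carries no type tag
        vtype, value = "", rhs
    return oid, vtype, value.strip().strip('"')

def summarize(output):
    """Group walked values by the category of data they expose."""
    summary = defaultdict(list)
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed:
            oid, _, value = parsed
            summary[classify(oid) or "other"].append(value)
    return dict(summary)
```

Branches that land in `other` are not covered by the table and deserve a look of their own before the agent's view is trimmed.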
## SNMPv3 Enumeration
```bash
# SNMPv3 enumeration (authPriv)
nxc snmp <target> -u snmpuser -p snmppass --snmp-version 3
# -l security level, -u user, -A auth passphrase, -X privacy passphrase.
# -a/-x must match the agent's configured auth and privacy protocols
# (MD5/DES here; newer agents are typically SHA/AES).
snmpwalk -v3 -l authPriv -u snmpuser -A snmppass -a MD5 -x DES -X privpass 10.10.10.10
```
## Additional SNMP Techniques
```bash
# Custom wordlist with onesixtyone
onesixtyone -c /usr/share/seclists/Discovery/SNMP/custom-wordlist.txt 10.10.10.10
# SNMP write community string testing
snmpwalk -v2c -c private 10.10.10.10 1.3.6.1.2.1.1
# If write community works, you can modify SNMP values
# Quick SNMP check via nmap
nmap -sU -p 161 --script=snmp-info 10.10.10.10
```
## Vendor-Specific Community Strings
```bash
# Vendor-specific community strings to try
# Cisco: cisco, localnet, private
# Juniper: juniper
# HP: public, private, manager
# Dell: dell, public
```
# Common Pitfalls
- SNMP typically uses UDP, which means packets can be dropped silently. If snmpwalk times out with a known-good community string, try again -- it may be a network issue.
- Community strings are case-sensitive. `Public` is not the same as `public`.
- SNMPv3 uses authentication and encryption. If SNMPv3 is configured, community string brute-force will not work. Look for SNMPv3-specific tools.
- Some SNMP implementations restrict which OIDs a given community string is allowed to read, so even a valid community string may return only part of the tree.
- Firewalls may block UDP 161 inbound. Internal SNMP enumeration is more likely to succeed.
# OPSEC Considerations
- SNMP queries are connectionless UDP packets and are harder to trace back than TCP connections, but each query is logged by SNMP-aware network monitoring tools.
- SNMP brute-force (onesixtyone, snmp-brute) sends a burst of UDP packets per candidate -- the packet count itself is suspicious.
- Full MIB tree walks (snmpwalk without an OID) generate massive SNMP traffic and may trigger data exfiltration or network anomaly alerts. Snort and Suricata have rules for excessive SNMP queries.
- SNMPv1/v2c traffic is cleartext and can be intercepted. The community string is visible in every packet.
- Many organizations monitor for SNMP access from non-management IPs. Be aware of expected vs. unexpected source IPs.
- SNMP is often overlooked in hardening guides so it remains a viable enumeration vector, but successful exploitation of an exposed SNMP service on an internet-facing host will generate immediate alerts.
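As an added example (not part of the original page), the detection side of the points above: a Python detector that flags, per source, a burst of UDP/161 queries inside a short window, an unusual number of distinct community strings (the v1/v2c string is cleartext, so a sensor can log it), and queries from outside the management network. The record format, thresholds and the management prefix are assumptions, and the sensor records it runs over are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and the management-network prefix are assumed values for this example.
MANAGEMENT_PREFIXES = ("10.10.1.",)
WINDOW = timedelta(seconds=10)
BURST_THRESHOLD, COMMUNITY_THRESHOLD = 20, 5   # queries per WINDOW; distinct community strings
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):  # constructed 'ts k=v k=v ...' sensor record -> dict
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, TS_FMT)
    return fields

def detect(lines):
    """Return (src, rule, detail) alerts, at most one per source and rule."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)      # src -> timestamps inside WINDOW
    communities = defaultdict(set)   # src -> community strings observed
    def alert(src, rule, detail):
        if (src, rule) not in flagged:
            flagged.add((src, rule))
            alerts.append((src, rule, detail))
    for line in lines:
        f = parse_line(line)
        if f.get("proto") != "udp" or f.get("dport") != "161":
            continue
        src, ts = f["src"], f["ts"]
        if not src.startswith(MANAGEMENT_PREFIXES):
            alert(src, "non-mgmt-source", "SNMP query from outside the management network")
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop timestamps that fell out of the window
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            alert(src, "burst", f"{len(window)} queries within {WINDOW.seconds}s (walk or brute-force)")
        communities[src].add(f.get("community", ""))
        if len(communities[src]) >= COMMUNITY_THRESHOLD:
            alert(src, "community-bruteforce", f"{len(communities[src])} distinct community strings")
    return alerts

def constructed_log():
    """Constructed records: a management host polling, then a host guessing community strings."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    guesses = ["public", "private", "manager", "internal", "admin", "cisco", "snmp"]
    rec = lambda t, src, c: f"{t.strftime(TS_FMT)} src={src} dst=10.10.10.161 proto=udp dport=161 community={c}"
    lines = [rec(base + timedelta(seconds=30 * i), "10.10.1.2", "public") for i in range(3)]
    lines += [rec(base + timedelta(milliseconds=200 * i), "10.10.14.5", guesses[i % 7]) for i in range(25)]
    return lines
```

On the constructed log the management host never alerts, while the guessing host trips all three rules in the order non-management source, community brute-force, burst.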
# Post-Exploitation Value
- Running processes reveal installed software versions for vulnerability research and kernel exploits.
- Network interface enumeration reveals internal IP addressing and subnet topology.
- Installed software inventory maps the patch level and identifies exploitable applications.
- Windows user account enumeration via the LanManager MIB provides a user list for password spraying.
- System uptime (via sysUpTime OID) indicates patch cycle windows -- recently rebooted servers may have new patches applied.
# Cross-References
## Tool References
| Tool | Description | Link |
|---|---|---|
| snmpwalk | SNMP MIB tree walker (Net-SNMP suite) | Built into most Linux distros |
| onesixtyone | Fast SNMP community string scanner | https://github.com/trailofbits/onesixtyone |
| snmp-check | Automated SNMP enumeration script | https://github.com/pwnieexpress/pwn_plug_sources |
| nmap (snmp-brute) | Nmap NSE for community string brute-force | Built into nmap |
| snmpenum | Perl SNMP enumeration script | Built into Kali |
## Source Machines
- SNMP is less frequently used in HTB Linux/Windows boxes but remains critical for network device and printer enumeration in enterprise environments. The technique is included for completeness as it commonly appears in real-world internal penetration tests.