
SNMP Exploitation

# Overview

Simple Network Management Protocol (SNMP) on UDP port 161 provides device information and configuration. SNMP versions 1 and 2c use community strings as passwords (default "public" for read, "private" for write). SNMP enumeration reveals processes, network interfaces, installed software, and user accounts. Write community access enables configuration modification and, in some cases, remote command execution.

# Prerequisites

  • snmpwalk / snmp-check (Linux)
  • onesixtyone for community string brute-forcing
  • snmpset for write operations

# Detection & Enumeration

```bash
nmap -sU -p 161 --script snmp-info,snmp-processes <IP>              # SNMP detection
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-communities.txt <IP>  # Community brute force
```

# Read Community String Enumeration

```bash
snmpwalk -v 2c -c public <IP>                                       # Dump entire MIB tree
snmpwalk -v 2c -c public <IP> 1.3.6.1.2.1.25.4.2.1.2               # Running processes
snmpwalk -v 2c -c public <IP> 1.3.6.1.2.1.25.2.3.1.4               # Storage units
snmpwalk -v 2c -c public <IP> 1.3.6.1.2.1.1.5                      # System hostname
snmpwalk -v 2c -c public <IP> 1.3.6.1.2.1.25.6.3.1.2               # Installed software
snmpwalk -v 2c -c public <IP> 1.3.6.1.4.1.77.1.2.25                # Windows user accounts
snmp-check <IP> -c public                                            # Automated enumeration tool
```

# Exploitation / Execution

# Process Listing for Target Enumeration

```bash
snmpwalk -v 2c -c public <IP> 1.3.6.1.2.1.25.4.2.1.2 | grep -i "sensitive\|password\|secret\|admin"
```

# Write Community String Abuse

Write community strings allow modification of device settings:

```bash
snmpset -v 2c -c private <IP> <OID> <type> <value>                 # Modify SNMP value
```

# SNMP Extended for RCE

Some devices support SNMP extensions that can trigger commands. Check for NET-SNMP-EXTEND-MIB objects:

```bash
snmpwalk -v 2c -c private <IP> NET-SNMP-EXTEND-MIB::nsExtendObjects
```

# Common Pitfalls

  • Warning: SNMP is UDP, so firewalls may drop responses silently -- always verify with -v flag for debugging
  • Warning: Default community strings vary by vendor (e.g., Cisco uses "private" for write, APC uses "apc")

# OPSEC Considerations

  • SNMP walk generates repetitive traffic patterns detectable by IDS
  • Write operations are heavily logged on enterprise devices
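Both the Overview's point (the v1/v2c community string is the whole credential) and the two OPSEC points above are easiest to see on the raw datagram. The following is an added example, not code from the original page: a hand-rolled BER encoder and parser for SNMPv1/v2c (no pysnmp dependency) that builds the kind of request `snmpwalk` and `snmpset` send and then triages a datagram the way a defender would, flagging default community strings and write PDUs. The two sample packets are constructed here, not captured, and the sysName value written in the second one is a hypothetical placeholder.

```python
# Added example (not from the original page): a minimal SNMPv1/v2c encoder
# and parser, hand-rolled BER with no pysnmp dependency, used to show what a
# walk (GetNextRequest) or snmpset (SetRequest) looks like on the wire and how a
# defender can flag write PDUs and default community strings in UDP/161 traffic.
# Sample packets at the bottom are constructed, not captured.

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
PDU_TAGS = {name: tag for tag, name in PDU_TYPES.items()}
DEFAULT_COMMUNITIES = {"public", "private"}   # the v1/v2c defaults named in the overview


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by count length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def encode_int(value):
    """INTEGER as minimal-length two's complement."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def encode_oid(oid):
    """Dotted OID -> BER: first two arcs merge into 40*a+b, the rest are base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_request(community, pdu_type, request_id, varbinds, version=1):
    """Build a message; version 0 = SNMPv1, 1 = SNMPv2c. varbinds: [(oid, bytes|None)]."""
    vbl = b"".join(
        tlv(TAG_SEQUENCE, encode_oid(oid) + (tlv(TAG_NULL, b"") if val is None
                                             else tlv(TAG_OCTET_STRING, val)))
        for oid, val in varbinds)
    pdu = tlv(PDU_TAGS[pdu_type], encode_int(request_id) + encode_int(0)  # error-status
              + encode_int(0) + tlv(TAG_SEQUENCE, vbl))                   # error-index
    # The community string is a plain OCTET STRING: anyone on the path can read it.
    return tlv(TAG_SEQUENCE, encode_int(version) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Pull version, community, PDU type, request-id and OIDs out of a v1/v2c datagram."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, _, pos = read_tlv(pdu, pos)          # error-status
    _, _, pos = read_tlv(pdu, pos)          # error-index
    _, vbl, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}


def findings(packet):
    """Defender-side triage of one datagram: default community and write attempts."""
    p = parse_snmp(packet)
    out = []
    if p["community"] in DEFAULT_COMMUNITIES:
        out.append("default community %r" % p["community"])
    if p["pdu"] == "SetRequest":
        out.append("write operation on " + ", ".join(p["oids"]))
    return out


# Constructed samples: the first GetNext an `snmpwalk -v 2c -c public` of
# hrSWRunName sends, and an snmpset-style write to sysName.0 with the default
# write community (the value is a hypothetical placeholder).
WALK_PKT = build_request("public", "GetNextRequest", 1001, [("1.3.6.1.2.1.25.4.2.1.2", None)])
SET_PKT = build_request("private", "SetRequest", 1002, [("1.3.6.1.2.1.1.5.0", b"renamed-host")])

if __name__ == "__main__":
    for pkt in (WALK_PKT, SET_PKT):
        print(pkt.hex(), parse_snmp(pkt), findings(pkt))
```

Running it prints both datagrams in hex, and the community string is readable in the clear in each, which is why a single capture of UDP/161 recovers the credential and why a network sensor can key on the PDU tag byte (0xA3 for SetRequest, or a burst of 0xA1 GetNextRequests from one source) without any decryption. SNMPv3 with authPriv replaces the community string with authenticated and encrypted messages, so the same parser yields nothing useful against it.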

# Post-Exploitation Value

  • Process enumeration reveals running security software, databases, and services
  • Software enumeration reveals patch levels and potential vulnerabilities
  • User account enumeration provides usernames for password spraying

# Cross-References

# Tool References

  • snmp-check: https://github.com/pwnieexpress/pwn_plug_sources/blob/master/src/snmpcheck/snmpcheck-1.8.pl
  • onesixtyone: https://github.com/trailofbits/onesixtyone

# Source Machines

  • Quick (Hard, Linux) - SNMP enumeration for process discovery