SNMP

Enumeration techniques on SNMP

NMap

We can use default nmap scripts to enumerate SNMP:

nmap -p 161 -sCV -sU 10.129.230.96 -v

As you can see it gives much information:

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  127.0.0.1:25         0.0.0.0:0
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.1:5432       0.0.0.0:0
|   TCP  127.0.0.1:7878       0.0.0.0:0
|   TCP  127.0.0.1:44184      127.0.1.1:80
|   TCP  127.0.0.1:44188      127.0.1.1:80
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:162          *:*
|   UDP  10.129.230.96:123    *:*
|_  UDP  127.0.0.1:123        *:*
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Status: up
|     Traffic stats: 462.86 Kb sent, 462.86 Kb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.129.230.96  Netmask: 255.255.0.0
|     MAC address: 00:50:56:94:4d:43 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|     Status: up
|_    Traffic stats: 17.52 Mb sent, 9.14 Mb received
| snmp-sysdescr: Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
|_  System uptime: 1h11m22.25s (428225 timeticks)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 6f3fa7421af94c6500000000
|   snmpEngineBoots: 36
|_  snmpEngineTime: 1h11m22s
| snmp-win32-software: 
|   adduser_3.118+deb11u1_all; 2023-11-09T10:00:55
|   alsa-topology-conf_1.2.4-1_all; 2023-11-09T10:03:58
|   alsa-ucm-conf_1.2.4-2_all; 2023-11-09T10:03:58
|   anacron_2.3-30_amd64; 2023-11-09T10:03:58
|   analog_2:6.0-22+b1_amd64; 2023-11-09T10:04:01
|   ansible_2.10.7+merged+base+2.10.8+dfsg-1_all; 2023-11-09T10:18:59
|   apache2-bin_2.4.56-1~deb11u2_amd64; 2023-11-09T10:03:45
|   apache2-data_2.4.56-1~deb11u2_all; 2023-11-09T10:03:46
|   apache2-doc_2.4.56-1~deb11u2_all; 2023-11-09T10:04:02
|   apache2-utils_2.4.56-1~deb11u2_amd64; 2023-11-09T10:03:46
|   apache2_2.4.56-1~deb11u2_amd64; 2023-11-09T10:03:46
|   apparmor_2.13.6-10_amd64; 2023-11-09T09:57:17
|   apt-listchanges_3.24_all; 2023-11-09T10:03:51
. . . [SNIP] . .

Or scripts specific for SNMP:

nmap -p 161 --script "snmp*" -sU 10.129.230.96 -v

snmpwalk

SNMPWALK is a command-line tool used to retrieve information from network devices using the Simple Network Management Protocol (SNMP). It's essential for network monitoring and management.

What is SNMPWALK?

SNMPWALK queries SNMP-enabled devices by traversing the Management Information Base (MIB) tree structure. Instead of requesting individual values, it walks through the entire MIB or a specified subtree, retrieving multiple related values in sequence.

How SNMP Works

SNMP operates on a manager-agent architecture. The SNMP manager (your computer running snmpwalk) sends requests to SNMP agents (running on network devices like routers, switches, servers). These agents respond with information stored in their MIB databases.

Basic Syntax

snmpwalk [OPTIONS] AGENT [OID]

AGENT: The target device's IP address or hostname OID: Object Identifier specifying where to start the walk (optional)

Common Options

-v: SNMP version (1, 2c, or 3) -c: Community string (password for SNMPv1/v2c) -u: Username (for SNMPv3) -l: Security level (noAuthNoPriv, authNoPriv, authPriv) -a: Authentication protocol (MD5 or SHA) -A: Authentication password -x: Privacy protocol (DES or AES) -X: Privacy password -O: Output format options

Practical Examples

Basic SNMPv2c query:

bash

snmpwalk -v2c -c public 192.168.1.1

Query specific OID (system information):

bash

snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1

SNMPv3 with authentication:

bash

snmpwalk -v3 -u admin -l authPriv -a SHA -A mypassword -x AES -X myprivkey 192.168.1.1

Get interface information:

bash

snmpwalk -v2c -c public 192.168.1.1 ifDescr
```

## Common OIDs

- **1.3.6.1.2.1.1**: System information (sysDescr, sysUpTime, sysContact)
- **1.3.6.1.2.1.2**: Interfaces (ifNumber, ifTable)
- **1.3.6.1.2.1.4**: IP information (ipForwarding, ipRouteTable)
- **1.3.6.1.2.1.6**: TCP information
- **1.3.6.1.2.1.25**: Host resources (memory, storage, processes)

## SNMP Versions Comparison

**SNMPv1**: Original version, uses community strings (plain text), limited security
**SNMPv2c**: Improved performance, still uses community strings
**SNMPv3**: Most secure, supports authentication and encryption

## Output Format

Standard output shows OID, type, and value:
```
SNMPv2-MIB::sysDescr.0 = STRING: Linux server 5.4.0-42-generic
SNMPv2-MIB::sysUpTime.0 = Timeticks: (123456789) 14 days, 6:56:07.89

Troubleshooting Common Issues

Timeout errors: Check firewall rules (UDP port 161), verify the device has SNMP enabled, confirm correct community string or credentials

Permission denied: Community string may be read-only, or you may lack permissions for certain OIDs

Unknown OIDs: Install additional MIB files, use numeric OIDs instead of names

Readability

Understanding MIBs (Management Information Bases)

MIBs are hierarchical databases that define the structure of data that can be retrieved from network devices via SNMP. Think of them as dictionaries that translate between human-readable names and numeric Object Identifiers (OIDs).

Switching mibs to all in snmpwalk:

snmpwalk -c public -v2c -m all 10.129.230.96

But before it, we need to edit snmp config file:

sudo nano /etc/snmp/snmp.conf

And uncomment last string:

And install mibs downloader:

sudo apt install snmp-mibs-downloader

After that you can see human-readable output:

RFC1213-MIB::ipAdEntAddr.10.129.230.96 = IpAddress: 10.129.230.96
RFC1213-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
RFC1213-MIB::ipAdEntIfIndex.10.129.230.96 = INTEGER: 2
RFC1213-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
RFC1213-MIB::ipAdEntNetMask.10.129.230.96 = IpAddress: 255.255.0.0
RFC1213-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
RFC1213-MIB::ipAdEntBcastAddr.10.129.230.96 = INTEGER: 1
RFC1213-MIB::ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0
RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteDest.10.129.0.0 = IpAddress: 10.129.0.0
RFC1213-MIB::ipRouteDest.169.254.0.0 = IpAddress: 169.254.0.0
RFC1213-MIB::ipRouteIfIndex.0.0.0.0 = INTEGER: 2
RFC1213-MIB::ipRouteIfIndex.10.129.0.0 = INTEGER: 2
RFC1213-MIB::ipRouteIfIndex.169.254.0.0 = INTEGER: 2
RFC1213-MIB::ipRouteMetric1.0.0.0.0 = INTEGER: 1
RFC1213-MIB::ipRouteMetric1.10.129.0.0 = INTEGER: 0
RFC1213-MIB::ipRouteMetric1.169.254.0.0 = INTEGER: 0
RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 10.129.0.1
RFC1213-MIB::ipRouteNextHop.10.129.0.0 = IpAddress: 0.0.0.0

OneSixtyOne

What is onesixtyone?

Onesixtyone is a fast, efficient SNMP scanner designed specifically for brute-forcing SNMP community strings. Unlike snmpwalk which queries devices with known credentials, onesixtyone helps discover which devices have SNMP enabled and what community strings they're using.

Why onesixtyone?

Traditional SNMP scanners are slow because they wait for timeouts on each failed attempt. Onesixtyone uses asynchronous I/O, allowing it to send hundreds of requests simultaneously without waiting for responses. This makes it significantly faster than tools like snmpwalk for scanning multiple hosts.

Speed Comparison

snmpwalk: Sequential, waits for each timeout (~5 seconds per failed attempt)
onesixtyone: Parallel, can scan 65,536 hosts in under 13 minutes
Typical use: Scan entire subnets in seconds to minutes

Command-Line Options

-c <file>: File containing community strings to try (one per line) -i <file>: File containing IP addresses/hosts to scan (one per line) -o <file>: Output results to file -d: Enable debugging output -w <n>: Wait n milliseconds between packets (default: 10) -q: Quiet mode (minimal output) -p <port>: SNMP port (default: 161) -l: Log devices that don't respond

Practical Examples

Single Host, Single Community String

bash

onesixtyone 192.168.1.1 public
```

### Single Host, Multiple Community Strings
Create a community file (`community.txt`):
```
public
private
community
snmp
secret
cisco
admin

Run the scan:

bash

onesixtyone -c community.txt 192.168.1.1

Multiple Hosts, Single Community String

bash

onesixtyone 192.168.1.0/24 public
```

### Multiple Hosts, Multiple Community Strings

Create hosts file (`hosts.txt`):
```
192.168.1.1
192.168.1.10
192.168.1.50
10.0.0.1

Run comprehensive scan:

bash

onesixtyone -c community.txt -i hosts.txt

Scan Entire Subnet

bash

onesixtyone -c community.txt 192.168.1.0/24

Save Results to File

bash

onesixtyone -c community.txt -i hosts.txt -o results.txt

Quiet Mode with Output

bash

onesixtyone -q -c community.txt -i hosts.txt -o found.txt

Adjust Scan Speed

bash

# Faster (less reliable on slow networks)
onesixtyone -w 5 -c community.txt 192.168.1.0/24

# Slower (more reliable)
onesixtyone -w 50 -c community.txt 192.168.1.0/24
```

## Output Format

Standard output shows successful discoveries:
```
Scanning 256 hosts, 7 communities
192.168.1.1 [public] Linux server 5.4.0-42-generic
192.168.1.10 [private] Cisco IOS Software, C2960 Software
192.168.1.50 [public] HP J9729A 2920-48G Switch
```

Each line contains:
- IP address
- [Community string] in brackets
- System description (sysDescr)

## Creating Effective Community Lists

### Default Community Strings
```
public
private
community
snmp
manager
admin
security
secret
cisco
```

### Vendor-Specific Strings
```
# Cisco
cisco
CISCO
c1sco
admin

# HP
hp
HP
hpinvent

# 3COM
3com
admin
password

# Dell
dell
DELL
admin
```

### Common Patterns
```
company_name
location_name
read
write
monitor
network
root
default

Download Pre-Made Lists

SecLists repository has extensive SNMP community string lists:

bash

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/SNMP/common-snmp-community-strings.txt

Advanced Techniques

Scan Multiple Subnets

bash

# Create subnet list
echo "192.168.1.0/24" > subnets.txt
echo "192.168.2.0/24" >> subnets.txt
echo "10.0.0.0/24" >> subnets.txt

# Scan all subnets
for subnet in $(cat subnets.txt); do
    onesixtyone -c community.txt $subnet -o results_$(echo $subnet | tr '/' '_').txt
done

Combine with Other Tools

Chain with snmpwalk for detailed enumeration:

bash

# First, discover devices
onesixtyone -c community.txt 192.168.1.0/24 -o discovered.txt

# Then enumerate each one
while read line; do
    ip=$(echo $line | awk '{print $1}')
    community=$(echo $line | awk '{print $2}' | tr -d '[]')
    echo "Enumerating $ip with $community"
    snmpwalk -v2c -c $community $ip > "${ip}_full_walk.txt"
done < discovered.txt

Integration with nmap:

bash

# First scan for open SNMP ports
nmap -sU -p 161 192.168.1.0/24 -oG snmp_hosts.txt

# Extract IPs and scan with onesixtyone
grep "161/open" snmp_hosts.txt | awk '{print $2}' > live_snmp.txt
onesixtyone -c community.txt -i live_snmp.txt

Parse and Format Results

bash

# Extract only IPs and community strings
onesixtyone -c community.txt -i hosts.txt | awk '{print $1, $2}' > credentials.txt

# Count successful discoveries
onesixtyone -c community.txt 192.168.1.0/24 | grep -c "\["

# Sort by device type
onesixtyone -c community.txt 192.168.1.0/24 | grep -i "cisco" > cisco_devices.txt
onesixtyone -c community.txt 192.168.1.0/24 | grep -i "linux" > linux_devices.txt

PreviousPort Scanning 2 NextCheatsheets

Last updated 13 days ago

hashtagNMap

hashtagsnmpwalk

hashtagWhat is SNMPWALK?

hashtagHow SNMP Works

hashtagBasic Syntax

hashtagCommon Options

hashtagPractical Examples

hashtagTroubleshooting Common Issues

hashtagReadability

hashtagUnderstanding MIBs (Management Information Bases)

hashtagOneSixtyOne

hashtagWhat is onesixtyone?

hashtagWhy onesixtyone?

hashtagSpeed Comparison

hashtagCommand-Line Options

hashtagPractical Examples

hashtagSingle Host, Single Community String

hashtagMultiple Hosts, Single Community String

hashtagScan Entire Subnet

hashtagSave Results to File

hashtagQuiet Mode with Output

hashtagAdjust Scan Speed

hashtagDownload Pre-Made Lists

hashtagAdvanced Techniques

hashtagScan Multiple Subnets

hashtagCombine with Other Tools

hashtagParse and Format Results

NMap

snmpwalk

What is SNMPWALK?

How SNMP Works

Basic Syntax

Common Options

Practical Examples

Troubleshooting Common Issues

Readability

Understanding MIBs (Management Information Bases)

OneSixtyOne

What is onesixtyone?

Why onesixtyone?

Speed Comparison

Command-Line Options

Practical Examples

Single Host, Single Community String

Multiple Hosts, Single Community String

Scan Entire Subnet

Save Results to File

Quiet Mode with Output

Adjust Scan Speed

Download Pre-Made Lists

Advanced Techniques

Scan Multiple Subnets

Combine with Other Tools

Parse and Format Results