
SNMP (Simple Network Management Protocol)

Default Port: 161/UDP, 162/UDP (Traps)

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is widely used for network monitoring and management. SNMP exposes management data in the form of variables on the managed systems, which describe the system status and configuration. These variables can then be queried (and sometimes set) by managing applications.

Connect

Interaction with SNMP-enabled devices is typically done using command-line tools that can send SNMP requests to an agent.

Using snmpwalk

snmpwalk is a command-line application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

# For SNMPv1/v2c (most common for pentesting due to weaker security)
snmpwalk -c <community_string> -v1 <target_ip>
snmpwalk -c <community_string> -v2c <target_ip>

# Example: Walking the entire MIB tree
snmpwalk -c public -v2c 192.168.1.1

# Example: Walking a specific OID
snmpwalk -c public -v2c 192.168.1.1 .1.3.6.1.2.1.1.1.0 # sysDescr

Using snmp-check

snmp-check is another useful tool for enumerating SNMP information in a human-readable format.

snmp-check -t <target_ip> -c <community_string>
# When -c is omitted, snmp-check defaults to the 'public' community string
snmp-check -t 192.168.1.1

Using snmpget

snmpget is used to retrieve a specific MIB (Management Information Base) object value from an SNMP agent.

snmpget -v2c -c <community_string> <target_ip> <OID>
# Example
snmpget -v2c -c public 192.168.1.1 sysDescr.0

Recon

Identifying an SNMP Server

Nmap is effective for discovering SNMP services on the default UDP port 161.

nmap -sU -p 161 --open <target_ip>

Nmap can also use scripts to gather more information.

nmap -sU -p 161 --script snmp-info <target_ip>

While SNMP is a UDP-based protocol and does not have traditional "banners" like TCP services, querying basic OIDs reveals system information that serves a similar purpose.

# Using snmpget to retrieve system description (sysDescr)
snmpget -v1 -c public <target_ip> .1.3.6.1.2.1.1.1.0
snmpget -v2c -c public <target_ip> sysDescr.0

Enumeration

Enumeration involves discovering readable (and potentially writable) community strings and extracting valuable information via SNMP.

Discovering Community Strings

Community strings are like passwords for SNMPv1 and SNMPv2c. Common default strings are "public" (read-only) and "private" (read-write).

Tools like onesixtyone or Metasploit modules can be used for brute-forcing community strings.

# Using onesixtyone
onesixtyone -c /path/to/community_string_list.txt <target_ip>

# Using Nmap script
nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=community_strings.txt <target_ip>

Enumerating System Information

Once a valid community string is found, tools like snmpwalk or snmp-check can be used to enumerate a wealth of information.

# Using snmp-check for a comprehensive enumeration
snmp-check -t <target_ip> -c <community_string>

# Walking common MIBs
snmpwalk -c <community_string> -v2c <target_ip> system # System information
snmpwalk -c <community_string> -v2c <target_ip> interfaces # Network interfaces
snmpwalk -c <community_string> -v2c <target_ip> ipAddrTable # IP addresses
snmpwalk -c <community_string> -v2c <target_ip> hrSystemUptime # Host Uptime
snmpwalk -c <community_string> -v2c <target_ip> hrStorageTable # Storage Info
snmpwalk -c <community_string> -v2c <target_ip> hrSWRunTable # Running Software

Using Nmap Scripts for Enumeration

Nmap has several scripts for SNMP enumeration:

# Enumerate system information
nmap -sU -p 161 --script snmp-sysdescr <target_ip> -sV

# Enumerate network interfaces
nmap -sU -p 161 --script snmp-interfaces <target_ip> -sV

# Enumerate listening TCP/UDP ports
nmap -sU -p 161 --script snmp-netstat <target_ip> -sV

# Enumerate running processes
nmap -sU -p 161 --script snmp-processes <target_ip> -sV

Assessment with Metasploit (for enumeration tasks)

Metasploit offers modules for scanning and enumerating SNMP.

msfconsole
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <target_ip>
msf auxiliary(scanner/snmp/snmp_enum) > set COMMUNITY <community_string> # Defaults to public
msf auxiliary(scanner/snmp/snmp_enum) > run

msf > use auxiliary/scanner/snmp/snmp_enumusers # If enumerating users on Windows via SNMP
msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS <target_ip>
msf auxiliary(scanner/snmp/snmp_enumusers) > run

msf > use auxiliary/scanner/snmp/snmp_enumshares # If enumerating shares on Windows via SNMP
msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS <target_ip>
msf auxiliary(scanner/snmp/snmp_enumshares) > run

Attack Vectors

Default and Common Community Strings

The most common misconfiguration is the use of default community strings like "public" (read-only) and "private" (read-write). Attackers will always try these first.

snmpwalk -c public -v1 <target_ip>
snmpwalk -c private -v1 <target_ip>

If "private" or another writeable community string is found, it can lead to device modification.

Bruteforcing Community Strings

If default strings don't work, brute-forcing is the next step.

Bruteforcing with Hydra

Hydra does not natively support SNMP brute-forcing, as SNMP is UDP-based and connectionless, which makes Hydra's traditional login checks difficult. Tools like onesixtyone, snmpbrute (from SECFORCE), or Nmap/Metasploit scripts are preferred.

Bruteforcing with Nmap

nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=wordlist.txt <target_ip>

Bruteforcing with Metasploit

msfconsole
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) > set RHOSTS <target_ip>
msf auxiliary(scanner/snmp/snmp_login) > set PASS_FILE /path/to/community_wordlist.txt
msf auxiliary(scanner/snmp/snmp_login) > run
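Community-string guessing and SNMP sweeps with the tools above are noisy on the wire, and that noise is what a defender can detect. The Python below is an added example, not code from this page or from any of the tools it mentions: it parses constructed sensor records (a hypothetical passive-sensor format, not a real log format) and applies two sliding-window rules, one for many distinct community strings from one source to one destination (guessing, as in the onesixtyone, Nmap and Metasploit sections) and one for a single source contacting many destinations on udp/161 (a sweep). The window and thresholds are assumptions to tune per environment.

```python
"""Detect SNMP community-string guessing and SNMP sweeps from sensor records.

Added example: the record format, thresholds and sample data are constructed
for illustration and are not a real sensor or log format.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records (not real logs). Fields: time src dst version community pdu-type
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z 10.0.0.5  10.0.0.1 v2c public  GetRequest
2024-05-01T10:00:00Z 10.0.0.5  10.0.0.1 v2c private GetRequest
2024-05-01T10:00:01Z 10.0.0.5  10.0.0.1 v2c guess1  GetRequest
2024-05-01T10:00:01Z 10.0.0.5  10.0.0.1 v2c guess2  GetRequest
2024-05-01T10:00:02Z 10.0.0.5  10.0.0.1 v2c guess3  GetRequest
2024-05-01T10:00:10Z 10.0.0.9  10.0.0.1 v2c public  GetNextRequest
2024-05-01T10:00:10Z 10.0.0.9  10.0.0.2 v2c public  GetNextRequest
2024-05-01T10:00:11Z 10.0.0.9  10.0.0.3 v2c public  GetNextRequest
2024-05-01T10:05:00Z 10.0.0.50 10.0.0.1 v2c nms-ro  GetNextRequest
2024-05-01T10:05:01Z 10.0.0.50 10.0.0.1 v2c nms-ro  GetNextRequest
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Event:
    time: datetime
    src: str
    dst: str
    version: str
    community: str
    pdu: str


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    time: datetime
    detail: str


def parse_events(text):
    """Parse the constructed record format into time-sorted Event objects."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, src, dst, ver, comm, pdu = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, src, dst, ver, comm, pdu))
    return sorted(events, key=lambda e: e.time)


def distinct_in_window(events, key_fn, value_fn, window, threshold, kind, label):
    """Sliding-window rule: alert once per key when the number of distinct
    values seen for that key within `window` reaches `threshold`."""
    windows = defaultdict(deque)  # key -> (time, value) pairs still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        key = key_fn(ev)
        q = windows[key]
        q.append((ev.time, value_fn(ev)))
        while ev.time - q[0][0] > window:  # expire old entries
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            detail = f"{label}: {len(distinct)} distinct ({', '.join(sorted(distinct))})"
            alerts.append(Alert(kind, ev.src, ev.time, detail))
    return alerts


def detect(text, window=timedelta(seconds=60), guess_threshold=5, sweep_threshold=3):
    """Run both rules over the records; thresholds are assumed tuning values."""
    events = parse_events(text)
    alerts = distinct_in_window(
        events, key_fn=lambda e: (e.src, e.dst), value_fn=lambda e: e.community,
        window=window, threshold=guess_threshold,
        kind="community-guessing", label="community strings")
    alerts += distinct_in_window(
        events, key_fn=lambda e: e.src, value_fn=lambda e: e.dst,
        window=window, threshold=sweep_threshold,
        kind="snmp-sweep", label="destinations on udp/161")
    return sorted(alerts, key=lambda a: a.time)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.time.isoformat()} {a.kind} src={a.src} {a.detail}")
```

The legitimate monitoring host (10.0.0.50) polls one target with one community string and produces no alert; the guessing source trips the first rule on its fifth distinct string and the sweeping source trips the second on its third destination. In practice the source of these records would be a packet sensor or the SNMP agent's own logging, and the thresholds should sit above what the real NMS polling pattern generates.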

SNMPv3 Credential Cracking

SNMPv3 is more secure but can be vulnerable if weak credentials are used or if the engine ID is known. Tools like snmp-brute.py (part of the snmpwn toolset) or custom scripts might be used if SNMPv3 user enumeration is possible. Capturing SNMPv3 traffic can also allow offline password-cracking attempts against the hashed credentials.

Exploiting Write Access (Set Requests)

If a read-write community string (e.g., "private") is discovered, an attacker can modify the device's configuration. This is highly dangerous. The snmpset command is used for this.

# Example: Changing the system name (sysName OID: .1.3.6.1.2.1.1.5.0)
# Syntax: snmpset -v[1|2c] -c <rw_community_string> <target_ip> <OID> <type> <value>
snmpset -v2c -c private <target_ip> .1.3.6.1.2.1.1.5.0 s "NewSystemName"

# Potentially more harmful:
# - Modifying routing tables
# - Shutting down interfaces
# - Uploading/downloading device configurations (e.g., on Cisco devices via TFTP related OIDs)
# - Clearing logs

Care must be taken as incorrect snmpset commands can render a device unusable.

Information Disclosure

Even with read-only access, SNMP can reveal a vast amount of sensitive information:

  • Network topology (routing tables, ARP caches)
  • Device configurations (though full configs are usually transferred via TFTP triggered by SNMP)
  • Usernames (especially on Windows systems)
  • Running services and processes
  • Software versions (leading to vulnerability identification)
  • Security policies

Post-Exploitation

Common SNMP OIDs for Information Gathering

A vast amount of information can be gathered by querying specific OIDs. Some key OIDs include:

  • 1.3.6.1.2.1.1.1.0 (sysDescr): System description.
  • 1.3.6.1.2.1.1.5.0 (sysName): System name.
  • 1.3.6.1.2.1.2.2.1.2 (ifDescr): Interface descriptions.
  • 1.3.6.1.2.1.4.20.1.1 (ipAdEntAddr): IP addresses on interfaces.
  • 1.3.6.1.2.1.4.22.1.3 (ipNetToMediaPhysAddress): ARP table (IP to MAC).
  • 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName): Running programs.
  • 1.3.6.1.2.1.25.6.3.1.2 (hrSWInstalledName): Installed software.
  • 1.3.6.1.4.1.77.1.2.25 (host.hrStorage.hrStorageTable.hrStorageEntry.hrStorageDescr): Storage descriptions (Windows).
  • 1.3.6.1.4.1.2021.11 (UCD-SNMP-MIB::ssCpuSystem): System CPU load (Net-SNMP).

Modifying Configuration (if write access)

If a read-write community string is compromised, an attacker can alter the device's configuration. This could involve:

  • Changing device hostnames or contact information.
  • Adding or deleting static routes.
  • Shutting down or enabling interfaces.
  • Modifying ACLs (Access Control Lists).
  • Triggering configuration uploads/downloads to/from a TFTP server controlled by the attacker.

# Example: Setting an interface administratively down (ifAdminStatus OID: 1.3.6.1.2.1.2.2.1.7.interface_index)
# To set interface with index 1 down (integer value 2 for 'down')
snmpset -v2c -c private <target_ip> .1.3.6.1.2.1.2.2.1.7.1 i 2

Data Exfiltration (e.g., network configs)

On some devices (like older Cisco IOS), SNMP can be used to trigger the copying of the running or startup configuration to a TFTP server. If an attacker controls the TFTP server, they can exfiltrate the full device configuration. This often involves setting specific OIDs related to TFTP server IP, filename, and initiating the copy.

Example OIDs for Cisco:

  • 1.3.6.1.4.1.9.9.96.1.1.1.1.2 (ccCopyProtocol): Set to TFTP (1).
  • 1.3.6.1.4.1.9.9.96.1.1.1.1.3 (ccCopySourceFileType): Running config (4) or startup config (3).
  • 1.3.6.1.4.1.9.9.96.1.1.1.1.4 (ccCopyDestFileType): Network file (1).
  • 1.3.6.1.4.1.9.9.96.1.1.1.1.5 (ccCopyServerAddress): TFTP server IP.
  • 1.3.6.1.4.1.9.9.96.1.1.1.1.6 (ccCopyFileName): Filename on TFTP server.
  • 1.3.6.1.4.1.9.9.96.1.1.1.1.14 (ccCopyEntryRowStatus): Set to 'active' (4) to start.
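What makes the community-string and write-access issues on this page concrete is the wire format: in SNMPv1/v2c the community string travels as a cleartext OCTET STRING in every message, and a SetRequest differs from a GetRequest only by its PDU tag, so a passive sensor can see both the "password" and every write. The Python below is an added example, not code from this page or from Net-SNMP: a minimal BER decoder for v1/v2c messages, run over two constructed packets (a GetRequest for sysDescr.0 with the "public" community, and a SetRequest for ccCopyEntryRowStatus row 1 with "private"), plus a review() helper that flags what a defender should alert on. DEFAULT_COMMUNITIES and the prefix table are assumptions built from the OIDs this page lists (ifAdminStatus and the ccCopy objects); extend both for your environment.

```python
"""Decode SNMPv1/v2c messages (BER) and flag what a sensor should alert on.

Added example for illustration; the two packets below are constructed by hand
and are not captures from any real device.
"""
from dataclasses import dataclass, field

# SNMPv2c GetRequest: community "public", request-id 1, sysDescr.0 (constructed)
SAMPLE_GET_REQUEST = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes
    "020101"                    # version INTEGER 1 (= SNMPv2c)
    "0406" "7075626c6963"       # community OCTET STRING "public"
    "a019"                      # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"  # request-id 1, error-status 0, error-index 0
    "300e" "300c"               # VarBindList / VarBind
    "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                      # NULL value
)

# SNMPv2c SetRequest: community "private", request-id 2,
# ccCopyEntryRowStatus.1 = 4 (the config-copy trigger listed above) (constructed)
SAMPLE_SET_REQUEST = bytes.fromhex(
    "302e" "020101" "0407" "70726976617465" "a320"
    "020102" "020100" "020100" "3015" "3013"
    "060e2b06010401090960010101010e01"  # OID 1.3.6.1.4.1.9.9.96.1.1.1.1.14.1
    "020104"                            # INTEGER 4
)

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
             0xA7: "SNMPv2-Trap"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults named on this page
# Assumed watch-list of write targets from this page: table/column OIDs without
# the row index, so a prefix match catches any instance.
SENSITIVE_WRITE_PREFIXES = {
    "1.3.6.1.2.1.2.2.1.7": "ifAdminStatus (interface up/down)",
    "1.3.6.1.4.1.9.9.96.1.1.1.1": "CISCO-CONFIG-COPY-MIB ccCopyEntry (config copy via TFTP)",
}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """BER OID: first byte packs the first two arcs, the rest are base-128."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def decode_value(tag, raw):
    if tag == 0x02:
        return int.from_bytes(raw, "big", signed=True)
    if tag == 0x04:
        return raw.decode("latin-1")
    return None if tag == 0x05 else raw  # NULL, or leave other types raw


@dataclass
class SnmpMessage:
    version: str
    community: str
    pdu_type: str
    request_id: int
    varbinds: list = field(default_factory=list)  # [(oid, value), ...]


def decode_snmp(buf):
    """Decode a v1/v2c message; v3 has no community field and is rejected."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = read_tlv(msg, 0)
    version = decode_value(0x02, ver)
    if version == 3:
        raise ValueError("SNMPv3: credentials live in msgSecurityParameters, not a community")
    _, comm, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, _err, pos = read_tlv(pdu, pos)     # error-status (unused here)
    _, _idx, pos = read_tlv(pdu, pos)     # error-index (unused here)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return SnmpMessage(VERSION_NAMES.get(version, str(version)), comm.decode("latin-1"),
                       PDU_NAMES.get(pdu_tag, hex(pdu_tag)), decode_value(0x02, rid), varbinds)


def review(msg):
    """Defender-oriented findings for one decoded message."""
    findings = []
    if msg.version in ("SNMPv1", "SNMPv2c"):
        findings.append(f"{msg.version}: community string '{msg.community}' sent in cleartext")
    if msg.community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{msg.community}' in use")
    if msg.pdu_type == "SetRequest":
        for oid, _ in msg.varbinds:
            what = next((name for p, name in SENSITIVE_WRITE_PREFIXES.items()
                         if oid.startswith(p + ".")), "other object")
            findings.append(f"write attempt to {oid}: {what}")
    return findings


if __name__ == "__main__":
    for pkt in (SAMPLE_GET_REQUEST, SAMPLE_SET_REQUEST):
        m = decode_snmp(pkt)
        print(m.pdu_type, m.community, m.varbinds, review(m), sep=" | ")
```

The SetRequest sample yields three findings: cleartext credential, a default community string, and a write to the ccCopyEntry row that starts a TFTP config copy. Alerting on any SetRequest from an address that is not the management station, and on any v1/v2c traffic at all where v3 with authPriv is the policy, covers most of the attack vectors described above.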

Leveraging SNMP for Network Mapping

The information gathered from SNMP (ARP tables, routing tables, CDP/LLDP neighbor information) can be used to map out segments of the internal network, identify other potential targets, and understand network topology.