SNMP enumeration

Background

SNMP runs on port 161 by default.
SNMP protocol versions 1, 2, and 2c have no traffic encryption. Only version 3 has proper encryption and authentication.
Traditional SNMP protocols have weak authentication schemes. Some servers are left with default public and private community strings.

Device Discovery

With nmap

sudo nmap -sU --open -p 161 $NETWORK -oA nmap/snmp

With onesixtyone

onesixtyone

-c takes a file with Community Strings
-i takes a file with target IP addresses

# using default community string values
echo -e "public\nprivate\nmanager" > community
for ip in {1..254}; do echo 10.11.1.$ip; done > ips
onesixtyone -c community -i ips

MIB Enumeration

See MIB for a table of useful MIB values.

snmpwalk

-c to specify community string
-v to specify SNMP protocol version
-t to specify timeout period (e.g., 10)
If mib-value is not given, the whole MIB tree is dumped.
- Example: 1.3.6.1.2.1.25.4.2.1.2 for running Windows processes

snmpwalk -c <comstr> -v <snmp-ver> -t <timeout> <ip> [<mib-value>]

snmp-check

-c to specify community string (default: public)
-v to specify SNMP protocol version
-t to specify timeout period (e.g., 10)

Security Memo

Recent Notes

SMART

Bossa Nova

ZFS

post-rock

2024-09-27

SNMP enumeration

Background

Device Discovery

With nmap

With onesixtyone

MIB Enumeration

snmpwalk

snmp-check

Graph View

Table of Contents

Backlinks