Background

  • SNMP runs on UDP port 161 by default.
  • SNMP versions 1, 2, and 2c send all traffic, including the community string, in cleartext. Only version 3 provides proper encryption and authentication.
  • Traditional SNMP versions rely on community strings as their only authentication. Some servers are left with the default "public" (read-only) and "private" (read-write) community strings.
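An added example (not part of the original page) that audits a net-snmp snmpd.conf for the weaknesses listed above: v1/v2c community access, default community strings, and SNMPv3 users configured without privacy. The two configuration samples and the password placeholders are constructed; rocommunity, rwcommunity, createUser and rouser are real net-snmp directives.

```python
from typing import Dict, List

# Constructed sample snmpd.conf with the weak settings the page describes:
# v1/v2c community access, three of them using well-known default strings.
WEAK_SNMPD_CONF = """\
rocommunity public
rwcommunity private
rocommunity manager 10.11.1.0/24
rocommunity s3cret-ro 10.11.1.0/24   # custom string, but still cleartext v2c
"""

# Constructed hardened counterpart: SNMPv3 only, authentication plus privacy.
# The passwords are placeholders, not real credentials.
HARDENED_SNMPD_CONF = """\
createUser monitor SHA "PLACEHOLDER_AUTH_PASS" AES "PLACEHOLDER_PRIV_PASS"
rouser monitor priv
"""

# Default/common community strings (the same list the onesixtyone example uses).
DEFAULT_COMMUNITIES = {"public", "private", "manager"}


def audit_snmpd_conf(text: str) -> List[Dict[str, object]]:
    """Return one finding per risky directive.

    rocommunity/rwcommunity grant v1/v2c access with a cleartext community
    string: 'high' if it is a well-known default, otherwise 'medium'.
    rouser/rwuser without 'priv' is a v3 user whose traffic is not encrypted
    (net-snmp uses level 'auth' when the level is omitted).
    """
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(tokens) >= 2:
            community = tokens[1]
            default = community.lower() in DEFAULT_COMMUNITIES
            findings.append({"line": lineno,
                             "severity": "high" if default else "medium",
                             "issue": f"{directive} grants v1/v2c access with "
                                      f"{'default' if default else 'custom'} "
                                      f"community '{community}'"})
        elif directive in ("rouser", "rwuser") and len(tokens) >= 2:
            level = tokens[2].lower() if len(tokens) >= 3 else "auth"
            if level != "priv":
                findings.append({"line": lineno, "severity": "medium",
                                 "issue": f"SNMPv3 user '{tokens[1]}' at level "
                                          f"'{level}': traffic not encrypted"})
    return findings
```

Running audit_snmpd_conf on the weak sample yields four findings (three high, one medium) and none on the hardened sample.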

Device Discovery

With nmap

See Options

sudo nmap -sU --open -p 161 $NETWORK -oA nmap/snmp

With onesixtyone

onesixtyone

  • -c takes a file with Community Strings
  • -i takes a file with target IP addresses

# using default community string values
echo -e "public\nprivate\nmanager" > community
for ip in {1..254}; do echo 10.11.1.$ip; done > ips
onesixtyone -c community -i ips

MIB Enumeration

See MIB for a table of useful MIB values.

snmpwalk

  • -c to specify community string
  • -v to specify SNMP protocol version
  • -t to specify timeout period (e.g., 10)
  • If mib-value is not given, the whole MIB tree is dumped.
    • Example: 1.3.6.1.2.1.25.4.2.1.2 for running Windows processes

snmpwalk -c <comstr> -v <snmp-ver> -t <timeout> <ip> [<mib-value>]

snmp-check

  • -c to specify community string (default: public)
  • -v to specify SNMP protocol version
  • -t to specify timeout period (e.g., 10)