Port 161 – SNMP
Pentesting SNMP
Discovery and Enumeration
Nmap is excellent for quickly discovering hosts running SNMP. Since SNMP uses UDP, make sure you specify UDP scanning.
nmap -sU --open -p 161 10.1.1.1 #Discover host with SNMP enabled
nmap -sU --open -p 161 10.1.1.0/24 #Discover a range of hosts with SNMP enabled
nmap -sU --open -p 161 -iL targets.txt #Discover hosts from a file with SNMP enabled
onesixtyone is a fast and simple SNMP scanner for discovering SNMP-enabled hosts using a list of community strings.
onesixtyone -i snmp-ips.txt -c community.txt #Discover valid SNMP community strings across multiple hosts
Example community.txt (one community string per line):
public
private
manager
Once SNMP is discovered and a valid community string is found, use the following tools and techniques for enumeration.
Using snmpwalk
snmpwalk is a query tool that uses SNMP GETNEXT requests to walk through a subtree of MIB (Management Information Base) values.
snmpwalk -c public -v1 10.1.1.1 #Basic SNMP v1 enumeration
snmpwalk -v2c -c community 10.1.1.1 #Basic SNMP v2c enumeration
snmpwalk -v3 -l authNoPriv -u username -a MD5 -A passphrase 10.1.1.1 #Basic SNMP v3 enumeration with authentication (use -a SHA for SHA) but without encryption
Common SNMP OIDs:
These Object Identifiers (OIDs) target specific types of system information:
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.4.1.77.1.2.25 #Windows user accounts
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.2.1.25.4.2.1.2 #Running Windows processes
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.2.1.6.13.1.3 #Open TCP ports
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.2.1.25.6.3.1.2 #Installed software
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.2.1.1.5 #Hostname
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.4.1.77.1.2.3.1.1 #Share info
snmpwalk -c public -v1 10.1.1.1 1.3.6.1.4.1.77.1.2.27 #More share info
Using snmp-check
The snmp-check tool provides a more human-readable output for SNMP data and is great for quickly assessing available information.
snmp-check 10.1.1.1 #Enumerates SNMP data in a readable format
Using Nmap NSE Scripts
Nmap has dedicated SNMP scripts to extract specific information like Windows users.
sudo nmap -sU -p 161 --script "snmp-*" 10.1.1.1 #Run all Nmap SNMP scripts (quote the wildcard so the shell does not expand it)
sudo nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse 10.1.1.1 #Enumerate Windows users via SNMP
Metasploit
Metasploit provides powerful SNMP auxiliary modules for enumeration and brute-forcing.
SNMP enumeration (general)
This module gathers various information via SNMP, including system descriptions and names.
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 10.1.1.1
set COMMUNITY public
run
SNMP login brute-force
This module attempts to discover valid SNMP community strings using a wordlist.
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 10.1.1.1
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run
SNMP version scanner
Use this module to identify which SNMP version the target host supports.
use auxiliary/scanner/snmp/snmp_version
set RHOSTS 10.1.1.1
run
SNMP MIB dump
Acts like snmpwalk to recursively walk SNMP MIB trees and extract information.
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 10.1.1.1
set COMMUNITY public
run
Brute Forcing SNMP
onesixtyone brute-force
onesixtyone is a fast SNMP community string brute-forcer, helpful in scanning large networks.
onesixtyone -i snmp-ips.txt -c community.txt #Brute-force SNMP community strings
Metasploit
Metasploit's snmp_login module tries each community string in a wordlist against the target.
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 10.1.1.1
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
run
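The community-string discovery above (onesixtyone, snmp_login) works because SNMPv1/v2c send the community string in cleartext in every datagram. The following is an added example, not code from this page: a minimal BER decoder that pulls version and community out of captured SNMP datagrams, so a defender can spot default communities on the wire and flag a source that cycles through many communities the way those tools do. Sample datagrams are constructed inline by a small helper; the guessing threshold of 5 is an assumed value.

```python
from collections import defaultdict

DEFAULT_COMMUNITIES = {"public", "private", "manager"}  # the page's example community.txt

def _read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return (version, community, pdu_tag) for v1/v2c; v3 carries no cleartext community."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected outer SEQUENCE)")
    _, ver, pos = _read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:
        return "v3", None, None
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {0: "v1", 1: "v2c"}.get(version, str(version)), community.decode("latin-1"), pdu_tag

def flag_weak_snmp(observed, guess_threshold=5):
    """observed: list of (src_ip, datagram). Returns human-readable findings."""
    findings, tried = [], defaultdict(set)
    for src, dgram in observed:
        version, community, _ = parse_snmp_header(dgram)
        if community is None:
            continue
        tried[src].add(community)
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"{src}: default community {community!r} sent over SNMP{version}")
    for src, comms in tried.items():
        if len(comms) >= guess_threshold:
            findings.append(f"{src}: {len(comms)} distinct communities tried (community guessing)")
    return findings

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for these samples

def build_getnext(version, community, oid=b"\x2b\x06\x01\x02\x01"):
    """Construct a minimal GetNextRequest (what snmpwalk sends) as demo input; not a full encoder."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")  # OID 1.3.6.1.2.1, NULL value
    pdu = _tlv(0xA1, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") * 2 + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)
```

Feed it the UDP payloads of port 161 traffic (for example exported from a capture) and the findings tell you which devices still answer v1/v2c with default communities and which hosts are guessing.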