161/162 - SNMP
Simple Network Management Protocol
SNMP versions 1, 2 and 2c do not encrypt their traffic, so it can be intercepted to steal credentials.
SNMP is used to manage devices on a network. It has some funny terminology: for example, instead of the word password, the word community is used. But it is kind of the same thing. A common community string/password is public.
You can have read-only access to SNMP, often just with the community string public.
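To make the cleartext point concrete, here is an added example (not from the original notes) that builds a constructed SNMPv1 GetRequest for the System Processes OID with community public, then parses it the way a passive observer on the wire would. Nothing is sent; the OID encoder and the community-string decoder are written here for illustration.

```python
"""Minimal SNMPv1 BER encoder/decoder showing that v1/v2c carry the
community string as a plain OCTET STRING. Added example, not from the
original page; the datagram is constructed locally and never sent."""


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER tag/length/value (short-form length only, < 128)."""
    assert len(content) < 128, "short-form length only"
    return bytes([tag, len(content)]) + content


def encode_oid(oid: str) -> bytes:
    """BER-encode a dotted OID such as 1.3.6.1.2.1.25.1.6.0 (System Processes)."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                           # base-128, high bit means "more follows"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 GetRequest datagram (version field 0 means v1)."""
    def integer(v: int) -> bytes:            # single-byte INTEGERs suffice here
        return ber_tlv(0x02, bytes([v]))
    varbind = ber_tlv(0x30, ber_tlv(0x06, encode_oid(oid)) + ber_tlv(0x05, b""))
    pdu = ber_tlv(0xA0, integer(request_id) + integer(0) + integer(0)
                  + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, integer(0) + ber_tlv(0x04, community.encode()) + pdu)


def community_from_datagram(data: bytes) -> tuple[int, str]:
    """What a passive observer recovers from a captured v1/v2c datagram."""
    assert data[0] == 0x30, "not an SNMP message SEQUENCE"
    pos = 2                                  # skip SEQUENCE tag + short-form length
    assert data[pos] == 0x02, "expected INTEGER version"
    vlen = data[pos + 1]
    version = int.from_bytes(data[pos + 2:pos + 2 + vlen], "big")
    pos += 2 + vlen
    assert data[pos] == 0x04, "expected OCTET STRING community"
    clen = data[pos + 1]
    return version, data[pos + 2:pos + 2 + clen].decode()


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.25.1.6.0")
    print(pkt.hex())
    print(community_from_datagram(pkt))     # (0, 'public')
```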
Common community strings
- public
- private
- community
Here is a longer list of common community strings: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/wordlist-common-snmp-community-strings.txt
MIB - Management information base
SNMP stores all its data in the Management Information Base. The MIB is a database organised as a tree, and different branches contain different information: one branch can hold username information, another the running processes. The “leaf”, or endpoint, is the actual data. If you have read access to the database you can read through each endpoint in the tree. This can be done with snmpwalk, which walks through the whole database tree and outputs the content.
snmpwalk
snmpwalk -c public -v1 <ip>
-c sets the community string and -v the SNMP version
This command will output a lot of information, way too much, and most of it will not be relevant to us; much of it we won’t really understand either. So it is better to request only the info you are interested in. Here are the locations of the things we are interested in:
- 1.3.6.1.2.1.25.1.6.0 System Processes
- 1.3.6.1.2.1.25.4.2.1.2 Running Programs
- 1.3.6.1.2.1.25.4.2.1.4 Processes Path
- 1.3.6.1.2.1.25.2.3.1.4 Storage Units
- 1.3.6.1.2.1.25.6.3.1.2 Software Name
- 1.3.6.1.4.1.77.1.2.25 User Accounts
- 1.3.6.1.2.1.6.13.1.3 TCP Local Ports
Now we can use this to query the data we really want.
snmpenum
snmp-check
This is a bit easier to use and has much prettier output.
snmp-check -t <ip> -c public
Nmap
Since SNMP uses UDP, we have to use the -sU flag.
nmap -iL ips.txt -p 161,162 -sU --open -vvv -oG snmp-nmap.txt
Onesixtyone
With onesixtyone you can test for open ports but also brute-force community strings. I have had more success using onesixtyone than using nmap, so it is better to use both.
Metasploit
There are a few SNMP modules in Metasploit that you can use. snmp_enum can show you usernames, services, and other stuff. https://www.offensive-security.com/metasploit-unleashed/snmp-scan/