Simple Network Management Protocol
Environment Variables / Setup
export IP=
export PORT=161
Phase 1: SNMP Enumeration
Nmap SNMP Scripts
nmap -sU -p $PORT --script="snmp-*" $IP   # quote the pattern so the shell does not expand it
SNMPwalk - Community String Testing
# Default community strings
snmpwalk -c public -v1 $IP
snmpwalk -c private -v1 $IP
snmpwalk -c manager -v1 $IP
# Try version 2c
snmpwalk -c public -v2c $IP
Community String Brute Force
# With onesixtyone
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $IP
# With hydra
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -v $IP snmp
Phase 2: SNMP Information Gathering
System Information
# System description
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.1.1.0
# System uptime
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.1.3.0
# System contact
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.1.4.0
# System name
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.1.5.0
# System location
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.1.6.0
Network Interfaces
# Interface information
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.2.2.1.2
# Interface statistics
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.2.2.1.10
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.2.2.1.16
Routing Table
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.4.21.1.1
ARP Table
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.4.22.1.2
Phase 3: Windows-Specific SNMP
Users
# Windows users
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.25
# User accounts
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.25.1.1
Running Processes
# Windows processes
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.2
# Process path
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.4.2.1.4
Installed Software
# Software installed
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.6.3.1.2
Open Ports
# TCP connections
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.6.13.1.3
# UDP connections
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.7.5.1.2
Phase 4: Extended SNMP Enumeration
SNMPenum
# Usage is positional: target, community string, then one of the config files shipped with the tool (windows.txt, linux.txt, cisco.txt)
snmpenum $IP public windows.txt
SNMPcheck
snmpcheck -t $IP -c public
Custom SNMP Queries
Storage Information
# Storage units
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.2.3.1.3
# Storage sizes
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.2.3.1.5
Network Shares and Services (Windows)
# Running services (LanMan MIB svSvcName)
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.3.1.1
# Share names (LanMan MIB svShareName)
snmpwalk -c public -v1 $IP 1.3.6.1.4.1.77.1.2.27.1.1
Common SNMP OIDs
System Information
1.3.6.1.2.1.1.1.0 - System Description
1.3.6.1.2.1.1.3.0 - System Uptime
1.3.6.1.2.1.1.4.0 - System Contact
1.3.6.1.2.1.1.5.0 - System Name
1.3.6.1.2.1.1.6.0 - System Location
Windows Specific
1.3.6.1.4.1.77.1.2.25.1.1 - Windows Users
1.3.6.1.2.1.25.4.2.1.2 - Windows Processes
1.3.6.1.2.1.25.6.3.1.2 - Windows Software
1.3.6.1.4.1.77.1.2.3.1.1 - Windows Services
1.3.6.1.4.1.77.1.2.27.1.1 - Windows Shares
Network Information
1.3.6.1.2.1.2.2.1.2 - Network Interfaces
1.3.6.1.2.1.4.21.1.1 - Routing Table
1.3.6.1.2.1.4.22.1.2 - ARP Table
1.3.6.1.2.1.6.13.1.3 - TCP Connections
Phase 5: SNMP Attacks
Information Disclosure
Look for sensitive information in SNMP data:
- Usernames and groups
- Network topology
- Running services and processes
- System patches and versions
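The raw snmpwalk output is easier to review when it is grouped by the OID table above. The following Python parser is an added example, not part of the original cheat sheet; the OID subset comes from the table and the sample walk output is constructed.

```python
import re
from collections import defaultdict

# OID prefixes from the table above (subset); rows of one table (users, shares) share a prefix.
OID_NAMES = {
    "1.3.6.1.2.1.1.1.0": "System Description",
    "1.3.6.1.2.1.1.3.0": "System Uptime",
    "1.3.6.1.2.1.1.5.0": "System Name",
    "1.3.6.1.4.1.77.1.2.25.1.1": "Windows Users",
    "1.3.6.1.4.1.77.1.2.27.1.1": "Windows Shares",
    "1.3.6.1.2.1.4.22.1.2": "ARP Table",
    "1.3.6.1.2.1.6.13.1.3": "TCP Connections",
}
# "<oid> = <TYPE>: <value>"; the OID reads "iso.3.6..." or ".1.3.6..." depending on loaded MIBs.
LINE_RE = re.compile(r"^\s*(?P<oid>(?:iso|\.?1)(?:\.\d+)+)\s*=\s*"
                     r"(?:(?P<type>[A-Za-z-]+):\s*)?(?P<val>.*)$")
def normalise_oid(oid):
    return ("1" + oid[3:] if oid.startswith("iso") else oid).lstrip(".")
def parse_walk(text):
    """Yield (oid, type, value); untyped lines such as 'No Such Object' are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("type") is None:
            continue
        val = m.group("val").strip()
        if m.group("type") == "STRING":
            val = val.strip('"')  # snmpwalk quotes printable strings
        yield normalise_oid(m.group("oid")), m.group("type"), val

def categorise(text):
    """Map walk output to {table label: [values]}; OIDs outside the table go to 'Other'."""
    report = defaultdict(list)
    for oid, _typ, val in parse_walk(text):
        label = next((name for prefix, name in OID_NAMES.items()
                      if oid == prefix or oid.startswith(prefix + ".")), "Other")
        report[label].append(val)
    return dict(report)

# Constructed snmpwalk output for a Windows host; LanMan indices are name length + ASCII bytes.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family - Software: Windows Version 6.3"
iso.3.6.1.2.1.1.5.0 = STRING: "FILESRV01"
iso.3.6.1.2.1.1.3.0 = Timeticks: (8675309) 1 day, 0:05:53.09
iso.3.6.1.4.1.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.27.1.1.6.66.97.99.107.117.112 = STRING: "Backup"
iso.3.6.1.2.1.4.22.1.2.12.10.0.0.1 = Hex-STRING: 00 0C 29 AB CD EF
iso.3.6.1.2.1.1.6.0 = No Such Object available on this agent at this OID
End of MIB
"""
```

Pipe a real walk into `categorise()` (for example `categorise(open("walk.txt").read())`) to get the same grouping for saved enumeration output.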
SNMP Community String Attacks
# Try default strings
for community in public private manager; do
    echo "Testing community: $community"
    snmpwalk -c "$community" -v1 "$IP" 2>/dev/null | head -5
done
SNMP SET Operations
If write community is found:
# Test if SET operations are allowed
snmpset -c private -v1 $IP 1.3.6.1.2.1.1.4.0 s "Pwned"
Automated Tools
snmp-check
perl /usr/share/snmp-check/snmp-check.pl -t $IP -c public
Metasploit Modules
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/snmp_enumusers
Next Steps
Once SNMP enumeration is complete:
- Analyze discovered information for attack vectors
- Cross-reference with other services for credential reuse
- Use discovered network topology for lateral movement
- Document sensitive information found