
161 - Pentesting SNMP

SNMP stands for "Simple Network Management Protocol". It is a standard protocol used to monitor and manage network devices, such as routers, switches, and servers. SNMP allows network administrators to monitor the performance and status of network devices, receive notifications of network events and failures, and configure and control network devices remotely. SNMPv1 and v2c authenticate a request with nothing more than a community string sent in cleartext (defaults such as "public"), which is why the enumeration below works against devices that still use default strings; SNMPv3 adds real authentication and encryption.

nmap


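# UDP service discovery for SNMP (161/udp); -sU needs raw sockets, hence sudo.
# "$IP" is quoted so an empty or unexpected value cannot split into extra arguments.
sudo nmap -sU --open -p 161 -vv "$IP"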

enumeration


nmap

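# Run every NSE snmp-* script except the community-string guesser
# (that one is listed separately under "bruteforce"); keep a copy of the output.
sudo nmap -p 161 -sU --script "snmp* and not snmp-brute" "$IP" | tee nmap.snap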

snmpwalk - enumerate entire MIB tree

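# Walk the whole MIB with the default read community "public", once per protocol
# version; -t raises the per-request timeout for slow or lossy UDP paths.
# v1/v2c carry the community string in cleartext, so a successful walk with
# "public" is itself a finding (remediation: non-default strings, source ACLs,
# or SNMPv3 with authPriv).
sudo snmpwalk -c public -v1 -t 10 "$IP" | tee snmpwalk1.snmp
sudo snmpwalk -c public -v2c "$IP" | tee snmpwalk2.snmp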
- -c specifies the community string; -v specifies the SNMP version number; -t increases the timeout period

snmpwalk - enumerate a specific branch of the MIB tree (svUserTable) that is mapped to the local user account names

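# Walk only the svUserTable branch, which maps to local user account names.
sudo snmpwalk -c public -v1 "$IP" 1.3.6.1.4.1.77.1.2.25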

snmpwalk - enumerate a specific branch of the MIB tree (hrSWRunEntry) that is mapped to running processes

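# Walk only the hrSWRunEntry branch (hrSWRunName), which maps to running processes.
sudo snmpwalk -c public -v1 "$IP" 1.3.6.1.2.1.25.4.2.1.2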

snmpwalk - enumerate a specific branch of the MIB tree (hrSWInstalledName) that is mapped to installed software

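# Walk only the hrSWInstalledName branch, which maps to installed software.
sudo snmpwalk -c public -v1 "$IP" 1.3.6.1.2.1.25.6.3.1.2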

snmpwalk - enumerate a specific branch of the MIB tree (tcpConnLocalPort) that is mapped to the currently listening TCP ports

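# Walk only the tcpConnLocalPort branch, which maps to listening TCP ports.
sudo snmpwalk -c public -v1 "$IP" 1.3.6.1.2.1.6.13.1.3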

snmpbulkwalk

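# v2c bulk walk from the root OID ("."); GETBULK needs fewer round trips than
# snmpwalk's per-object GETNEXT. Output is saved for the greps below.
sudo snmpbulkwalk -c public -v2c "$IP" . | tee snmpbulkwalk.snap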
|->
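# Post-process the saved walk; grep reads the file directly instead of `cat |`.
# Unique "::object." prefixes seen in the output (which MIB objects answered).
grep -oP '::.*?\.' snmpbulkwalk.snap | sort -u
# Unique running-process names: 4th field of each hrSWRunName line, quotes stripped.
# One trailing sort -u is enough; the original mid-pipeline sort -u was redundant.
grep 'hrSWRunName' snmpbulkwalk.snap | awk '{print $4}' | tr -d '"' | sort -u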

snmpcheck

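# Install snmpcheck from its Kali packaging repo and run it against the target.
# You are cloning and executing third-party code with your own privileges:
# review what was fetched before running it, and pin a commit if this is scripted.
git clone https://gitlab.com/kalilinux/packages/snmpcheck.git /opt/tools/snmpcheck
cd /opt/tools/snmpcheck
sudo gem install snmp
chmod +x /opt/tools/snmpcheck/snmpcheck-1.9.rb
# <COMMUNITY_STRING> is a placeholder for the string identified in the earlier steps.
/opt/tools/snmpcheck/snmpcheck-1.9.rb "$IP" -c <COMMUNITY_STRING> | tee snmpcheck.snap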

onesixtyone - find community string

# Try every candidate community string in community_strings.txt against every
# host listed in ip.txt (same options as before, target list given first).
onesixtyone -i ip.txt -c community_strings.txt

snmp mib


Description OID node name
System Processes 1.3.6.1.2.1.25.1.6.0 hrSystemProcesses
Running Programs 1.3.6.1.2.1.25.4.2.1.2 hrSWRunName
Process Path 1.3.6.1.2.1.25.4.2.1.4 hrSWRunPath
Storage Units 1.3.6.1.2.1.25.2.3.1.4 hrStorageAllocationUnits
Software Name 1.3.6.1.2.1.25.6.3.1.2 hrSWInstalledName
User Accounts 1.3.6.1.4.1.77.1.2.25 -
TCP Local Ports 1.3.6.1.2.1.6.13.1.3 tcpConnLocalPort

bruteforce


hydra

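# Community-string guessing over UDP/161 with a SecLists wordlist. This is noisy:
# agents can emit SNMP authenticationFailure traps and log the failed requests,
# which is what a defender should be alerting on.
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt "$IP" snmp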
metasploit
msf> use auxiliary/scanner/snmp/snmp_login
nmap
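# Use the same "$IP" variable as the rest of the page instead of a <target>
# placeholder (an unquoted <...> would be parsed as a redirection); -sU needs root,
# as in the nmap commands above. To supply your own list, append
# --script-args snmp-brute.communitiesdb=<wordlist> (placeholder).
sudo nmap -sU --script snmp-brute "$IP"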
onesixtyone
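# Default-community sweep with the Metasploit wordlist; "$IP" replaces the <IP>
# placeholder so the line is consistent with the rest of the page.
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt "$IP"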

download and extract SNMP MIBs


# Fetch the standard MIB definitions so snmpwalk output shows symbolic names
# (e.g. hrSWRunName) rather than bare numeric OIDs.
sudo apt install --yes snmp-mibs-downloader
sudo download-mibs
# In the editor, comment out the line that reads "mibs :" so the downloaded
# MIBs are actually loaded.
sudo vi /etc/snmp/snmp.conf

community strings


payload 1

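# Build a minimal community-string list (one entry per line) for onesixtyone/hydra.
# A single printf writes all three entries instead of one echo plus two appends;
# printf is also immune to echo's option/backslash quirks.
printf '%s\n' public private manager > community_strings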

payload 2

/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt