🛡️ Methodology Checklist

  • Detect SNMP: nmap -sU -p 161 [TARGET]
  • Community string brute-force: onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt [TARGET]
  • SNMPwalk v1: snmpwalk -v 1 -c [COMMUNITY] [TARGET]
  • SNMPwalk v2c: snmpwalk -v 2c -c [COMMUNITY] [TARGET] 1.3.6.1.2.1
  • Running processes: OID 1.3.6.1.2.1.25.4.2.1.2
  • Installed software: OID 1.3.6.1.2.1.25.6.3.1.2
  • IP addresses per interface: OID 1.3.6.1.2.1.4.20.1.1 (ipAdEntAddr); routing table: OID 1.3.6.1.2.1.4.21 (ipRouteTable); interface table: OID 1.3.6.1.2.1.2.2 (ifTable)
  • SNMP SET (read-write community): if a read-write string is found, snmpset can change interface state or agent configuration; confirm writability against a low-impact object such as sysLocation.0 before touching anything else

🎯 Operational Context

Think Dumber First: try the community string public first; it is still the factory default on a large share of unmanaged devices and on many Linux/Windows SNMP installs. A walk with public can reveal running processes (including passwords passed as command-line arguments), installed software, user accounts and network topology. This is one of the highest-value, lowest-effort wins in network recon.

When you land here: UDP/161 open. Run onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt [TARGET] to find community strings, then snmpwalk -v 2c -c [COMMUNITY] [TARGET] for a full MIB walk. Targeted OIDs for quick wins: process names (1.3.6.1.2.1.25.4.2.1.2) and their command-line arguments (1.3.6.1.2.1.25.4.2.1.5), and on Windows hosts the LanManager user list (1.3.6.1.4.1.77.1.2.25).


⚡ Tactical Cheatsheet

Command | Tactical Outcome
--- | ---
sudo nmap -sU -p161 [TARGET_IP] | Detect SNMP service
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt [TARGET_IP] | Brute-force community strings
for c in public private manager admin backup cisco; do echo "== $c"; snmpwalk -v 2c -c "$c" -t 2 -r 1 [TARGET_IP] 1.3.6.1.2.1.1.1.0; done | Manual community string loop (short timeout so dead strings fail fast)
snmpwalk -v 2c -c public [TARGET_IP] | Standard SNMP walk with known string
snmpwalk -v 2c -c public [TARGET_IP] 1.3.6.1 > snmp_full.txt | Full tree dump to file
snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1.2.1.25.4.2.1.2 | List running process names (hrSWRunName)
snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1.2.1.25.4.2.1.4 | List running process executable paths (hrSWRunPath)
snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1.2.1.25.4.2.1.5 | List process command-line arguments (hrSWRunParameters: credential leak!)
snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1.4.1.8072.1.3.2 | NET-SNMP-EXTEND-MIB subtree: custom extend/exec script outputs

🔬 Deep Dive & Workflow

Initial Enumeration

  • Nmap UDP scan: sudo nmap -sU -p161 [TARGET_IP]
  • Brute-force community strings: onesixtyone -c snmp.txt [TARGET_IP]
  • If automated tools fail over VPN, fall back to a manual loop: test public, private, manager, admin, backup, cisco
  • Standard walk: snmpwalk -v 2c -c [STRING] [TARGET_IP]
  • Look for sysContact β€” often contains admin email address
  • Look for sysDescr or sysLocation β€” may contain custom server version string

Attacks

  • Dump process command lines: OID 1.3.6.1.2.1.25.4.2.1.5 (hrSWRunParameters); scripts and daemons are often started with passwords as CLI arguments. Correlate rows by process index with .2 (name) and .4 (path)
  • Check the NET-SNMP-EXTEND-MIB subtree 1.3.6.1.4.1.8072.1.3.2; admin-defined extend/exec scripts may output sensitive data
  • Full tree dump: snmpwalk -v 2c -c [STRING] [TARGET_IP] 1.3.6.1 > snmp_full.txt, then grep -i "pass\|flag\|key\|secret" snmp_full.txt
  • If a read-write community is configured (e.g. rwcommunity public), attempt SNMP SET operations; on net-snmp agents a writable NET-SNMP-EXTEND-MIB entry turns write access into command execution (RCE)
  • Note credentials found in process args and pivot to SSH, IMAP, MySQL
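The hrSWRun correlation the Attacks list relies on, as an added example that is not part of the original cheatsheet: a shell script that joins hrSWRunName (.2), hrSWRunPath (.4) and hrSWRunParameters (.5) rows from a saved snmpwalk -On dump by process index, then flags command lines that look like they carry credentials. The dump embedded below is constructed for the demo; the function names and the credential regex are my own heuristics.

```shell
#!/bin/sh
# Added example: correlate HOST-RESOURCES-MIB hrSWRun rows from a saved walk and
# flag process command lines that look like they carry credentials.
# Assumes the dump was taken with numeric OIDs, e.g.
#   snmpwalk -On -v 2c -c [STRING] [TARGET_IP] 1.3.6.1.2.1.25.4.2.1 > hrswrun.txt
# hrSWRunName is column .2, hrSWRunPath .4 and hrSWRunParameters .5 of that table.

HR_SWRUN='.1.3.6.1.2.1.25.4.2.1'

# Constructed sample dump standing in for hrswrun.txt; not captured from a real host.
SAMPLE_DUMP='.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.812 = STRING: "mysqld"
.1.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "python3"
.1.3.6.1.2.1.25.4.2.1.2.2041 = STRING: "backup.sh"
.1.3.6.1.2.1.25.4.2.1.4.1 = STRING: "/sbin/init"
.1.3.6.1.2.1.25.4.2.1.4.812 = STRING: "/usr/sbin/mysqld"
.1.3.6.1.2.1.25.4.2.1.4.1337 = STRING: "/usr/bin/python3"
.1.3.6.1.2.1.25.4.2.1.4.2041 = STRING: "/bin/bash"
.1.3.6.1.2.1.25.4.2.1.5.1 = STRING: ""
.1.3.6.1.2.1.25.4.2.1.5.812 = STRING: "--user=mysql --port=3306"
.1.3.6.1.2.1.25.4.2.1.5.1337 = STRING: "/opt/app/mailer.py --smtp-user svc_mail --smtp-pass Wint3r2024!"
.1.3.6.1.2.1.25.4.2.1.5.2041 = STRING: "/opt/backup.sh -u dbadmin -p S3cretB4ckup"'

# join_hrswrun: stdin = snmpwalk -On output, stdout = "pid<TAB>name<TAB>path<TAB>args",
# one row per process index, sorted by index.
join_hrswrun() {
  awk -v base="$HR_SWRUN" '
    index($0, base ".") == 1 {
      rest = substr($0, length(base) + 2)        # e.g. 5.812 = STRING: "--user=mysql"
      split(rest, parts, " = ")
      split(parts[1], idx, ".")                  # idx[1] = column, idx[2] = process index
      col = idx[1]; pid = idx[2]
      val = parts[2]
      sub(/^STRING: /, "", val)                  # strip the type tag
      gsub(/^"|"$/, "", val)                     # and the surrounding quotes
      if (col == 2) name[pid] = val
      else if (col == 4) path[pid] = val
      else if (col == 5) args[pid] = val
      seen[pid] = 1
    }
    END {
      for (pid in seen)
        printf "%s\t%s\t%s\t%s\n", pid, name[pid], path[pid], args[pid]
    }' | sort -n
}

# flag_credential_args: keep rows whose argument column carries a credential-looking
# option. The pattern (-p VALUE, --pass*, pwd, secret, token, api key) is a heuristic
# of my own; extend it per target.
flag_credential_args() {
  awk -F '\t' 'tolower($4) ~ /(^| )-p.|--?pass|pwd|secret|token|api[-_]?key/ { print }'
}

# With a file argument audit that dump; otherwise run on the constructed sample.
main() {
  if [ "$#" -ge 1 ]; then
    join_hrswrun < "$1" | flag_credential_args
  else
    printf '%s\n' "$SAMPLE_DUMP" | join_hrswrun | flag_credential_args
  fi
}

main "$@"
```

On the sample this prints the mailer and backup rows only; the mysqld row survives the join but is not flagged because --port is not a credential option. The same joined output is the pivot list for the last bullet above: each flagged row gives you a user name, a secret and, from the path or name, a guess at the service it belongs to.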

Versions

Version | Auth | Encryption | Notes
--- | --- | --- | ---
v1 | Community string | None | Legacy; no security, everything cleartext on the wire
v2c | Community string | None | Most common in CTFs; adds GETBULK for bulk transfers
v3 | User name plus auth key (MD5/SHA) | Only at the authPriv level (DES/AES); none at noAuthNoPriv or authNoPriv | Secure when deployed at authPriv; a noauth user is no stronger than a community string

Community Strings (The "Password")

  • public: default read-only
  • private: default read-write
  • manager: common alternative
  • Try backup, cisco, admin for non-default setups

Key OIDs

OID | Name | Value
--- | --- | ---
1.3.6.1.2.1.1.1.0 | sysDescr | System description/version
1.3.6.1.2.1.1.4.0 | sysContact | Admin email address
1.3.6.1.2.1.25.4.2.1.2 | hrSWRunName | Running process names
1.3.6.1.2.1.25.4.2.1.4 | hrSWRunPath | Process executable paths
1.3.6.1.2.1.25.4.2.1.5 | hrSWRunParameters | Process command-line arguments (where credentials leak)
1.3.6.1.2.1.4.20.1.1 | ipAdEntAddr | IP addresses assigned to interfaces
1.3.6.1.4.1.8072.1.3.2 | nsExtendObjects | NET-SNMP-EXTEND-MIB subtree: configured commands and their output

Dangerous Config Settings (/etc/snmp/snmpd.conf)

Setting | Risk
--- | ---
rwuser [USER] noauth | Critical: full read-write access via SNMPv3 with no authentication
rwcommunity public | Critical: anyone can change settings; on net-snmp, write access to the NET-SNMP-EXTEND-MIB means command execution (RCE)
view all included .1 | Exposes the entire OID tree to whichever community or user is bound to the view
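An offline check for the settings in the table above, as an added example that is not from the original page: a shell function that audits an snmpd.conf for default or short community strings, missing SOURCE restrictions, noauth SNMPv3 users, full-tree views and extend/exec entries, run over a constructed weak config and a constructed hardened counterpart. The function names, the sample configs, the 12-character threshold and the severity labels are my own choices; the directive syntax is the one documented in snmpd.conf(5).

```shell
#!/bin/sh
# Added example: audit an snmpd.conf for the dangerous settings listed above.
# Directive syntax per snmpd.conf(5):
#   rocommunity|rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]]
#   rouser|rwuser USER [noauth|auth|priv [OID | -V VIEW]]
#   view NAME included|excluded OID [MASK]
#   extend [MIBOID] NAME PROG ARGS  /  exec NAME PROG ARGS
# Severity labels and the 12-character threshold are my own choices.

# Constructed weak config (not from a real host); mirrors the table above.
WEAK_CONF='# Listen on all interfaces
agentAddress udp:161
sysLocation  Server Room 3
sysContact   admin@example.test
rocommunity  public
rwcommunity  private 10.0.0.0/8
rwuser       svc_monitor noauth
view all included .1
extend backup-status /opt/scripts/backup-status.sh'

# Constructed hardened counterpart: one SNMPv3 authPriv user, bound to one address,
# limited to a small view. Passphrases are placeholders.
HARDENED_CONF='agentAddress udp:10.0.5.2:161
createUser  monitor SHA "Correct-Horse-Battery-Staple-9" AES "Another-Long-Random-Phrase-4"
rouser      monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1'

# audit_snmpd_conf: stdin = snmpd.conf, stdout = "SEVERITY<TAB>directive<TAB>reason" per finding.
audit_snmpd_conf() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }                     # comments and blank lines
    $1 ~ /^r[ow]community6?$/ {
      rw = ($1 ~ /^rw/)
      kind = rw ? "read-write" : "read-only"
      if (tolower($2) == "public" || tolower($2) == "private" || length($2) < 12)
        printf "%s\t%s\t%s community string is a default or shorter than 12 chars\n", (rw ? "CRITICAL" : "HIGH"), $0, kind
      if (NF < 3)
        printf "%s\t%s\t%s community accepted from any source (no SOURCE restriction)\n", (rw ? "CRITICAL" : "MEDIUM"), $0, kind
      next
    }
    $1 ~ /^r[ow]user$/ && $3 == "noauth" {
      printf "CRITICAL\t%s\tSNMPv3 %s access at noAuthNoPriv: no authentication required\n", $0, ($1 == "rwuser" ? "read-write" : "read-only")
      next
    }
    $1 == "view" && $3 == "included" && ($4 == ".1" || $4 == "1" || $4 == ".iso" || $4 == "iso") {
      printf "MEDIUM\t%s\tview \"%s\" exposes the entire OID tree\n", $0, $2
      next
    }
    $1 == "extend" || $1 == "exec" || $1 == "sh" {
      printf "INFO\t%s\tNET-SNMP extend/exec entry: its output is readable by anyone who can walk the agent\n", $0
    }
  '
}

# count_findings SEVERITY: number of findings of that severity for the config on stdin.
count_findings() {
  audit_snmpd_conf | awk -F '\t' -v sev="$1" '$1 == sev { n++ } END { print n + 0 }'
}

# With a file argument audit that file; otherwise show the weak and hardened samples side by side.
main() {
  if [ "$#" -ge 1 ]; then
    audit_snmpd_conf < "$1"
  else
    echo "== weak config";     printf '%s\n' "$WEAK_CONF" | audit_snmpd_conf
    echo "== hardened config"; printf '%s\n' "$HARDENED_CONF" | audit_snmpd_conf
  fi
}

main "$@"
```

The weak sample yields six findings (two CRITICAL: the rwcommunity default and the noauth rwuser), the hardened one none. The check only sees snmpd.conf itself; on a real host also look at the persistent store (/var/lib/snmp/snmpd.conf on Debian-style systems), which is where createUser lines are normally written.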

🛠️ Troubleshooting & Edge Cases

Problem | Cause | Fix
--- | --- | ---
onesixtyone returns nothing | UDP scan unreliable, or firewall dropping | Confirm UDP/161 open: nmap -sU -p 161 [TARGET]; try snmpwalk directly: snmpwalk -v1 -c public [TARGET] 1.3.6
snmpwalk hangs after first few OIDs | Large MIB response causing timeout | Use snmpbulkwalk -v2c -c [COMMUNITY] -Cr50 [TARGET], which batches requests; raise timeout and retries with -t 5 -r 2
OID walk returns 'No Such Object available on this agent at this OID' | Agent does not implement that subtree, or wrong OID | Start at the root: snmpwalk -v2c -c [COMMUNITY] [TARGET] .1; for symbolic names install snmp-mibs-downloader, run download-mibs and comment out the "mibs :" line in /etc/snmp/snmp.conf
SNMP v3: community string approach fails | v3 authenticates a user name with optional auth/priv keys; onesixtyone speaks v1 only | Probe a candidate user: snmpwalk -v3 -u [USER] -l noAuthNoPriv [TARGET] 1.3.6.1.2.1.1. Net-SNMP answers "Unknown user name" for a non-existent user and "Authentication failure" for an existing user with the wrong key, so user names can be confirmed one at a time; with a password in hand add -l authNoPriv -a SHA -A [PASS]
snmpwalk output garbled or truncated | Hex-STRING values, encoding issues or oversized responses | Add -Oqv for value-only output and -Oa to print strings as ASCII; write to a file: snmpwalk -v2c -c [COMMUNITY] [TARGET] > snmp_full.txt

📝 Reporting Trigger

Finding Title: SNMP Default Community String Exposing System Information
Impact: Running processes (including credentials in command-line arguments), network interface configuration, routing tables, installed software and user accounts are disclosed to anyone who can reach UDP/161 and guess the community string; because v1/v2c carry everything in cleartext, the same data is visible to any on-path observer.
Root Cause: SNMP v1/v2c community string left at the default public; no source-address access control configured.
Recommendation: Change community strings to random values of 20+ characters; migrate to SNMPv3 at the authPriv security level; restrict SNMP by source-IP ACL to monitoring systems only; filter UDP/161 at the perimeter firewall; disable SNMP entirely where it is not required.