
SNMP (161,162,10161,10162)

The Simple Network Management Protocol (SNMP) is a protocol used in TCP/IP networks to collect and manage information about networked devices. SNMP operates in the application layer (layer 7 of the OSI model) and uses UDP port 161 to listen for requests. The SNMP protocol is supported by many types of devices including routers, switches, servers, printers, Network Attached Storage (NAS), firewalls, WLAN controllers and more. In the following sections we will be looking at the main components of SNMP managed networks, how they communicate with each other and something called the Management Information Base (MIB). We will also look at how and why SNMP can cause security issues and, of course, how to enumerate the SNMP protocol.

  1. Managed Device: A managed device (also referred to as a ‘node’) is a network device with the SNMP service enabled, allowing unidirectional (read) or bidirectional (read/write) communication. Managed devices can be any networked device, including servers, firewalls and routers.

  2. Agent: The agent is the software running on the managed device which is responsible for handling the communication. The agent translates device-specific configuration parameters into an SNMP format for the Network Management System.

  3. Network Management System (NMS): The Network Management System is the software that actually manages and monitors the networked devices. An SNMP managed network will always contain at least one NMS.

SNMP exposes a lot of information about the host. Things you may find interesting include: network interfaces (IPv4 and IPv6 addresses), usernames, uptime, server/OS version, and running processes (which may contain passwords).

Initial Enumeration

nmap

nmap --script "snmp* and not snmp-brute" <target>
sudo nmap --script "snmp-*" -sU -p161 $IP
sudo nmap -sU -p 161 --script snmp-brute $IP --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt

It is recommended to install the following so that each OID gathered from the device is shown with its meaning:

apt-get install snmp-mibs-downloader
download-mibs

Thanks to the extended MIBs (download-mibs), it is possible to enumerate even more about the system with the following commands:

snmpwalk -v X -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
snmpwalk -v2c -c public <RHOST> .1
snmpwalk -v2c -c public <RHOST> nsExtendObjects

SNMP MIB Trees

- 1.3.6.1.2.1.25.1.6.0 - System Processes

- 1.3.6.1.2.1.25.4.2.1.2 - Running Programs

- 1.3.6.1.2.1.25.4.2.1.4 - Processes Path

- 1.3.6.1.2.1.25.2.3.1.4 - Storage Units

- 1.3.6.1.2.1.25.6.3.1.2 - Software Name

- 1.3.6.1.4.1.77.1.2.25 - User Accounts

- 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports

🔧 System Information

| OID | Description |
|---|---|
| 1.3.6.1.2.1.1.1.0 | sysDescr – Device description, OS version |
| 1.3.6.1.2.1.1.2.0 | sysObjectID – Vendor/device type |
| 1.3.6.1.2.1.1.3.0 | sysUpTime – Time since last reboot |
| 1.3.6.1.2.1.1.4.0 | sysContact – Admin contact |
| 1.3.6.1.2.1.1.5.0 | sysName – Device hostname |
| 1.3.6.1.2.1.1.6.0 | sysLocation – Device location (datacenter, office, etc.) |

🌐 Network Interfaces

| OID | Description |
|---|---|
| 1.3.6.1.2.1.2.2.1.2 | ifDescr – Interface names (eth0, wlan0, etc.) |
| 1.3.6.1.2.1.2.2.1.6 | ifPhysAddress – MAC addresses |
| 1.3.6.1.2.1.2.2.1.8 | ifOperStatus – Interface status (up/down) |
| 1.3.6.1.2.1.2.2.1.10 | ifInOctets – Bytes received |
| 1.3.6.1.2.1.2.2.1.16 | ifOutOctets – Bytes sent |

🧠 Routing / IP Information

| OID | Description |
|---|---|
| 1.3.6.1.2.1.4.20.1.1 | ipAdEntAddr – IP addresses assigned |
| 1.3.6.1.2.1.4.20.1.2 | ipAdEntIfIndex – Interface index per IP |
| 1.3.6.1.2.1.4.21.1.1 | ipRouteDest – Destination networks |
| 1.3.6.1.2.1.4.21.1.7 | ipRouteNextHop – Next hop IPs |

🖥️ Process / Host Resources (UCD-SNMP / NET-SNMP)

| OID | Description |
|---|---|
| 1.3.6.1.4.1.2021.10.1.3.1 | laLoad.1 – 1-minute load average |
| 1.3.6.1.4.1.2021.4.5.0 | memTotalReal – Total RAM |
| 1.3.6.1.4.1.2021.4.6.0 | memAvailReal – Available RAM |
| 1.3.6.1.4.1.2021.11.9.0 | ssCpuUser – CPU usage (user) |
| 1.3.6.1.4.1.2021.11.10.0 | ssCpuSystem – CPU usage (system) |

🛠️ Other Useful Enterprise OIDs

| Vendor | OID Prefix | Notes |
|---|---|---|
| Cisco | 1.3.6.1.4.1.9 | Used in many routers/switches |
| Juniper | 1.3.6.1.4.1.2636 | Juniper devices |
| Windows SNMP | 1.3.6.1.4.1.311 | Microsoft-specific SNMP |
| HP | 1.3.6.1.4.1.11 | HP servers/devices |
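A full walk returns far more than the handful of OIDs listed above. The following is an added example (not part of the original notes) that triages raw snmpwalk output against those prefixes, so you can quickly see what a device is exposing; the sample lines are constructed, and the function and variable names are my own. hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5) is not in the list above and is added here because process arguments are where the "may contain passwords" problem usually shows up.

```python
"""Triage snmpwalk output against the OID prefixes listed on this page."""
import re

# Prefix -> label, taken from the MIB tree list and tables above
# (plus hrSWRunParameters, added here for command-line arguments).
INTERESTING = {
    "1.3.6.1.2.1.1.1": "sysDescr (OS / device description)",
    "1.3.6.1.2.1.1.5": "sysName (hostname)",
    "1.3.6.1.2.1.2.2.1.6": "ifPhysAddress (MAC)",
    "1.3.6.1.2.1.4.20.1.1": "ipAdEntAddr (assigned IP)",
    "1.3.6.1.2.1.6.13.1.3": "TCP local port",
    "1.3.6.1.2.1.25.4.2.1.2": "hrSWRunName (running program)",
    "1.3.6.1.2.1.25.4.2.1.4": "hrSWRunPath (process path)",
    "1.3.6.1.2.1.25.4.2.1.5": "hrSWRunParameters (process arguments)",
    "1.3.6.1.2.1.25.6.3.1.2": "hrSWInstalledName (installed software)",
    "1.3.6.1.4.1.77.1.2.25": "LanMgr user account",
}
# Matches both "iso.3.6.1..." (no MIBs loaded) and ".1.3.6.1..." (-On) forms.
LINE = re.compile(r"^(?:iso|\.?1)(\.[\d.]+?)\s*=\s*([\w-]+):\s*(.*)$")
SECRET_HINT = re.compile(r"pass(?:w(?:or)?d)?|pwd|secret|token", re.I)

def classify(oid):
    """Return the label of the longest matching prefix, or None."""
    for prefix in sorted(INTERESTING, key=len, reverse=True):
        if oid == prefix or oid.startswith(prefix + "."):
            return INTERESTING[prefix]
    return None

def triage(walk_output):
    """Return (oid, label, value, looks_like_secret) for interesting lines."""
    hits = []
    for line in walk_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        oid, value = "1" + m.group(1), m.group(3).strip('"')
        label = classify(oid)
        if label:
            hits.append((oid, label, value, bool(SECRET_HINT.search(value))))
    return hits

# Constructed sample of snmpwalk output (not from a real device).
SAMPLE = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux nas01 5.10.0 #1 SMP x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (8640000) 1 day, 0:00:00.00
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.5.812 = STRING: "--user=app --password=CONSTRUCTED"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
"""

if __name__ == "__main__":
    for oid, label, value, secret in triage(SAMPLE):
        print(f"{'!! ' if secret else '   '}{label:40} {value}")
```

Pipe a real walk in with `snmpwalk ... | python3 -c 'import sys, triage; ...'` or just replace SAMPLE with the file contents; lines whose OID is not in the prefix map are ignored.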

SNMPWalk

A tool that walks MIB values to retrieve information about managed devices; it requires a valid SNMP read-only community string.

snmpwalk -c public -v1 $ip

Query an SNMP enabled device with three different community strings:

for community in public private manager; do snmpwalk -c $community -v1 $ip; done

Using -c (community string) and -v2c (the most commonly used version of SNMP):

snmpwalk -c public -v2c <target-ip>

Try the different versions: v1 may expose basic info, v2c may show extended info (routing tables and interfaces), and v3 may be configured but will most likely require credentials.

snmpwalk -v1 -c public 192.168.1.1
snmpwalk -v2c -c public 192.168.1.1
snmpwalk -v3 -u user -l authPriv -a SHA -A pass -x AES -X pass 192.168.1.1

SNMPBulkWalk

snmpbulkwalk uses GetBulkRequest (introduced in SNMPv2c): it retrieves multiple OIDs in one request, which drastically reduces the number of packets exchanged.

sudo snmpbulkwalk -c public -v2c $IP .
sudo snmpbulkwalk -c public -v2c $IP NET-SNMP-EXTEND-MIB::nsExtendOutputFull

SNMPCheck

Like snmpwalk, but with prettier output.

snmpcheck -t 192.168.1.X -c public

Community String Bruteforcing

Onesixtyone is a very fast tool for brute forcing SNMP community strings; it takes advantage of the connectionless protocol. Onesixtyone sends an SNMP request and (by default) waits 10 milliseconds for a response. If the community string sent by onesixtyone to the SNMP enabled device is invalid, the request is dropped. However, if a valid community string is passed to an SNMP enabled device, the device responds with the information requested (the ‘system.sysDescr.0’ value).

onesixtyone -c dict.txt <ip>

Wordlists

/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt
/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

NSE Script

ls -l /usr/share/nmap/scripts/snmp*

SNMPv3 Enum

wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb; chmod +x snmpv3enum.rb; ./snmpv3enum.rb

SNMP RCE

https://hacktricks.boitatech.com.br/pentesting/pentesting-snmp/snmp-rce

Massive SNMP

Braa is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.

Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.

braa ignite123@192.168.1.125:.1.3.6.*

This can extract many MB of information that you cannot process manually.

So, let's look for the most interesting information (from https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/):

SNMP commands

The SNMP protocol uses several commands which are sent from the NMS to the managed device’s agent and back. These commands can be categorized as read, write, trap and traversal commands.

  • Read commands are sent by the NMS to nodes for monitoring purposes.
  • Write commands are used to control the nodes in the network.
  • The trap commands are used for unsolicited SNMP messages from a device’s agent to the NMS to inform the NMS about certain events such as errors.
  • Traversal commands are used to check what information is retained on a managed device and to retrieve it.

**SNMP Management Information Base (MIB)**

  • The SNMP Management Information Base (MIB) is a database that contains information about the network device. When the Network Management System (NMS) sends a ‘get’ request for information about a managed device on the network, the agent service returns a structured table with data. This table is what is called the Management Information Base (MIB). MIB values are indexed using a series of numbers with dots. For example, MIB value 1.3.6.1.2.1.1.1 refers to the system description (sysDescr) and value 1.3.6.1.2.1.1.6 refers to the system location (sysLocation).

SNMP Community strings

  • The SNMP community string is like a username or password that allows access to the managed device. There are three different community strings that allow a user to issue (1) read-only commands, (2) read and write commands and (3) traps. Most SNMPv1 and SNMPv2 devices ship from the factory with a default read-only community string set to ‘public’ and the read-write string set to ‘private’. As these default values are well-known and easy to guess, it is good security practice to replace all community strings with a value that is hard to guess. It is good practice to treat community strings as passwords. In SNMPv3, the community string was replaced by username and password authentication.
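The reason community strings must be treated as passwords is that in v1/v2c they travel in cleartext inside every datagram. The following added example (not from the original notes or from net-snmp) builds an SNMPv1 GetRequest for sysDescr.0 in pure Python using BER, and then reads the community string straight back out of the raw bytes, which is exactly what anyone on the path, or a defender checking a capture for ‘public’/‘private’, can do. Function names are my own; no network access is needed.

```python
"""Minimal SNMPv1 GetRequest encoder plus a cleartext community extractor (BER)."""
import struct

def ber_len(n: int) -> bytes:
    """BER length: short form below 0x80, otherwise two-byte long form."""
    return bytes([n]) if n < 0x80 else b"\x82" + struct.pack(">H", n)

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    # Minimal two's-complement INTEGER (non-negative values are enough here).
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)

def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 Message { version 0, community, GetRequest-PDU [0] }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # { OID, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))                           # id, err-status, err-index
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def community_from_packet(pkt: bytes) -> str:
    """Read the community string out of a v1/v2c datagram.
    No key or decryption is involved: that is the whole weakness of v1/v2c."""
    assert pkt[0] == 0x30                              # outer SEQUENCE
    i = 2 if pkt[1] < 0x80 else 2 + (pkt[1] & 0x7F)    # skip length field
    assert pkt[i] == 0x02                              # version INTEGER
    i += 2 + pkt[i + 1]
    assert pkt[i] == 0x04                              # community OCTET STRING
    n = pkt[i + 1]
    return pkt[i + 2 : i + 2 + n].decode()

if __name__ == "__main__":
    req = build_get_request("public", "1.3.6.1.2.1.1.1.0")  # sysDescr.0
    print(req.hex(), "->", community_from_packet(req))
```

To actually query a host, send `req` with `socket.sendto(req, (host, 161))` and parse the GetResponse the same way; the v3 command on this page avoids this exposure because the community string is replaced by a USM user with authentication and (with authPriv) encryption.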

https://hacktricks.boitatech.com.br/pentesting/pentesting-snmp
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
