SNMP Enumeration

Overview

Simple Network Management Protocol (SNMP) is a network protocol used for monitoring and managing network devices. SNMP can reveal extensive information about network infrastructure, system configuration, and running processes, making it valuable for both administration and penetration testing.

Key Characteristics:

Port 161: SNMP (UDP) - Queries and commands
Port 162: SNMP Traps (UDP) - Unsolicited notifications
Versions: SNMPv1, SNMPv2c, SNMPv3
Authentication: Community strings (v1/v2c), user-based (v3)
Data Structure: Management Information Base (MIB)

SNMP Communication:

Traditional: Client actively requests information from server
Traps: Server sends data packets to client without explicit request
Addressing: Uses Object Identifiers (OIDs) for unique addressing

MIB (Management Information Base)

MIB is an independent format for storing device information in a standardized tree hierarchy. It contains:

Object Identifier (OID): Unique address for each object
Name: Human-readable identifier
Type: Data type specification
Access Rights: Read/write permissions
Description: Object functionality description

Key MIB Characteristics:

Written in Abstract Syntax Notation One (ASN.1) format
ASCII text-based
Explains where to find information and data types
Does not contain actual data, only structure definitions

OID (Object Identifier)

OIDs represent nodes in a hierarchical namespace using dot notation:

Structure: Sequence of numbers (e.g., 1.3.6.1.2.1.1.1.0)
Hierarchy: Longer chains = more specific information
Universal: Standardized across vendors and systems
Registry: Many OIDs documented in Object Identifier Registry

SNMP Versions

Version

Security

Authentication

Description

SNMPv1

None

Community string

Original version, no encryption, no built-in authentication

SNMPv2c

None

Community string

Improved performance, community-based, no encryption

SNMPv3

Yes

User-based

Username/password authentication, encryption via pre-shared key, high complexity

Detailed Version Analysis:

SNMPv1: First version, still used in small networks, supports information retrieval, device configuration, and traps, but lacks authentication and encryption
SNMPv2c: Extended version with additional functions, community string transmitted in plain text, no built-in encryption
SNMPv3: Significantly increased security with authentication and encryption, but also increased complexity requiring more configuration

Default Configuration

The default SNMP daemon configuration defines basic settings including IP addresses, ports, MIB, OIDs, authentication, and community strings.

Example SNMP Daemon Config (`/etc/snmp/snmpd.conf`)

# View SNMP daemon configuration
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

# Example configuration:
sysLocation    Sitting on the Dock of the Bay
sysContact     Me <me@example.org>
sysServices    72
master  agentx
agentaddress  127.0.0.1,[::1]
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1
rocommunity  public default -V systemonly
rocommunity6 public default -V systemonly
rouser authPrivUser authpriv -V systemonly

Key Configuration Parameters:

sysLocation: Physical location description
sysContact: Administrative contact (often contains email)
sysServices: Services provided by the entity
agentaddress: IP addresses and ports for SNMP agent
rocommunity: Read-only community string configuration
rouser: Read-only user configuration for SNMPv3

Dangerous Settings

Some dangerous settings that administrators can configure with SNMP:

Setting

Description

Risk Level

rwuser noauth

Provides access to full OID tree without authentication

Critical

rwcommunity <community> <IPv4>

Provides access to full OID tree regardless of request source

Critical

rwcommunity6 <community> <IPv6>

Same as rwcommunity but for IPv6 addresses

Critical

High-Risk Configuration Examples:

# DANGEROUS: Write access without authentication
rwuser noauth

# DANGEROUS: Write access from any source
rwcommunity public 0.0.0.0/0

# DANGEROUS: IPv6 write access from any source  
rwcommunity6 public ::/0

Community Strings

Community strings act as passwords that determine whether requested information can be viewed or not. They are transmitted in plain text, making them vulnerable to interception.

Key Issues with Community Strings:

Lack of encryption in SNMPv1/v2c
Transmitted over network in plain text
Can be intercepted and read
Many organizations still use default values
Often bound to specific IP addresses but with predictable patterns

Common Default Community Strings

# Read-only community strings
public
private
community
snmp
read
manager
admin
guest

# Read-write community strings
private
write
admin
root

Community String Patterns:

Often named with hostname of the host
Sometimes include symbols to make identification harder
In large networks (100+ servers), labels follow patterns
Can be brute-forced using custom wordlists

Enumeration Techniques

1. Service Detection

# Nmap SNMP detection
nmap -sU -p161 target

# Comprehensive SNMP enumeration
nmap -sU -p161 --script snmp-info,snmp-netstat,snmp-processes target

2. Community String Brute Force

# Using onesixtyone for community string brute forcing
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt target

# Custom community string list
onesixtyone -c community_strings.txt target

# Using snmpwalk to test community strings
snmpwalk -v2c -c public target
snmpwalk -v2c -c private target

3. SNMP Walking

# Basic SNMP walk
snmpwalk -v2c -c public target

# Walk specific OID
snmpwalk -v2c -c public target 1.3.6.1.2.1.1

# Save output for analysis
snmpwalk -v2c -c public target | tee snmp_output.txt

4. Specific Information Gathering

# System information
snmpwalk -v2c -c public target 1.3.6.1.2.1.1.1.0

# Network interfaces
snmpwalk -v2c -c public target 1.3.6.1.2.1.2.2.1.2

# Process information
snmpwalk -v2c -c public target 1.3.6.1.2.1.25.1.6.0

# User accounts
snmpwalk -v2c -c public target 1.3.6.1.4.1.77.1.2.25

5. Using Braa for OID Brute Forcing

# Install braa
sudo apt install braa

# Basic braa syntax
braa <community_string>@<IP>:.1.3.6.*

# Example usage
braa public@target:.1.3.6.*

# Braa example output
target:20ms:.1.3.6.1.2.1.1.1.0:Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64
target:20ms:.1.3.6.1.2.1.1.2.0:.1.3.6.1.4.1.8072.3.2.10
target:20ms:.1.3.6.1.2.1.1.3.0:548
target:20ms:.1.3.6.1.2.1.1.4.0:mrb3n@inlanefreight.htb
target:20ms:.1.3.6.1.2.1.1.5.0:htb
target:20ms:.1.3.6.1.2.1.1.6.0:US
target:20ms:.1.3.6.1.2.1.1.7.0:78

6. Detailed SNMP Walking with Real Output

# Complete SNMP walk example
snmpwalk -v2c -c public target

# Example detailed output analysis:
iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.11.0-34-generic #36~20.04.1-Ubuntu SMP Fri Aug 27 08:06:32 UTC 2021 x86_64"
iso.3.6.1.2.1.1.4.0 = STRING: "mrb3n@inlanefreight.htb"
iso.3.6.1.2.1.1.5.0 = STRING: "htb"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"

# Extract Python packages (software enumeration):
iso.3.6.1.2.1.25.6.3.1.2.1232 = STRING: "printer-driver-sag-gdi_0.1-7_all"
iso.3.6.1.2.1.25.6.3.1.2.1233 = STRING: "printer-driver-splix_2.0.0+svn315-7fakesync1build1_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1234 = STRING: "procps_2:3.3.16-1ubuntu2.3_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1235 = STRING: "proftpd-basic_1.3.6c-2_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1236 = STRING: "proftpd-doc_1.3.6c-2_all"
iso.3.6.1.2.1.25.6.3.1.2.1243 = STRING: "python3_3.8.2-0ubuntu2_amd64"
iso.3.6.1.2.1.25.6.3.1.2.1244 = STRING: "python3-acme_1.1.0-1_all"
iso.3.6.1.2.1.25.6.3.1.2.1245 = STRING: "python3-apport_2.20.11-0ubuntu27.21_all"

Important OIDs (Object Identifiers)

System Information OIDs

# System description
1.3.6.1.2.1.1.1.0

# System contact (admin email)
1.3.6.1.2.1.1.4.0

# System name
1.3.6.1.2.1.1.5.0

# System location
1.3.6.1.2.1.1.6.0

# System uptime
1.3.6.1.2.1.1.3.0

Network Information OIDs

# Network interfaces
1.3.6.1.2.1.2.2.1.2

# IP addresses
1.3.6.1.2.1.4.20.1.1

# Routing table
1.3.6.1.2.1.4.21.1.1

# ARP table
1.3.6.1.2.1.4.22.1.2

Process and Service OIDs

# Running processes
1.3.6.1.2.1.25.1.6.0

# Process table
1.3.6.1.2.1.25.4.2.1.2

# Service information
1.3.6.1.2.1.25.1.7.1.2

# Software installed
1.3.6.1.2.1.25.6.3.1.2

Advanced Enumeration

Using Nmap NSE Scripts

# Comprehensive SNMP enumeration
nmap -sU -p161 --script snmp-info,snmp-netstat,snmp-processes,snmp-sysdescr target

# SNMP brute force community strings
nmap -sU -p161 --script snmp-brute target

# SNMP interface information
nmap -sU -p161 --script snmp-interfaces target

# SNMP system information
nmap -sU -p161 --script snmp-system-info target

Custom OID Queries

# Query specific OID
snmpget -v2c -c public target 1.3.6.1.2.1.1.4.0

# Query multiple OIDs
snmpget -v2c -c public target 1.3.6.1.2.1.1.1.0 1.3.6.1.2.1.1.4.0

# Walk specific branch
snmpwalk -v2c -c public target 1.3.6.1.2.1.25.1.7

Information Extraction

System Administrator Contact

# Extract admin email from system contact
snmpwalk -v2c -c public target 1.3.6.1.2.1.1.4.0

# Example output analysis:
# iso.3.6.1.2.1.1.4.0 = STRING: "devadmin <devadmin@inlanefreight.htb>"
# Admin email: devadmin@inlanefreight.htb

Custom Version Information

# Extract custom SNMP version
snmpwalk -v2c -c public target 1.3.6.1.2.1.1.6.0

# Example output:
# iso.3.6.1.2.1.1.6.0 = STRING: "InFreight SNMP v0.91"

Running Processes and Scripts

# Extract custom scripts and processes
snmpwalk -v2c -c public target 1.3.6.1.2.1.25.1.7.1.2

# Look for custom scripts like:
# iso.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71 = STRING: "/usr/share/flag.sh"

Practical Examples

HTB Academy Style Enumeration

# Step 1: Community string brute force
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt target
# Result: Found community string "backup"

# Step 2: SNMP walking with found community string
snmpwalk -v2c -c backup target

# Step 3: Extract admin email
snmpwalk -v2c -c backup target | grep -i "@"
# Result: devadmin@inlanefreight.htb

# Step 4: Extract custom version
snmpwalk -v2c -c backup target | grep -i "version"
# Result: InFreight SNMP v0.91

# Step 5: Look for custom scripts and flags
snmpwalk -v2c -c backup target | grep -i "htb\|flag"
# Result: HTB{...}

HTB Academy Lab Questions Examples

# Question 1: "Enumerate the SNMP service and obtain the email address of the admin"
# Step 1: Find valid community string
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt target
# Step 2: Extract admin contact
snmpwalk -v2c -c found_community target 1.3.6.1.2.1.1.4.0
# Look for: iso.3.6.1.2.1.1.4.0 = STRING: "admin <admin@inlanefreight.htb>"
# Answer: admin@inlanefreight.htb

# Question 2: "What is the customized version of the SNMP server?"
# Extract from system location or custom OID
snmpwalk -v2c -c found_community target 1.3.6.1.2.1.1.6.0
# Look for: iso.3.6.1.2.1.1.6.0 = STRING: "InFreight SNMP v0.91"
# Answer: InFreight SNMP v0.91

# Question 3: "Enumerate the custom script that is running on the system"
# Look for custom scripts in process/service OIDs
snmpwalk -v2c -c found_community target 1.3.6.1.2.1.25.1.7.1.2
# Look for custom script paths like:
# iso.3.6.1.2.1.25.1.7.1.2.1.2.4.70.76.65.71 = STRING: "/usr/share/flag.sh"
# Execute or analyze the script output
# Answer: Script output or HTB{...} flag

Real Output Analysis from HTB Academy

# Example misconfigured SNMP server output
snmpwalk -v2c -c public target

# Key information to extract:
# 1. System contact (admin email):
iso.3.6.1.2.1.1.4.0 = STRING: "mrb3n@inlanefreight.htb"

# 2. Installed packages (reconnaissance):
iso.3.6.1.2.1.25.6.3.1.2.1235 = STRING: "proftpd-basic_1.3.6c-2_amd64"

# 3. System information:
iso.3.6.1.2.1.1.1.0 = STRING: "Linux htb 5.11.0-34-generic"

# 4. Network interfaces and configuration details

# This information reveals:
# - Admin contact: mrb3n@inlanefreight.htb
# - ProFTPD installed (potential attack vector)
# - Linux system details
# - Network configuration

Information Parsing

# Parse SNMP output for specific information
snmpwalk -v2c -c public target > snmp_full.txt

# Extract email addresses
grep -i "@" snmp_full.txt

# Extract IP addresses
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' snmp_full.txt

# Extract file paths
grep -oE '"/[^"]*"' snmp_full.txt

# Extract process information
grep -i "process\|service" snmp_full.txt

Security Assessment

Common Vulnerabilities

Default Community Strings: Using default "public" or "private"
Information Disclosure: Excessive information exposure
Weak Community Strings: Easily guessable strings
SNMPv1/v2c Usage: Unencrypted protocols
Write Access: Unauthorized configuration changes

Community String Testing

# Test common community strings
for community in public private community snmp read manager admin; do
    echo "Testing: $community"
    snmpwalk -v2c -c $community target 1.3.6.1.2.1.1.1.0
done

Enumeration Checklist

Initial Discovery

Port scan for 161/UDP
Service version detection
SNMP version identification
Community string brute force

Information Gathering

System information extraction
Network interface enumeration
Process and service discovery
User account identification

Detailed Analysis

Custom script identification
Configuration file discovery
Credential extraction
Network topology mapping

Security Testing

Write access testing
Information disclosure assessment
Weak community string identification
Encryption status verification

Tools and Techniques

Essential SNMP Tools

# Basic tools
snmpwalk             # SNMP tree walking
snmpget              # Specific OID queries
snmpset              # SNMP value setting (if write access)

# Enumeration tools
onesixtyone          # Community string brute forcing
braa                 # OID brute forcing and fast SNMP scanner
snmp-check           # Comprehensive SNMP enumeration
nmap                 # NSE script-based enumeration

# Analysis tools
snmptranslate        # OID translation
snmpnetstat          # Network statistics via SNMP

Tool Installation and Usage

# Install SNMP tools
sudo apt install snmp snmp-mibs-downloader

# Install onesixtyone
sudo apt install onesixtyone

# Install braa
sudo apt install braa

# Download MIBs
sudo download-mibs

# Tool comparison:
# - snmpwalk: Comprehensive but slower
# - onesixtyone: Fast community string discovery
# - braa: Fast OID enumeration and bulk queries
# - nmap: Integrated with other reconnaissance

Custom Scripts

# SNMP community string tester
#!/bin/bash
target=$1
wordlist=$2

while read community; do
    result=$(snmpwalk -v2c -c $community $target 1.3.6.1.2.1.1.1.0 2>/dev/null)
    if [ $? -eq 0 ]; then
        echo "Found valid community: $community"
    fi
done < $wordlist

# SNMP information extractor
#!/bin/bash
target=$1
community=$2

echo "System Information:"
snmpwalk -v2c -c $community $target 1.3.6.1.2.1.1

echo "Network Interfaces:"
snmpwalk -v2c -c $community $target 1.3.6.1.2.1.2.2.1.2

echo "Process Information:"
snmpwalk -v2c -c $community $target 1.3.6.1.2.1.25.1.6.0

Defensive Measures

Secure SNMP Configuration

# Disable SNMP if not needed
systemctl stop snmpd
systemctl disable snmpd

# Configure SNMPv3 with authentication
# In /etc/snmp/snmpd.conf:
createUser myuser MD5 mypassword DES
rouser myuser

# Disable SNMPv1/v2c
# Remove community string configurations

Best Practices

Use SNMPv3: Implement encryption and authentication
Strong Community Strings: Use complex, unique strings
Access Controls: Limit SNMP access by IP/network
Minimal Exposure: Only expose necessary information
Regular Audits: Monitor SNMP access and configuration

Detection and Monitoring

# Monitor SNMP access
tcpdump -i any port 161

# Check SNMP logs
tail -f /var/log/snmpd.log

# Analyze unusual SNMP queries
grep "snmp" /var/log/syslog

Common Attack Vectors

1. Information Gathering

Network topology discovery
System configuration extraction
User account enumeration
Process and service identification

2. Credential Harvesting

Extract stored passwords
Identify service accounts
Discover configuration files
Find backup credentials

3. Network Reconnaissance

ARP table analysis
Routing table examination
Interface configuration review
Network device identification

PreviousEmail Services (IMAP/POP3)NextIPMI Enumeration

Last updated 5 months ago

hashtagOverview

hashtagMIB (Management Information Base)

hashtagOID (Object Identifier)

hashtagSNMP Versions

hashtagDefault Configuration

hashtagExample SNMP Daemon Config (/etc/snmp/snmpd.conf)

hashtagDangerous Settings

hashtagCommunity Strings

hashtagCommon Default Community Strings

hashtagEnumeration Techniques

hashtag1. Service Detection

hashtag2. Community String Brute Force

hashtag3. SNMP Walking

hashtag4. Specific Information Gathering

hashtag5. Using Braa for OID Brute Forcing

hashtag6. Detailed SNMP Walking with Real Output

hashtagImportant OIDs (Object Identifiers)

hashtagSystem Information OIDs

hashtagNetwork Information OIDs

hashtagProcess and Service OIDs

hashtagAdvanced Enumeration

hashtagUsing Nmap NSE Scripts

hashtagCustom OID Queries

hashtagInformation Extraction

hashtagSystem Administrator Contact

hashtagCustom Version Information

hashtagRunning Processes and Scripts

hashtagPractical Examples

hashtagHTB Academy Style Enumeration

hashtagHTB Academy Lab Questions Examples

hashtagReal Output Analysis from HTB Academy

hashtagInformation Parsing

hashtagSecurity Assessment

hashtagCommon Vulnerabilities

hashtagCommunity String Testing

hashtagEnumeration Checklist

hashtagInitial Discovery

hashtagInformation Gathering

hashtagDetailed Analysis

hashtagSecurity Testing

hashtagTools and Techniques

hashtagEssential SNMP Tools

hashtagTool Installation and Usage

hashtagCustom Scripts

hashtagDefensive Measures

hashtagSecure SNMP Configuration

hashtagBest Practices

hashtagDetection and Monitoring

hashtagCommon Attack Vectors

hashtag1. Information Gathering

hashtag2. Credential Harvesting

hashtag3. Network Reconnaissance

Overview

MIB (Management Information Base)

OID (Object Identifier)

SNMP Versions

Default Configuration

Example SNMP Daemon Config (`/etc/snmp/snmpd.conf`)

Dangerous Settings

Community Strings

Common Default Community Strings

Enumeration Techniques

1. Service Detection

2. Community String Brute Force

3. SNMP Walking

4. Specific Information Gathering

5. Using Braa for OID Brute Forcing

6. Detailed SNMP Walking with Real Output

Important OIDs (Object Identifiers)

System Information OIDs

Network Information OIDs

Process and Service OIDs

Advanced Enumeration

Using Nmap NSE Scripts

Custom OID Queries

Information Extraction

System Administrator Contact

Custom Version Information

Running Processes and Scripts

Practical Examples

HTB Academy Style Enumeration

HTB Academy Lab Questions Examples

Real Output Analysis from HTB Academy

Information Parsing

Security Assessment

Common Vulnerabilities

Community String Testing

Enumeration Checklist

Initial Discovery

Information Gathering

Detailed Analysis

Security Testing

Tools and Techniques

Essential SNMP Tools

Tool Installation and Usage

Custom Scripts

Defensive Measures

Secure SNMP Configuration

Best Practices

Detection and Monitoring

Common Attack Vectors

1. Information Gathering

2. Credential Harvesting

3. Network Reconnaissance