This post contains various commands and methods for enumerating the SNMP service. It will be expanded upon as time goes on.
What is SNMP?
SNMP operates using UDP, which is a basic and stateless protocol, making it vulnerable to IP spoofing and replay attacks. Furthermore, widely adopted SNMP versions, such as 1, 2, and 2c, do not encrypt data, allowing for the easy interception of SNMP data and credentials over local networks. Additionally, conventional SNMP protocols often employ feeble authentication methods and are frequently set up with default public and private community strings, further compromising their security.
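The weaknesses described above (default community names, write access, communities answerable from any host) are visible in a net-snmp snmpd.conf, so a defender can audit for them before an attacker finds them. The following shell function is an added example, not part of the original post; the rocommunity/rwcommunity directive syntax is net-snmp's, and the two config fragments it runs against are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a net-snmp snmpd.conf for the weak settings the post describes.
# Directive syntax: (ro|rw)community[6] COMMUNITY [SOURCE [OID|-V VIEW]]
# A missing SOURCE, or the word "default", means any host may use the community.

# Community names that every brute-force wordlist tries first (the post's own list).
DEFAULT_COMMUNITIES="public private manager management"

audit_snmpd_conf() {
    # $1: path to an snmpd.conf; prints one finding per line, nothing when clean
    awk -v defaults="$DEFAULT_COMMUNITIES" '
        BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) weak[d[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 ~ /^(ro|rw)community6?$/ {
            directive = $1; community = $2; source = $3
            if (directive ~ /^rw/)
                print "WRITE  " community ": rwcommunity grants SNMP SET (write) access"
            if (community in weak)
                print "WEAK   " community ": default community name, trivially guessed"
            if (source == "" || source == "default")
                print "OPEN   " community ": no source restriction, any host may query"
        }' "$1"
}

# Constructed config fragment with the classic mistakes
WEAK_CONF=$(mktemp)
printf '%s\n' \
    '# constructed snmpd.conf: defaults left in place' \
    'rocommunity public' \
    'rwcommunity private' \
    'rocommunity monitor 10.0.0.0/24' \
    'rocommunity6 public default' > "$WEAK_CONF"

# Constructed config fragment after hardening: non-default name, read-only, source-restricted
HARDENED_CONF=$(mktemp)
printf '%s\n' \
    '# constructed snmpd.conf: hardened' \
    'rocommunity Xq9-monitoring-only 10.0.0.0/24' > "$HARDENED_CONF"

echo "== weak config =="
audit_snmpd_conf "$WEAK_CONF"
echo "== hardened config =="
audit_snmpd_conf "$HARDENED_CONF"
```

The audit only covers community-based (v1/v2c) access; an SNMPv3 `rouser` line with authPriv does not trigger any finding, which is the configuration to move toward since it replaces the cleartext community string with authentication and encryption.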
What are MIBs?
The SNMP Management Information Base (MIB) is essentially a database that typically holds data pertinent to network management. This database is structured in a tree-like format, where each branch symbolizes various organizations or network functionalities. The end points of these branches, akin to the leaves on a tree, are associated with distinct variable values. These values can be retrieved and examined by an external entity.
Using NMAP
Find hosts with SNMP running and output them to a file:
sudo nmap -sU --open -p 161 <targetRange> -oG open-snmp.txt
Brute-force community strings:
sudo nmap -sU -p 161 --script snmp-brute <ipAddr>
Brute-force community strings with a custom wordlist:
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ipAddr>
Enumerate users on the remote machine:
sudo nmap -sU -p 161 --script snmp-win32-users <ipAddr>
Enumerate services on the remote machine:
sudo nmap -sU -p 161 --script snmp-win32-services <ipAddr>
Run all SNMP-related Nmap scripts (the wildcard is quoted so the shell does not expand it):
sudo nmap -sU -p 161 --script "snmp-*" <ipAddr> -oG nmap/snmp.txt
Using SNMPWALK
Once you find SNMP services and their associated community string, you can query them for data of interest by enumerating the MIBs. This tool automates walking the MIB tree.
Enumerate SNMPv1 with a community string of “public” AND limit the timeout to 10 seconds:
snmpwalk -c public -v1 -t 10 <ipAddr>
Enumerate SNMPv1 with a community string of “public” AND automatically translate any hexadecimal string into ASCII that was otherwise not decoded:
snmpwalk -c public -v1 -Oa <ipAddr>
Enumerate SNMPv2c with a community string of “public”:
snmpwalk -v2c -c public <ipAddr>
Enumerate SNMPv2c with a community string of “public” AND search for installed software:
snmpwalk -v2c -c public <ipAddr> hrSWInstalledName
Enumerate SNMPv2c with a community string of “public” AND show the amount of RAM on the host:
snmpwalk -v2c -c public <ipAddr> hrMemorySize
Querying Specific MIBs
Once you have walked the MIB tree for the target host, you can query specific OIDs directly to return specific data.
Enumerate local Windows users on a system using SNMPv1 with a community string of “public”:
snmpwalk -c public -v1 <ipAddr> 1.3.6.1.4.1.77.1.2.25
Enumerate currently running processes on a Windows system using SNMPv1 with a community string of “public”:
snmpwalk -c public -v1 <ipAddr> 1.3.6.1.2.1.25.4.2.1.2
Enumerate installed software on a Windows system using SNMPv1 with a community string of “public”:
snmpwalk -c public -v1 <ipAddr> 1.3.6.1.2.1.25.6.3.1.2
Enumerate current TCP listening ports on a Windows system using SNMPv1 with a community string of “public”:
snmpwalk -c public -v1 <ipAddr> 1.3.6.1.2.1.6.13.1.3
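The last query returns the tcpConnLocalPort column of the TCP connection table, and the interesting data is not only the value but the OID index itself, which encodes local address, local port, remote address and remote port. The following shell function is an added example, not part of the original post: it decodes snmpwalk output of 1.3.6.1.2.1.6.13.1.3 into listeners and established connections. The input lines are constructed to mimic net-snmp's output, in both the numeric (`iso.3.6...`) and the MIB-resolved (`TCP-MIB::tcpConnLocalPort`) form.

```shell
#!/bin/sh
# Added example: decode the tcpConnTable index from snmpwalk output.
# Each OID under 1.3.6.1.2.1.6.13.1.3 ends in ten numbers:
#   localAddr(4 octets).localPort.remoteAddr(4 octets).remotePort
# A remote side of 0.0.0.0:0 is a listening socket.

decode_tcp_conn_table() {
    # $1: file containing `snmpwalk ... 1.3.6.1.2.1.6.13.1.3` output
    awk '
        {
            oid = $1
            # Strip the column prefix in the three spellings net-snmp emits
            hit  = sub(/^(iso|1)\.3\.6\.1\.2\.1\.6\.13\.1\.3\./, "", oid)
            hit += sub(/^SNMPv2-SMI::mib-2\.6\.13\.1\.3\./, "", oid)
            hit += sub(/^TCP-MIB::tcpConnLocalPort\./, "", oid)
            if (!hit) next                          # not a tcpConnLocalPort row
            if (split(oid, f, ".") != 10) next      # malformed index, skip it
            local  = f[1] "." f[2] "." f[3] "." f[4] ":" f[5]
            remote = f[6] "." f[7] "." f[8] "." f[9] ":" f[10]
            if (remote == "0.0.0.0:0") print "listen    " local
            else                       print "connected " local " -> " remote
        }' "$1"
}

# Constructed snmpwalk output: three listeners, one outbound connection,
# and one unrelated hrSWRunName row that the decoder must ignore
SAMPLE_TCP=$(mktemp)
printf '%s\n' \
    'iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135' \
    'iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445' \
    'iso.3.6.1.2.1.6.13.1.3.10.0.0.5.49683.10.0.0.9.443 = INTEGER: 49683' \
    'TCP-MIB::tcpConnLocalPort.10.0.0.5.3389.0.0.0.0.0 = INTEGER: 3389' \
    'iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"' > "$SAMPLE_TCP"

decode_tcp_conn_table "$SAMPLE_TCP"
```

Run it against real output with `snmpwalk -c public -v1 <ipAddr> 1.3.6.1.2.1.6.13.1.3 > tcp.txt` and then `decode_tcp_conn_table tcp.txt`. The same OID-index decoding applies to the other columns of the table (tcpConnState is column 1), which is why walking the whole table yields the same index several times.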
Using ONESIXTYONE
First, build a text file that contains a list of community strings, one per line. For example, some common ones are:
public
private
manager
management
To brute-force communities against a single IP using the wordlist shipped with onesixtyone:
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ipAddr>
To brute-force against a list of IPs:
onesixtyone -c <wordList> -i <targetFile>
Using SNMPSET
To set an OID to a different value (snmpset requires the value's type, e.g. s for string, i for integer, and a write-enabled community):
snmpset -v2c -c public <ipAddr> <OID> <type> <newValue>
To change the sysContact OID (a scalar, so the instance is .0):
snmpset -v2c -c public <ipAddr> sysContact.0 s "<newValue>"
Sample Enumeration Workflow
You may first start by trying to enumerate all of the SNMP servers within your subnet. Using Nmap for this may be the best/fastest option.
sudo nmap -sU --open -p 161 <ipRange> -oG open-snmp.txt
With this, parse open-snmp.txt to get a list of only the IPs. Clean that up and save it as a file “snmp.hosts”. Pass that over to a tool like onesixtyone to try and brute-force a valid community string (with no -c option onesixtyone tries only the default community “public”; add -c <wordList> to test a list).
onesixtyone -i snmp.hosts
With any luck, you’ll find a valid SNMP community string for a specific host, and you can enumerate it further with snmpwalk. With some research, you can find a specific MIB to query to extract specific information.
snmpwalk -c public -v1 <ipAddr>
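The step that the workflow leaves to the reader is turning open-snmp.txt into snmp.hosts. The shell script below is an added example, not part of the original post; it parses Nmap's grepable (-oG) format and hands the result to onesixtyone only if that tool is installed. One caveat it handles: with -sU, a host that never answers the probe is reported as open|filtered, and --open keeps those too, so the parser keeps only confirmed open hosts by default and makes the open|filtered ones opt-in. The scan output is constructed to follow the -oG layout.

```shell
#!/bin/sh
# Added example: build snmp.hosts from `nmap -sU --open -p 161 -oG open-snmp.txt`.
# Grepable rows look like:  Host: <ip> (<name>)<TAB>Ports: 161/open/udp//snmp///

extract_snmp_hosts() {
    # $1: nmap -oG file; $2: "yes" to also keep hosts reported as open|filtered
    awk -v keep="${2:-no}" '
        /^Host:/ && /Ports:/ {
            if (index($0, "161/open/udp")) print $2
            else if (keep == "yes" && index($0, "161/open|filtered/udp")) print $2
        }' "$1" | sort -u
}

brute_force_communities() {
    # $1: host list (snmp.hosts); $2: community wordlist
    # Not run automatically below; it is the step that follows in the workflow.
    if command -v onesixtyone >/dev/null 2>&1; then
        onesixtyone -c "$2" -i "$1"
    else
        echo "onesixtyone not installed; would run: onesixtyone -c $2 -i $1" >&2
        return 1
    fi
}

# Constructed scan output standing in for open-snmp.txt (tabs as Nmap writes them)
SCAN_OUTPUT=$(mktemp)
{
    printf '# Nmap 7.94 scan initiated as: nmap -sU --open -p 161 -oG open-snmp.txt 10.0.0.0/29\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.1 ()\tPorts: 161/open/udp//snmp///\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.2 ()\tPorts: 161/open|filtered/udp//snmp///\n'
    printf 'Host: 10.0.0.3 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.3 ()\tPorts: 161/open/udp//snmp///\n'
    printf '# Nmap done: 8 IP addresses (3 hosts up) scanned\n'
} > "$SCAN_OUTPUT"

HOSTS_FILE=$(mktemp)                                  # stands in for snmp.hosts
extract_snmp_hosts "$SCAN_OUTPUT" > "$HOSTS_FILE"
echo "confirmed open:"; cat "$HOSTS_FILE"
echo "including open|filtered:"; extract_snmp_hosts "$SCAN_OUTPUT" yes
```

In practice, pass the open|filtered hosts along as well when the target network drops ICMP port-unreachable messages, since onesixtyone's community probe is a cheaper and more reliable liveness check than Nmap's UDP scan.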