Enumeration Cheatsheets

Enumerating SNMP for Pentesting (UDP Ports 161, 162)

This post contains various commands and methods for enumerating the SNMP service. This article will be expanded upon as time goes on.


Using NMAP

Bruteforcing community strings:
sudo nmap -sU -p 161 --script snmp-brute <ipAddr>

Bruteforcing community strings with custom wordlist:
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ipAddr>

Enumerate users on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-users <ipAddr>

Enumerate services on remote machine:
sudo nmap -sU -p 161 --script snmp-win32-services <ipAddr>

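Run all SNMP-related Nmap scripts (quote the wildcard so the shell does not expand it; the nmap/ output directory must already exist):
sudo nmap -sU -p 161 --script "snmp-*" <ipAddr> -oG nmap/snmp.txt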


Using SNMPWALK

Enumerate SNMPv2c with a community string of public:
snmpwalk -v2c -c public <ipAddr>

To search for installed software:
snmpwalk -v2c -c public <ipAddr> hrSWInstalledName

To query the amount of RAM on the host:
snmpwalk -v2c -c public <ipAddr> hrMemorySize

Note: There are additional OIDs that you can provide to enumerate specific information.


Using ONESIXTYONE

To brute-force communities:
onesixtyone -c /usr/share/doc/onesixtyone/dict.txt <ipAddr>


Using SNMPSET

To change an OID to a different value (snmpset also needs the value's type, e.g. s for a string):
snmpset -v2c -c public <ipAddr> <OID> <type> <newValue>

To change the sysContact OID:
snmpset -v2c -c public <ipAddr> sysContact.0 s <newValue>
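
A defender-side check for the settings the commands above depend on, added here as an example (not part of the original post): it reads a net-snmp snmpd.conf and flags well-known community strings, write communities and communities with no source restriction. The directive names are net-snmp's; the sample configuration and the finding labels are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Flags snmpd.conf lines that let
# community brute-forcing, snmpwalk and snmpset succeed against a host.

# Constructed sample configuration (not taken from a real host).
sample_conf() {
cat <<'EOF'
# constructed sample
rocommunity public
rwcommunity private 10.0.0.0/24
rocommunity Xk29-monitoring 10.0.0.5
com2sec readonly default public
EOF
}

# audit_snmpd_conf [FILE]: print "line:LABEL:directive community" per finding.
# Reads stdin when FILE is omitted. Labels are hypothetical names.
audit_snmpd_conf() {
    awk '
    function report(label) { printf "%d:%s:%s %s\n", NR, label, $1, comm }
    # rocommunity/rwcommunity COMMUNITY [SOURCE ...]
    $1 ~ /^r[ow]community6?$/ { comm = $2; src = $3 }
    # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
    $1 == "com2sec"           { comm = $NF; src = $(NF - 1) }
    # Everything else (comments, blanks, other directives) is ignored.
    $1 !~ /^(r[ow]community6?|com2sec)$/ { next }
    {
        # Well-known strings sit at the top of every community wordlist.
        if (comm == "public" || comm == "private") report("DEFAULT_COMMUNITY")
        # A write community lets anyone who learns it change OIDs.
        if ($1 ~ /^rwcommunity/) report("WRITE_ACCESS")
        # No source, or a catch-all source, answers queries from any address.
        if (src == "" || src == "default" || src == "0.0.0.0/0") report("ANY_SOURCE")
    }' "${1:--}"
}

sample_conf | audit_snmpd_conf
```

On a real host, pass the configuration path as the argument, typically /etc/snmp/snmpd.conf.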