Introduction

SNMP (Simple Network Management Protocol) is a protocol used to manage and monitor devices on IP networks. It operates on a manager-agent model, where the manager queries agents on network devices like routers and switches to gather their operational status. SNMP supports versions SNMPv1, SNMPv2, and SNMPv3, with SNMPv3 offering enhanced security through authentication and encryption.

SNMP enumeration & exploitation

| Command | Description |
| --- | --- |
| `onesixtyone -c community.txt -i [PATH-TO-IPS]` | Scans multiple IPs using a list of common SNMP community strings. |
| `snmpwalk -c [COMMUNITY-STRING] -v1 [TARGET-IP]` | Recursively queries SNMP MIBs to enumerate system details (SNMP v1). |
| `snmp-check [TARGET-IP]` | Performs detailed enumeration of SNMP services using default or specified strings. |
| `snmpcheck -c [COMMUNITY-STRING] -t [TARGET-IP]` | Retrieves SNMP device info using targeted community strings. |
| `msf> use auxiliary/scanner/snmp/snmp_enum` | Metasploit module for enumerating SNMP info such as system, network, and service data. |

Nmap SNMP script enumeration

Use the Nmap scripting engine (NSE) to probe SNMP services for data and vulnerabilities:

| Nmap Script | Description |
| --- | --- |
| `snmp-brute.nse` | Brute-forces SNMP community strings. |
| `snmp-info.nse` | Retrieves general system information. |
| `snmp-interfaces.nse` | Lists available network interfaces on the device. |
| `snmp-netstat.nse` | Displays open network connections and stats. |
| `snmp-processes.nse` | Shows a list of running processes. |
| `snmp-sysdescr.nse` | Retrieves the system description banner. |

Usage: `nmap [TARGET-IP] -Pn -sU -p 161 --script=[SCRIPT_NAME]`

Brute-force SNMP credentials

Use the following tools and methods to discover valid community strings:

| Command | Description |
| --- | --- |
| `onesixtyone -c /path/to/wordlist.txt [TARGET-IP]` | Fast SNMP community string brute-forcing tool. |
| `hydra -P /path/to/wordlist.txt [TARGET-IP] snmp` | Uses Hydra to brute-force SNMP community strings. |
| `nmap -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=/path/to/community.lst [TARGET-IP]` | Brute-forces SNMP community strings using Nmap and a custom list. |
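
The wordlist tools above succeed only where an agent still accepts a guessable SNMPv1/v2c community string, so the defensive counterpart is to audit the agent configuration for them. The following is an added example, not part of the original page: it assumes a net-snmp `snmpd.conf`, and the function name `audit_snmpd_conf`, the short word list, and the sample configuration are all constructed for illustration.

```python
# Constructed sample of commonly guessed community strings (assumption: in
# practice, load the same wordlist your own scanners use).
GUESSABLE = {"public", "private", "community", "snmp", "manager", "admin"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed snmpd.conf content, embedded so the example runs offline.
SAMPLE_CONF = """\
# constructed example
rocommunity public
rwcommunity N3t-0ps-rw 10.0.5.0/24
rocommunity6 monitoring default
com2sec readonly default private
com2sec local 127.0.0.1 Xk29-lab-ro
rouser authPrivUser priv
"""

def audit_snmpd_conf(text):
    """Return (line_number, issue) pairs for SNMPv1/v2c community definitions."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        directive, args = fields[0].lower(), fields[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE ...]; a missing SOURCE means "default"
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:      # optional "-Cn CONTEXT" prefix
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]  # com2sec SECNAME SOURCE COMMUNITY
        else:
            continue                      # rouser/rwuser (SNMPv3) and other lines
        if community.lower() in GUESSABLE:
            findings.append((number, "guessable community string"))
        if source in ANY_SOURCE:
            findings.append((number, "no source restriction"))
        if directive.startswith("rwcommunity"):
            findings.append((number, "read-write community"))
    return findings

if __name__ == "__main__":
    for number, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {number}: {issue}")
```

Lines that define only SNMPv3 users (`rouser`, `rwuser`) produce no findings, which matches the introduction's point that SNMPv3 replaces community strings with authentication and encryption.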