SNMP (Simple Network Management Protocol) Pentesting

SNMP is an internet standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. It runs over UDP, and the default port is 161.

Enumeration

nmap -sU --script snmp-info -p 161 <target-ip>
nmap -sU --script snmp-interfaces -p 161 <target-ip>
nmap -sU --script snmp-processes -p 161 <target-ip>
nmap -sU --script snmp-sysdescr -p 161 <target-ip>
# Quote the wildcard so the shell passes it to nmap instead of expanding it
nmap -sU --script "snmp*" -p 161 <target-ip>

# For SNMP v1
# -c: Community name
snmpwalk -v1 -c public -m ALL <ip>:<port>
# For SNMP v2c
snmpwalk -v2c -c public -m ALL <ip>:<port>
# For SNMP v3
# -l: Security level. 'noAuthNoPriv', 'authNoPriv', 'authPriv'.
# -u: Security name (user). SNMPv3 uses user names, not community strings (-c).
snmpwalk -v3 -l noAuthNoPriv -u <username> -m ALL <ip>:<port>

# -c: community
# -p: port
snmp-check <target-ip> -p 161 -c public

Brute Force the Community Names

hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <target-ip> snmp

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <target-ip>

Configuration Files

cat /etc/snmp/snmpd.conf
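
A defender-side check for the file above, as an added example that is not part of the original page: it parses net-snmp snmpd.conf text and flags well-known community strings, write access granted by community string, missing source restrictions, and SNMPv3 users allowed without authentication. The function name audit_snmpd_conf, the WEAK list and the sample configuration are constructed for illustration.

```python
# Added example: flags risky access directives in a net-snmp snmpd.conf.
WEAK = {"public", "private", "community", "snmp", "manager"}  # constructed short list
OPEN_SOURCES = {None, "default", "0.0.0.0/0", "::/0"}         # reachable from anywhere
COMMUNITY_KEYS = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return [(line_no, issue)] for risky directives in snmpd.conf text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tok:
            continue
        key, args = tok[0].lower(), tok[1:]
        community = source = None
        if key in COMMUNITY_KEYS and args:
            # rocommunity COMMUNITY [SOURCE [OID]]
            community = args[0]
            source = args[1] if len(args) > 1 else None
            if key.startswith("rw"):
                findings.append((no, "write access via community string"))
        elif key == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) >= 3:
                source, community = args[1], args[2]
        elif key in ("rouser", "rwuser") and "noauth" in (a.lower() for a in args):
            findings.append((no, "SNMPv3 user allowed without authentication"))
        if community is None:
            continue
        if community.lower() in WEAK:
            findings.append((no, f"well-known community string '{community}'"))
        if source in OPEN_SOURCES:
            findings.append((no, "no source address restriction"))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# snmpd.conf (constructed)
rocommunity public
rwcommunity private 10.0.0.0/24
rocommunity n0c-Mon1tor 192.0.2.10
com2sec notConfigUser default public
rouser monitor noauth
rouser backup priv
"""

if __name__ == "__main__":
    for line_no, issue in audit_snmpd_conf(SAMPLE):
        print(f"line {line_no}: {issue}")
```

Run it against the real file with audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read()); an empty list means none of these four conditions were found, not that the configuration is otherwise sound.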