SNMP Enumeration

What is SNMP?

SNMP (Simple Network Management Protocol) was designed to help admins manage and monitor network devices. Routers, switches, servers, printers. All remotely queryable.

The problem? It was designed for convenience, not security. And the information it exposes is devastating from a pentester’s perspective.


Why SNMP Is a Goldmine

SNMP can reveal:

  • All local user accounts
  • Every running process
  • All installed software with version numbers
  • Open TCP/UDP ports (including ones only listening locally)
  • Network interfaces and IP configurations
  • System information (OS, uptime, hardware)

All from a single protocol. All with a single “password.”


The Community String

SNMP authentication is a joke. Versions 1, 2, and 2c use a community string as the only form of access control. It’s essentially a plaintext password sent over UDP.

The defaults:

  String     Access
  public     Read-only
  private    Read-write

Most administrators never change these.
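To show what "never changed the defaults" looks like in a real agent config and what the fixed version looks like next to it, here is an added example that is not part of the original page: a small audit of a net-snmp snmpd.conf. The directive names (rocommunity, rwcommunity, createUser, rouser, view) are real net-snmp syntax; the two configuration bodies, the severity labels and the passphrase placeholders are constructed for this example.

```python
# Added example, not from the original page: audit a net-snmp snmpd.conf for the
# default community strings and missing source restrictions described above.
# The directive names (rocommunity, rwcommunity, createUser, rouser, view) are
# real net-snmp syntax; the two config bodies below are constructed samples.

DEFAULT_COMMUNITIES = {"public", "private", "manager", "cisco"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample: the out-of-the-box style of config the text describes.
WEAK_CONF = """\
# Anyone can read the whole tree, and 'private' gives write access.
rocommunity public
rwcommunity private
"""

# Constructed sample of a hardened config: no v1/v2c communities at all, one
# SNMPv3 user with SHA authentication and AES privacy, read-only, and limited
# to the system subtree via a view. Passphrases are placeholders.
HARDENED_CONF = """\
createUser monitor SHA "<long-auth-passphrase>" AES "<long-priv-passphrase>"
view systemonly included .1.3.6.1.2.1.1
rouser monitor authpriv -V systemonly
"""


def audit_snmpd_conf(text):
    """Return (severity, message) findings for the given snmpd.conf body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        community = parts[1] if len(parts) > 1 else ""
        # Syntax is: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
        source = parts[2] if len(parts) > 2 and not parts[2].startswith("-") else None
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default community string '{community}': {line}"))
        if directive.startswith("rw"):
            findings.append(("high", f"read-write community enabled: {line}"))
        if source is None or source.lower() == "default":
            findings.append(("medium", f"community '{community}' accepts any source address: {line}"))
    return findings


def highest_severity(findings):
    """Collapse a findings list to 'high', 'medium', or 'clean'."""
    levels = {s for s, _ in findings}
    if "high" in levels:
        return "high"
    if "medium" in levels:
        return "medium"
    return "clean"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_snmpd_conf(conf)
        print(f"{name}: {highest_severity(findings)}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

The weak config produces five findings (two default strings, one read-write community, two unrestricted sources); the hardened one produces none, because it has no v1/v2c community lines at all and relies on a v3 user whose credentials never cross the wire in the clear.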


Why It Gets Worse

  • SNMP runs over UDP (stateless, susceptible to spoofing)
  • Versions 1, 2, 2c have no encryption. Community strings are sent in the clear.
  • Even SNMPv3 only recently got proper encryption (AES-256). Older v3 implementations used DES-56, which is easily cracked.

If SNMP is open on a target, it’s often the single highest-value enumeration source. More information than SMB, SMTP, and banner grabbing combined.


The MIB Tree

SNMP data is organized in a Management Information Base (MIB), a hierarchical tree structure. Each piece of data has a unique OID (Object Identifier), a dotted number path.

Think of it like a file system. You query an OID and the agent returns the data at that branch.

Key Windows MIB Values

  OID                       Data
  1.3.6.1.2.1.25.1.6.0      System Processes
  1.3.6.1.2.1.25.4.2.1.2    Running Programs
  1.3.6.1.2.1.25.4.2.1.4    Process Paths
  1.3.6.1.2.1.25.2.3.1.4    Storage Units
  1.3.6.1.2.1.25.6.3.1.2    Installed Software
  1.3.6.1.4.1.77.1.2.25     User Accounts
  1.3.6.1.2.1.6.13.1.3      TCP Local Ports

Scanning for SNMP

SNMP runs over UDP, so scan with nmap's -sU:

sudo nmap -sU --open -p 161 10.10.10.0/24 -oG snmp.txt

The --open flag filters the output to only show hosts where port 161 is confirmed open.


Brute-Forcing Community Strings

onesixtyone is a fast SNMP scanner that brute-forces community strings against a list of IPs.

Create your community string wordlist:

echo public > community.txt
echo private >> community.txt
echo manager >> community.txt
echo cisco >> community.txt

Generate your IP list:

for ip in $(seq 1 254); do echo 10.10.10.$ip; done > ips.txt

Run it:

onesixtyone -c community.txt -i ips.txt

Any hits tell you the community string and basic system info immediately.


Querying with snmpwalk

Once you know the community string, snmpwalk lets you query the MIB tree.

Walk the Entire Tree

snmpwalk -c public -v1 -t 10 10.10.10.50

  • -c public sets the community string
  • -v1 specifies SNMP version 1
  • -t 10 increases the timeout to 10 seconds

This dumps everything. It can be a lot of output.


Targeted Queries

Better to query specific OID branches:

Enumerate users:

snmpwalk -c public -v1 10.10.10.50 1.3.6.1.4.1.77.1.2.25

Returns all local user accounts: Administrator, Guest, service accounts.


Enumerate running processes:

snmpwalk -c public -v1 10.10.10.50 1.3.6.1.2.1.25.4.2.1.2

Shows every running process. Look for:

  • Antivirus software (know what you’re up against)
  • Vulnerable services (outdated web servers, databases)
  • Security tools (know what’s monitoring the system)

Enumerate installed software:

snmpwalk -c public -v1 10.10.10.50 1.3.6.1.2.1.25.6.3.1.2

Lists all installed software with version numbers. Cross-reference with running processes to find what version of a running service is installed, then search for CVEs.


Enumerate open TCP ports:

snmpwalk -c public -v1 10.10.10.50 1.3.6.1.2.1.6.13.1.3

This is especially valuable. It reveals ports that are only listening locally, which an external Nmap scan would never see. These internal services are often less hardened.

SNMP port enumeration can reveal services that no other scanning technique finds. A database listening on localhost, a debug interface on a high port, a management API bound to 127.0.0.1.
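The rows snmpwalk prints for 1.3.6.1.2.1.6.13.1.3 carry more than the port value: the OID suffix is the tcpConnTable index, which encodes local address, local port, remote address and remote port. The following added example (not part of the original page) decodes that index from constructed snmpwalk output and separates listening sockets from established connections, then picks out the loopback-only listeners the text describes. The index layout is the real TCP-MIB layout; the sample walk lines and addresses are constructed, not taken from a real host.

```python
# Added example, not from the original page: decode the rows that snmpwalk
# prints for the tcpConnLocalPort column (1.3.6.1.2.1.6.13.1.3) and pick out
# the listeners bound only to loopback. The index layout (local address, local
# port, remote address, remote port) is the real TCP-MIB tcpConnTable index;
# the walk output below is constructed sample data, not from a real host.
import re

TCP_CONN_LOCAL_PORT = "1.3.6.1.2.1.6.13.1.3"

# Constructed sample in net-snmp's numeric output style (no MIB files loaded).
SAMPLE_WALK = """\
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.80.0.0.0.0.0 = INTEGER: 80
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
iso.3.6.1.2.1.6.13.1.3.127.0.0.1.3306.0.0.0.0.0 = INTEGER: 3306
iso.3.6.1.2.1.6.13.1.3.127.0.0.1.8443.0.0.0.0.0 = INTEGER: 8443
iso.3.6.1.2.1.6.13.1.3.10.10.10.50.445.10.10.10.7.49812 = INTEGER: 445
"""

# Accept "iso.3...", ".1.3..." or "1.3..." prefixes, or the symbolic MIB name.
_ROW = re.compile(
    r"^(?:(?:iso|\.?1)\.3\.6\.1\.2\.1\.6\.13\.1\.3|TCP-MIB::tcpConnLocalPort)"
    r"\.(\d+(?:\.\d+){9})\s*=\s*INTEGER:\s*(\d+)\s*$"
)


def parse_tcp_conn_rows(walk_output):
    """Turn snmpwalk lines into dicts with decoded local/remote endpoints."""
    rows = []
    for line in walk_output.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        arcs = m.group(1).split(".")
        rows.append({
            "local_addr": ".".join(arcs[0:4]),
            "local_port": int(arcs[4]),
            "remote_addr": ".".join(arcs[5:9]),
            "remote_port": int(arcs[9]),
            "value": int(m.group(2)),
        })
    return rows


def listening_ports(rows):
    """Listening sockets have no peer yet: remote endpoint 0.0.0.0:0."""
    return sorted({r["local_port"] for r in rows
                   if r["remote_addr"] == "0.0.0.0" and r["remote_port"] == 0})


def loopback_only(rows):
    """Listeners bound to 127.0.0.0/8: invisible to an external port scan."""
    return sorted((r["local_addr"], r["local_port"]) for r in rows
                  if r["local_addr"].startswith("127.")
                  and r["remote_addr"] == "0.0.0.0" and r["remote_port"] == 0)


if __name__ == "__main__":
    rows = parse_tcp_conn_rows(SAMPLE_WALK)
    print("listening:", listening_ports(rows))
    print("loopback only:", loopback_only(rows))
```

On the sample data the established 445 session to 10.10.10.7 is dropped from the listener list, and 3306 and 8443 are reported as loopback-only: exactly the services an external Nmap scan would miss but a read-only community string hands over. The same decoder works on a defender's own walk to inventory what the agent is exposing before anyone else does.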


The Enumeration Chain

The real power of SNMP is combining the data:

  1. Users tell you who to target for credential attacks
  2. Processes tell you what’s running and what to exploit
  3. Software versions tell you which CVEs to look for
  4. Local ports tell you what’s hidden from external scans
  5. All of this informs your next steps

Don’t skip UDP scanning. SNMP on port 161 is consistently one of the most overlooked and most valuable enumeration vectors.


Practice Boxes

  • Pit - SNMP enumeration reveals a hidden web application path
  • Conceal - SNMP and IPsec enumeration for initial access