SNMP Pentesting Notes

Protocol Overview

Basic Information

  • Port: UDP 161 (queries), UDP 162 (traps)

  • Protocol Type: Network management protocol

  • Purpose: Monitor and manage network devices

  • Security: Varies by version (v1/v2c - weak, v3 - strong)

SNMP Versions

  1. SNMPv1

    • Basic version

    • No encryption

    • Uses community strings

    • Still used in legacy systems

  2. SNMPv2c

    • Enhanced performance

    • Community string based

    • No real security improvements

    • Widely deployed

  3. SNMPv3

    • Strong authentication

    • Data encryption

    • User-based security (usernames with authentication and privacy passphrases)

    • Most secure version

Initial Enumeration

Port Scanning

Version Detection

Community String Testing

Basic Enumeration

Automated Community Testing

Information Gathering

System Information

Network Information

Using Advanced Tools

braa

snmp-check

Common MIB/OID Values

OID                        Description
1.3.6.1.2.1.1.1.0          System description
1.3.6.1.2.1.25.1.6.0       System processes
1.3.6.1.2.1.25.4.2.1.2     Running programs
1.3.6.1.2.1.25.4.2.1.4     Process paths
1.3.6.1.2.1.25.2.3.1.4     Storage units
1.3.6.1.2.1.25.6.3.1.2     Software names
1.3.6.1.4.1.77.1.2.25      User accounts

Common Vulnerabilities

  1. Weak Security:

    • Default community strings

    • SNMPv1/v2c usage

    • Exposed sensitive data

    • Writable OIDs

  2. Configuration Issues:

    • World-readable community strings

    • Excessive exposed information

    • Unrestricted access controls

    • Dangerous settings enabled

  3. Version Specific:

    • SNMPv1 no encryption

    • SNMPv2c cleartext transmission

    • Weak authentication methods

Post Exploitation

Information Extraction

  • Enumerate all accessible OIDs

  • Map network topology

  • Gather system information

  • Collect user accounts

  • Identify installed software

System Manipulation

  • Test write access to OIDs

  • Modify system configurations

  • Change network settings

  • Alter routing tables

Common SNMP Response Codes

Error             Description
noSuchObject      OID doesn't exist
noSuchInstance    No value for OID
endOfMibView      End of MIB tree reached
tooBig            Response too large
genErr            Generic error

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SNMP version

    • Test default community strings

    • Map accessible OIDs

    • Check write permissions

  2. Deep Enumeration:

    • Gather system details

    • Enumerate users

    • Check network configuration

    • Identify sensitive data

    • Test write capabilities

  3. Documentation:

    • Record community strings

    • Document accessible OIDs

    • Note writable objects

    • Save system information

    • List vulnerabilities

  4. Risk Assessment:

    • Evaluate information exposure

    • Assess configuration weaknesses

    • Consider exploitation potential

    • Recommend security improvements

Mitigation Recommendations

  1. Use SNMPv3 with authentication and encryption

  2. Implement strong community strings

  3. Restrict SNMP access by IP

  4. Limit exposed information

  5. Regular security audits

  6. Monitor SNMP traffic

  7. Update SNMP configurations

  8. Implement access controls
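An added example (not part of the original notes) that supports the "Monitor SNMP traffic" recommendation above and the version comparison earlier: it BER-decodes the header of a captured UDP/161 datagram, reports whether the message is v1, v2c or v3, and flags cleartext and default community strings. The sample datagrams, the `read_tlv`/`parse_snmp_header`/`audit` names and the default-community set are all constructed for this example.

```python
# Added example (not from the original notes): minimal BER decoding of the SNMP
# message header, to audit captured UDP/161 datagrams for v1/v2c traffic and
# default community strings. All sample datagrams below are constructed.
DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: 0x81 nn / 0x82 nn nn
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return (version_name, community); community is None for SNMPv3."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(raw_version, "big")
    name = VERSION_NAMES.get(version, f"unknown({version})")
    if version == 3:                        # v3 carries msgGlobalData here, no community
        return name, None
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return name, community.decode("latin-1")

def audit(datagram):
    """Findings a traffic monitor would raise for one datagram."""
    name, community = parse_snmp_header(datagram)
    findings = []
    if community is not None:
        findings.append(f"{name}: cleartext community string")
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: default community '{community}'")
    return findings

# Constructed samples: v2c GetRequest for sysDescr.0 with community "public";
# v1 and v3 headers truncated after the fields the parser reads.
SAMPLE_V2C_GET = bytes.fromhex(
    "302902010104067075626c6963a01c02040a0b0c0d020100020100300e300c06082b060102010101000500")
SAMPLE_V1_HEADER = bytes.fromhex("300c020100040770726976617465")
SAMPLE_V3_HEADER = bytes.fromhex("3003020103")
```

Feed it the UDP payloads from a packet capture of port 161/162 to get an inventory of agents still answering v1/v2c and of the community strings in use, which is the evidence needed to plan the SNMPv3 migration.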