SNMP Pentesting Notes

Protocol Overview

Basic Information

  • Port: UDP 161 (queries), UDP 162 (traps)

  • Protocol Type: Network management protocol

  • Purpose: Monitor and manage network devices

  • Security: Varies by version (v1/v2c - weak, v3 - strong)

SNMP Versions

  1. SNMPv1

    • Basic version

    • No encryption

    • Uses community strings

    • Still used in legacy systems

  2. SNMPv2c

    • Enhanced performance

    • Community string based

    • No real security improvements

    • Widely deployed

  3. SNMPv3

    • Strong authentication

    • Data encryption

    • Username/password based

    • Most secure version

Initial Enumeration

Port Scanning

# Basic UDP scan
nmap -sU -p 161,162 -sV <target>

# Aggressive scan with scripts
nmap -sU -p 161,162 -sV -sC -A <target>

# All SNMP scripts
nmap -sU -p 161,162 --script snmp-* <target>

Version Detection

# Using snmpwalk (v1/v2c answer only to a matching community string)
snmpwalk -v1 -c public <target>
snmpwalk -v2c -c public <target>
# SNMPv3 requires a security name (-u); an "Unknown user name" reply
# still confirms that the agent speaks v3
snmpwalk -v3 -u <user> -l noAuthNoPriv <target>

# Using onesixtyone
onesixtyone <target> public

Community String Testing

Basic Enumeration

# Testing default strings
snmpwalk -v1 -c public <target>
snmpwalk -v1 -c private <target>
snmpwalk -v1 -c manager <target>

# Using onesixtyone with wordlist
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt <target>

Automated Community Testing

# Using Nmap
nmap -sU -p 161 --script snmp-brute <target>

# Using custom community strings
# read the wordlist line by line and quote the string so entries with spaces survive
while IFS= read -r string; do
    snmpwalk -v1 -c "$string" <target>
done < community-strings.txt

Information Gathering

System Information

# Basic system info
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.1.1.0

# Running processes
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.4.2.1.2

# Installed software
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.6.3.1.2

Network Information

# Network interfaces
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.2.2.1.2

# IP addresses
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.20.1.1

# Routing information
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.21.1

Using Advanced Tools

braa

# Query multiple OIDs
braa public@<target>:.1.3.6.*

# Mass scanning
braa public@<network>/24:.1.3.6.1.2.1.1.1.0

snmp-check

# Basic check
snmp-check <target>

# Select the SNMP version (-v takes 1 or 2c; default is 1)
snmp-check -v 2c <target>

# Specific community string
snmp-check -c custom_string <target>

Common MIB/OID Values

OID                        Description
1.3.6.1.2.1.1.1.0          System Description
1.3.6.1.2.1.25.1.6.0       System Processes
1.3.6.1.2.1.25.4.2.1.2     Running Programs
1.3.6.1.2.1.25.4.2.1.4     Processes Path
1.3.6.1.2.1.25.2.3.1.4     Storage Units
1.3.6.1.2.1.25.6.3.1.2     Software Name
1.3.6.1.4.1.77.1.2.25      User Accounts

Common Vulnerabilities

  1. Weak Security:

    • Default community strings

    • SNMPv1/v2c usage

    • Exposed sensitive data

    • Writable OIDs

  2. Configuration Issues:

    • World-readable community strings

    • Excessive exposed information

    • Unrestricted access controls

    • Dangerous settings enabled

  3. Version Specific:

    • SNMPv1 no encryption

    • SNMPv2c cleartext transmission

    • Weak authentication methods

Post Exploitation

Information Extraction

  • Enumerate all accessible OIDs

  • Map network topology

  • Gather system information

  • Collect user accounts

  • Identify installed software

System Manipulation

  • Test write access to OIDs

  • Modify system configurations

  • Change network settings

  • Alter routing tables

Common SNMP Response Codes

Code             Description
noSuchObject     OID doesn't exist
noSuchInstance   No value for OID
endOfMibView     End of MIB tree reached
tooBig           Response too large
genErr           Generic error

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SNMP version

    • Test default community strings

    • Map accessible OIDs

    • Check write permissions

  2. Deep Enumeration:

    • Gather system details

    • Enumerate users

    • Check network configuration

    • Identify sensitive data

    • Test write capabilities

  3. Documentation:

    • Record community strings

    • Document accessible OIDs

    • Note writable objects

    • Save system information

    • List vulnerabilities

  4. Risk Assessment:

    • Evaluate information exposure

    • Assess configuration weaknesses

    • Consider exploitation potential

    • Recommend security improvements

Mitigation Recommendations

  1. Use SNMPv3 with authentication and encryption

  2. Implement strong community strings

  3. Restrict SNMP access by IP

  4. Limit exposed information

  5. Regular security audits

  6. Monitor SNMP traffic

  7. Update SNMP configurations

  8. Implement access controls
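As an added illustration (not part of the original notes) of recommendations 1 to 4 in a Net-SNMP snmpd.conf: the weak configuration these notes enumerate beside a hardened one. The addresses 192.0.2.1 and 192.0.2.10, the user and view names and the bracketed passphrases are assumed placeholders.

```conf
# --- BEFORE: the configuration the enumeration steps above rely on ---
# v1/v2c, default strings, whole MIB readable (and writable) from any source
rocommunity public
rwcommunity private

# --- AFTER: hardened Net-SNMP snmpd.conf ---
# 3. Listen only on the management interface (assumed address 192.0.2.1)
agentAddress udp:192.0.2.1:161

# 4. Limit exposed information: a view containing only the system and
#    interfaces groups. The host-resources (1.3.6.1.2.1.25) and enterprise
#    (1.3.6.1.4.1) subtrees walked in the notes above are deliberately absent.
view mgmtview included .1.3.6.1.2.1.1
view mgmtview included .1.3.6.1.2.1.2

# 1. SNMPv3 user with SHA authentication and AES privacy. createUser is
#    normally kept in the persistent store (/var/lib/snmp/snmpd.conf, or made
#    with net-snmp-create-v3-user) because the agent rewrites it as a localized key.
createUser monitor SHA "<auth-passphrase>" AES "<priv-passphrase>"
# Require the authPriv level and confine the user to the view
rouser monitor priv -V mgmtview

# 2+3. Only if a legacy poller still needs v2c: a long random string,
#      read-only, accepted from one assumed poller address (192.0.2.10),
#      confined to the same view. No rwcommunity line at all.
rocommunity <long-random-string> 192.0.2.10 -V mgmtview
```

After reloading the agent, re-running the snmpwalk commands from the Information Gathering section with the old strings should return nothing, and the v3 user should see only the system and interfaces groups.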