SNMP Pentesting Notes

Protocol Overview

Basic Information

  • Port: UDP 161 (queries), UDP 162 (traps)

  • Protocol Type: Network management protocol

  • Purpose: Monitor and manage network devices

  • Security: Varies by version (v1/v2c - weak, v3 - strong)

SNMP Versions

  1. SNMPv1

    • Basic version

    • No encryption

    • Uses community strings

    • Still used in legacy systems

  2. SNMPv2c

    • Enhanced performance

    • Community string based

    • No real security improvements

    • Widely deployed

  3. SNMPv3

    • Strong authentication

    • Data encryption

    • Username/password based

    • Most secure version
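The concrete difference between the versions above is visible on the wire: in v1 and v2c the community string is a plain OCTET STRING near the start of every datagram, so anyone on the path can read it, while v3 replaces it with a user name, an authentication digest and optional encryption. The following Python is an added example, not part of these notes or of any tool they mention. It implements just enough BER to build a v2c GetRequest for one OID, parses such a datagram back, and returns what a traffic-monitoring rule for "SNMPv1/v2c in use" or "default community string seen" would report. The default-string set and the datagrams are constructed here for the example.

```python
"""Minimal BER codec for SNMPv1/v2c: encode a GetRequest, parse one back,
and report what a monitoring rule would flag. Added example, not from the notes."""

# Tags used in SNMPv1/v2c messages (RFC 1157 / RFC 3416)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST = 0xA0

# Same defaults the notes test with snmpwalk (assumed list for this example)
DEFAULT_COMMUNITIES = {"public", "private", "manager"}

def _length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload

def encode_int(value: int) -> bytes:
    nbytes = max(1, (value.bit_length() + 8) // 8)  # leave room for the sign bit
    return _tlv(INTEGER, value.to_bytes(nbytes, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    """Dotted OID -> BER: first two arcs packed as 40*a+b, rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))

def encode_get_request(community: str, oid: str, version: int = 1, request_id: int = 1) -> bytes:
    """GetRequest for one OID. Wire version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = _tlv(SEQUENCE, encode_oid(oid) + _tlv(NULL, b""))
    pdu = _tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0)
               + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, encode_int(version) + _tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(payload: bytes) -> str:
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_message(datagram: bytes) -> dict:
    """Version, community, PDU type and first OID of a v1/v2c datagram."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):
        raise ValueError("not a v1/v2c message; v3 carries no community string")
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    pos = 0
    for _ in range(3):  # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, first_vb, _ = _read_tlv(varbinds, 0)
    _, oid_payload, _ = _read_tlv(first_vb, 0)
    return {"version": {0: "v1", 1: "v2c"}[version],
            "community": community.decode(errors="replace"),
            "pdu": pdu_tag, "oid": decode_oid(oid_payload)}

def audit_datagram(datagram: bytes) -> list:
    """Findings a monitoring rule would raise for one captured v1/v2c datagram."""
    info = parse_message(datagram)
    findings = [f"SNMP{info['version']} carries community string in cleartext"]
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{info['community']}' in use")
    return findings

if __name__ == "__main__":
    # Constructed datagram: the same sysDescr query the notes run with snmpwalk
    msg = encode_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(msg.hex())
    print(parse_message(msg))
    for finding in audit_datagram(msg):
        print("-", finding)
```

Feed `parse_message` the UDP payload of any port 161 datagram from a capture and it either returns the version and community or raises on a v3 header, which is exactly the split a detection rule needs: every successful parse is a cleartext credential on the network.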

Initial Enumeration

Port Scanning

# Basic UDP scan
nmap -sU -p 161,162 -sV <target>

# Aggressive scan with scripts
nmap -sU -p 161,162 -sV -sC -A <target>

# All SNMP scripts
nmap -sU -p 161,162 --script snmp-* <target>

Version Detection

# Using snmpwalk
snmpwalk -v1 -c public <target>
snmpwalk -v2c -c public <target>
snmpwalk -v3 <target>

# Using onesixtyone
onesixtyone <target> public

Community String Testing

Basic Enumeration

# Testing default strings
snmpwalk -v1 -c public <target>
snmpwalk -v1 -c private <target>
snmpwalk -v1 -c manager <target>

# Using onesixtyone with wordlist
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt <target>

Automated Community Testing

# Using Nmap
nmap -sU -p 161 --script snmp-brute <target>

# Using custom community strings (read line by line so strings with spaces or globs survive)
while IFS= read -r string; do
    snmpwalk -v1 -c "$string" <target>
done < community-strings.txt

Information Gathering

System Information

# Basic system info
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.1.1.0

# Running processes
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.4.2.1.2

# Installed software
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.6.3.1.2

Network Information

# Network interfaces
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.2.2.1.2

# IP addresses
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.20.1.1

# Routing information
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.21.1

Using Advanced Tools

braa

# Query multiple OIDs
braa public@<target>:.1.3.6.*

# Mass scanning
braa public@192.168.1.0/24:.1.3.6.1.2.1.1.1.0

snmp-check

# Basic check
snmp-check <target>

# Verbose output
snmp-check -v <target>

# Specific community string
snmp-check -c custom_string <target>

Common MIB/OID Values

OID                       Description
1.3.6.1.2.1.1.1.0         System Description
1.3.6.1.2.1.25.1.6.0      System Processes
1.3.6.1.2.1.25.4.2.1.2    Running Programs
1.3.6.1.2.1.25.4.2.1.4    Process Paths
1.3.6.1.2.1.25.2.3.1.4    Storage Units
1.3.6.1.2.1.25.6.3.1.2    Software Name
1.3.6.1.4.1.77.1.2.25     User Accounts

Common Vulnerabilities

  1. Weak Security:

    • Default community strings

    • SNMPv1/v2c usage

    • Exposed sensitive data

    • Writable OIDs

  2. Configuration Issues:

    • World-readable community strings

    • Excessive exposed information

    • Unrestricted access controls

    • Dangerous settings enabled

  3. Version Specific:

    • SNMPv1: no encryption

    • SNMPv2c: cleartext transmission

    • Weak authentication methods

Post Exploitation

Information Extraction

  • Enumerate all accessible OIDs

  • Map network topology

  • Gather system information

  • Collect user accounts

  • Identify installed software

System Manipulation

  • Test write access to OIDs

  • Modify system configurations

  • Change network settings

  • Alter routing tables

Common SNMP Response Codes

Error             Description
noSuchObject      OID doesn't exist
noSuchInstance    No value for OID
endOfMibView      End of MIB tree reached
tooBig            Response too large
genErr            Generic error

Best Practices for Pentesting

  1. Initial Reconnaissance:

    • Identify SNMP version

    • Test default community strings

    • Map accessible OIDs

    • Check write permissions

  2. Deep Enumeration:

    • Gather system details

    • Enumerate users

    • Check network configuration

    • Identify sensitive data

    • Test write capabilities

  3. Documentation:

    • Record community strings

    • Document accessible OIDs

    • Note writable objects

    • Save system information

    • List vulnerabilities

  4. Risk Assessment:

    • Evaluate information exposure

    • Assess configuration weaknesses

    • Consider exploitation potential

    • Recommend security improvements

Mitigation Recommendations

  1. Use SNMPv3 with authentication and encryption

  2. Implement strong community strings

  3. Restrict SNMP access by IP

  4. Limit exposed information

  5. Perform regular security audits

  6. Monitor SNMP traffic

  7. Update SNMP configurations

  8. Implement access controls
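Most of the points above map onto a handful of lines in a net-snmp style snmpd.conf. The following Python is an added example, not from these notes or from the net-snmp project: it audits such a file for default community strings, communities accepted from any source, write communities, SNMPv3 users below the priv level or created with legacy MD5/DES, and configurations that have no SNMPv3 users at all. Directive syntax follows the net-snmp snmpd.conf man page (an omitted rouser/rwuser level is treated as auth here); the two configs and the default-string set are constructed for the example, and the createUser passwords are placeholders.

```python
"""Audit a net-snmp style snmpd.conf against the mitigation list. Added example, not from the notes."""
import shlex

DEFAULT_COMMUNITIES = {"public", "private", "manager"}  # assumed default-string list

# Constructed configs for the demo; credentials are placeholders, not real secrets
WEAK_CONF = """\
# v1/v2c with vendor defaults, reachable from anywhere
rocommunity public
rwcommunity private
rouser monitor noauth
"""

HARDENED_CONF = """\
agentaddress udp:161
createUser nms SHA AUTHPASS_PLACEHOLDER AES PRIVPASS_PLACEHOLDER
rouser nms priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""

def audit_snmpd_conf(text: str) -> list:
    """Return one finding string per weakness, tagged with the config line number."""
    findings, saw_community, saw_v3_user = [], False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; no SOURCE means "default" (anyone)
            saw_community = True
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            if community in DEFAULT_COMMUNITIES:
                findings.append(f"line {lineno}: default community string '{community}'")
            if source == "default":
                findings.append(f"line {lineno}: community '{community}' accepted from any source")
            if directive.startswith("rw"):
                findings.append(f"line {lineno}: write access granted to community '{community}'")

        elif directive == "com2sec":
            # com2sec NAME SOURCE COMMUNITY
            saw_community = True
            if len(args) >= 3:
                if args[1] == "default":
                    findings.append(f"line {lineno}: community '{args[2]}' accepted from any source")
                if args[2] in DEFAULT_COMMUNITIES:
                    findings.append(f"line {lineno}: default community string '{args[2]}'")

        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv ...]; an omitted level is treated as auth here
            saw_v3_user = True
            user = args[0] if args else "?"
            level = args[1].lower() if len(args) > 1 and not args[1].startswith("-") else "auth"
            if level == "noauth":
                findings.append(f"line {lineno}: SNMPv3 user '{user}' allowed without authentication")
            elif level == "auth":
                findings.append(f"line {lineno}: SNMPv3 user '{user}' allowed without encryption")

        elif directive == "createuser":
            # createUser USER [MD5|SHA] AUTHPASS [DES|AES] PRIVPASS
            user = args[0] if args else "?"
            if len(args) < 5:
                findings.append(f"line {lineno}: SNMPv3 user '{user}' has no privacy protocol")
            elif args[1].upper() == "MD5" or args[3].upper() == "DES":
                findings.append(f"line {lineno}: SNMPv3 user '{user}' uses legacy MD5/DES")

    if saw_community and not saw_v3_user:
        findings.append("only SNMPv1/v2c community access is configured; no SNMPv3 users")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_snmpd_conf(conf) or ['no findings']}")
```

Run it against the real file (`audit_snmpd_conf(open("/etc/snmp/snmpd.conf").read())`) after each configuration change; a clean result means every access path is an SNMPv3 user at the priv level with a restricted view, which is the end state recommendations 1, 3, 4 and 8 describe.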
