# SNMP Pentesting Notes

## Protocol Overview

### Basic Information

* **Port**: UDP 161 (queries), UDP 162 (traps)
* **Protocol Type**: Network management protocol
* **Purpose**: Monitor and manage network devices
* **Security**: Varies by version (v1/v2c - weak, the community string is the only credential and travels in cleartext; v3 - strong when authentication and encryption are enabled)

### SNMP Versions

1. **SNMPv1**
   * Basic version
   * No encryption
   * Uses community strings
   * Still used in legacy systems
2. **SNMPv2c**
   * Enhanced performance
   * Community string based
   * No real security improvements
   * Widely deployed
3. **SNMPv3**
   * Strong authentication
   * Data encryption
   * Username/password based
   * Most secure version
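To make the "no encryption" point concrete, here is an added example (not from the original notes) that hand-encodes an SNMPv2c GetRequest for sysDescr.0 with BER and then parses it back the way a passive sensor on a SPAN port would. The community string is plainly visible in the datagram bytes, which is why v1/v2c credentials can be read off the wire and why the mitigation section recommends SNMPv3. The function names (`build_get_request`, `parse_community_message`, `weak_community_finding`) are this example's own; no packets are sent.

```python
"""
Added example: minimal BER encoder/decoder for SNMPv1/v2c community messages.
Shows that version, community string and PDU type are readable by anyone who
can see the datagram.  Only definite-length BER is implemented; no network I/O.
"""

# Universal/constructed tags used by SNMP (RFC 1157 / RFC 3416)
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
            0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
# Default community strings listed in the notes above
DEFAULT_COMMUNITIES = {"public", "private", "manager"}


def ber_length(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v: int) -> bytes:
    size = (v.bit_length() + 8) // 8          # +8 leaves room for the sign bit
    return tlv(TAG_INTEGER, v.to_bytes(size, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_get_request(version: int, community: str, oid: str, request_id: int = 0x1234) -> bytes:
    """Message ::= SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = tlv(TAG_SEQUENCE, ber_oid(oid) + tlv(TAG_NULL, b""))
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(TAG_SEQUENCE, varbind))
    return tlv(TAG_SEQUENCE, ber_integer(version)
               + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                           # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_community_message(datagram: bytes) -> dict:
    """What a passive monitor can read from a v1/v2c datagram without any key."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        # v3 carries msgGlobalData and USM parameters here, not a community string
        return {"version": "v3", "community": None, "pdu": None}
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSIONS.get(version, f"unknown({version})"),
            "community": community.decode(errors="replace"),
            "pdu": PDU_TAGS.get(pdu_tag, f"unknown(0x{pdu_tag:02x})")}


def weak_community_finding(msg: dict):
    """Defender check: flag v1/v2c traffic that still uses a default community string."""
    if msg["version"] in ("v1", "v2c") and msg["community"] in DEFAULT_COMMUNITIES:
        return f"{msg['version']} {msg['pdu']} with default community '{msg['community']}'"
    return None


if __name__ == "__main__":
    pkt = build_get_request(1, "public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())                    # 'public' is visible as 7075626c6963
    print(weak_community_finding(parse_community_message(pkt)))
```

The same parser, fed datagrams from a pcap or a raw UDP socket bound to port 161, is enough to inventory which community strings and versions are in use on a segment before enforcing the SNMPv3-only policy described under mitigations.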

## Initial Enumeration

### Port Scanning

```bash
# Basic UDP scan
nmap -sU -p 161,162 -sV <target>

# Aggressive scan with scripts
nmap -sU -p 161,162 -sV -sC -A <target>

# All SNMP scripts
nmap -sU -p 161,162 --script snmp-* <target>
```

### Version Detection

```bash
# Using snmpwalk: an agent that answers for a given version reveals what it supports
snmpwalk -v1 -c public <target>
snmpwalk -v2c -c public <target>
# SNMPv3 needs a username and a security level; authPriv with SHA/AES shown
snmpwalk -v3 -u <user> -l authPriv -a SHA -A <auth_pass> -x AES -X <priv_pass> <target>

# Using onesixtyone (quick check of a single community string)
onesixtyone <target> public
```

## Community String Testing

### Basic Enumeration

```bash
# Testing default strings
snmpwalk -v1 -c public <target>
snmpwalk -v1 -c private <target>
snmpwalk -v1 -c manager <target>

# Using onesixtyone with wordlist
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt <target>
```

### Automated Community Testing

```bash
# Using Nmap
nmap -sU -p 161 --script snmp-brute <target>

# Using a custom community-string list (read line by line, quoted, so strings
# with spaces survive; only sysDescr.0 is fetched so a hit does not dump the whole tree)
while IFS= read -r string; do
    snmpwalk -v1 -c "$string" <target> 1.3.6.1.2.1.1.1.0 && echo "valid: $string"
done < community-strings.txt
```

## Information Gathering

### System Information

```bash
# Basic system info
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.1.1.0

# Running processes
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.4.2.1.2

# Installed software
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.25.6.3.1.2
```

### Network Information

```bash
# Network interfaces
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.2.2.1.2

# IP addresses
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.20.1.1

# Routing information
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.21.1
```

## Using Advanced Tools

### braa

```bash
# Query multiple OIDs
braa public@<target>:.1.3.6.*

# Mass scanning (braa takes a dashed IP range rather than CIDR notation)
braa public@192.168.1.1-192.168.1.254:.1.3.6.1.2.1.1.1.0
```

### snmp-check

```bash
# Basic check
snmp-check <target>

# Specify the SNMP version (-v takes 1 or 2c; it is not a verbosity flag)
snmp-check -v 2c <target>

# Specific community string
snmp-check -c custom_string <target>
```

## Common MIB/OID Values

| OID                    | Object                       | Description                          |
| ---------------------- | ---------------------------- | ------------------------------------ |
| 1.3.6.1.2.1.1.1.0      | sysDescr.0                   | System Description                   |
| 1.3.6.1.2.1.25.1.6.0   | hrSystemProcesses.0          | System Processes (count)             |
| 1.3.6.1.2.1.25.4.2.1.2 | hrSWRunName                  | Running Programs                     |
| 1.3.6.1.2.1.25.4.2.1.4 | hrSWRunPath                  | Processes Path                       |
| 1.3.6.1.2.1.25.2.3.1.4 | hrStorageAllocationUnits     | Storage Units (allocation unit size) |
| 1.3.6.1.2.1.25.6.3.1.2 | hrSWInstalledName            | Software Name                        |
| 1.3.6.1.4.1.77.1.2.25  | svUserTable (LanManager MIB) | User Accounts (Windows agents)       |

## Common Vulnerabilities

1. **Weak Security**:
   * Default community strings
   * SNMPv1/v2c usage
   * Exposed sensitive data
   * Writable OIDs
2. **Configuration Issues**:
   * Community strings stored in world-readable configuration files
   * Excessive information exposed through an unrestricted view
   * No source-address restrictions on who may query the agent
   * Write access enabled where it is not needed
3. **Version Specific**:
   * SNMPv1: no encryption, the community string is the only credential
   * SNMPv2c: same cleartext transmission as v1
   * SNMPv3 deployed with weak security levels (noAuthNoPriv or authNoPriv) or legacy MD5/DES

## Post Exploitation

### Information Extraction

* Enumerate all accessible OIDs
* Map network topology
* Gather system information
* Collect user accounts
* Identify installed software

### System Manipulation

* Test write access to OIDs
* Modify system configurations
* Change network settings
* Alter routing tables

## Common SNMP Response Codes

The first three are SNMPv2 exception values returned in place of a varbind's value; the last two are error-status codes set on the whole response.

| Code           | Type         | Description                                    |
| -------------- | ------------ | ---------------------------------------------- |
| noSuchObject   | exception    | OID doesn't exist on this agent                |
| noSuchInstance | exception    | Object exists but this instance has no value   |
| endOfMibView   | exception    | End of MIB tree (or of the allowed view) reached |
| tooBig         | error-status | Response too large for a single message        |
| genErr         | error-status | Generic error                                  |
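The OID table under "Common MIB/OID Values" and the response-code table above both describe what comes back from a walk, so here is one added example (not part of the original notes) that parses numeric snmpwalk output (`snmpwalk -On` style, `iso.` or `.1.` prefixed) into a report keyed by the table's labels and counts the v2c exceptions separately. The sample walk is constructed for the example, and the helper names (`parse_walk_line`, `classify`, `summarise_walk`) are assumptions of this example, not part of any tool.

```python
"""
Added example: parse numeric snmpwalk output and group it by the OID prefixes
listed in the notes' MIB/OID table, treating net-snmp's exception lines
(noSuchObject, noSuchInstance, endOfMibView) as a separate bucket.
"""
import re
from collections import defaultdict

# OID prefixes from the notes' table; an instance OID that extends one of
# these is bucketed under its label.
KNOWN_PREFIXES = {
    "1.3.6.1.2.1.1.1.0": "System Description",
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
}

# net-snmp prints SNMPv2 exceptions as text; map them to the names in the table
EXCEPTIONS = {
    "No Such Object available on this agent at this OID": "noSuchObject",
    "No Such Instance currently exists at this OID": "noSuchInstance",
    "No more variables left in this MIB View": "endOfMibView",
}

LINE_RE = re.compile(r"^(?:iso|\.?1)((?:\.\d+)+)\s*=\s*(.*)$")
TYPED_VALUE_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

# Constructed sample walk (not captured from a real host)
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux lab-host 5.15.0 #1 SMP x86_64"
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 143
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.4.812 = STRING: "/usr/sbin/sshd"
iso.3.6.1.2.1.25.6.3.1.2.5 = STRING: "openssh-server_8.9p1"
iso.3.6.1.4.1.77.1.2.25.1.1.5.103.117.101.115.116 = STRING: "guest"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.1.5 = No Such Object available on this agent at this OID
iso.3.6.1.2.1.1.9.1.4.10 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""


def parse_walk_line(line: str):
    """Return (oid, kind, value) for one walk line, or None for non-varbind lines.

    kind is the type snmpwalk printed (STRING, INTEGER, Gauge32, Timeticks, ...)
    or the exception name; value is None for exceptions.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None                                  # timeouts, banners, blanks
    oid = "1" + m.group(1)                           # 'iso' and '.1' are the same root arc
    rhs = m.group(2).strip()
    for text, name in EXCEPTIONS.items():
        if rhs.startswith(text):
            return oid, name, None
    tv = TYPED_VALUE_RE.match(rhs)
    if tv:
        return oid, tv.group(1), tv.group(2).strip('"')
    return oid, "RAW", rhs.strip('"')


def classify(oid: str):
    """Map an instance OID to the table label whose prefix it extends."""
    for prefix, label in KNOWN_PREFIXES.items():
        if oid == prefix or oid.startswith(prefix + "."):
            return label
    return None


def summarise_walk(text: str) -> dict:
    """Group values by label; exceptions go under '_exceptions' as (oid, name)."""
    report = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_walk_line(line)
        if parsed is None:
            continue
        oid, kind, value = parsed
        if kind in EXCEPTIONS.values():
            report["_exceptions"].append((oid, kind))
            continue
        report[classify(oid) or "Other"].append(value)
    return dict(report)


if __name__ == "__main__":
    for label, values in summarise_walk(SAMPLE_WALK).items():
        print(f"{label}: {values}")
```

Feeding a full `snmpwalk -On -v2c -c <community> <target>` capture through `summarise_walk` gives the "document accessible OIDs" artefact the best-practices section asks for, and the `_exceptions` bucket shows where the agent's view ends, which is the quickest way to confirm a restricted view is actually in force.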

## Best Practices for Pentesting

1. **Initial Reconnaissance**:
   * Identify SNMP version
   * Test default community strings
   * Map accessible OIDs
   * Check write permissions
2. **Deep Enumeration**:
   * Gather system details
   * Enumerate users
   * Check network configuration
   * Identify sensitive data
   * Test write capabilities
3. **Documentation**:
   * Record community strings
   * Document accessible OIDs
   * Note writable objects
   * Save system information
   * List vulnerabilities
4. **Risk Assessment**:
   * Evaluate information exposure
   * Assess configuration weaknesses
   * Consider exploitation potential
   * Recommend security improvements

## Mitigation Recommendations

1. Use SNMPv3 with authentication and encryption (authPriv)
2. Where v1/v2c cannot be retired, use long random community strings, never the defaults
3. Restrict SNMP access by source IP
4. Limit exposed information with read-only, restricted views
5. Audit SNMP configurations regularly
6. Monitor SNMP traffic for default community strings and unexpected queriers
7. Keep agent software and configurations up to date
8. Implement access controls so write access exists only where required
