SNMP

What is SNMP?

Simple Network Management Protocol (SNMP) is a protocol used for network management. Over the years, SNMP has often been misunderstood by network administrators, leading to misconfigurations that can result in significant information leaks.

SNMP is based on UDP, a simple, stateless protocol, and is therefore susceptible to IP spoofing and replay attacks. Additionally, the commonly used SNMP protocols 1, 2, and 2c offer no traffic encryption, meaning that SNMP information and credentials can be easily intercepted over a local network. Traditional SNMP protocols also have weak authentication schemes and are commonly left configured with default public and private community strings.

---

Key Points

Ports

• SNMP: UDP 161

SNMP Versions

• SNMPv1, v2, v2c: No encryption, weak authentication

• SNMPv3: Provides authentication and encryption

  • Older implementations: DES-56 (weak, easily brute-forced)

  • Recent implementations: AES-256

Security Concerns

• Default community strings (public/private)

• No encryption in v1/v2/v2c

• Information leakage through MIB tree

• Can reveal configuration files on enterprise routing hardware

---

SNMP MIB Tree

The SNMP Management Information Base (MIB) is a database containing information usually related to network management. The database is organized like a tree, with branches that represent different organizations or network functions. The leaves of the tree (or final endpoints) correspond to specific variable values that can then be accessed and probed by an external user.

Windows SNMP MIB Values

OID	Description
1.3.6.1.2.1.25.1.6.0	System Processes
1.3.6.1.2.1.25.4.2.1.2	Running Programs
1.3.6.1.2.1.25.4.2.1.4	Processes Path
1.3.6.1.2.1.25.2.3.1.4	Storage Units
1.3.6.1.2.1.25.6.3.1.2	Software Name
1.3.6.1.4.1.77.1.2.25	User Accounts
1.3.6.1.2.1.6.13.1.3	TCP Local Ports

---

SNMP Enumeration

Using Nmap

• Find hosts with SNMP

sudo nmap -sU --open -p 161 192.168.5.1-254 -oG open-snmp.txt

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-14 06:02 EDT 
Nmap scan report for 192.168.5.151 
Host is up (0.10s latency). 

PORT    STATE SERVICE 
161/udp open  snmp 

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Using 'onesixtyone'

Brute force community strings against a list of IP addresses

• Prepare community strings and IP list

echo public > community 
echo private >> community 
echo manager >> community 
for ip in $(seq 1 254); do echo 192.168.5.$ip; done > ips

• Run the scan

onesixtyone -c community -i ips

Scanning 254 hosts, 3 communities 
192.168.50.151 [public] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT 
COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)

Using 'snmpwalk'

Query SNMP values using the read-only community string

• Default (Enumerate entire MIB tree)

snmpwalk -c public -v1 -t 10 192.168.5.151

iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT 
COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)" 
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.311.1.1.3.1.3 
iso.3.6.1.2.1.1.3.0 = Timeticks: (78235) 0:13:02.35 
iso.3.6.1.2.1.1.4.0 = STRING: "admin@test-domain.com" 
iso.3.6.1.2.1.1.5.0 = STRING: "dc01.test-domain.com" 
iso.3.6.1.2.1.1.6.0 = "" 
iso.3.6.1.2.1.1.7.0 = INTEGER: 79 
iso.3.6.1.2.1.2.1.0 = INTEGER: 24
...

With options

• Enumerate Windows users

snmpwalk -c public -v1 192.168.5.151 1.3.6.1.4.1.77.1.2.25

iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest" 
iso.3.6.1.4.1.77.1.2.25.1.1.6.107.114.98.116.103.116 = STRING: "krbtgt" 
iso.3.6.1.4.1.77.1.2.25.1.1.7.115.116.117.100.101.110.116 = STRING: "student" 
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = 
STRING: "Administrator"

• Enumerate running processes

snmpwalk -c public -v1 192.168.5.151 1.3.6.1.2.1.25.4.2.1.2

iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process" 
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System" 
iso.3.6.1.2.1.25.4.2.1.2.88 = STRING: "Registry" 
iso.3.6.1.2.1.25.4.2.1.2.260 = STRING: "smss.exe" 
iso.3.6.1.2.1.25.4.2.1.2.316 = STRING: "svchost.exe" 
iso.3.6.1.2.1.25.4.2.1.2.372 = STRING: "csrss.exe" 
iso.3.6.1.2.1.25.4.2.1.2.472 = STRING: "svchost.exe" 
iso.3.6.1.2.1.25.4.2.1.2.476 = STRING: "wininit.exe" 
iso.3.6.1.2.1.25.4.2.1.2.484 = STRING: "csrss.exe" 
iso.3.6.1.2.1.25.4.2.1.2.540 = STRING: "winlogon.exe" 
iso.3.6.1.2.1.25.4.2.1.2.616 = STRING: "services.exe" 
iso.3.6.1.2.1.25.4.2.1.2.632 = STRING: "lsass.exe" 
iso.3.6.1.2.1.25.4.2.1.2.680 = STRING: "svchost.exe"
...

• Enumerate installed software

snmpwalk -c public -v1 192.168.5.151 1.3.6.1.2.1.25.6.3.1.2

iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2019 X64 Minimum Runtime - 
14.27.29016" 
iso.3.6.1.2.1.25.6.3.1.2.2 = STRING: "VMware Tools" 
iso.3.6.1.2.1.25.6.3.1.2.3 = STRING: "Microsoft Visual C++ 2019 X64 Additional Runtime - 14.27.29016" 
iso.3.6.1.2.1.25.6.3.1.2.4 = STRING: "Microsoft Visual C++ 2015-2019 Redistributable 
(x86) - 14.27.290" 
iso.3.6.1.2.1.25.6.3.1.2.5 = STRING: "Microsoft Visual C++ 2015-2019 Redistributable 
(x64) - 14.27.290" 
iso.3.6.1.2.1.25.6.3.1.2.6 = STRING: "Microsoft Visual C++ 2019 X86 Additional Runtime - 14.27.29016" 
iso.3.6.1.2.1.25.6.3.1.2.7 = STRING: "Microsoft Visual C++ 2019 X86 Minimum Runtime - 
14.27.29016"
...

• Enumerate open TCP port

snmpwalk -c public -v1 192.168.5.151 1.3.6.1.2.1.6.13.1.3

iso.3.6.1.2.1.6.13.1.3.0.0.0.0.88.0.0.0.0.0 = INTEGER: 88 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.389.0.0.0.0.0 = INTEGER: 389 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.464.0.0.0.0.0 = INTEGER: 464 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.593.0.0.0.0.0 = INTEGER: 593 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.636.0.0.0.0.0 = INTEGER: 636 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3268.0.0.0.0.0 = INTEGER: 3268 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3269.0.0.0.0.0 = INTEGER: 3269 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.5357.0.0.0.0.0 = INTEGER: 5357 
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.5985.0.0.0.0.0 = INTEGER: 5985
...