Simple Network Management Protocol (SNMP) – UDP port 161

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

It is possible to obtain the default community name (“public”) of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications, i.e. it is a read-write community).

  • SNMPv1 sends the community string (its only “password”) in clear text inside every UDP datagram.
  • SNMPv2c uses the same community-string model as v1: the string also travels in clear text, so anyone who can sniff the traffic gets it.
  • SNMPv1 and SNMPv2c have no message authentication, so source-IP based access lists can be bypassed by spoofing the manager’s IP (UDP, no handshake). Neither should be used.
  • SNMPv3 is the current version and adds per-user authentication (HMAC-MD5/SHA) and encryption (DES/AES). Captured authenticated messages can still be brute-forced or dictionary-attacked offline if the user passphrase is weak; use long passphrases, the authPriv security level, and optionally tunnel the traffic over IPsec or TLS/DTLS.

SNMP Configuration

# Net-SNMP agent config: community strings live in the rocommunity / rwcommunity / com2sec lines,
# SNMPv3 users in createUser / rouser / rwuser lines
cat /etc/snmp/snmpd.conf

Useful OIDs

Description                      Windows                  Unix
Enumerating users                1.3.6.1.4.1.77.1.2.25    .1.3.6.1.2.1.1.9.1.5
Enumerating running processes    1.3.6.1.2.1.25.4.2.1.2   (same OID, HOST-RESOURCES-MIB hrSWRunName)
Open TCP ports                   1.3.6.1.2.1.6.13.1.3     (same OID, TCP-MIB tcpConnLocalPort)
Installed software               1.3.6.1.2.1.25.6.3.1.2   (same OID, HOST-RESOURCES-MIB hrSWInstalledName)
Server description with version  iso.3.6.1.2.1.1.1.0      (same OID, SNMPv2-MIB sysDescr.0)

The 1.3.6.1.4.1.77.* subtree is Microsoft’s LanManager MIB and only exists on Windows agents; the 1.3.6.1.2.1.* OIDs are standard MIBs and are answered by any agent that implements them (Windows, Net-SNMP, network devices).
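Once a walk has been dumped to a file, the objects in the table above have to be picked out of thousands of lines. The script below is an added example written for these notes, not part of the original page or of any tool it names: it parses numeric snmpwalk output (the shape produced by snmpwalk -On) and extracts process names, installed software, Windows user names and listening TCP ports. The SAMPLE_WALK variable is constructed for the demo and was not captured from a real host.

```shell
#!/bin/sh
# Added example: pick the interesting objects out of a numeric snmpwalk dump.
# SAMPLE_WALK is CONSTRUCTED for this demo (shape of "snmpwalk -On -v 2c -c public HOST"),
# not output captured from a real device.
SAMPLE_WALK='.1.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 - Software: Windows Version 6.3 (Build 9600 Multiprocessor Free)"
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.488 = STRING: "lsass.exe"
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
.1.3.6.1.2.1.6.13.1.3.10.0.0.5.49152.10.0.0.9.443 = INTEGER: 49152
.1.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2015 Redistributable"
.1.3.6.1.4.1.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"'

# snmp_values PREFIX   (walk output on stdin)
# Prints the value of every instance under PREFIX, with the "OID = TYPE:" part and quotes removed.
snmp_values() {
  awk -v p="$1." '
    index($0, p) == 1 {
      sub(/^[^=]*= [A-Za-z0-9-]*: /, "")   # drop "OID = TYPE: "
      gsub(/^"|"$/, "")                    # drop surrounding quotes
      print
    }'
}

# snmp_listening_tcp_ports   (walk output on stdin)
# tcpConnLocalPort (1.3.6.1.2.1.6.13.1.3) is indexed localAddr.localPort.remAddr.remPort;
# a LISTEN socket reports the remote side as 0.0.0.0 port 0, so filter on that index suffix.
snmp_listening_tcp_ports() {
  awk 'index($0, ".1.3.6.1.2.1.6.13.1.3.") == 1 && $1 ~ /\.0\.0\.0\.0\.0$/ { print $NF }' |
    sort -n | uniq
}

echo "[sysDescr]";       printf '%s\n' "$SAMPLE_WALK" | snmp_values .1.3.6.1.2.1.1.1
echo "[processes]";      printf '%s\n' "$SAMPLE_WALK" | snmp_values .1.3.6.1.2.1.25.4.2.1.2
echo "[installed]";      printf '%s\n' "$SAMPLE_WALK" | snmp_values .1.3.6.1.2.1.25.6.3.1.2
echo "[windows users]";  printf '%s\n' "$SAMPLE_WALK" | snmp_values .1.3.6.1.4.1.77.1.2.25
echo "[listening tcp]";  printf '%s\n' "$SAMPLE_WALK" | snmp_listening_tcp_ports
```

Against a real target replace the printf with `snmpwalk -On -v 2c -c public $IP > walk.txt; snmp_values PREFIX < walk.txt`. The -On flag matters: without it Net-SNMP prints symbolic names (when MIBs are loaded) and the prefix match on numeric OIDs fails.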

Enumeration & brute-force

Nmap scripts

ls -la /usr/share/nmap/scripts/snmp*

Nmap SNMP sweep

sudo nmap -sU -p 161 x.x.x.1-254 -oG snmp-sweep.txt
cd /usr/share/nmap/scripts

IP=x.x.x.x
WL=/home/kali/Wordlists/snmp/snmp_community_strings.txt
# UDP scans need root; -p 161 keeps nmap from probing the top 1000 UDP ports
# Default community list bundled with the script
sudo nmap -sU -p 161 --script snmp-brute $IP

# With own list of community strings (v1 & v2c only; v3 has no community strings)
sudo nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=$WL $IP

snmpwalk

*** BEST OPTION ***

To resolve numeric OIDs to their textual names (e.g. .1.3.6.1.2.1.1.1.0 -> SNMPv2-MIB::sysDescr.0), install the MIBs and let Net-SNMP load them:

sudo apt install snmp-mibs-downloader
sudo nano /etc/snmp/snmp.conf
# Comment out the line below (it tells the Net-SNMP tools to load no MIBs):
#mibs :
sudo download-mibs

When no OID is given, snmpwalk walks the whole subtree starting at .1.3.6.1.2.1 (mib-2), which is usually everything the agent will show you:

for IP in $(cat ~/config/IPs.txt | grep -v '#'); do echo $IP; snmpwalk -c public -v 2c $IP; done;
for IP in $(cat ~/config/IPs.txt | grep -v '#'); do echo $IP; snmpwalk -c private -v 2c $IP; done;

# Get value for specific OID
OID="iso.3.6.1.2.1.1.1.0"
for IP in $(cat ~/config/IPs.txt | grep -v '#'); do echo $IP; snmpwalk -c public -v 2c $IP $OID; done;
for IP in $(cat ~/config/IPs.txt | grep -v '#'); do echo $IP; snmpwalk -c private -v 2c $IP $OID; done;
#-------------------------------------------------------------------------------
# Query SNMP values
# Example on Windows SNMP port exposed
#-------------------------------------------------------------------------------
IP=x.x.x.x
VERSION=2c            # 1 or 2c; v3 does not use -c (see below)
USER=snmpuser         # SNMPv3 security name (a username, not an OID)

# Help
snmpwalk -h
# Enumerating the entire MIB tree (v1/v2c: community string)
snmpwalk -c public -v $VERSION $IP
# SNMPv3: user + security level (noAuthNoPriv | authNoPriv | authPriv) instead of a community string
snmpwalk -v 3 -u $USER -l noAuthNoPriv $IP
snmpwalk -v 3 -u $USER -l authPriv -a SHA -A "authpass" -x AES -X "privpass" $IP

# Get value for specific OID (snmpwalk falls back to a GET when the OID is a leaf; snmpget does it directly)
OID="iso.3.6.1.2.1.1.1.0"
snmpwalk -c public -v $VERSION $IP $OID
snmpget -c public -v $VERSION $IP $OID
snmpwalk -v 3 -u $USER -l noAuthNoPriv $IP $OID

snmp-check

v1 / v2

IP=x.x.x.x

# Query public community string
snmp-check -v 1 $IP
snmp-check -v 2c $IP

# Query private community string
snmp-check -c private -v 1 $IP
snmp-check -c private -v 2c $IP

# Query with a longer timeout (seconds); snmp-check only accepts -v 1 or -v 2c
snmp-check -t 40 -c private -v 1 $IP
snmp-check -t 40 -c private -v 2c $IP

v3

snmp-check has no SNMPv3 support: its -v option only accepts 1 or 2c, and SNMPv3 has no community strings to pass with -c, so the commands below are the snmp-check equivalents done with the Net-SNMP tools instead.

IP=x.x.x.x
USER=snmpuser

# Enumerate with a v3 user (same information snmp-check prints for v1/v2c, in raw form)
snmpwalk -v 3 -u $USER -l noAuthNoPriv $IP
snmpwalk -v 3 -u $USER -l authPriv -a SHA -A "authpass" -x AES -X "privpass" $IP

# Longer timeout (-t seconds) and more retries (-r) for slow agents
snmpwalk -t 40 -r 2 -v 3 -u $USER -l noAuthNoPriv $IP

onesixtyone

#-------------------------------------------------------------------------------
# Check for given community strings against an IP list, allowing us to brute force various community strings
#-------------------------------------------------------------------------------
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254);do echo x.x.x.$ip;done > ips
onesixtyone -c community -i ips
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt $IP

Modify configurations

Using a read-write community string found during the enumeration phase. snmpcmd(1) is not a command, it is the manual page describing the options shared by all Net-SNMP tools; writes are done with snmpset:

snmpset

IP=x.x.x.x
# Non-destructive write test: read sysContact.0, then set it back to the same value.
# With a read-only community the set fails with an error instead of returning the new value.
snmpget -c private -v 2c $IP sysContact.0
snmpset -c private -v 2c $IP sysContact.0 s "<value returned above>"
# Options shared by all tools (timeouts, retries, MIB handling):
man snmpcmd

Reporting

  • CVSS Score: 4.3
  • Remediation: Disable the SNMP service on the remote host if it is not needed; otherwise filter incoming UDP traffic to port 161 so only the management stations can reach it, and change the default community string.
    Community strings should be at least 20 random characters mixing lowercase, uppercase, digits and special characters, and should be read-only whenever possible. Prefer SNMPv3 with the authPriv security level over v1/v2c community strings.
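The snmpd.conf read in the SNMP Configuration section is the place where the remediation above is either applied or not. The script below is an added example written for these notes, not part of the original page or of Net-SNMP: it audits a Net-SNMP snmpd.conf for the weaknesses listed (default community strings, short strings, communities accepted from any source, write access via community, SNMPv3 users allowed without encryption). Both configuration files it writes are constructed for the demo; the weak one mirrors what is typically found, the hardened one shows the corrected settings (rocommunity restricted to a subnet, SNMPv3 authPriv user). The community string, user name, passphrases and addresses in them are made-up placeholders.

```shell
#!/bin/sh
# Added example: audit a Net-SNMP snmpd.conf for the weaknesses covered in the remediation.
# Both configs below are CONSTRUCTED for this demo; names, addresses and secrets are placeholders.
WEAK_CONF='# /etc/snmp/snmpd.conf (weak, as often found)
agentAddress udp:161
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec legacy default public
rouser monitor noauth
sysLocation "Rack 12"'

HARDENED_CONF='# /etc/snmp/snmpd.conf (hardened)
agentAddress udp:127.0.0.1:161,udp:10.0.0.5:161
# 20+ random characters, read-only, accepted only from the management subnet
rocommunity Vq7pR2xT9mLa4KdZ8wNc 10.0.9.0/24
# SNMPv3 authPriv user (snmpd moves createUser into its persistent config on first start)
createUser nmsuser SHA "correct horse battery staple 42" AES "another long unrelated passphrase"
rouser nmsuser priv'

# audit_snmpd_conf FILE -> one finding per line, empty output when nothing is flagged
audit_snmpd_conf() {
  awk '
    function is_default(s) { return (s == "public" || s == "private" || s == "manager" || s == "community") }
    { sub(/#.*/, "") }                       # drop comments (also re-splits the fields)
    NF == 0 { next }
    $1 ~ /^r[ow]community6?$/ {               # rocommunity / rwcommunity [COMMUNITY [SOURCE [OID]]]
      if (is_default($2))       print "HIGH   line " NR ": default community \"" $2 "\" (" $1 ")"
      else if (length($2) < 20) print "MEDIUM line " NR ": short community \"" $2 "\" (" length($2) " chars, want 20+)"
      if (NF < 3 || $3 == "default") print "MEDIUM line " NR ": " $1 " accepted from any source address"
      if ($1 ~ /^rwcommunity/)  print "HIGH   line " NR ": write access via community string; use read-only or SNMPv3"
    }
    $1 == "com2sec" && is_default($4) {       # com2sec NAME SOURCE COMMUNITY
      print "HIGH   line " NR ": default community \"" $4 "\" (com2sec)"
    }
    ($1 == "rouser" || $1 == "rwuser") && $3 != "priv" {   # rouser USER [noauth|auth|priv]
      print "MEDIUM line " NR ": SNMPv3 user " $2 " allowed without encryption (level " ($3 == "" ? "auth" : $3) ")"
    }
  ' "$1"
}

demo_dir=$(mktemp -d)
printf '%s\n' "$WEAK_CONF"     > "$demo_dir/weak.conf"
printf '%s\n' "$HARDENED_CONF" > "$demo_dir/hardened.conf"
echo "== weak.conf =="
audit_snmpd_conf "$demo_dir/weak.conf"
echo "== hardened.conf =="
audit_snmpd_conf "$demo_dir/hardened.conf"
```

Run it against the real file with `audit_snmpd_conf /etc/snmp/snmpd.conf`. The default-community list is deliberately short; extend is_default() with the same wordlist used for onesixtyone above to flag every string that a brute-forcer would guess.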