The Simple Network Management Protocol (SNMP) is used to monitor and manage network devices like routers, switches, and servers. It allows remote configuration and control using the standard protocol. The default port for SNMP is 161 (UDP), and 162 (UDP) is used for SNMP traps (alerts).
Default Port: 161,162(traps)
Banner grabbing
nc -nv -u $IP 161Tip
SNMP requires unique addresses for client-server communication to exchange values and monitor the network.
MIB
The Management Information Base (MIB) is a standardized format for storing device information in a text file. It lists all queryable SNMP objects in a tree hierarchy, which each object having a unique Object Identifier (OID). MIB files, written in ASN.1 format, don’t contain data but define the structure, access rights, and types of information.
OID
An Object Identifier (OID) uniquely identifies a node in a hierarchical tree. The OID sequence, represented by numbers and separated by dots, determines the position of the node, with more specific information at deeper levels.
Versions and Variations
| Version | Features |
|---|---|
SNMPv1 | First version, supports monitoring, configuration, and traps. Lacks authentication and encryption (data in plain text). |
SNMPv2 | Same security as v1, with additional functions. The “c” in v2c stands for “community-based,” meaning the security is based on a shared community string (still in plain text, no encryption). |
SNMPv3 | Improved security with authentication (username/password) and encryption (via pre-shared keys). More complex to configure than v2c. |
Community Strings
Community strings can be seen as passwords that are used to determine whether the requested information can be viewed or not. It is important to note that many organizations are still using SNMPv2, as the transition to SNMPv3 can be very complex, but the services still need to remain active.
Nmap
Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.
# Default NSE
sudo nmap -sCV -sU -p161 $IPSNMPwalk
Retrieve a subtree of management values using SNMP GETNEXT requests
# Query SNMP data using SNMPv2c with the 'public' community string
snmpwalk -v2c -c public $IPOneSixtyOne
onesixtyone is a simple SNMP scanner which sends SNMP requests for the sysDescr value asynchronously with user-adjustable sending times and then logs the responses which gives the description of the software running on the device.
# Brute-force SNMP community strings using a wordlist
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $IPBraa
Braa is a mass snmp scanner. The intended usage of such a tool is of course making SNMP queries - but unlike snmpget or snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process.
# Brute-force individual OIDs for SNMP data
braa public@$IP:.1.3.6.*Config files
# Default configuration
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'Dangerous settings
Some settings can be dangerous for the company and its infrastructure.
| Settings | Description |
|---|---|
rwuser noauth | Grants full access to the OID tree without requiring authentication. |
rwcommunity <community string> <IPv4 address> | Allows full access to the OID tree from any IPv4 address, bypassing source restrictions. |
rwcommunity6 <community string> <IPv6 address> | Same as rwcommunity, but for IPv6 addresses, allowing unrestricted access. |