Pentesting SNMP

SNMP default ports: UDP 161 (the agent, queried by the manager) and UDP 162 (traps sent from the agent to the manager)

  • Operations

  • Read (GetRequest), write (SetRequest), trap (an unsolicited notification from the agent) and traversal (GetNextRequest, which snmpwalk repeats to walk the MIB tree)

  • SNMP community strings

  • A community string works like a shared password: the string carried in a request decides whether the managed device accepts it. In SNMPv1/v2c it is sent in cleartext.

  • There are three kinds of community string, each granting a different level of access: 1 read-only (Get/GetNext), 2 read-write (Set) and 3 trap (used by the agent when it sends traps).

  • SNMPv3 replaces the community string with user-based authentication (a username plus authentication and privacy keys).

  • SNMPv1/v2c devices commonly ship with factory-default strings: read-only set to public and read-write set to private.

Onesixtyone

  • Onesixtyone is a fast SNMP community-string brute forcer. It takes advantage of SNMP being connectionless (UDP): it sends one request per candidate string without waiting for a reply, then collects whatever answers come back. A v1/v2c agent only replies to requests carrying a community string it accepts.

  • Onesixtyone requires two arguments: a file containing the list of community strings to try and the target host's IP address.

  • You can also provide a list of host IP addresses to be scanned by onesixtyone using the -i option.

onesixtyone # show the help menu
onesixtyone -c snmp_community_strings_wordlist_onesixtyone.txt -p 161 192.168.43.161

  • Location of wordlists

/usr/share/wordlists/seclists/Discovery/SNMP
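
The two points above (a community string is just a cleartext password in each packet, and a UDP sweep needs no waiting between guesses) are easiest to see at the byte level. The following is an added example written for this page; it is not code from onesixtyone or Net-SNMP. It BER-encodes and decodes SNMPv1/v2c messages with only the Python 3 standard library and then reproduces onesixtyone's approach: one GetRequest for sysDescr.0 per candidate community, sent back to back, with the request-id mapping each reply to the guess that produced it. The target host and the candidate strings in the usage note are assumptions, not values from the page.

```python
"""Minimal SNMPv1/v2c BER encoder/decoder plus a onesixtyone-style community probe.
Added example for this page; not code from onesixtyone or Net-SNMP."""
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3  # PDU tags
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the object onesixtyone asks for

def _length(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by count big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _length(len(value)) + value

def encode_int(v):
    """Non-negative INTEGER, minimal two's complement (a leading 0x00 keeps the sign bit clear)."""
    return _tlv(INTEGER, b"\x00" if v == 0 else v.to_bytes((v.bit_length() + 8) // 8, "big"))

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # the first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))  # continuation bit on every byte but the last
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))

def build_message(community, pdu_type, request_id, varbinds, version=0):
    """SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbinds } }.
    Each varbind is (oid, value): None encodes NULL (a request), a str an OCTET STRING value."""
    vbs = b"".join(
        _tlv(SEQUENCE, encode_oid(o) + (_tlv(NULL, b"") if v is None else _tlv(OCTET_STRING, v.encode())))
        for o, v in varbinds)
    pdu = _tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(SEQUENCE, vbs))
    return _tlv(SEQUENCE, encode_int(version) + _tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(data, pos):
    """Return (tag, value bytes, position just after this TLV)."""
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        count = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + n], pos + n

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_message(data):
    """Decode a v1/v2c message. The community string comes straight out as plaintext."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_type, pdu, _ = _read_tlv(msg, p)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)  # error-index, not needed here
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)  # only OCTET STRING values are decoded in this example
        varbinds.append((decode_oid(oid_body), vbody.decode(errors="replace") if vtag == OCTET_STRING else None))
    as_int = lambda b: int.from_bytes(b, "big", signed=True)
    return {"version": as_int(ver), "community": community.decode(errors="replace"), "pdu_type": pdu_type,
            "request_id": as_int(rid), "error_status": as_int(err), "varbinds": varbinds}

def probe_communities(host, candidates, port=161, timeout=1.0):
    """onesixtyone's approach: one GetRequest per candidate, sent back to back with no waiting.
    Any GetResponse (even one carrying an error-status) proves the agent accepted that community;
    the request-id tells us which guess it was. Silence means the guess was wrong or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sent = {}
    for rid, community in enumerate(candidates, start=1):
        sent[rid] = community
        sock.sendto(build_message(community, GET_REQUEST, rid, [(SYS_DESCR_0, None)]), (host, port))
    found = {}
    try:
        while True:  # drain replies until the agent goes quiet for `timeout` seconds
            reply = parse_message(sock.recvfrom(65535)[0])
            if reply["pdu_type"] == GET_RESPONSE and reply["request_id"] in sent:
                found[sent[reply["request_id"]]] = reply["varbinds"]
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found
```

Usage (hypothetical target and guesses): `probe_communities("192.168.43.161", ["public", "private", "manager"])` returns a dict keyed by each accepted community, with the sysDescr.0 value the agent returned. Because every guess is a single 40-byte datagram and nothing blocks on a reply, the cost of a sweep is bounded by the wordlist size and the network, not by per-connection round trips; the same property is why a wordlist file like the ones under the SecLists path above can be tried against whole subnets quickly. The `GET_NEXT_REQUEST` tag is included because the traversal operation snmpwalk repeats uses exactly the same message layout with that PDU tag.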

SNMPwalk

  • Snmpwalk walks the MIB (repeated GetNext requests) to retrieve information about the managed device, but as a minimum it requires a valid SNMP read-only community string.

  • To run snmpwalk with the default community string ‘public’ against an SNMPv1 device, use the following command:

snmpwalk -c public -v1 [target host]

  • You can also restrict the walk to a single subtree by giving its object ID (snmpwalk returns everything below that OID; to fetch exactly one object, use snmpget with the same options):

snmpwalk -c public -v1 [target host] [OID]

  • Nmap SNMP scripts

ls -l /usr/share/nmap/scripts/snmp*
