SNMP Enumeration

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Useful links
  5. Recommendations

Vulnerability

SNMP (Simple Network Management Protocol) allows to monitor devices, based on the MIB (Management Information Base). You can use this protocol to enumerate useful information on a targeted computer using the corresponding MIB value.

Consider it exists two types of SNMP:

  • SNMPv1/2/2c: uses community string as authentication and sends traffic in plaintext.
  • SNMPv3: uses stronger authentication and encrypts traffic.

Prerequisites

  • Target must have SNMP service running (default port: 161).

Exploit

Before starting, and as recommended on HackTricks book, it is highly recommended to run following commands to have more details about gathered OID.

sudo apt install snmp-mibs-downloader
sudo download-mibs
sudo vi /etc/snmp/snmp.conf # Comment the line "mibs :"

# Check if SNMP port is opened with nmap.
sudo nmap -sU -p161 $target -v

# Brute-force communities using onesixtyone.
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp-onesixtyone.txt -i $target_file

# Enumerate OID using snmpwalk.c
snmpwalk -c $community -v$version -t 10 $target $mib

# Example: enumerate Windows users (corresponding MIB value).
snmpwalk -c public -v1 192.168.1.42 1.3.6.1.4.1.77.1.2.25

# Prefer using extended MIB!
snmpwalk -c public -v1 $target NET-SNMP-EXTEND-MIB::nsExtendObjects

Following table represents MIB values for Windows SNMP.

MIB Value Description
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
  • OID Info to navigate through OIDs in MIB hierarchy.

Recommendations

  • Filter SNMP port when possible.
  • Use SNMPv3 to enforce strong authentication and encryption.