# Pentesting SNMP

## Overview

* Ports: UDP 161 (queries), UDP 162 (traps)
* MIB = Management Information Base — hierarchical database describing the device
* OID = Object Identifier — address of a value in the MIB tree
* Commands: read, write, trap, traversal
* Community strings act like a username/password granting access to managed devices
* Factory defaults: read-only = `public`, read-write = `private`

## SNMP Versions

| Version | Auth              | Encryption        | Notes                                         |
| ------- | ----------------- | ----------------- | --------------------------------------------- |
| SNMPv1  | Community string  | None (plain text) | No real security                              |
| SNMPv2c | Community string  | None (plain text) | Community-based, still cleartext              |
| SNMPv3  | Username/password | Pre-shared key    | Auth + encryption, replaces community strings |

## Configuration

* Config file: `/etc/snmp/snmpd.conf`

```
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
```

### Dangerous Settings

| Setting                        | Description                               |
| ------------------------------ | ----------------------------------------- |
| rwuser noauth                  | Full OID tree access, no auth needed      |
| rwcommunity \<string> \<IPv4>  | Full OID tree access for community string |
| rwcommunity6 \<string> \<IPv6> | Same for IPv6                             |
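
A check for the settings in the table above, together with the factory-default community strings from the Overview, as an added example that is not part of the original page. The function names and the sample configuration are constructed for illustration. It also flags community directives with no source restriction, which goes slightly beyond the table.

```bash
#!/bin/sh
# Added example (not from the original page): flag risky snmpd.conf directives.
# Prints "LINE:SEVERITY:reason" per finding; returns 1 if anything was flagged.
audit_snmpd_conf() {
    awk '
    function flag(sev, msg) { printf "%d:%s:%s\n", NR, sev, msg; found = 1 }
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    {
        d = tolower($1)                      # lower-cased so odd capitalisation is not missed
        if (d == "rwuser") {
            # rwuser [-s SECMODEL] USER [noauth|auth|priv ...]
            for (i = 2; i <= NF; i++)
                if (tolower($i) == "noauth")
                    flag("HIGH", "rwuser with noauth gives write access without authentication")
        } else if (d ~ /^r[ow]community6?$/) {
            # r[ow]community[6] COMMUNITY [SOURCE [OID]]
            sev = (d ~ /^rw/) ? "HIGH" : "MEDIUM"
            if (sev == "HIGH")
                flag(sev, d " grants write access via a cleartext community string")
            if ($2 == "public" || $2 == "private")
                flag(sev, d " uses factory-default community \"" $2 "\"")
            if (NF < 3 || tolower($3) == "default")
                flag(sev, d " has no source address restriction")
        }
    }
    END { exit found + 0 }
    ' "$1"
}

# Constructed sample configuration (assumption: not taken from a real host).
sample_snmpd_conf() {
    cat <<'EOF'
# constructed sample
rocommunity public
rwcommunity private 10.0.0.0/24
rwcommunity6 s3cr3t default
rwuser admin noauth
rouser monitor priv
rocommunity m0n1tor 192.0.2.10
EOF
}

demo_conf=$(mktemp)
sample_snmpd_conf > "$demo_conf"
audit_snmpd_conf "$demo_conf" || echo "review the findings above"
rm -f "$demo_conf"
```

Point `audit_snmpd_conf` at `/etc/snmp/snmpd.conf` on a managed host; a non-zero return means at least one directive needs review.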

## Enumeration

### SNMPwalk

* Queries MIB values to retrieve info about managed devices
* Requires a valid read-only community string at minimum

```
snmpwalk -v2c -c public 10.129.14.128
```

* SNMPv1 query:

```
snmpwalk -c public -v1 10.129.14.128
```

* Query a single OID (e.g. sysName `1.3.6.1.2.1.1.5.0`):

```
snmpwalk -v 2c -c public 10.129.14.128 1.3.6.1.2.1.1.5.0
```

### OneSixtyOne

* Fast SNMP community string brute forcer — exploits the connectionless protocol
* Provide a wordlist of community strings and a target IP
* Use `-i` to provide a list of target IPs

```bash
sudo apt install onesixtyone
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128

# With explicit port
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt -p 161 <ip>

# Then walk with discovered community string
snmpwalk -v2c -c <community> <ip>
```

* Wordlist location:

```
/usr/share/wordlists/seclists/Discovery/SNMP
```

### Braa

* Mass OID brute force tool

```
sudo apt install braa
braa <community string>@<IP>:.1.3.6.*
braa public@10.129.14.128:.1.3.6.*
```

### Nmap SNMP Scripts

```
ls -l /usr/share/nmap/scripts/snmp*
```

