Pentesting SNMP

SNMP Ports 161, 162 default

• Commands

• Read, write, trap, traversal command

• SNMP community strings

• Community strings are like a username or password that allows access to the managed device.

• There are three different community strings that allow a user to set 1 ready only commands, 2 read write commands and 3 traps.

• SNMPv3 community string is replaced with a user and password authentication.

• SNMPv1/v2 is factory default read only strings set to public and read write string set to private.

Onesixtyone

• Onesixtyone is a fast tool to brute force SNMP community strings and take advantage of the connectionless protocol.

• Onesixtyone requires two arguments: a file that contains the list of community strings to try and the target host ip address.

• You can also provide a list of host IP addresses to be scanned by onesixtyone using the -i option.

onesixtyone #access help menu
onesixtyone -c snmp_community_strings_wordlist_onesixtyone.txt -p 161 192.168.43.161

• Location of wordlists

/usr/share/wordlists/seclists/Discovery/SNMP

SNMPwalk

• Snmpwalk queries MIB values to retrieve information about the managed devices, but as a minimum requires a valid SNMP read only community string.

• Run snmpwalk with the default community string ‘public’ on and SNMPv1 device use the following command:

• You can also request a single object ID value using the following command:

• Nmap SNMP scripts