# Pentesting SNMP

## Overview

* Ports: UDP 161 (queries), UDP 162 (traps)
* MIB = Management Information Base — hierarchical database describing the device
* OID = Object Identifier — address of a value in the MIB tree
* Operations: read (get), write (set), trap (agent-initiated notification), traversal (walking the MIB tree with get-next)
* Community strings act like a username/password granting access to managed devices
* Factory defaults: read-only = `public`, read-write = `private`

## SNMP Versions

| Version | Auth              | Encryption        | Notes                                         |
| ------- | ----------------- | ----------------- | --------------------------------------------- |
| SNMPv1  | Community string  | None (plain text) | No real security                              |
| SNMPv2c | Community string  | None (plain text) | Community-based, still cleartext              |
| SNMPv3  | Username/password | Pre-shared key    | Auth + encryption, replaces community strings |

## Configuration

* Config file: `/etc/snmp/snmpd.conf`

```
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
```

### Dangerous Settings

| Setting                        | Description                               |
| ------------------------------ | ----------------------------------------- |
| `rwuser noauth`                   | Full OID tree access, no auth needed      |
| `rwcommunity <string> <IPv4>`     | Full OID tree access for community string |
| `rwcommunity6 <string> <IPv6>`    | Same for IPv6                             |
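
A defender-side check that ties the factory defaults listed in the Overview to the table above: an added POSIX shell snippet (not from the original page or from net-snmp) that flags `rwuser noauth`, any `rwcommunity`/`rwcommunity6` directive, and the default `public`/`private` strings in an `snmpd.conf`. The sample configuration is constructed inline; `audit_snmpd_conf` and `snmpd_conf_is_clean` are names chosen here.

```shell
# Constructed sample snmpd.conf (not taken from any real host) used as the input.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example: three weak directives and one acceptable SNMPv3 user
rocommunity public
rwcommunity private 10.0.0.0/8
rwuser noauth
rouser auditor priv
EOF

# Print one finding per line for each dangerous directive in the given snmpd.conf;
# prints nothing when the file is clean. Comments and blank lines are skipped first.
audit_snmpd_conf() {
  grep -vE '^[[:space:]]*(#|$)' "$1" | awk '
    $1 == "rwuser" && $2 == "noauth" {
      print "HIGH   rwuser noauth: read-write access to the whole OID tree with no authentication" }
    $1 ~ /^rwcommunity6?$/ {
      print "HIGH   " $1 " \"" $2 "\": read-write access guarded only by a cleartext community string" }
    $1 ~ /^r[ow]community6?$/ && ($2 == "public" || $2 == "private") {
      print "MEDIUM " $1 ": factory-default community string \"" $2 "\"" }
  '
}

# Exit status 0 when the file has no findings, 1 otherwise (usable from a config-check job).
snmpd_conf_is_clean() {
  [ -z "$(audit_snmpd_conf "$1")" ]
}

audit_snmpd_conf "$SAMPLE_CONF"
```

The `rouser auditor priv` line is the SNMPv3 shape to aim for (authenticated and encrypted, read-only) and produces no finding.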

## Enumeration

### SNMPwalk

* Queries MIB values to retrieve info about managed devices
* Requires a valid read-only community string at minimum

```
snmpwalk -v2c -c public 10.129.14.128
```

* SNMPv1 query:

```
snmpwalk -c public -v1 10.129.14.128
```

* Query a single OID (e.g. sysName `1.3.6.1.2.1.1.5.0`):

```
snmpwalk -v 2c -c public 10.129.14.128 1.3.6.1.2.1.1.5.0
```

### OneSixtyOne

* Fast SNMP community string brute forcer: because SNMP runs over connectionless UDP, it sends requests to many hosts without waiting for each reply
* Provide a wordlist of community strings and a target IP
* Use `-i` to provide a list of target IPs

```bash
sudo apt install onesixtyone
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128

# With explicit port
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt -p 161 <ip>

# Then walk with discovered community string
snmpwalk -v2c -c <community> <ip>
```

* Wordlist location:

```
/usr/share/wordlists/seclists/Discovery/SNMP
```

### Braa

* Mass SNMP scanner that queries large OID ranges (and many hosts) quickly; `.1.3.6.*` walks everything under that subtree

```
sudo apt install braa
braa <community string>@<IP>:.1.3.6.*
braa public@10.129.14.128:.1.3.6.*
```

### Nmap SNMP Scripts

```
ls -l /usr/share/nmap/scripts/snmp*
```
