Reconnaissance Phase

The first step in SNMP penetration testing is to identify and enumerate SNMP services on the target network. This phase involves discovering hosts running SNMP, identifying SNMP versions, and enumerating community strings.

1. Network Scanning with Nmap

Nmap is a powerful network scanning tool that can be used to discover hosts running SNMP services. The following commands will help you identify SNMP services on your target network.

Basic SNMP Port Scan

Scan for open UDP port 161 (SNMP) on the entire subnet

$ nmap -sU -p 161 192.168.1.0/24
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0054s latency).

PORT    STATE SERVICE
161/udp open  snmp

Nmap scan report for 192.168.1.15
Host is up (0.0032s latency).

PORT    STATE SERVICE
161/udp open  snmp

Nmap done: 256 IP addresses (2 hosts up) scanned in 15.23 seconds

SNMP Version Detection

Detect SNMP version and basic information

$ nmap -sU -p 161 --script=snmp-info 192.168.1.10
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0054s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-info:
|   Version: 2c
|   Context: public
|   Enterprise: Net-SNMP
|   Contact: admin@example.com
|_  Location: Server Room

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

2. Community String Enumeration

SNMP community strings act as passwords for accessing SNMP information. Default or weak community strings are a common security vulnerability. The following tools can help enumerate community strings.

[Figure: SNMP enumeration process (SNMP community string enumeration)]

Using Onesixtyone

Onesixtyone is a simple SNMP scanner that can quickly test for common community strings.

Brute force common community strings against a target

$ onesixtyone -c /usr/share/wordlists/common-snmp-community-strings.txt 192.168.1.10
Scanning 1 hosts, 122 communities
192.168.1.10 [public] Linux server 3.10.0-1160.el7.x86_64
192.168.1.10 [private] Linux server 3.10.0-1160.el7.x86_64

Using SNMPwalk

Once you've identified valid community strings, you can use SNMPwalk to enumerate information from the SNMP server.

Retrieve all SNMP information using the 'public' community string

$ snmpwalk -v2c -c public 192.168.1.10
SNMPv2-MIB::sysDescr.0 = STRING: Linux server 3.10.0-1160.el7.x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1453555) 4:02:15.55
SNMPv2-MIB::sysContact.0 = STRING: admin@example.com
SNMPv2-MIB::sysName.0 = STRING: server.example.com
SNMPv2-MIB::sysLocation.0 = STRING: Server Room
SNMPv2-MIB::sysServices.0 = INTEGER: 72
...
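The wordlist run shown above (onesixtyone trying 122 communities against one host) has a distinctive shape on the wire: a single source presenting many different community strings within seconds, where a legitimate poller presents exactly one. The Python below is an added detection example, not code from this article or from onesixtyone or Net-SNMP. It assumes a feed of decoded SNMPv1/v2c request headers (ISO timestamp, source IP, community string), which is an assumption about what a packet-capture decoder watching udp/161 would emit; the records in it are constructed.

```python
"""Spot community-string guessing in a feed of decoded SNMPv1/v2c requests.

Added example for this page, not code from the article or from any tool it
names. Input format (timestamp, source IP, community) is an assumption about
what a capture decoder on udp/161 would emit; the sample feed is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one line per SNMP GET/GETNEXT seen on udp/161.
SAMPLE_FEED = """\
2024-05-01T10:00:00 192.168.1.50 public
2024-05-01T10:00:01 192.168.1.50 private
2024-05-01T10:00:01 192.168.1.50 cisco
2024-05-01T10:00:02 192.168.1.50 manager
2024-05-01T10:00:02 192.168.1.50 admin
2024-05-01T10:00:03 192.168.1.50 secret
2024-05-01T10:00:03 192.168.1.50 snmpd
2024-05-01T10:05:00 192.168.1.200 monitoring-ro
2024-05-01T10:06:00 192.168.1.200 monitoring-ro
2024-05-01T10:10:00 192.168.1.201 public
"""

# The two vendor defaults this page shows onesixtyone finding.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_feed(text):
    """Turn the feed into (timestamp, source, community) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, community = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), src, community))
    return events


def detect_community_guessing(events, window_seconds=60, threshold=5):
    """Map source IP -> most distinct community strings it presented inside
    any sliding window of `window_seconds`; only sources reaching
    `threshold` are returned."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, community)
    alerts = {}
    for ts, src, community in sorted(events):
        window = recent[src]
        window.append((ts, community))
        # Drop entries that fell out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({c for _, c in window})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def default_community_sources(events, allowed_sources=()):
    """Sources outside the allow-list that presented a default community,
    whether or not the agent answered. On a network where defaults have
    been removed this list should be empty, so any entry is worth a look."""
    return sorted({src for _, src, c in events
                   if c in DEFAULT_COMMUNITIES and src not in allowed_sources})


if __name__ == "__main__":
    evts = parse_feed(SAMPLE_FEED)
    for src, n in detect_community_guessing(evts).items():
        print(f"ALERT {src}: {n} distinct community strings within 60s")
    print("default communities seen from:", default_community_sources(evts))
```

The window and threshold are tunable; a threshold of 5 distinct strings in a minute is far above anything a monitoring system does, so the rule fires on the scan and stays quiet for the poller at 192.168.1.200.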

3. Targeted Information Gathering

After discovering SNMP services and valid community strings, you can target specific information that might be useful for further exploitation.

Enumerating System Information

Retrieve system-specific information

$ snmpwalk -v2c -c public 192.168.1.10 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux server 3.10.0-1160.el7.x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1453555) 4:02:15.55
SNMPv2-MIB::sysContact.0 = STRING: admin@example.com
SNMPv2-MIB::sysName.0 = STRING: server.example.com
SNMPv2-MIB::sysLocation.0 = STRING: Server Room
SNMPv2-MIB::sysServices.0 = INTEGER: 72

Enumerating Running Processes

List running processes on the target system

$ snmpwalk -v2c -c public 192.168.1.10 hrSWRunName
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.2 = STRING: "kthreadd"
HOST-RESOURCES-MIB::hrSWRunName.3 = STRING: "rcu_gp"
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "rcu_par_gp"
HOST-RESOURCES-MIB::hrSWRunName.5 = STRING: "kworker/0:0"
HOST-RESOURCES-MIB::hrSWRunName.6 = STRING: "kworker/0:0H"
HOST-RESOURCES-MIB::hrSWRunName.7 = STRING: "kworker/u256:0"
HOST-RESOURCES-MIB::hrSWRunName.8 = STRING: "mm_percpu_wq"
HOST-RESOURCES-MIB::hrSWRunName.9 = STRING: "ksoftirqd/0"
HOST-RESOURCES-MIB::hrSWRunName.10 = STRING: "rcu_sched"
...

Enumerating Network Interfaces

List network interfaces and their configurations

$ snmpwalk -v2c -c public 192.168.1.10 interfaces
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 65536
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifMtu.3 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 10000000
IF-MIB::ifSpeed.2 = Gauge32: 1000000000
IF-MIB::ifSpeed.3 = Gauge32: 1000000000
IF-MIB::ifPhysAddress.1 = STRING:
IF-MIB::ifPhysAddress.2 = STRING: 00:1a:2b:3c:4d:5e
IF-MIB::ifPhysAddress.3 = STRING: 00:1a:2b:3c:4d:5f
...

4. Advanced SNMP Enumeration Techniques

Beyond basic enumeration, there are several advanced techniques that can reveal more detailed information about the target system.

Enumerating Installed Software Packages

List all installed software packages on the target system

$ snmpwalk -v2c -c public 192.168.1.10 hrSWInstalledName
HOST-RESOURCES-MIB::hrSWInstalledName.1 = STRING: "Red Hat Enterprise Linux Server release 7.9"
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "Apache HTTP Server 2.4.6"
HOST-RESOURCES-MIB::hrSWInstalledName.3 = STRING: "MySQL Server 5.7.33"
HOST-RESOURCES-MIB::hrSWInstalledName.4 = STRING: "OpenSSH 7.4p1"
HOST-RESOURCES-MIB::hrSWInstalledName.5 = STRING: "PHP 7.2.24"
HOST-RESOURCES-MIB::hrSWInstalledName.6 = STRING: "Net-SNMP 5.7.2"
HOST-RESOURCES-MIB::hrSWInstalledName.7 = STRING: "Postfix 2.10.1"
HOST-RESOURCES-MIB::hrSWInstalledName.8 = STRING: "OpenSSL 1.0.2k"

Identifying installed software versions is crucial for vulnerability assessment, as specific versions may have known vulnerabilities that can be exploited.

Enumerating System Users

Enumerate user accounts on Windows systems

$ snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.4.1.77.1.2.25
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.4.1.77.1.2.25.1.1.5.74.111.104.110.68 = STRING: "JohnD"
iso.3.6.1.4.1.77.1.2.25.1.1.6.83.117.115.97.110.66 = STRING: "SusanB"
iso.3.6.1.4.1.77.1.2.25.1.1.7.83.121.115.65.100.109.105.110 = STRING: "SysAdmin"

Enumerate user accounts on Linux systems (only works if snmpd has an extend entry named passwd whose output is /etc/passwd)

$ snmpwalk -v2c -c public 192.168.1.10 NET-SNMP-EXTEND-MIB::nsExtendOutputFull.passwd
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."passwd" = STRING: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System:/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
apache:x:112:117:Apache Web Server,,,:/var/www:/bin/false

User account information can be valuable for password attacks, social engineering, or identifying privileged accounts that might be targeted.

Enumerating Open TCP/UDP Ports

List all TCP listening ports

$ snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.6.13.1.3
TCP-MIB::tcpConnLocalPort.0.0.0.0.21.0.0.0.0.0 = INTEGER: 21
TCP-MIB::tcpConnLocalPort.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
TCP-MIB::tcpConnLocalPort.0.0.0.0.25.0.0.0.0.0 = INTEGER: 25
TCP-MIB::tcpConnLocalPort.0.0.0.0.80.0.0.0.0.0 = INTEGER: 80
TCP-MIB::tcpConnLocalPort.0.0.0.0.111.0.0.0.0.0 = INTEGER: 111
TCP-MIB::tcpConnLocalPort.0.0.0.0.443.0.0.0.0.0 = INTEGER: 443
TCP-MIB::tcpConnLocalPort.0.0.0.0.3306.0.0.0.0.0 = INTEGER: 3306
TCP-MIB::tcpConnLocalPort.127.0.0.1.8005.0.0.0.0.0 = INTEGER: 8005

List all UDP listening ports

$ snmpwalk -v2c -c public 192.168.1.10 1.3.6.1.2.1.7.5.1.2
UDP-MIB::udpLocalPort.0.0.0.0.53 = INTEGER: 53
UDP-MIB::udpLocalPort.0.0.0.0.67 = INTEGER: 67
UDP-MIB::udpLocalPort.0.0.0.0.68 = INTEGER: 68
UDP-MIB::udpLocalPort.0.0.0.0.111 = INTEGER: 111
UDP-MIB::udpLocalPort.0.0.0.0.123 = INTEGER: 123
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
UDP-MIB::udpLocalPort.0.0.0.0.514 = INTEGER: 514
UDP-MIB::udpLocalPort.0.0.0.0.5353 = INTEGER: 5353

Identifying open ports through SNMP can reveal services that might not be directly accessible from your scanning position, such as services behind a firewall that allows SNMP traffic but blocks direct port scanning.

Enumerating Mounted File Systems

List all mounted file systems and storage devices

$ snmpwalk -v2c -c public 192.168.1.10 hrStorageDescr
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: "Physical memory"
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: "Swap space"
HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: "/"
HOST-RESOURCES-MIB::hrStorageDescr.4 = STRING: "/boot"
HOST-RESOURCES-MIB::hrStorageDescr.5 = STRING: "/home"
HOST-RESOURCES-MIB::hrStorageDescr.6 = STRING: "/var"
HOST-RESOURCES-MIB::hrStorageDescr.7 = STRING: "/tmp"
HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: "/backup"
HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: "/mnt/nfs/fileserver"

Get the size of each storage device

$ snmpwalk -v2c -c public 192.168.1.10 hrStorageSize
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 16777216
HOST-RESOURCES-MIB::hrStorageSize.2 = INTEGER: 8388608
HOST-RESOURCES-MIB::hrStorageSize.3 = INTEGER: 20971520
HOST-RESOURCES-MIB::hrStorageSize.4 = INTEGER: 1048576
HOST-RESOURCES-MIB::hrStorageSize.5 = INTEGER: 104857600
HOST-RESOURCES-MIB::hrStorageSize.6 = INTEGER: 20971520
HOST-RESOURCES-MIB::hrStorageSize.7 = INTEGER: 5242880
HOST-RESOURCES-MIB::hrStorageSize.8 = INTEGER: 104857600
HOST-RESOURCES-MIB::hrStorageSize.9 = INTEGER: 209715200

Information about mounted file systems can reveal network shares, backup locations, or other sensitive storage areas that might contain valuable data.
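The walks in sections 3 and 4 are as useful to the owner of a device as to a tester: run against your own agent with the community string you actually hand out, they show precisely what an anonymous reader learns. The Python below is an added example, not code from this article or from Net-SNMP. It parses snmpwalk output lines into records, decodes the length-prefixed username index of the Windows user table (LanMgr-MIB svUserName, the numeric OID walked above), and groups the bindings by what they disclose. The sample lines are constructed from the outputs shown on this page, and the category names are this example's own.

```python
"""Parse snmpwalk output and report what an anonymous reader of the agent
would learn from it.

Added example for this page, not code from the article or from Net-SNMP.
The sample lines are constructed from the page's outputs; the sensitivity
categories are this example's own choice."""
import re
from collections import defaultdict

# One snmpwalk binding: OBJECT[.INDEX] = TYPE: VALUE  (TYPE may be Hex-STRING)
LINE_RE = re.compile(
    r'^(?P<object>\S+?)(?:\.(?P<index>[\d.]+))?\s*=\s*(?P<type>[A-Za-z0-9-]+):\s?(?P<value>.*)$')

# Keyed by MIB object name, or by numeric OID prefix where snmpwalk usually
# has no MIB loaded (the Windows user table is walked numerically above).
SENSITIVE_OBJECTS = {
    "hrSWInstalledName": "installed software and versions",
    "hrSWRunName": "running processes",
    "tcpConnLocalPort": "TCP listening ports",
    "udpLocalPort": "UDP listening ports",
    "hrStorageDescr": "mounted file systems",
    "nsExtendOutputFull": "output of extend commands",
    "1.3.6.1.4.1.77.1.2.25": "Windows user accounts (LanMgr-MIB svUserName)",
}
SV_USER_NAME_PREFIX = "1.3.6.1.4.1.77.1.2.25.1.1."

# Constructed from the outputs on this page.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux server 3.10.0-1160.el7.x86_64
HOST-RESOURCES-MIB::hrSWInstalledName.2 = STRING: "Apache HTTP Server 2.4.6"
HOST-RESOURCES-MIB::hrSWInstalledName.3 = STRING: "MySQL Server 5.7.33"
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
TCP-MIB::tcpConnLocalPort.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
UDP-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161
HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: "/mnt/nfs/fileserver"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."passwd" = STRING: root:x:0:0:root:/root:/bin/bash
IF-MIB::ifPhysAddress.2 = STRING: 00:1a:2b:3c:4d:5e
"""


def parse_walk(text):
    """Return {object, index, type, value} dicts; lines that are not
    variable bindings (errors, continuation lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["index"] = rec["index"] or ""
        value = rec["value"].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # snmpwalk quotes STRING values
        rec["value"] = value
        records.append(rec)
    return records


def decode_lanmgr_user(oid):
    """svUserName rows are indexed by the username itself, encoded as
    length.byte.byte...; decode it so index and value can be cross-checked."""
    oid = oid.replace("iso.", "1.", 1)
    if not oid.startswith(SV_USER_NAME_PREFIX):
        raise ValueError("not an svUserName OID")
    parts = [int(p) for p in oid[len(SV_USER_NAME_PREFIX):].split(".")]
    length, chars = parts[0], parts[1:]
    if len(chars) != length:
        raise ValueError(f"index says {length} chars but {len(chars)} follow")
    return bytes(chars).decode("ascii")


def classify(rec):
    """Category from SENSITIVE_OBJECTS, or None for harmless objects."""
    name = rec["object"].split("::")[-1].split(".")[0]
    numeric = rec["object"] + ("." + rec["index"] if rec["index"] else "")
    numeric = numeric.replace("iso.", "1.", 1)
    for key, category in SENSITIVE_OBJECTS.items():
        if name == key or numeric.startswith(key):
            return category
    return None


def exposure_report(records):
    """Category -> values an anonymous walk of this agent yields."""
    report = defaultdict(list)
    for rec in records:
        category = classify(rec)
        if category:
            report[category].append(rec["value"])
    return dict(report)


if __name__ == "__main__":
    for category, values in exposure_report(parse_walk(SAMPLE_WALK)).items():
        print(f"{category}: {values}")
```

The index decoder also serves as a consistency check on captured output: the "SysAdmin" row shown earlier on this page carries a length sub-identifier of 7 in front of eight character bytes, and the decoder would reject it rather than silently return a name.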

5. SNMP Version 3 Enumeration

SNMP version 3 provides enhanced security features including authentication and encryption. However, it can still be enumerated if proper credentials are obtained or if it's misconfigured.

Detecting SNMPv3 Capabilities

Detect if the target supports SNMPv3

$ nmap -sU -p 161 --script=snmp-info 192.168.1.10
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 192.168.1.10
Host is up (0.0054s latency).

PORT    STATE SERVICE
161/udp open  snmp
| snmp-info:
|   Version: 3
|   Context:
|   Security Model: USM
|_  Security Level: authPriv

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

Enumerating SNMPv3 Users

Enumerate SNMPv3 information with valid credentials

$ snmp-check -v3 -u admin -l authPriv -a SHA -A 'authpassword' -x AES -X 'privpassword' 192.168.1.10
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.1.10:161 using SNMPv3 and 'admin' user
[+] Connected to 192.168.1.10:161

[*] System information:

  Host IP address               : 192.168.1.10
  Hostname                      : server.example.com
  Description                   : Linux server 3.10.0-1160.el7.x86_64
  Contact                       : admin@example.com
  Location                      : Server Room
  Uptime                        : 4:02:15.55

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 1452355
  TCP segments sent             : 1369455
  TCP segments retrans          : 2455
  Input datagrams               : 2569854
  Delivered datagrams           : 2567399
  Output datagrams              : 2486955

[*] Network interfaces:

  Interface                     : lo
  Interface index               : 1
  IP address                    : 127.0.0.1
  Netmask                       : 255.0.0.0
  MAC address                   :
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 65536
  In octets                     : 1825654
  Out octets                    : 1825654

  Interface                     : eth0
  Interface index               : 2
  IP address                    : 192.168.1.10
  Netmask                       : 255.255.255.0
  MAC address                   : 00:1a:2b:3c:4d:5e
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 256984521
  Out octets                    : 189654785

  Interface                     : eth1
  Interface index               : 3
  IP address                    : 10.0.0.10
  Netmask                       : 255.255.0.0
  MAC address                   : 00:1a:2b:3c:4d:5f
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 125698745
  Out octets                    : 98745632

Brute-Forcing SNMPv3 Credentials

Simple bash script to brute-force SNMPv3 usernames with a known password

$ for user in $(cat users.txt); do echo -n "$user: "; snmpwalk -v3 -u "$user" -l authNoPriv -a MD5 -A "password" 192.168.1.10 system 2>&1 | grep -v "Timeout"; done
admin: SNMPv2-MIB::sysDescr.0 = STRING: Linux server 3.10.0-1160.el7.x86_64
admin: SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
admin: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1453555) 4:02:15.55
admin: SNMPv2-MIB::sysContact.0 = STRING: admin@example.com
admin: SNMPv2-MIB::sysName.0 = STRING: server.example.com
admin: SNMPv2-MIB::sysLocation.0 = STRING: Server Room
admin: SNMPv2-MIB::sysServices.0 = INTEGER: 72
operator:  monitor:  backup:  user:  guest:

SNMPv3 uses a username/password authentication system instead of community strings. If weak credentials are used, they can be brute-forced using tools like Hydra, Metasploit, or custom scripts.
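Every technique in sections 2 through 5 depends on a configuration choice on the agent: a default or source-unrestricted community, a read-write community, a v3 user accepted below authPriv or created with MD5/DES, or an extend entry like the passwd one that turns a file into a MIB object. The Python below audits an snmpd.conf for those settings. It is an added example, not code from this article or from Net-SNMP; it follows the directive syntax of snmpd.conf(5) (rocommunity/rwcommunity, rouser/rwuser, createUser, extend/exec), and both configurations embedded in it are constructed.

```python
"""Audit a Net-SNMP snmpd.conf for the weaknesses that make the enumeration
on this page work.

Added example for this page, not code from the article or from Net-SNMP.
Directive syntax follows snmpd.conf(5); both sample configs are constructed."""
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}
COMMAND_DIRECTIVES = {"extend", "extendfix", "extend-sh", "exec", "execfix", "sh"}
V3_LEVELS = {"noauth", "auth", "priv"}

WEAK_CONF = """\
# constructed: the shape of agent this page's walks succeed against
rocommunity public
rwcommunity private 192.168.1.0/24
rouser admin noauth
createUser admin MD5 "authpassword" DES "privpassword"
extend passwd /bin/cat /etc/passwd
sysLocation Server Room
"""

HARDENED_CONF = """\
# constructed: v3 authPriv only, plus one read-only community pinned to
# the poller's address and limited to the system group
view systemonly included .1.3.6.1.2.1.1
rocommunity Q7x-monitor-ro 192.168.1.200 -V systemonly
createUser monitor SHA "long-auth-passphrase" AES "long-priv-passphrase"
rouser monitor priv -V systemonly
"""


def audit_snmpd_conf(text):
    """Return a list of (line_number, finding) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # simplification: no '#' inside values
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                      # unbalanced quote; skip the line
            continue
        directive, args = tokens[0].lower(), tokens[1:]

        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = args[0] if args else ""
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{community}'"))
            if len(args) < 2 or args[1] == "default":
                findings.append((lineno, f"community '{community}' accepts requests from any source"))
            if len(args) < 3:
                findings.append((lineno, f"community '{community}' can read the whole MIB tree (no OID or -V view)"))
            if directive.startswith("rw"):
                findings.append((lineno, f"community '{community}' grants write access"))

        elif directive in USER_DIRECTIVES:
            # rouser [-s model] USER [noauth|auth|priv [OID | -V VIEW]]; default level is auth
            if len(args) >= 2 and args[0] == "-s":
                args = args[2:]
            user = args[0] if args else ""
            level = args[1].lower() if len(args) > 1 and args[1].lower() in V3_LEVELS else "auth"
            if level != "priv":
                findings.append((lineno, f"v3 user '{user}' accepted at level {level}; require priv"))
            if directive == "rwuser":
                findings.append((lineno, f"v3 user '{user}' has write access"))

        elif directive == "createuser":
            # createUser [-e ENGINEID] USER (MD5|SHA...) AUTHPASS [DES|AES] [PRIVPASS]
            if len(args) >= 2 and args[0] == "-e":
                args = args[2:]
            user = args[0] if args else ""
            if len(args) > 1 and args[1].upper() == "MD5":
                findings.append((lineno, f"v3 user '{user}' uses MD5 authentication"))
            if len(args) < 4:
                findings.append((lineno, f"v3 user '{user}' has no privacy (encryption) protocol"))
            elif args[3].upper() == "DES":
                findings.append((lineno, f"v3 user '{user}' uses DES privacy"))

        elif directive in COMMAND_DIRECTIVES:
            findings.append((lineno, f"{directive} exposes command output over SNMP: {' '.join(args)}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for lineno, msg in audit_snmpd_conf(conf):
            print(f"  line {lineno}: {msg}")
```

Run it over the weak configuration and every section of this page maps to a finding: the two default communities onesixtyone found, the unrestricted source and full-tree view that let snmpwalk dump everything, the extend entry behind nsExtendOutputFull."passwd", and the noauth/MD5/DES settings that make the v3 username loop practical. The hardened configuration produces no findings.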

6. Documenting Findings

Proper documentation of reconnaissance findings is crucial for the next phases of penetration testing. Document the following information:

  • IP addresses of hosts running SNMP services
  • SNMP versions in use (v1, v2c, v3)
  • Valid community strings or SNMPv3 credentials discovered
  • System information (OS, hostname, contact details)
  • Running services and processes
  • Network configuration details
  • User accounts and privileges
  • Mounted file systems and storage information
  • Installed software and versions
  • Any other sensitive information discovered

This information will be valuable for the vulnerability analysis phase, where you'll identify specific vulnerabilities that can be exploited.