Notes

SNMP is that it operates using community strings which means it sends passwords when it sends data. Can be sniffed with wireshark. Versions:

  • SNMPv1 is all cleartext, so it is easy to grab the string
  • SNMPv2 has some inherent weaknesses allowing it to be grabbed 2
  • SNMPv3 is encrypted, but it can be brute forced.

There are 2 kinds of community strings: Public (Read Access) and Private (Write Access).

You can also brute-force the string with nmap or Hydra: nmap --script=snmp-brute $targetIP hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt snmp://$targetIP/

But you need community string first:

onesixtyone

  • onesixtyone -c $(file containing community strings (public, private, manager)) -i $(file containing target ips)
  • Note that there are seclists with common community strings
    • SecLists/Miscellaneous/wordlist-common-snmp-community-strings.txt
    • /usr/share/seclists/Discovery/SNMP/snmp.txt

snmpwalk

  • snmpwalk -c public -v1 -t 10 $targetIP: where public is the community string (could be private or mamanger)
  • snmpwalk -c public -v1 192.168.50.151 $OIDString - for specific info
  • snmpwalk -v $version -c public $IP NET-SNMP-EXTEND-MIB::nsExtendOutputFull
  • snmpwalk -v 2c -c public 192.168.243.156 NET-SNMP-EXTEND-MIB::nsExtendObjects
    • This one seems to return the most, and everything else seemed to miss some information from OSCP Exam C
|OID| Target |
|--|--|
| 1.3.6.1.2.1.25.1.6.0 | System Processes |
| 1.3.6.1.2.1.25.4.2.1.2 | Running Programs |
| 1.3.6.1.2.1.25.4.2.1.4 | Processes Path |
| 1.3.6.1.2.1.25.2.3.1.4 | Storage Units |
| 1.3.6.1.2.1.25.6.3.1.2  | Software Name |
| 1.3.6.1.4.1.77.1.2.25 | User Accounts |
| 1.3.6.1.2.1.6.13.1.3 | TCP Local Ports |
  • snmpwalk -Os -c public -v 1 $IP system
    • to retrieve all
    • try ā€˜v 2cā€™ as well

Useful Nmap Scripts:

snmp-brute snmp-win32-services.nse snmp-win32-shares.nse snmp-win32-software.nse snmp-win32-users.nse

snmpset

You can even overwrite and set some OIDs if things are misconfigured: snmpset -c $communityString -v $version $OID $VALUE

snmpenum

`snmpenum $targetIP ā€‹$communityString $configFile

  • config files are in /usr/share/snmpenum/