# SNMP

Summary:

Polling: the network monitor sends a request to the device on UDP port 161. The monitor asks the device (e.g. a NAS) for the value of an OID and the device responds.

Notifying: the device sends information about its own OIDs to the manager on UDP port 162. These messages towards 162 are called traps, notifications or informs.

Used for network management. Basic commands: read (monitor), write (config), trap (collection) and traversal ops (get supported variables). Tends to be overly verbose and is often misconfigured, which leads to information leakage. It is a UDP-based, stateless protocol that is vulnerable to IP spoofing and replay attacks.

Versions 1, 2 and 2c offer no traffic encryption and are the easiest to hack: they don't use a user/password combo, just a single community string to authenticate, and SNMP info can easily be intercepted. v3 requires a user and password and offers encryption, but can still fall to brute-forcing attacks. Always check for weak auth schemes; devices normally ship with the default public and private community strings.

SNMP Verbs:\
Get, GetNext, Set, Trap

Community Strings:

**Private:** write access\
**Public:** read access\
**OID:** numerical IDs for sensor data on things like fans, heat, drive capacity, etc. They are laid out in a tree structure, where they can be vague (high up) or granular (deep down)\
**MIB:** human-friendly names for OIDs

There are default MIBs and OIDs for systems, so you can ask almost any system something like `sysUpTime.0` and get info from it. These are built in; you can find lists by googling something like "OID for synology nas" and by looking at the product manuals. The SNMP management information base (MIB) is a network settings database organized as a tree. If we can access the MIB and know how to read and interpret the info, we can learn about each and every device on the network. If we can crack the SNMP community string, we may be able to control each networked device.

### Common attacks

(Before you try any hack on SNMP, make certain you try these default passwords first.)\
**Default Community:** using the default community strings\
**Sniffing Community Strings:** works with v1-v2, since the communication is cleartext\
**Brute forcing strings:** will trigger IDS systems, as they see many login attempts with different strings\
**Flooding:** a DoS attack where we spoof an SNMP agent, then flood the SNMP trap manager with traps varying in size from 50 B to 32 KB until the trap manager is unable to function

### Tools

snmpwalk - uses GetNext to enumerate the MIB tree. We provide an OID and it walks everything under that OID; otherwise it walks as much of the tree as it can see.
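To show what snmpwalk is doing under the hood, here is an added example (not from the original notes) that simulates GetNext over a small constructed agent table and walks a subtree the way snmpwalk does. It compares OIDs arc by arc as integers rather than as strings, so that ifDescr.2 correctly sorts before ifDescr.10; the table values are made up.

```python
# Constructed agent table (made-up values) covering part of the MIB-2 system and
# interfaces subtrees; a real agent would answer these from its own MIB.
AGENT_MIB = {
    "1.3.6.1.2.1.1.1.0": "Linux nas01 5.10",          # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                      # sysUpTime.0
    "1.3.6.1.2.1.1.4.0": "admin@example.invalid",     # sysContact.0
    "1.3.6.1.2.1.1.5.0": "nas01",                     # sysName.0
    "1.3.6.1.2.1.2.1.0": 2,                           # ifNumber.0
    "1.3.6.1.2.1.2.2.1.2.2": "eth0",                  # ifDescr.2
    "1.3.6.1.2.1.2.2.1.2.10": "tun0",                 # ifDescr.10
}

def oid_key(oid):
    """Compare OIDs arc by arc as integers: ifDescr.2 sorts before ifDescr.10,
    which plain string comparison gets wrong ("10" < "2")."""
    return tuple(int(arc) for arc in oid.split("."))

def get_next(mib, oid):
    """GetNext semantics: the first instance lexicographically after oid,
    or None when the end of the MIB view is reached."""
    later = [o for o in mib if oid_key(o) > oid_key(oid)]
    return min(later, key=oid_key) if later else None

def walk(mib, root):
    """snmpwalk-style traversal: repeat GetNext starting at root and stop as
    soon as the answer falls outside the requested subtree."""
    prefix, oid, result = oid_key(root), root, []
    while True:
        oid = get_next(mib, oid)
        if oid is None or oid_key(oid)[:len(prefix)] != prefix:
            return result
        result.append((oid, mib[oid]))
```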

We want to install "snmp-mibs-downloader"; then, in the file /etc/snmp/snmp.conf, we add any OIDs that we find to the 4th line of the file, which helps us enumerate better.

//walk through the SNMP MIB tree for an IP\
//We must be authenticated to use this tool... usually it's "public" or "private"\
`# snmpwalk -c public -v 1 <ip>`    //-c community string (normally public), then the version being used, in this case v1, but also try -v 2c\
`# snmpwalk -c public 192.168.38.200 -v 2c`\
//we can also use the keys from `cat mib-values`\
`# snmpwalk -c public -v 1 -t 10 <ip> 1.3.6.1.4.1.77.1.2.25`     //enumerating users


snmpset:\
`# snmpwalk -v 2c -c public 192.168.102.149 system.syscontact.0`	//this gave us the system contact of "String: <admin@els.com>"

`# snmpset -v 2c -c public 192.168.102.149 system.syscontact.0 s new@els.com`		//we now write a new value to the contact (write access with the community string)

Nmap Scripts:\
Scan for SNMP ports on the network\
`# nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt`

Brute-force list in: /usr/share/nmap/nselib/data/snmpcommunities.lst\
// there is a SecLists wordlist for this at: /usr/share/seclists/Misc/wordlist-common-snmp-community-strings.txt

* snmp-brute  //add our strings here or specify a new list: `--script-args snmp-brute.communitiesdb=<wordlist>`
* snmp-info
* snmp-interfaces
* snmp-netstat
* snmp-processes
* snmp-sysdescr
* snmp-win32-services
* snmp-win32-users
* ..more at: `ls -l /usr/share/nmap/scripts | grep -i snmp`

Use a script\
`# nmap -sU -p 161 10.11.1.1 --script=<name>`\
`cat mib-values`     //MS SNMP params\
This will give us things like:

* system processes
* running programs
* process path
* storage units
* user accounts
* tcp local ports

### SNMP Brute Force

`echo public > community`\
`echo private >> community`\
`echo manager >> community`\
`for ip in $(seq 1 254);do echo 10.11.1.$ip;done > ips`\
`onesixtyone -c community -i ips`

Brute Force community strings and IPs\
`#onesixtyone [options] <host> <community>`\
`#onesixtyone -c dict.txt 192.168.1.119`      \
Will use the default wordlist /usr/share/doc/onesixtyone/dict.txt to try to crack the community string

(Authenticated) Enumeration of OIDs: //auth with the community string\
`# perl snmpenum.pl <IP-address> <community string> <config file>`\
//the config file can be one of the following (part of snmpenum; can be downloaded if needed). If you have trouble with the files running, then use `dos2unix *.txt` to format them

~/tools/snmp/cisco.txt\
~/tools/snmp/linux.txt\
~/tools/snmp/windows.txt\
//these lists contain several OIDs to check

`#snmp-check 192.168.1.2 -c public`

### MIB Lookup

{% embed url="<https://mibdepot.com>" %}

