Hacktricks-skills snmp-pentest

Pentest SNMP services on network devices. Use this skill whenever the user needs to enumerate SNMP (ports 161/162/10161/10162), discover community strings, extract system information from network devices (routers, switches, printers, IoT), or perform SNMP-based reconnaissance. Trigger for any request involving SNMP enumeration, community string discovery, OID queries, or network device information gathering.

Install

Clone the upstream repo:

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/network-services-pentesting/pentesting-snmp/pentesting-snmp/SKILL.MD

Source content

SNMP Pentesting Skill

A comprehensive skill for pentesting Simple Network Management Protocol (SNMP) services on network devices.

Overview

SNMP is used to monitor network devices like routers, switches, printers, and IoT devices. This skill helps you:

  • Enumerate SNMP services and discover community strings
  • Extract system information from network devices
  • Identify vulnerabilities and potential attack vectors
  • Parse and analyze SNMP data for useful intelligence

Key Concepts

Ports

  • 161/UDP: the agent receives requests (Get/GetNext/GetBulk/Set)
  • 162/UDP: a manager receives traps/notifications sent by agents
  • 10161: SNMP over TLS (TCP) or DTLS (UDP), RFC 6353
  • 10162: traps/notifications over TLS (TCP) or DTLS (UDP)

SNMP Versions

  • SNMPv1/v2c: a community string sent in clear text is the only "authentication"; anyone who sniffs one request has it
  • SNMPv3: user-based security (USM) with HMAC authentication and optional encryption; only the authPriv level protects both integrity and confidentiality, and a v3 user configured as noAuthNoPriv is no better than v2c

Community Strings

  • public: typically read-only access
  • private: typically read/write access
  • v1/v2c agents silently discard requests that carry an unknown community string, so any reply at all (even an error) means the string is valid; a timeout is the normal "wrong string" signal
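To make the "valid string means a reply, wrong string means silence" rule concrete, here is an added example (not code from the HackTricks skill or from net-snmp) that builds an SNMPv1/v2c GetRequest for sysDescr.0 by hand, sends it over UDP/161 and parses the GetResponse. It also makes the plaintext problem visible: the community string is an ordinary OCTET STRING a few bytes into the datagram. The host 192.168.1.100 in the demo is a placeholder.

```python
"""Hand-rolled SNMPv1/v2c GetRequest builder and response parser (BER over UDP).
Added example, not code from the HackTricks skill. Standard library only."""
import socket

SNMP_VERSION = {"v1": 0, "v2c": 1}
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific PDU tags
SYS_DESCR = "1.3.6.1.2.1.1.1.0"

# --- BER encoding -----------------------------------------------------------
def _length(n):
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _integer(v):
    # shortest two's-complement encoding (version, request-id, error fields)
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit = "more"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_pdu(pdu_tag, community, varbinds, version="v2c", request_id=0x1234, error_status=0):
    """varbinds: [(dotted_oid, value_bytes or None)]; None encodes a NULL value."""
    vbl = b"".join(_tlv(0x30, _oid(o) + (b"\x05\x00" if v is None else _tlv(0x04, v)))
                   for o, v in varbinds)
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(error_status) + _integer(0) + _tlv(0x30, vbl))
    # community is a plain OCTET STRING right after the version: visible to any sniffer
    return _tlv(0x30, _integer(SNMP_VERSION[version]) + _tlv(0x04, community.encode()) + pdu)

def build_get(community, oid=SYS_DESCR, version="v2c", request_id=0x1234):
    return build_pdu(GET_REQUEST, community, [(oid, None)], version, request_id)

# --- BER decoding -----------------------------------------------------------
def _read_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        items.append((tag, val))
    return items

def _decode_oid(body):
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return "." + ".".join(map(str, arcs))

def _int_of(b):
    return int.from_bytes(b, "big", signed=True)

def parse_message(datagram):
    """Return (version, community, pdu_tag, request_id, error_status, [(oid, value_tag, raw_value)])."""
    _, body, _ = _read_tlv(datagram)
    (_, ver), (_, comm), (pdu_tag, pdu) = _children(body)
    (_, rid), (_, err), _, (_, vbl) = _children(pdu)
    varbinds = []
    for _, vb in _children(vbl):
        (_, oid), (vtag, val) = _children(vb)
        varbinds.append((_decode_oid(oid), vtag, val))
    return _int_of(ver), comm.decode(errors="replace"), pdu_tag, _int_of(rid), _int_of(err), varbinds

def probe(target, community, version="v2c", timeout=2.0):
    """Get sysDescr.0 with one community string. v1/v2c agents silently drop
    requests whose community is unknown, so None (timeout) is the normal
    'wrong string' result and any GetResponse means the string was accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, version=version), (target, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    _, _, tag, _, err, vbs = parse_message(data)
    if tag != GET_RESPONSE:
        return None
    return vbs[0][2].decode(errors="replace") if err == 0 and vbs else ""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.100"   # placeholder target
    for cs in ("public", "private", "community"):
        print(cs, "->", probe(host, cs))
```

Run it with a target as the first argument; a string that prints None timed out (unknown community), one that prints a sysDescr is valid. The same builder with GET_RESPONSE as the tag produces the datagram an agent would answer with, which is how the parser can be exercised offline.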

OIDs (Object Identifiers)

Unique identifiers for SNMP objects, written as dotted numbers. Key OIDs (all under MIB-2, 1.3.6.1.2.1):

  • 1.3.6.1.2.1.1.1.0 - sysDescr: system description (OS, kernel or firmware version)
  • 1.3.6.1.2.1.25.1.6.0 - hrSystemProcesses: number of running processes
  • 1.3.6.1.2.1.25.4.2.1.2 - hrSWRunName: running program names (indexed by PID)
  • 1.3.6.1.2.1.25.4.2.1.4 - hrSWRunPath: process paths
  • 1.3.6.1.2.1.25.4.2.1.5 - hrSWRunParameters: process command-line arguments (where credentials usually turn up)
  • 1.3.6.1.2.1.6.13.1.3 - tcpConnLocalPort: local TCP ports (listening and connected)

Workflow

Step 1: Initial Reconnaissance

First, check if SNMP is running and what version. SNMP is UDP, so nmap needs -sU and the port; without them the snmp-* scripts never fire:

nmap -sU -p 161 --script "snmp* and not snmp-brute" <target>

Step 2: Enumerate with Known Community String

If you have a community string (try public first):

# Full enumeration
snmpbulkwalk -c <community_string> -v2c <target> .

# Or use snmp-check for formatted output
snmp-check <target> -c <community_string>

Step 3: Brute-Force Community Strings

If no community string is known:

# Using onesixtyone
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <target>

# Using hydra
hydra -P <password_list> -v <target> snmp

Step 4: Extract Useful Information

Once you have access, look for:

  • System info: sysDescr (OS, kernel or firmware version), uptime, device type
  • Network interfaces: IPv4/IPv6 addresses, MAC addresses, routing table
  • Usernames: local and service accounts visible in process listings and descriptive fields
  • Passwords: command-line arguments of running processes (hrSWRunParameters) and, on some devices, log entries that contain failed login attempts
  • Running processes and listening ports: map services for further attacks
  • Email addresses: sysContact and other descriptive fields

Step 5: Advanced Enumeration

For extended information:

# Extended queries (the NET-SNMP-EXTEND-MIB name needs snmp-mibs-downloader;
# the numeric form .1.3.6.1.4.1.8072.1.3.2.3.1.2 works without MIBs)
snmpwalk -v2c -c public <target> NET-SNMP-EXTEND-MIB::nsExtendOutputFull

# IPv6 information
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4.34.1.3

# All OIDs
snmpwalk -v2c -c public <target> .1
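Steps 4 and 5 leave you with a large snmpwalk dump; the useful part is pulling processes, their arguments and the TCP sockets out of it. The following is an added example, not the skill's own extract_snmp_data.sh, that parses the numeric output snmpwalk prints when no MIBs are loaded (the "iso.3.6..." or ".1.3.6..." form) and applies a simple credential heuristic to hrSWRunParameters. SAMPLE_WALK is constructed for the demo; every host, PID and password in it is made up.

```python
"""Parse snmpwalk/snmpbulkwalk output and extract processes, sockets and credential hits.
Added example, not code from the HackTricks skill. Standard library only."""
import re
from collections import defaultdict

SYS_DESCR = ".1.3.6.1.2.1.1.1.0"
SYS_NAME = ".1.3.6.1.2.1.1.5.0"
HR_SW_RUN = ".1.3.6.1.2.1.25.4.2.1."            # hrSWRunEntry.<column>.<pid>
HR_SW_RUN_COLS = {"2": "name", "4": "path", "5": "params"}
TCP_CONN_STATE = ".1.3.6.1.2.1.6.13.1.1."        # tcpConnState, 2 = listen
TCP_CONN_LOCAL_PORT = ".1.3.6.1.2.1.6.13.1.3."   # index: laddr(4).lport.raddr(4).rport

# "oid = TYPE: value"; the TYPE label is absent when snmpwalk prints an empty string (oid = "")
_LINE = re.compile(r'^(\S+)\s+=\s+(?:([A-Za-z0-9-]+):\s*)?(.*)$')
# crude heuristic for secrets in command lines: key=value style or mysql-style -pSECRET
_CRED = re.compile(r'(?i)(?:pass(?:w(?:or)?d)?|pwd|secret|token|api[_-]?key)\s*[=:]\s*\S+|(?<!\S)-p\S+')

# Constructed sample of snmpwalk output (no MIBs loaded); not from a real device.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux srv01 5.15.0-91-generic #101-Ubuntu SMP x86_64"
iso.3.6.1.2.1.1.5.0 = STRING: "srv01"
iso.3.6.1.2.1.2.2.1.6.2 = Hex-STRING: 00 0C 29 3A 1B 7F
iso.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
iso.3.6.1.2.1.6.13.1.1.10.0.0.5.3306.10.0.0.9.51522 = INTEGER: 5
iso.3.6.1.2.1.6.13.1.3.10.0.0.5.3306.10.0.0.9.51522 = INTEGER: 3306
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.4.812 = STRING: "/usr/sbin/sshd"
iso.3.6.1.2.1.25.4.2.1.5.812 = STRING: "-D"
iso.3.6.1.2.1.25.4.2.1.2.1234 = STRING: "mysqld"
iso.3.6.1.2.1.25.4.2.1.4.1234 = STRING: "/usr/sbin/mysqld"
iso.3.6.1.2.1.25.4.2.1.5.1234 = ""
iso.3.6.1.2.1.25.4.2.1.2.2048 = STRING: "mysql"
iso.3.6.1.2.1.25.4.2.1.4.2048 = STRING: "/usr/bin/mysql"
iso.3.6.1.2.1.25.4.2.1.5.2048 = STRING: "-uroot -pS3cret! app"
iso.3.6.1.2.1.25.4.2.1.2.3100 = STRING: "backup.sh"
iso.3.6.1.2.1.25.4.2.1.4.3100 = STRING: "/bin/bash"
iso.3.6.1.2.1.25.4.2.1.5.3100 = STRING: "/opt/backup.sh --user=svc_backup --password=Winter2024!"
"""

def parse_walk(text):
    """Map dotted OID -> (type, value); 'iso.' is normalised to '.1.' and STRING quotes stripped."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue                       # continuation lines of multi-line values are skipped
        oid, typ, val = m.groups()
        oid = ".1." + oid[4:] if oid.startswith("iso.") else (oid if oid.startswith(".") else "." + oid)
        typ = typ or "STRING"
        if typ == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[oid] = (typ, val)
    return out

def processes(parsed):
    """{pid: {'name': .., 'path': .., 'params': ..}} from the hrSWRun table."""
    procs = defaultdict(dict)
    for oid, (_, val) in parsed.items():
        if oid.startswith(HR_SW_RUN):
            col, pid = oid[len(HR_SW_RUN):].split(".", 1)
            if col in HR_SW_RUN_COLS:
                procs[int(pid)][HR_SW_RUN_COLS[col]] = val
    return dict(procs)

def tcp_sockets(parsed):
    """Sorted (local_ip, local_port, listening) from tcpConnLocalPort, using tcpConnState for listen."""
    socks = set()
    for oid in parsed:
        if oid.startswith(TCP_CONN_LOCAL_PORT):
            index = oid[len(TCP_CONN_LOCAL_PORT):]
            arcs = index.split(".")
            if len(arcs) != 10:
                continue
            state = parsed.get(TCP_CONN_STATE + index, ("", ""))[1]
            socks.add((".".join(arcs[:4]), int(arcs[4]), state == "2"))
    return sorted(socks)

def credential_hits(procs):
    """[(pid, name, matched_fragment)] for processes whose arguments look like they carry a secret."""
    hits = []
    for pid, p in sorted(procs.items()):
        m = _CRED.search(p.get("params", ""))
        if m:
            hits.append((pid, p.get("name", "?"), m.group(0)))
    return hits

def report(text):
    parsed = parse_walk(text)
    procs = processes(parsed)
    return {"sysdescr": parsed.get(SYS_DESCR, ("", ""))[1],
            "hostname": parsed.get(SYS_NAME, ("", ""))[1],
            "processes": procs,
            "sockets": tcp_sockets(parsed),
            "credentials": credential_hits(procs)}

if __name__ == "__main__":
    import json, sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WALK
    print(json.dumps(report(text), indent=2))
```

Feed it the file written in the example session (python3 this.py snmp_output.txt). The credential regex is deliberately loose; treat hits as leads to verify, not proof, and read the full hrSWRunParameters column yourself on anything interesting.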

Tools Reference

| Tool | Purpose | Command |
|------|---------|---------|
| snmpwalk | Query SNMP OIDs | snmpwalk -v2c -c <string> <target> <oid> |
| snmpbulkwalk | Faster enumeration (v2c GetBulk) | snmpbulkwalk -v2c -c <string> <target> . |
| snmp-check | Formatted enumeration | snmp-check <target> -c <string> |
| onesixtyone | Community string brute-force | onesixtyone -c <wordlist> <target> |
| braa | Mass SNMP scanner | braa <string>@<target>:<oid> |
| nmap | SNMP scripts | nmap -sU -p 161 --script "snmp*" <target> |

Common Attack Vectors

1. Weak Community Strings

Default strings like public, private and community are often left unchanged.

2. Read/Write Access

With a read/write community string you may be able to:

  • Modify system configuration
  • Execute commands (RCE): on net-snmp agents this usually goes through the NET-SNMP-EXTEND-MIB objects, which let a writable community define a command the agent then runs
  • Change network settings (interfaces, routes), which can take the device off the network

Check for write access without changing anything: read sysContact.0 (1.3.6.1.2.1.1.4.0) with snmpget, then snmpset it to exactly the same value with the candidate string. A timeout or an error (noSuchName, noAccess or notWritable depending on version) means the string is read-only; a successful set means it is writable. Do this before any real write, and never touch interface or routing objects on a device you are not allowed to take offline.

3. Information Disclosure

SNMP often reveals:

  • System versions (for exploit research)
  • User accounts
  • Network topology
  • Running services

4. Spoofing

If the agent restricts access by source IP (snmpd.conf com2sec entries or a device ACL), the only check is the IP header: SNMP over UDP has no handshake, so a request with a spoofed allowed source address is processed. The reply goes to the spoofed address, so you only see it if you are on the same segment and can sniff or ARP-spoof it; blind writes with snmpset need no reply and still take effect. This is why a source ACL on v1/v2c is not an authentication mechanism.

Scripts

Use the bundled scripts for common tasks:

  • scripts/enumerate_snmp.sh - Full SNMP enumeration
  • scripts/extract_snmp_data.sh - Extract useful data from SNMP output
  • scripts/snmp_bruteforce.sh - Brute-force community strings

Example Session

# 1. Check if SNMP is running
nmap -sU -p 161,162 192.168.1.100

# 2. Try default community string
snmp-check 192.168.1.100 -c public

# 3. If that fails, brute-force
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt 192.168.1.100

# 4. Extract useful data
snmpbulkwalk -c <found_string> -v2c 192.168.1.100 . > snmp_output.txt
./scripts/extract_snmp_data.sh snmp_output.txt

Safety Notes

  • Always have authorization before testing
  • SNMP v1/v2c traffic is unencrypted
  • Write access can be dangerous - test carefully
  • Some devices may crash with certain OID queries

References