SNMP Enumeration
Why SNMP Matters
Simple Network Management Protocol (SNMP) is the standard for monitoring and managing network infrastructure. It’s deployed on routers, switches, servers, printers, IoT devices, and nearly every piece of remotely manageable hardware. Beyond passive monitoring, SNMP can also execute configuration changes remotely. The current version is SNMPv3, which brings authentication and encryption but also significantly greater complexity, which leads many organizations to remain on legacy versions with critical security gaps.
How SNMP Works
SNMP uses UDP port 161 for queries and control commands, and UDP port 162 for traps: unsolicited notifications sent from devices to the management station when specific events occur (like interface failures or threshold breaches). This bidirectional communication model makes SNMP powerful but also exposes it to abuse when misconfigured.
For SNMP to function, clients and servers must agree on object addresses. This is handled through the Management Information Base (MIB) and Object Identifiers (OIDs).
MIB & OID Structure
The MIB is a standardized text file in Abstract Syntax Notation One (ASN.1) format that lists all queryable SNMP objects of a device in a hierarchical tree. Each object has:
- An OID (unique numeric address in dot notation)
- A descriptive name
- Access rights
- Data type
MIBs don’t store data; they define where to find information and how to interpret it. Many vendor-specific and standard MIBs are available in public registries.
An OID is a numerical path through the namespace tree (e.g., .1.3.6.1.2.1.1.1.0). The longer the chain, the more specific the information. You can look up OIDs at the Object Identifier Registry.
SNMP Versions
| Version | Authentication | Encryption | Complexity |
|---|---|---|---|
| SNMPv1 | Community strings (plaintext) | None | Low |
| SNMPv2c | Community strings (plaintext) | None | Low |
| SNMPv3 | Username/Password | Yes (pre-shared key) | High |
SNMPv1 and v2c rely on plaintext community strings for access control. These strings act as shared passwords and can be easily intercepted on the network. SNMPv3 introduces real authentication and encryption, but the configuration complexity often discourages migration, leaving many production environments on legacy versions.
Community Strings
Community strings are shared secrets that determine read or write access to SNMP objects. Common defaults include public (read-only) and private (read-write). Since they’re transmitted in plaintext in v1 and v2c, any network observer can capture and replay them.
Organizations often create custom community strings, but they frequently follow predictable patterns (hostnames, department names, site codes). This makes them vulnerable to brute-force enumeration.
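To make concrete why a network observer can read v1/v2c community strings, here is an added example (not from the original page) that decodes a constructed SNMPv2c GetRequest for sysDescr.0 (.1.3.6.1.2.1.1.1.0) and pulls the version, community and OID straight out of the BER bytes; a monitoring sensor can apply the same parse to alert when a default string such as public appears on the wire. The packet bytes and the helper names are this example's own.

```python
# Constructed SNMPv2c GetRequest for sysDescr.0 with community "public",
# hand-encoded in BER: exactly the bytes that cross the wire on UDP/161.
CAPTURED_GETREQUEST = bytes.fromhex(
    "3029"                  # SEQUENCE, 41 bytes
    "020101"                # INTEGER version = 1 (SNMPv2c)
    "04067075626c6963"      # OCTET STRING community = "public" (plaintext)
    "a01c"                  # GetRequest-PDU, 28 bytes
    "02040000002a"          # request-id = 42
    "020100020100"          # error-status = 0, error-index = 0
    "300e300c"              # VarBindList containing one VarBind
    "06082b06010201010100"  # OID .1.3.6.1.2.1.1.1.0
    "0500"                  # NULL value (a request carries no value)
)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def tlv(buf, pos):
    """Read one BER TLV (short-form length) and return (tag, value, next_pos)."""
    start = pos + 2
    return buf[pos], buf[start:start + buf[pos + 1]], start + buf[pos + 1]

def decode_oid(raw):
    """Expand BER OID bytes to dot notation; the first byte packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a multi-byte sub-identifier
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))

def parse_snmp_message(pkt):
    """Return version, plaintext community, PDU type and OIDs of a v1/v2c message."""
    _, msg, _ = tlv(pkt, 0)
    _, ver, pos = tlv(msg, 0)
    if ver[0] == 3:               # v3 carries a USM header, not a community string
        raise ValueError("SNMPv3 message: no plaintext community to extract")
    _, community, pos = tlv(msg, pos)
    pdu_tag, pdu, _ = tlv(msg, pos)
    pos = 0
    for _ in range(3):            # skip request-id, error-status, error-index
        _, _, pos = tlv(pdu, pos)
    _, varbinds, _ = tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = tlv(varbinds, pos)
        oids.append(decode_oid(tlv(vb, 0)[1]))
    return {"version": {0: "v1", 1: "v2c"}[ver[0]], "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

if __name__ == "__main__":
    print(parse_snmp_message(CAPTURED_GETREQUEST))
```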
Default Configuration
The SNMP daemon configuration (/etc/snmp/snmpd.conf) defines listening addresses, MIB views, community strings, and access controls:
```
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
agentaddress 127.0.0.1,[::1]
rocommunity public default -V systemonly
rouser authPrivUser authpriv -V systemonly
```
Key elements:
- agentaddress: Which IPs/interfaces the daemon listens on
- rocommunity: Read-only community string
- rwcommunity: Read-write community string
- view: Limits which OID subtrees are accessible
Dangerous Settings
Certain SNMP configurations create serious security risks:
| Setting | Risk |
|---|---|
| rwuser noauth | Full OID tree access without authentication |
| rwcommunity <string> <IP> | Read-write access from any source using the community string |
| rwcommunity6 <string> <IPv6> | Same as above, IPv6 variant |
Additional risks arise from:
- Binding to 0.0.0.0 (listening on all interfaces, including public ones)
- Using default community strings like public or private
- No source IP restrictions on community strings
These misconfigurations commonly allow full device enumeration and, in write enabled cases, remote configuration changes.
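As an added example (not part of the original page), a small Python checker that reads snmpd.conf text and flags the settings listed above: all-interface binding, default community strings, read-write communities with no source or view restriction, and SNMPv3 users at the noauth level. The sample config is constructed for the example and deliberately mixes the safe lines from the default config with risky ones.

```python
# Constructed snmpd.conf: the page's safe default lines mixed with deliberately
# risky ones so that every rule below has something to flag.
SAMPLE_CONF = """\
sysLocation Sitting on the Dock of the Bay
sysContact Me <me@example.org>
agentaddress 0.0.0.0,[::1]
rocommunity public default -V systemonly
rwcommunity private
rwcommunity6 s3cret 2001:db8::/32
rwuser admin noauth
rouser authPrivUser authpriv -V systemonly
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}

def audit_snmpd_conf(text):
    """Return (severity, config line, reason) findings for snmpd.conf text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        writable = directive.startswith("rw")
        if directive == "agentaddress":
            # 0.0.0.0 or [::] binds every interface, public ones included
            if "0.0.0.0" in " ".join(args) or "[::]" in " ".join(args):
                findings.append(("HIGH", line, "listens on all interfaces"))
        elif directive in COMMUNITY_DIRECTIVES:
            community = args[0] if args else ""
            # optional second argument is the allowed SOURCE; missing or 'default'
            # means any host that knows the string is accepted
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            if community in DEFAULT_COMMUNITIES:
                findings.append(("HIGH" if writable else "MEDIUM", line,
                                 f"default community string '{community}'"))
            if writable and source == "default":
                findings.append(("HIGH", line, "read-write access from any source"))
            if writable and "-V" not in args:   # no view: whole OID tree writable
                findings.append(("HIGH", line, "read-write access to the full OID tree"))
        elif directive in USER_DIRECTIVES:
            level = args[1] if len(args) > 1 else "auth"   # net-snmp default is auth
            if level == "noauth":
                findings.append(("HIGH" if writable else "MEDIUM", line,
                                 "SNMPv3 user without authentication"))
    return findings

for severity, line, reason in audit_snmpd_conf(SAMPLE_CONF):
    print(f"[{severity}] {reason}: {line}")
```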
Footprinting the Service
SNMP enumeration relies on three primary tools:
snmpwalk
Queries the full OID tree or specific branches:
```shell
snmpwalk -v2c -c public 10.129.14.128
```
Successful output includes system info, installed packages, network interfaces, running processes, and more. This is the most comprehensive enumeration method when you have a valid community string.
onesixtyone
Brute-forces community strings using wordlists:
```shell
onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt 10.129.14.128
```
Effective when default or predictable strings are in use. Combine with custom wordlists based on target naming conventions.
braa
Brute-forces individual OIDs once a community string is known:
```shell
braa public@10.129.14.128:.1.3.6.*
```
Faster than snmpwalk for targeted queries and useful for scripting bulk checks.
Enumeration Workflow
- Port scan: Identify UDP 161/162 (use nmap -sU -p 161,162)
- Version detection: Attempt SNMPv1/v2c/v3 probes
- Community string guessing: Start with public, then try wordlists
- OID enumeration: Use snmpwalk to dump accessible data
- Data analysis: Look for usernames, software versions, network topology, credentials
Common findings include installed packages (useful for exploit matching), interface configurations, and sometimes even plaintext credentials in device descriptions.
Common SNMP Commands
| Command | Description |
|---|---|
| snmpwalk -v2c -c <community string> <FQDN/IP> | Querying OIDs using snmpwalk. |
| onesixtyone -c community-strings.list <FQDN/IP> | Bruteforcing community strings of the SNMP service. |
| braa <community string>@<FQDN/IP>:.1.* | Bruteforcing SNMP service OIDs. |
Practical Takeaways
- Version matters: SNMPv1/v2c have no encryption; assume community strings are compromised on untrusted networks.
- Community strings are not passwords: They’re shared secrets with no rotation policies in most environments.
- Default strings are common: Many devices ship with public/private and never get changed.
- OID trees leak extensive data: System info, users, processes, network configs, and installed software.
- Write access is critical: rwcommunity settings allow remote device configuration.
- Enumeration is noisy: SNMP queries generate logs, but many admins don’t monitor them.
A focused reference for understanding SNMP architecture, recognizing risky configurations, and conducting safe enumeration during security assessments.