# SNMP | 161

{% hint style="info" %}
**SNMPv1 and SNMPv2c are insecure** because community strings are sent in plaintext, so use strong, non-default strings and restrict access to trusted IPs, especially in production. **SNMPv3 offers secure authentication and encryption** but is more complex to configure. Always limit sensitive data exposure through the agent config (e.g., /etc/snmp/snmpd.conf on Linux) and firewall rules (UDP 161/162). Note that Windows requires manual SNMP service installation, and Linux logs are in /var/log/snmpd.log.
{% endhint %}

## 01. Set Up SNMP Service

* Windows

```powershell
## ------------------| Install
Add-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0"     ## Windows 10/11 (Run as Administrator)
Install-WindowsFeature -Name SNMP-Service -IncludeAllSubFeature -Verbose    ## Windows Server 2016/2019/2022 (Run as Administrator)

## ------------------| Configure SNMP Service
### Configure via Registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" /v public /t REG_DWORD /d 4
### Configure via GUI
##### 1. Open Services (services.msc), find "SNMP Service", and set to Automatic
##### 2. Right-click SNMP Service > Properties > Security Tab
#####     - Add Community String (e.g., "public", Read-Only)
#####     - Set "Accept SNMP packets from these hosts" (e.g., SNMP Manager IP)
### Allow SNMP through Firewall
netsh advfirewall firewall add rule name="Allow SNMP" dir=in action=allow protocol=UDP localport=161
Restart-Service -Name SNMP        ### Restart SNMP Service
Get-Service -Name SNMP            ### Verify SNMP Service
```

* Linux

```bash
## ------------------| Install
sudo apt install -y snmpd snmp                  ### Ubuntu/Debian
sudo dnf install net-snmp net-snmp-utils -y     ### CentOS/RHEL

## ------------------| Configure SNMP Service
## Add the following lines to /etc/snmp/snmpd.conf (sudo vi /etc/snmp/snmpd.conf)
rocommunity public   # Allow SNMPv2c read-only access
agentAddress udp:161 # Listen on all interfaces (or specify IP like udp:127.0.0.1:161)
sysLocation ServerRoom # Optional system info
sysContact admin@h4rithd.com # Optional system info

## ------------------| Configure SNMP to Listen on All Interfaces
sudo sed -i 's/snmpd.options=".*"/snmpd.options="-Lsd -Lf \/dev\/null -u snmp -g snmp -I -smux,mteTrigger,mteTriggerConf -p \/var\/run\/snmpd.pid"/' /etc/default/snmpd    ### Ubuntu/Debian
sudo sed -i 's/OPTIONS=.*/OPTIONS="-LS0-5d"/' /etc/sysconfig/snmpd    ### CentOS/RHEL

## ------------------| Restart and enable SNMP
sudo systemctl restart snmpd
sudo systemctl enable snmpd

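## ------------------| Configure SNMPv3
### Stop the agent first: net-snmp-create-v3-user must not be run while snmpd is running
sudo systemctl stop snmpd
### Create SNMPv3 User
sudo net-snmp-create-v3-user -ro -A "authPassword" -X "privPassword" -a SHA -x AES snmpuser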
### Add to /etc/snmp/snmpd.conf
sudo bash -c 'echo "rouser snmpuser authPriv" >> /etc/snmp/snmpd.conf'
### Restart SNMP Service
sudo systemctl restart snmpd
### Test SNMPv3
snmpwalk -v3 -u snmpuser -a SHA -A "authPassword" -x AES -X "privPassword" <device-ip> .1.3.6.1.2.1.1.1.0
```
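
The hardening points from the hint at the top of this page, turned into a check against the Linux config from this section. This is an added example, not part of the original notes; the finding labels and both sample configs (including the 192.0.2.10 address) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag snmpd.conf settings that go against the hardening advice
# on this page. Finding labels (WEAK_COMMUNITY, ...) are invented for this example.

audit_snmpd_conf() {    # $1 = path to snmpd.conf; prints one finding per line
    awk '
    BEGIN { n = split("public private internal manager backup", d, " ")
            for (i = 1; i <= n; i++) weak[d[i]] = 1 }
    { sub(/[ \t]+#.*$/, "") }                  # drop trailing annotations
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    { key = tolower($1) }
    key ~ /^r[ow]community6?$/ {               # SNMPv1/v2c access line
        print "V1_V2C_PLAINTEXT: " key
        if ($2 in weak)                print "WEAK_COMMUNITY: " $2
        if (NF < 3 || $3 == "default") print "NO_SOURCE_RESTRICTION: " $2
        if (key ~ /^rw/)               print "WRITE_ACCESS: " $2
    }
    key ~ /^r[ow]user$/ {                      # SNMPv3 user; level defaults to auth
        lvl = tolower($3)
        if (lvl != "priv" && lvl != "authpriv") print "V3_WITHOUT_PRIVACY: " $2
    }
    key == "agentaddress" {
        seen = 1; m = split($2, a, ",")
        for (i = 1; i <= m; i++) {
            s = a[i]; sub(/^(udp|tcp)6?:/, "", s)   # strip transport prefix
            if (s ~ /^[0-9]+$/ || s ~ /^0\.0\.0\.0/ || s ~ /^\[::\]/)
                print "LISTENS_ALL_INTERFACES: " a[i]
        }
    }
    END { if (!seen) print "LISTENS_ALL_INTERFACES: no agentAddress set" }
    ' "$1"
}

# Constructed samples: weak.conf mirrors the quick-start lines above; hardened.conf
# binds to one address (192.0.2.10 is a placeholder) and allows SNMPv3 authPriv only.
tmp=$(mktemp -d)
printf '%s\n' 'rocommunity public   # read-only v2c' 'agentAddress udp:161' > "$tmp/weak.conf"
printf '%s\n' 'agentAddress udp:192.0.2.10:161' 'rouser snmpuser authPriv' > "$tmp/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf"; audit_snmpd_conf "$tmp/$f.conf"
done
```

Run it against the live file with `audit_snmpd_conf /etc/snmp/snmpd.conf`; no output means none of these checks fired.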

## 02. Enumerations

* Nmap

```bash
## ------------------| Nmap General
sudo nmap -sU --open -p 161 $IP                                                                    ## Check if SNMP port (UDP 161) is open
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-info --script-args=community=public $IP           ## Enumerate general SNMP information
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-interfaces --script-args=community=public $IP     ## List network interfaces via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-netstat --script-args=community=public $IP        ## Retrieve netstat info via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-processes --script-args=community=public $IP      ## List running processes via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-sysdescr --script-args=community=public $IP       ## Get system description from SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-hh3c-logins --script-args=community=public $IP    ## Extract Huawei login info via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-ios-config --script-args=community=public $IP     ## Attempt to download Cisco IOS config via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script="snmp-* and not snmp-brute" --script-args=community=public $IP    ## Run all SNMP-related scripts

## ------------------| Special Nmap for Windows
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-win32-services --script-args=community=public $IP ## List Windows services via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-win32-shares --script-args=community=public $IP   ## List Windows shares via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-win32-software --script-args=community=public $IP ## List installed Windows software via SNMP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-win32-users --script-args=community=public $IP    ## List Windows user accounts via SNMP
```

* Community Strings Brute-force

```bash
## ------------------| Common Community Strings
public
internal
private
manager
backup

## ------------------| Nmap
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-brute --script-args="snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/snmp.txt" $IP
sudo nmap -sU -p 161 -Pn -n -T4 -v --script=snmp-brute --script-args="snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt" $IP

## ------------------| Hydra
hydra -P /usr/share/seclists/Discovery/SNMP/snmp.txt -v $IP snmp
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -v $IP snmp

## ------------------| OneSixtyOne
onesixtyone -c dict.txt -i iplist.txt
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $IP
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt $IP
#### wget https://raw.githubusercontent.com/trailofbits/onesixtyone/master/dict.txt

## ------------------| SNMP-Brute
wget https://raw.githubusercontent.com/SECFORCE/SNMP-Brute/master/snmpbrute.py
python3 snmpbrute.py -t $IP
python3 snmpbrute.py -a -t $IP
python3 snmpbrute.py --sploitego -t $IP
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/snmp.txt -t $IP
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -t $IP
```

* Basic Enum

```bash
## ------------------| To read snmpwalk output as human readable
apt-get install snmp-mibs-downloader -y
cat /etc/snmp/snmp.conf
## Comment out the 👉mibs :👈 line

### First get the correct community string from onesixtyone
## ------------------| Basic checks
snmpenum $IP public linux.txt        # Use this for Linux, then move on to snmpwalk
snmpenum $IP public windows.txt      # Use this for Windows, then move on to snmpwalk
snmp-check $IP -c public
snmpwalk -c public -v1 $IP
snmpwalk -c public -v2c $IP
snmpwalk -c internal -v2c $IP | tee snmpwalk.out
snmpbulkwalk -c public -v2c $IP | tee snmpbulkwalk.out
snmpbulkwalk -Cr1000 -c public -v2c $IP | tee snmpbulkwalk.out

## ------------------| Analyze / Grep
grep -oP '::.*?\.' snmpwalk.out | sort | uniq -c | sort -n
```

* SNMP OIDs (Object Identifiers)

```bash
## ------------------| Common for both OS
snmpwalk -c public -v1 $IP -Ovq HOST-RESOURCES-MIB::hrSWRunParameters    ## Get running services with args
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.1.5.0           ## System Name (Hostname)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.1.1.0           ## System Description (OS, hardware, version)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.4.2.1.2      ## Running Processes (Process names)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.4.2.1.4      ## Process Paths (Executable paths)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.1.6.0        ## System Processes (Running process count)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.6.3.1.2      ## Installed Software (Software inventory)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.1.7.0           ## sysServices (bitmask of the protocol layers the host serves, not a list of services)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.4.2.1.5      ## Process Arguments (Command-line arguments)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.2.3.1.4      ## Storage Units (Disk/partition details)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.6.13.1.3        ## Open TCP Ports (Active connections)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.2.2.1.2         ## Network Interfaces (Interface names/descriptions)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.2.2.1.6         ## Network Interface MAC Addresses
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.4.22.1.2        ## ARP Table (IP-to-MAC mappings)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.3.2.1.3      ## Get hardware device names
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.1.6.0           ## System Location

## ------------------| Get ipAddressTable
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.4.34.1.3 
snmpwalk -c public -v2c $IP 1.3.6.1.2.1.4.34.1.3 
### IPV6
snmpwalk -v2c -c public $IP ipAddressIfIndex.ipv6 | cut -d'"' -f2 | grep 'de:ad' | sed -E 's/(.{2}):(.{2})/\1\2/g'
### Using Enyx
## wget https://raw.githubusercontent.com/trickster0/Enyx/master/enyx.py
## cat /etc/snmp/snmp.conf
## Uncomment the 👉mibs :👈 line
python enyx.py 2c public 10.10.10.20

## ------------------| Special for Windows
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.77.1.2.25       ## User Accounts (Local user accounts)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.77.1.2.3.1.1    ## Domain Information (Domain membership details)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.77.1.2.2        ## Windows Groups (Local group accounts)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.77.1.2.27       ## Windows Shares (Shared folders/drives)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.77.1.2.1        ## Windows Services (Detailed service information)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.77.1.2.14       ## Installed Patches (Windows update details)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.6.3.1.4      ## Get installed software type (hrSWInstalledType)
snmpwalk -c public -v1 $IP .1.3.6.1.2.1.25.6.3.1.5      ## Get installed software install date (hrSWInstalledDate)

## ------------------| Special for Linux
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.4.3.0      ## Total swap (memTotalSwap; total RAM is memTotalReal at .1.3.6.1.4.1.2021.4.5.0)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.4.11.0     ## Total free memory, real plus swap (memTotalFree)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.11.9.0     ## CPU user time percentage (ssCpuUser)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.10.1.3.1   ## CPU Load (Detailed 1-minute load)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.9.1.2      ## Mounted Filesystems (Mount points)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.9.1.7      ## Disk Usage (Free space per filesystem)
snmpwalk -c public -v1 $IP .1.3.6.1.4.1.2021.8.1.101    ## Custom Scripts (If extended via /etc/snmp/snmpd.conf)
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.3.8.1.2       ## Get mounted filesystem paths
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.3.2.1.5       ## Get device status (hrDeviceStatus; device types are at 1.3.6.1.2.1.25.3.2.1.2)
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.1.3.0            ## Get system uptime
snmpwalk -c public -v1 $IP 1.3.6.1.2.1.25.3.3.1.2       ## Get CPU load
```

