# 161 ) SNMP

* Scanning

```bash
## ------------------| Nmap
sudo nmap -sU --open -p 161 <IP>

## ------------------| onesixtyone
#### Create community string file
cat > com << EOF
public
internal
private
manager
EOF
#### Create IP address list
for i in $(seq 1 254); do echo 10.10.10.$i; done > iplist
#### Run onesixtyone
onesixtyone -c com -i iplist
#### or
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <IP>
#### Download the onesixtyone wordlist
wget https://raw.githubusercontent.com/trailofbits/onesixtyone/master/dict.txt
```

* Basic enumerations

```bash
## ------------------| Make snmpwalk output human-readable
apt-get install snmp-mibs-downloader -y
cat /etc/snmp/snmp.conf
## Comment out the 👉mibs :👈 line

## ------------------| Basic checks
snmpenum <IP> public linux.txt        # Use this for Linux, then move on to snmpwalk !!
snmpenum <IP> public windows.txt      # Use this for Windows, then move on to snmpwalk !!
snmp-check <IP> -c public
snmpwalk -c public -v1 <IP>
snmpwalk -c public -v2c <IP>
snmpwalk -c internal -v2c <IP> | tee snmpwalk.out
snmpbulkwalk -c public -v2c <IP> | tee snmpbulkwalk.out
snmpbulkwalk -Cr1000 -c public -v2c <IP> | tee snmpbulkwalk.out

## ------------------| Special for Windows
snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25        ## Get Users
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2       ## Get Running Processes
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.1.6.0         ## Get Number of System Processes
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.4       ## Get Process Paths
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.2.3.1.4       ## Get Storage Units
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.6.13.1.3         ## Get Open TCP Ports
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.6.3.1.2       ## Get Installed Software

## ------------------| Analyze / Grep
grep -oP '::.*?\.' snmpwalk.out | sort | uniq -c | sort -n
```

* Best tools

```bash
## ------------------| SNMP-Brute
wget https://raw.githubusercontent.com/SECFORCE/SNMP-Brute/master/snmpbrute.py
python3 snmpbrute.py -t <IP>
python3 snmpbrute.py -a -t <IP>
python3 snmpbrute.py --sploitego -t <IP>
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/snmp.txt -t <IP>
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -t <IP>

## ------------------| Hydra
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -v <IP> snmp
```

* Get `ipAddressTable`

```bash
## Get IP addresses
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.4.34.1.3
snmpwalk -c public -v2c <IP> 1.3.6.1.2.1.4.34.1.3

## ------------------| Using Enyx
wget https://raw.githubusercontent.com/trickster0/Enyx/master/enyx.py
cat /etc/snmp/snmp.conf
## Uncomment the 👉mibs :👈 line
python enyx.py 2c public 10.10.10.20
```
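
For the hardening side of the community-string checks above, this added example (not part of the original page) audits a Net-SNMP `snmpd.conf` for the four strings in the `com` list and for `rocommunity`/`rwcommunity`/`com2sec` entries with no source restriction. The function name, severity labels and sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a Net-SNMP snmpd.conf for guessable community strings.
# Function name, severity labels and the sample config are constructed.

SAMPLE_CONF='# constructed sample snmpd.conf
rocommunity public
rocommunity  s3cr3t-Mon1tor 10.10.10.5
rwcommunity private 10.10.10.0/24
com2sec readonly default internal
rouser authPrivUser priv
'

# audit_snmpd_conf [FILE...]: reads the files (or stdin) and prints one
# "SEVERITY:line:directive:reason" record per finding.
audit_snmpd_conf() {
  awk '
    BEGIN { n = split("public internal private manager", w, " ")
            for (i = 1; i <= n; i++) weak[w[i]] = 1 }
    NF == 0 || $1 ~ /^#/ { next }            # skip blanks and comments
    # rocommunity/rwcommunity[6] COMMUNITY [SOURCE [OID]]
    $1 ~ /^r[ow]community6?$/ { check($1, $2, (NF >= 3 ? $3 : "default")) }
    # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
    $1 == "com2sec" { o = ($2 == "-Cn") ? 2 : 0
                      check($1, $(4 + o), $(3 + o)) }
    function check(dir, comm, src,   rw) {
      rw = (dir ~ /^rwcommunity/)            # write access raises severity
      if (comm in weak)
        printf "%s:%d:%s:default community \"%s\"\n",
               (rw ? "CRITICAL" : "HIGH"), FNR, dir, comm
      if (src == "default" || src == "0.0.0.0/0")
        printf "%s:%d:%s:no source restriction\n",
               (rw ? "HIGH" : "MEDIUM"), FNR, dir
    }
  ' "$@"
}

# Audit the files given as arguments, or the constructed sample if none.
if [ "$#" -gt 0 ]; then
  audit_snmpd_conf "$@"
else
  printf '%s' "$SAMPLE_CONF" | audit_snmpd_conf
fi
```

An entry that passes this check still travels in cleartext under v1/v2c; SNMPv3 users (`rouser`/`rwuser` with `priv`) are the lines the audit deliberately leaves alone.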

