161 ) SNMP

  • Scanning

## ------------------| Nmap
sudo nmap -sU --open -p 161 <IP>

## ------------------| onesixtyone
#### Crearte community string file
cat > com << EOF
public
internal
private
manager
EOF
#### Create IP address list
for i in $(seq 1 254); do echo 10.10.10.$ip; done > iplist
#### Run onesixtyone
onesixtyone -c com -i iplist
#### or
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <IP>
### Download onesixtyone wordlist using following 
wget https://raw.githubusercontent.com/trailofbits/onesixtyone/master/dict.txt
  • Basic enumerations

## ------------------| To read snmpwalk output as human readable
apt-get install snmp-mibs-downloader -y
cat /etc/snmp/snmp.conf
## Comment 👉mibs :👈 this

## ------------------| Basic checks
snmpenum <IP> public linux.txt        # Use this for Linux, then move in to snmpwalk !!
snmpenum <IP> public windows.txt      # Use this for Windows, then move in to snmpwalk !!
snmp-check <IP> -c public
snmpwalk -c public -v1 <IP>
snmpwalk -c public -v2c <IP>
snmpwalk -c internal -v2c <IP> | tee snmpwalk.out
snmpbulkwalk -c public -v2c <IP> | tee snmpbulkwalk.out
snmpbulkwalk -Cr1000 -c public -v2c <IP> | tee snmpbulkwalk.out

## ------------------| Special for Windows    
snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25        ## Get Users
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2       ## Get Running Process
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.1.6.0         ## Get System Processes
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.4       ## Get Processes Path
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.2.3.1.4       ## Get Storage Units
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.6.13.1.3         ## Get Open TCP Ports
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.6.3.1.2       ## Get Installed Software

## ------------------| Analyze / Grep
grep -oP '::.*?\.' snmpwalk.out | sort | uniq -c | sort -n
  • Best tools

## ------------------| SNMP-Brute
wget https://raw.githubusercontent.com/SECFORCE/SNMP-Brute/master/snmpbrute.py
python3 snmpbrute.py -t <IP>
python3 snmpbrute.py -a -t <IP>
python3 snmpbrute.py --sploitego -t <IP>
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/snmp.txt -t <IP>
python3 snmpbrute.py -f /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -t <IP>

## ------------------| Hydra
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -v <IP> snmp
  • Get ipAddressTable

## Get ip address
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.4.34.1.3 
snmpwalk -c public -v2c <IP> 1.3.6.1.2.1.4.34.1.3 

## ------------------| Using Enyx
wget https://raw.githubusercontent.com/trickster0/Enyx/master/enyx.py
cat /etc/snmp/snmp.conf
## Unomment 👉mibs :👈 this
python enyx.py 2c public 10.10.10.20

Last updated