# SNMP - Port 161/162

# Concepts

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior.

Key Technical Details:

  • Agents & Managers: An agent runs on the managed device; a manager queries the agent.
  • MIB: Management Information Base, a hierarchical database of the variables an agent exposes.
  • Versions: v1 (plaintext), v2c (plaintext, bulk transfer), v3 (encrypted/authenticated).

# Community Strings

# Summary

SNMP (Simple Network Management Protocol) Community Strings function as passwords that authenticate access to the Management Information Base (MIB) of a network device (switches, routers, firewalls). They are used in SNMPv1 and SNMPv2c standards.

Crucial Technical Detail: In versions 1 and 2c, these community strings are transmitted in cleartext across the network. This makes them highly susceptible to packet sniffing attacks. SNMPv3 addresses this by introducing encryption and cryptographic authentication.
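To make the cleartext point concrete, the following added example (not code from the original page) decodes the BER header of a captured SNMPv1/v2c message and flags default community strings, which is what a defender would do over a packet capture; the sample packet bytes are constructed by hand.

```python
from typing import Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; return (tag, value, position after it).
    Handles both short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_community(packet: bytes) -> Optional[Tuple[str, str]]:
    """Return (version label, community) for an SNMPv1/v2c message,
    or None for SNMPv3, whose header carries no community string."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")   # 0 = v1, 1 = v2c, 3 = v3
    if version not in (0, 1):
        return None
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return ("v1" if version == 0 else "v2c", community.decode("ascii", "replace"))

def is_default_community(packet: bytes) -> bool:
    """True when a v1/v2c message is authenticated with a default community."""
    found = extract_community(packet)
    return found is not None and found[1] in DEFAULT_COMMUNITIES

# Constructed sample: the SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
# that `snmpwalk -v 2c -c public` sends first. "public" sits in the clear.
SAMPLE_V2C_GET = bytes.fromhex(
    "3029"                    # SEQUENCE, 41 bytes
    "020101"                  # INTEGER 1 -> v2c
    "04067075626c6963"        # OCTET STRING "public"
    "a01c"                    # GetRequest PDU, 28 bytes
    "020401020304"            # request-id
    "020100" "020100"         # error-status, error-index
    "300e300c"                # VarBindList, VarBind
    "06082b06010201010100"    # OID 1.3.6.1.2.1.1.1.0
    "0500")                   # NULL value
# Constructed sample: start of an SNMPv3 message (version INTEGER 3); no community follows.
SAMPLE_V3_HEADER = bytes.fromhex("3003020103")
```

Run `extract_community` over the UDP payloads of port 161/162 traffic in a capture to inventory which devices still accept v1/v2c and which strings are in use.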

# Usage & Types

Community strings define the relationship between the Network Management System (NMS) and the Agent (the device). There are theoretically many potential strings, but they typically fall into two privilege levels:

1. Read-Only (RO)

  • Purpose: Allows the requestor to query variables from the MIB.
  • SNMP Operation: GET, GETNEXT, GETBULK.
  • Common Default: public
  • Security Risk: Attacker can map the network, identify device versions (for easier exploit targeting), enumerate interfaces, and view ARP tables.

2. Read-Write (RW)

  • Purpose: Allows the requestor to not only read but also modify settings on the device.
  • SNMP Operation: SET.
  • Common Default: private
  • Security Risk: Critical. An attacker can change routing tables, shut down interfaces, modify ACLs/VLANs, or even reconfigure the device to copy traffic to an attacker-controlled port (Port Mirroring/SPAN) for eavesdropping.

# Technical Enumeration

To verify or discover community strings, tools like snmpwalk, onesixtyone, or nmap are typically used.

```bash
# Basic enumeration using public string
snmpwalk -v 2c -c public <Target-IP>

# Enumerate system info specifically (OID 1.3.6.1.2.1.1)
snmpwalk -v 2c -c public <Target-IP> 1.3.6.1.2.1.1
```

# Generate Community Strings for Brute Force

PsudoHash Install

Github Source : https://github.com/t3l3machus/psudohash

```bash
# Clone the repository
git clone https://github.com/t3l3machus/psudohash.git

# Change directory
cd ./psudohash

# Make the script executable
chmod +x psudohash.py
```

PsudoHash Usage

Take a known community string and generate possible guesses for other community strings:

```bash
./psudohash.py -w 'community,strings,companyname' --common-paddings-after
```

# Brute Force

SNMPBrute

Github Source : https://github.com/SECFORCE/SNMP-Brute

```bash
python3 snmpbrute.py -t 10.102.16.241 -c 'C0mmun1tY' --cisco
```

This checks whether the community string grants RO or RW access; RW access is the more valuable result, since it allows configuration modification on the switch.

If the target is a Unix machine, use --linux instead of --cisco.

# Generate Network SVG

Install and execute Natlas (GitHub link)

Usage

Edit natlas.conf according to your needs (SNMP string, IP range, SNMP version).

Compromise switch one (10.10.2.26), grab the config file and get the SNMP string.

```bash
python3 natlas-cli.py get-hosts -r 10.18.255.9 -C infrawritesnmp
```

Diagram map

```bash
python3 natlas-cli.py diagram -r 10.18.255.9 -C infrawritesnmp -o map.svg
```