Sniffing Secrets with SNMP:

The Simple Network Management Protocol (SNMP) was never designed with security in mind. It was meant to monitor and manage network devices—printers, switches, routers, servers—not to keep secrets. But guess what? It often does store secrets… and sometimes, hands them to you like candy.

In this post, we’ll cover SNMP from scanning to post-exploitation—everything a pentester needs.

SNMP (Simple Network Management Protocol) is used for collecting and organizing information about managed devices on IP networks. It can also be used to change device settings remotely.

  • Default Ports:
    • UDP 161 (queries and set commands)
    • UDP 162 (traps)
  • Versions:
    • SNMPv1/v2c: Use plaintext “community strings” as authentication
    • SNMPv3: Supports encryption and authentication (rarely seen in vulnerable setups)
  • Common Community Strings:
    • public (read-only)
    • private (read-write)
Scan for SNMP with nmap:

nmap -sU -p 161 --script=snmp-info <target>

You can also scan TCP port 161, but most SNMP services run on UDP.

nmap -sU -p 161 --script="snmp*,vuln" <target>

Useful scripts in that set:
  • snmp-info: Gathers basic system info.
  • snmp-interfaces: Lists network interfaces.
  • snmp-processes: Dumps running processes.
  • snmp-win32-services: Lists Windows services.
  • snmp-win32-shares: Enumerates Windows shares.

If SNMP is running and public is valid, you’re in for a treat.

snmpwalk -v2c -c public <target>

Look for juicy OIDs:

  • System Info: .1.3.6.1.2.1.1
  • Processes: .1.3.6.1.2.1.25.4.2.1.2
  • User Accounts: .1.3.6.1.4.1.77.1.2.25
  • Running Software: .1.3.6.1.2.1.25.6.3.1.2
  • Open TCP Ports: .1.3.6.1.2.1.6.13.1.3
  • Installed Software: .1.3.6.1.2.1.25.6.3.1.2
  • Routing Table: .1.3.6.1.2.1.4.21.1

Brute-force community strings at scale.

onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 10.2.31.25
snmpwalk -v2c -c "community_string" "ip_addr" 1.3.6.1.4.1.77.1.2.25
# This will list Windows local user accounts
snmpwalk -v2c -c "community_string" "ip_addr" 1.3.6.1.2.1.25.4.2.1.2
# Running processes (can reveal logged-in users or services)

snmpwalk -v2c -c "community_string" "ip_addr" 1.3.6.1.2.1.25.6.3.1.2
# Installed software

snmpwalk -v2c -c "community_string" "ip_addr"
# Dump *everything* (greppable)
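A full snmpwalk dump is long and greppable, but it is easier to triage when the OID subtrees listed above are pulled out into an inventory. The parser below is an added example, not code from the original post: it reads net-snmp style output (either the "iso.3.6..." or the numeric "-On" form), maps each line to the OID prefixes the post lists, strips the quoting around STRING values, and decodes the tcpConnState index (localAddr.localPort.remAddr.remPort) so listening ports fall out directly. The sample walk output embedded at the bottom is constructed for the example and is not a real capture.

```python
import re
from collections import defaultdict

# OID prefixes from the post, mapped to the field each subtree carries.
OID_TABLE = {
    ".1.3.6.1.2.1.1":          "system",
    ".1.3.6.1.2.1.25.4.2.1.2": "processes",
    ".1.3.6.1.4.1.77.1.2.25":  "user_accounts",
    ".1.3.6.1.2.1.25.6.3.1.2": "installed_software",
    ".1.3.6.1.2.1.6.13.1.3":   "tcp_connections",
    ".1.3.6.1.2.1.4.21.1":     "routing_table",
}

# "<oid> = <TYPE>: <value>"; the type is absent for empty strings (= "").
LINE_RE = re.compile(r'^(?P<oid>\S+)\s*=\s*(?:(?P<type>[\w-]+):\s*)?(?P<value>.*)$')


def normalize_oid(oid: str) -> str:
    """Turn net-snmp's 'iso.3.6...' or bare '1.3.6...' into a numeric OID with a leading dot."""
    if oid.startswith("iso"):
        oid = "1" + oid[3:]
    return oid if oid.startswith(".") else "." + oid


def parse_walk(text: str) -> list:
    """Return (oid, type, value) triples; lines that are not varbinds are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((normalize_oid(m.group("oid")), m.group("type"), value))
    return rows


def classify(oid: str):
    """Longest-prefix match against OID_TABLE; returns (category, index suffix)."""
    for prefix in sorted(OID_TABLE, key=len, reverse=True):
        if oid == prefix or oid.startswith(prefix + "."):
            return OID_TABLE[prefix], oid[len(prefix):].lstrip(".")
    return None, oid


def tcp_index(suffix: str):
    """tcpConnState index is localAddr(4 arcs).localPort.remAddr(4 arcs).remPort."""
    parts = suffix.split(".")
    if len(parts) != 10:
        return None
    return ".".join(parts[0:4]), int(parts[4]), ".".join(parts[5:9]), int(parts[9])


def inventory(text: str) -> dict:
    """Group a walk into users, processes, software, listening sockets, routes and system info."""
    inv = defaultdict(list)
    for oid, _typ, value in parse_walk(text):
        cat, suffix = classify(oid)
        if cat is None:
            continue
        if cat == "tcp_connections":
            idx = tcp_index(suffix)
            if idx and value.startswith("listen"):
                inv["listening"].append((idx[0], idx[1]))
        elif cat in ("system", "routing_table"):
            inv[cat].append((suffix, value))   # keep the column/index so rows stay distinguishable
        else:
            inv[cat].append(value)
    return dict(inv)


# Constructed sample output (not a real device) in net-snmp's default format.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 - Software: Windows Version 6.3 (Build 9600 Multiprocessor Free)"
iso.3.6.1.2.1.1.5.0 = STRING: "DC01"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.612 = STRING: "lsass.exe"
iso.3.6.1.2.1.25.4.2.1.2.2088 = STRING: "snmp.exe"
iso.3.6.1.4.1.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Microsoft Visual C++ 2015 Redistributable (x64)"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.3389.0.0.0.0.0 = INTEGER: listen(2)
iso.3.6.1.2.1.6.13.1.3.10.2.31.25.49672.10.2.31.1.445 = INTEGER: established(5)
iso.3.6.1.2.1.4.21.1.1.0.0.0.0 = IpAddress: 0.0.0.0
"""

if __name__ == "__main__":
    for category, rows in inventory(SAMPLE_WALK).items():
        print(f"{category}: {rows}")
```

Feed it a real dump with `inventory(open("walk.txt").read())`; the same categories come out, and the "listening" list is what you would compare against the nmap results. Values shown as Hex-STRING (some devices emit user names that way) are left as the raw hex text, so check that category by hand.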

Try to enumerate shares again:

smbclient -L //10.2.31.25 -U <username>

Try a blank password, or brute-force if needed.

While SNMP doesn’t usually execute code, it leaks everything you need to plan code execution.

Some devices leak plaintext user info:

snmpwalk -v2c -c public <target> .1.3.6.1.4.1.77.1.2.25

Windows user accounts often show up here.

Network layout details leak too:

  • Interfaces, IPs, MACs, routes
  • Sometimes VPN or VLAN configs

This helps map the internal network during a black-box engagement.

If you find SNMP with write access (e.g., using the private community string), you can:

  • Change device configs
  • Set reboot flags
  • Possibly upload a config with embedded commands

Examples:

snmpset -v1 -c private <target> <OID> <type> <value>

You need the right OID and write permissions. Not common, but lethal.

Some routers and switches allow you to trigger TFTP uploads/downloads via SNMP set requests. Combine that with a malicious config file or firmware image = pwned device.
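Both the community-string brute force above and the write access described in this section show up clearly on the wire, because an SNMPv1/v2c message is just BER: SEQUENCE { version INTEGER, community OCTET STRING, PDU }, with the community string in cleartext and the PDU tag (0xA0 GetRequest, 0xA3 SetRequest) telling you whether it is a read or a write. The code below is an added example, not from the original post: it encodes a minimal v1/v2c request so the sample traffic can be generated offline, decodes the message header back out, and audits a list of (source IP, UDP payload) pairs for two things a defender wants flagged: one source trying many distinct communities (what onesixtyone looks like on port 161) and any SetRequest at all. The sample traffic is constructed, not captured; in practice the payloads would come from a pcap or an IDS, and the brute-force threshold of 5 distinct strings is an assumption to tune.

```python
from collections import defaultdict

# --- minimal BER helpers for the SNMPv1/v2c envelope -------------------------
def ber_len(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER; non-negative values only in this example."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)

def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def build_request(community: str, oid: str, pdu_tag: int = 0xA0, version: int = 1,
                  request_id: int = 1, value: bytes = b"\x05\x00") -> bytes:
    """SNMP message = SEQUENCE { version, community, PDU }; version 0 = v1, 1 = v2c.
    The varbind value defaults to NULL (a read); a SetRequest passes an encoded value."""
    varbind = tlv(0x30, ber_oid(oid) + value)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

# --- decoding ----------------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_header(pkt: bytes) -> dict:
    """Version, community (None for SNMPv3, which has no community field) and PDU type."""
    tag, body, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big", signed=True), "unknown")
    tag, second, pos = read_tlv(body, pos)
    community = second.decode("latin-1") if tag == 0x04 else None   # v3 has msgGlobalData here
    pdu = None
    if community is not None and pos < len(body):
        pdu = PDU_NAMES.get(body[pos], hex(body[pos]))
    return {"version": version, "community": community, "pdu": pdu}

def audit_traffic(packets, brute_threshold: int = 5) -> dict:
    """packets: iterable of (src_ip, udp_payload). Flag sources cycling through many
    community strings and every SetRequest carrying a v1/v2c community."""
    communities = defaultdict(set)
    writes = []
    for src, raw in packets:
        h = parse_header(raw)
        if h["community"] is None:
            continue
        communities[src].add(h["community"])
        if h["pdu"] == "SetRequest":
            writes.append((src, h["community"]))
    return {"brute_force": {s: len(c) for s, c in communities.items() if len(c) >= brute_threshold},
            "set_requests": writes}

# Constructed sample traffic (not a real capture): one host walking a small wordlist,
# a monitoring host polling sysName with "public", and one write attempt with "private".
SAMPLE_TRAFFIC = (
    [("10.2.31.99", build_request(c, ".1.3.6.1.2.1.1.1.0"))
     for c in ["public", "private", "manager", "admin", "cisco", "community", "snmp"]]
    + [("10.2.31.10", build_request("public", ".1.3.6.1.2.1.1.5.0")) for _ in range(2)]
    + [("10.2.31.99", build_request("private", ".1.3.6.1.2.1.1.5.0", pdu_tag=0xA3,
                                    value=tlv(0x04, b"new-name")))]
)

if __name__ == "__main__":
    print(audit_traffic(SAMPLE_TRAFFIC))
```

`build_request("public", ".1.3.6.1.2.1.1.1.0")` produces the 40-byte GetRequest for sysDescr.0 that `snmpget -v2c -c public` sends, and `b"public" in pkt` is true, which is the whole reason v1/v2c community strings count as credentials sent in the clear. The audit flags 10.2.31.99 (seven distinct communities plus a SetRequest) and stays quiet about the poller, and SNMPv3 packets are skipped rather than misread, since their second field is msgGlobalData, not a community.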

  • Use SNMP-leaked credentials on SMB, RDP, or SSH.
  • Leaked interface configs and hostnames help with internal mapping.
  • SNMP may reveal hidden subnets or internal interfaces.
  • Combined with open ports, you might pivot using tunneling tools.
  • Software versions (OS, apps) gathered from SNMP give you the ammo to feed into searchsploit:
    searchsploit <software>
Rules of engagement:

  • Don’t modify SNMP settings unless allowed
  • If you did set values, revert them or report clearly in your findings

Related labs:

  • Network Services – Has a section on SNMP
  • Poster – Includes SNMP enumeration to find creds
  • Blue – Windows-based target with SNMP + other services

SNMP might be “simple,” but it’s a gold mine for information gathering. If you catch UDP 161 open, always test it. A single public community string can unravel the internal network, hand you credentials, or even help you map an entire subnet—without touching a login screen.
