Simple Network Management Protocol

A widely used network management protocol for monitoring. It exposes data as variables in a hierarchical, tree-like structure, and these variables can be queried and potentially manipulated.

  • SNMP is a component of the Internet Protocol Suite defined by the IETF

    • it includes: an application-layer protocol, a database schema and a set of data objects

    • managers: administrative computers that monitor/manage groups of hosts

    • agents: systems that execute and report information through SNMP to managers

Consists of 3 key components:

  1. Managed devices

  2. Agents

  3. NMS: Network Management Station: Software that runs the manager

SNMP can handle configuration tasks and settings remotely, so it is enabled on a lot of hardware

  • This includes: routers, switches, servers, IoT devices, etc...

  • Commands are transmitted over UDP port 161; traps use UDP port 162

    • Clients can set specific values in devices/change settings with cmds

    • The client requests info from the server

    • Packets are sent from the SNMP server to clients without explicit requests

    SNMP Trap: Sent to a client once a specific event occurs server-side

    • Traps are for security monitoring purposes

  • The first version of the protocol: Still used in many networks

  • Supports retrieval of info from devices, allows for configuration, and provides traps

  • No built-in authentication: Doesn't support encryption

    • Anyone accessing the network can read/modify data: Data is in plain text

SNMPv2

# daemon config
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
# Access OID tree without authentication
rwuser noauth 
# Access OID tree irrespective of where requests came from
rwcommunity <comm str> <ipv4> #ipv4
rwcommunity6 <comm str> <ipv6> #ipv6
snmpwalk -v2c -c public IP # query OIDs/info with community string -c
snmpwalk -v2c -c public IP | grep 'objectName' # look for specific objects
onesixtyone -c /opt/useful/SecLists/Discovery/SNMP/snmp.txt IP # brute-force with wordlist 
braa public@IP:.1.3.6.* # brute-force OID 

#handy OID's to know # system description # win usrs # running procs # int name # open tcp ports # software # storage units # nat table # ip route table # wireless table
#!/bin/bash
# p.moo snmpwalk script: a small script I wrote to iterate IPs through
# a host.txt file with snmpwalk

# check that arguments were given
if [ $# -eq 0 ]; then
    echo "Usage: $0 -h <hosts_file> [-o <output_file>]"
    exit 1
fi

# the leading ':' enables silent error mode, which the \? and : cases rely on
while getopts ":h:o:" opt; do
    case $opt in
        h) hosts_file="$OPTARG" ;;
        o) output_file="$OPTARG" ;;
        \?) echo "Invalid option: -$OPTARG"; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument."; exit 1 ;;
    esac
done

# check if host file provided
[ -z "$hosts_file" ] && { echo "Error: Hosts file not provided. Use -h <hosts_file>."; exit 1; }

# check if file exists
[ ! -f "$hosts_file" ] && { echo "Error: File '$hosts_file' not found."; exit 1; }

# set output file/use default
# (the default name is missing from the page; this one is a placeholder)
output_file="${output_file:-snmpwalk_results.txt}"

# run snmpwalk
run_snmpwalk() {
    host=$1; oid=$2; title=$3
    echo -e "\n[-] $title\n-----------------------------\n$(snmpwalk -c public -v2c "$host" "$oid")"
}

# OIDs and corresponding values
# (the OID keys are missing from the page; replace each placeholder with the OID to query)
declare -A oids=(
    ["<OID: windows users>"]="Windows Users"
    ["<OID: running processes>"]="Running Windows Processes"
    ["<OID: open tcp ports>"]="Open TCP Ports"
    ["<OID: installed software>"]="Installed Software"
    ["<OID: storage units>"]="Storage Units"
)

# iterate through each address in file and output results
while read -r host; do
    echo -e "[+] Testing $host\n-----------------------------"
    for oid in "${!oids[@]}"; do
        run_snmpwalk "$host" "$oid" "${oids[$oid]}"
    done
done < "$hosts_file" > "$output_file"

echo "Results have been saved to $output_file"
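
A defender-side check for the daemon settings listed above, as an added example that is not part of the original notes: it scans an snmpd.conf for noauth users, well-known community strings and write communities. It assumes Net-SNMP's `rwcommunity COMMUNITY [SOURCE]` argument order; the function names and the sample configuration are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes); names and sample data are constructed.
# Print "SEVERITY:LINE:message" for each risky directive in the file "$1".
scan_snmpd_conf() {
    n=0
    # Strip comments but keep blank lines so line numbers stay accurate ('#' in a community string is not handled).
    sed 's/#.*//' "$1" | while read -r directive arg1 arg2 rest || [ -n "$directive" ]; do
        n=$((n + 1))
        case $directive in
            rwuser|rouser)   # SNMPv3 user allowed to skip authentication
                case " $arg1 $arg2 $rest " in
                    *" noauth "*) echo "HIGH:$n:$directive permits noauth access" ;;
                esac ;;
            rwcommunity|rwcommunity6|rocommunity|rocommunity6)
                case $arg1 in
                    public|private) echo "HIGH:$n:well-known community string '$arg1'" ;;
                esac
                case $directive in rw*)   # a missing SOURCE or "default" lets any address write
                    case $arg2 in
                        ''|default|0.0.0.0/0|::/0) echo "HIGH:$n:$directive writable from any source" ;;
                        *)  echo "MEDIUM:$n:$directive gives cleartext v1/v2c write access to $arg2" ;;
                    esac ;;
                esac ;;
        esac
    done
}

# Returns 0 when the file is clean, 1 (after printing the findings) otherwise.
audit_snmpd_conf() {
    findings=$(scan_snmpd_conf "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample configuration (not taken from a real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snmpd.conf for the audit demo
rwuser noauth
rocommunity public 10.0.0.0/24
rwcommunity s3cr3t-example
rwcommunity6 s3cr3t-example 2001:db8::10
rouser monitor priv
EOF
}

tmp=$(mktemp) && write_sample_conf "$tmp"
audit_snmpd_conf "$tmp" || true; rm -f "$tmp"
```

Run it against `/etc/snmp/snmpd.conf` by calling `audit_snmpd_conf` with that path; a non-zero return means at least one directive needs review.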
