SNMP 161

These Object Identifiers (OIDs) provide access to specific system information via SNMP:

System Processes:

1.3.6.1.2.1.25.1.6.0

Running Programs:

1.3.6.1.2.1.25.4.2.1.2

Processes Path:

1.3.6.1.2.1.25.4.2.1.4

Storage Units:

1.3.6.1.2.1.25.2.3.1.4

Software Name:

1.3.6.1.2.1.25.6.3.1.2

User Accounts:

1.3.6.1.4.1.77.1.2.25

TCP Local Ports:

1.3.6.1.2.1.6.13.1.3

Scan for open SNMP ports on a range of IPs:

sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt

This will scan for open SNMP (UDP port 161) across the IP range 10.11.1.1-254 and output the results to the open-snmp.txt file.

Create a community string file with common values:

echo public > community
echo private >> community
echo manager >> community

The above command adds common SNMP community strings (public, private, manager) into a file called community.

Create a list of IPs to scan:

for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips

Run onesixtyone to brute-force SNMP on the created IP list:

onesixtyone -c community -i ips

User accounts:

snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25

Running processes:

snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2

Open TCP ports:

snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3

Installed software:

snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2

SNMPCheck (to enumerate SNMP details):

snmpcheck 10.11.1.14 -c public

SNMPEnum (may require installation):

snmpenum -t 10.11.1.14

Brute-force SNMP Users:

If you're using a wordlist for brute-forcing SNMP users:

snmpenum -t 10.11.1.14 -w /usr/share/legion/wordlists/snmp-default.txt

Last updated 1 year ago