SNMP - UDP 161, 162

Simple Network Management Protocol

SNMP works according to the client-server principle and is used for management and monitoring of network devices (routers, switches, printers, IoT devices, etc.). SNMP communication occurs mainly over UDP ports 161 and 162.

MIB: Contains one or more OIDs. Gives information about queryable objects.

OID: Object identifier. Represents an object within the network.

SNMP Versions

Currently, three versions of the SNMP protocol exist. SNMPv3 is the most recent version, but SNMPv2 is still in use in most environments.

SNMPv1

No authentication and no encryption are supported.

SNMPv2

Version v2c involves the use of a community string that can be compared to a password. The community string is transferred in plain text within the network. No encryption is supported in v2 and v2c.

SNMPv3

Offers encrypted communication and authentication. It is considerably more difficult to implement than the previous SNMP versions.

Misconfigurations

SNMP can be misconfigured by an administrator. For example, if SNMP requires no authentication, anyone could retrieve the full OID tree and gain information about the internal network. An administrator would also want to restrict SNMP queries to specific origins only.

Footprinting SNMP

The tool snmpwalk can be used to query the OIDs and gain information about the internal network. The community string is needed for version 2c.

The tool onesixtyone can be used to brute force the community string. A wordlist of common community strings can be found in the SecLists repo.

Braa

Once a community string is found, we can use the tool Braa to brute force OIDs.
