Search For Tutorial

Tuesday, 20 June 2017

How To Use snmpwalk For SNMP enumeration

Posted by Vijay Jangra
We have learnt many information gathering concepts in our last posts like DNS Enumeration, Netcraft, Recon-ng, Email Harvesting etc. Let’s continue it with SNMP enumeration.

But first, here is a small and quick introduction to SNMP Protocol.

snmpwalk snmp enumeration pentest tool

What is SNMP ?
SNMP stand for Simple Network Management Protocol. As its name suggests it is a network management protocol used by network managers to manage and retrieve information of devices on network. So, you can also call it a Network Management System. Mostly Devices that supports SNMP are cable modems, routers etc.
Three versions of SNMP that has been developed are SNMPv1, SNMPv2c and SNMPv3.

SNMP Working
It retrieves management data in the form of its own managed systems organized in MIB(Management Information Base) variables and its values. Every specific variable describes specific system status and configuration.
Yup, SNMP uses MIB variables to retrieve information. Every status and configuration of system that SNMP manage has its MIB Variable Value.


Moreover, SNMP Network Management System usually consists of three key components.
  • Managed Device
  •  Agent
  •  NMS (Network Management Station) software which resides on managers.
Managed Device: - Managed device is a computer or node on network, having SNMP interface implemented that allows access to its system specific information either in format of read only or in some cases its read and write, so called Bidirectional or Unidirectional respectively. In other words, it is device on network which managers used to manage using SNMP Interface.
Agent: - An agent is management software that resides in a managed device.
NMS :- So called Network Management Station, is a software used by managers to monitor and control Managed Device using SNMP.

SNMP Community
SNMP uses some community strings while management process. Default is public or private. Now in some cases, these default community strings or these SNMP protocol versions are vulnerable.

SNMP uses some community strings while management process. Default is public or private. Now in some cases, these default community strings or these SNMP protocol versions are vulnerable.
Here is the list of some Windows MIB variable values and their corresponding system status or configuration.

1.3.6.1.2.1.25.1.6.0
System Processes
1.3.6.1.2.1.25.4.2.1.2
Running Programs
1.3.6.1.4.1.77.1.2.25
User Accounts
1.3.6.1.2.1.25.2.3.1.4
Storage Units
1.3.6.1.2.1.6.13.1.3
TCP Ports

NMap Port Scanning Tutorial

SNMP Agent service receives requests on UDP port 161. So we will use Nmap to know whether SNMP port 161 is open or not along with its version. Use below command for this task.

nmap –v –sU –sV –p161  192.168.12.50

In above command, I used -sU and –sV for UDP port scan and version detection respectively. It will scan only for port 161. 

snmp port and version scan using nmap

Look, In above image we discovered that port 161 is open and it is using first version of SNMP.
Now let’s move to our enumeration process.

SNMP Walk
SNMPwalk is very cool and handy tool for SNMP enumeration and information gathering. It is free and available in Kali Linux.

Boot in Kali Linux, open terminal and use this command to use snmpwalk.

snmp  –c public  –v1 192.168.12.50

-c is used to specify community. Default is public.
-v1 is used to specify first version.


Now use MIB values to enumerate specific system status and configuration.
I am going to gather user accounts available on my target system.

snmp  –c public  –v1  192.168.12.50 1.3.6.1.4.1.77.1.2.25

In the end of command I used MIB value from above table to get list of available users in target system. Here is the output of command.

snmpwalk user account enumeration

Now to move step further, all you have to do is use below command syntax.

snmp  -c public  -version target_ip mib_value

In above command, replace version with your target’s SNMP version, target_ip with your targeted system’s ip address and replace mib_value with mib value corresponding to specific system status or configuration


If you have any suggestions related to topic then comment and Share this post with your friends.


0 comments:

Post a Comment