SNMP Enumeration Tools (snmpwalk / snmp-check)
📝 Overview
What it is: A collection of command-line tools used to query the Simple Network Management Protocol (SNMP) on UDP port 161. By guessing the correct community string (usually “public” or “private”), a pentester can extract a massive amount of internal data from routers, switches, Windows servers, and Linux hosts.

Target Phase: Enumeration

Operating System: Linux (Pre-installed on Kali/Parrot)
⚙️ Core Capabilities
- Network Mapping: Extracts routing tables, ARP caches, and active TCP/UDP listening ports from the target.
- System Profiling: Pulls exactly what OS version is running, system uptime, and hardware details.
- User Enumeration: Extremely dangerous on older Windows machines; it can pull the full list of local user accounts and running processes.
- Brute-Forcing: Tools like `onesixtyone` are specifically built to brute-force the community string rapidly against a massive list of IPs.
💻 Common Commands
| Command | Description |
|---|---|
| `onesixtyone -c dict.txt [Target_IP]` | A lightning-fast scanner that brute-forces the community string using a dictionary list. |
| `snmp-check [Target_IP] -c public` | An automated script that pulls all the data from the target and formats it into a highly readable, organized report. |
| `snmpwalk -v2c -c public [Target_IP]` | The classic manual tool. It “walks” the entire MIB tree, dumping every single piece of data the target has onto your terminal. |
| `snmpwalk -v2c -c public [Target_IP] [OID]` | Targets a very specific piece of data instead of dumping everything (e.g., querying specifically for running processes). |
⚠️ Notes & Limitations
- The UDP Trap: Because SNMP uses UDP, standard TCP port scans (like `nmap -sS`) will completely miss it. You must specifically run a UDP scan (`nmap -sU -p 161`) to even see if the door is open.
- Version 3: SNMPv3 introduced actual username authentication and strong encryption. If the target is properly configured with v3, these tools will not work without the correct credentials.
- Stealth: Running a full `snmpwalk` is loud and generates a lot of traffic. However, because SNMP is a standard management protocol, it often blends in with normal background network noise better than a vulnerability scanner like Nessus.
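
On the defensive side, the exposure described above comes down to guessable v1/v2c community strings and agents that are not locked to SNMPv3 with credentials. The following is an added example, not part of the original note: a small audit of net-snmp `snmpd.conf` access-control lines. The wordlist and the sample configuration are constructed for illustration.

```python
# Added example: audit net-snmp snmpd.conf access-control lines.
GUESSABLE = {"public", "private", "community", "snmp", "admin"}  # assumed sample wordlist
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample config, not taken from a real host.
SAMPLE_CONF = """\
# constructed example
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity Xk9-monitoring-7fQ2 192.0.2.10
com2sec notConfigUser default public
rouser legacyview noauth
rouser nmsuser priv
"""

def audit(conf_text):
    """Return sorted (line_number, message) findings for v1/v2c and weak v3 access."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        directive = directive.lower()
        community = source = None
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE ...]; no SOURCE means any address
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
            if directive.startswith("rw"):
                findings.append((num, "read-write community allows SNMP SET"))
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:          # optional context: -Cn CONTEXT
                args = args[2:]
            if len(args) >= 3:               # SECNAME SOURCE COMMUNITY
                source, community = args[1], args[2]
        elif directive in ("rouser", "rwuser") and args:
            if args[0] == "-s":              # optional: -s SECMODEL
                args = args[2:]
            # minimum security level defaults to auth when omitted
            level = args[1] if len(args) > 1 else "auth"
            if level == "noauth":
                findings.append((num, "SNMPv3 user accepted without authentication"))
            elif level == "auth":
                findings.append((num, "SNMPv3 user not required to encrypt (use priv)"))
        if community is not None:
            if community.lower() in GUESSABLE:
                findings.append((num, f"guessable community string '{community}'"))
            if source == "default":
                findings.append((num, "community accepted from any source address"))
    return sorted(findings)

if __name__ == "__main__":
    for num, message in audit(SAMPLE_CONF):
        print(f"line {num}: {message}")
```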
🏷️ Tags
SNMP #Enumeration #UDP161 #snmpwalk #snmpcheck #ActiveRecon