SNMP Enumeration Techniques

Published on January 18, 2025

Understanding Windows SNMP MIB Values

SNMP (Simple Network Management Protocol) enables network administrators to manage devices such as routers, switches, and servers. A key component of SNMP is the Management Information Base (MIB), a hierarchical database used to monitor and manage network devices.

Key Windows SNMP MIB Values

The following table highlights important MIB values and their corresponding functions in a Windows environment. These values are crucial for obtaining insights into system performance, active processes, and other device metrics:

MIB Value Description
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

Discovering Open SNMP Ports with Nmap

To identify devices with SNMP services, use the following Nmap command to scan for open SNMP ports (default is UDP port 161): 

sudo nmap -sU --open -p 161 {target-range} -oG open-snmp.txt

This command outputs a list of hosts with open SNMP ports, which can then be further analyzed for vulnerabilities.

Enumerating SNMP Data with snmpwalk

Once an open SNMP port is discovered, you can use snmpwalk to query specific MIB values and gather detailed information. Below are essential snmpwalk commands:

  • Enumerate Running Processes:
    • snmpwalk -c public -v1 {target-IP} 1.3.6.1.2.1.25.4.2.1.2
  • List User Accounts:
    • snmpwalk -c public -v1 {target-IP} 1.3.6.1.4.1.77.1.2.25
  • Identify Installed Software:
    • snmpwalk -c public -v1 {target-IP} 1.3.6.1.2.1.25.6.3.1.2
  • Enumerate TCP Listening Ports:
    • snmpwalk -c public -v1 {target-IP} 1.3.6.1.2.1.6.13.1.3

Using Onesixtyone for SNMP Enumeration

Onesixtyone is a tool designed to perform brute force attacks on SNMP community strings. To use this tool, you need two files: a list of IP addresses and a file containing potential community strings. Here's an example usage:

  • Create a community strings file:
    • echo public > community
          echo private >> community
          echo manager >> community
  • Create an IP addresses file:
    • for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
  • Run onesixtyone:
    • onesixtyone -c community -i ips

This will scan the specified IP range and attempt to match community strings. Once valid SNMP services are identified, further enumeration can be performed using snmpwalk or similar tools.

Key Takeaways

  • Efficient Scanning: Use Nmap and Onesixtyone to quickly identify open SNMP ports and community strings.
  • Detailed Enumeration: Leverage snmpwalk to query key MIB values for system insights.
  • Security Awareness: Ensure SNMP configurations are secured to avoid exposing sensitive data.

SNMP enumeration is a powerful technique for gathering network data. Properly understanding its capabilities and ensuring secure configurations can significantly enhance network management and penetration testing efforts.

Linked Articles