Port 161/162 – SNMP
How to enumerate port 161/162 (SNMP)
SNMP (Simple Network Management Protocol) is an application-layer protocol that uses UDP to monitor and manage routers, hubs, switches and other network devices on an IP network. SNMP is commonly found enabled on a variety of operating systems such as Windows Server, Linux and UNIX servers, as well as on network devices like routers and switches.
You can enumerate SNMP to obtain users, passwords, groups, system names and devices on the target system.
The protocol has some funny terminology. For example, rather than the word password, the word community (community string) is used, but it is essentially the same thing. A common community string/password is public. Usually the community string public gives you read-only access to the SNMP data.
#Common community strings
public
private
community
MIB (Management information base):
The SNMP protocol saves all of its data in the Management Information Base (MIB). The MIB is a database designed as a tree: different branches contain different information, so one branch can hold username data and another the running processes. The leaf nodes (endpoints) hold the actual data.
So, if you have read access to the database, you can read every endpoint in the tree. You can use snmpwalk to do that: it walks through the entire database tree and outputs the content.
snmpwalk -c public -v1 192.168.1.101 #community string and which version
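An added example (not part of the original page) of what the cleartext community string and the OID-addressed MIB lookups described above look like on the wire: a small Python BER decoder that pulls the version, community string, PDU type and first OID out of a captured SNMPv1/v2c datagram and flags default community strings, the kind of check a defender would run over UDP/161 captures. The sample packet is constructed and the function names are my own, not from any tool on this page.

```python
# Added example, not from the original page: decode the cleartext header of an SNMPv1/v2c
# datagram (UDP/161) so a defender can log which community string and PDU type crossed the wire.
DEFAULT_COMMUNITIES = {"public", "private", "community"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
def read_tlv(buf, pos):
    """Read one BER tag/length/value at pos -> (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):
    """BER OID bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128; high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def inspect_snmp(packet):
    # Returns version, community, PDU type, first OID and a list of defender findings.
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):        # v3 has no cleartext community field
        return {"version": version, "findings": []}
    _, comm, pos = read_tlv(msg, pos)
    community = comm.decode("ascii", "replace")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    p = 0                                   # v1 Trap has 5 header fields, other PDUs 3
    for _ in range(5 if pdu_tag == 0xA4 else 3):
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)       # VarBindList -> first VarBind -> its OID
    _, first_vb, _ = read_tlv(varbinds, 0)
    _, oid, _ = read_tlv(first_vb, 0)
    findings = [f"{version}: community string travels in cleartext"]
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community {community!r} in use")
    if pdu_tag == 0xA3:
        findings.append("SetRequest: write access attempted")
    return {"version": version, "community": community, "oid": decode_oid(oid),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "findings": findings}
# Constructed sample: SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE = bytes.fromhex("3026020100040670" "75626c6963a01902" "0101020100020100"
                       "300e300c06082b06" "0102010101000500")
```

Feed inspect_snmp() the UDP payload of each datagram from a capture; anything reporting a default community on v1/v2c is a finding worth raising with the device owner.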
nmap -sU -p 161 --script='*snmp*' 192.168.1.101 #quote the pattern so the shell does not expand it
snmpenum is a simple Perl script to enumerate information on machines that are running SNMP.
snmpenum -t 192.168.1.101
Like snmpwalk, snmp-check lets you enumerate SNMP devices and presents the output in a very human-readable format. It can be useful for penetration testing or systems monitoring.
snmp-check 192.168.1.101 -c public
onesixtyone (brute force community strings):
onesixtyone takes a different approach to SNMP scanning. It takes advantage of the fact that SNMP is a connectionless protocol and sends all SNMP requests as fast as it can. Then the scanner waits for responses to come back and logs them, in a fashion similar to Nmap ping sweeps.
#obtain communities with bruteforce
onesixtyone -c /usr/share/wordlists/dirb/small.txt 192.168.1.101
xprobe2 is a remote active operating system fingerprinting tool.
xprobe2 -v -p udp:161:open 192.168.1.101
SNMP Community Login Scanner (Metasploit):
This module logs in to SNMP devices using common community names.
msf > use auxiliary/scanner/snmp/snmp_login
SNMP Enumeration Module (Metasploit):
This module allows enumeration of any device with SNMP protocol support. It gathers hardware, software and network information. The default community used is “public”.
msf > use auxiliary/scanner/snmp/snmp_enum