← Back to search

SNMP (161/UDP)

enumerationports

Summary

SNMP is UDP/161 — easy to miss. The community string "public" is the common default. The gold is in running-process command lines, which often contain cleartext passwords.

Walkthrough

SNMP (UDP 161) is frequently overlooked because UDP isn't in a default TCP scan.

Steps

  1. Scan UDPsudo nmap -sU -p161 <IP> (or top-UDP) to confirm it's open.
  2. Dump itsnmp-check for a readable summary, snmpbulkwalk for the raw

firehose (tee it to a file).

  1. Hunt process command lines — the single most valuable thing here.

Programs are often launched with -u user -p password visible in the MIB.

  1. Extended objectsnsExtendObjects can expose custom scripts the admin

wired up.

Common community strings

public, private, community. Brute with onesixtyone + a wordlist if the default fails.

Commands

bash

# Quick structured dump
snmp-check <IP>

bash

# Full walk with the default community string
snmpwalk -v2c -c public <IP>
snmpbulkwalk -v2c -c public <IP> | tee snmp.out

bash

# Extended scripts/processes often leak creds in command lines
snmpwalk -v2c -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendObjects

bash

# Useful OIDs if -m all is noisy
# 1.3.6.1.2.1.25.4.2.1.2  -> running programs
# 1.3.6.1.2.1.25.4.2.1.4  -> process paths
# 1.3.6.1.4.1.77.1.2.25   -> user accounts
# 1.3.6.1.2.1.6.13.1.3    -> TCP local ports
snmpwalk -v2c -c public <IP> 1.3.6.1.2.1.25.4.2.1.2