SNMP (161/UDP)
enumerationports
Summary
SNMP is UDP/161 — easy to miss. The community string "public" is the common default. The gold is in running-process command lines, which often contain cleartext passwords.
Walkthrough
SNMP (UDP 161) is frequently overlooked because UDP isn't in a default TCP scan.
Steps
- Scan UDP —
sudo nmap -sU -p161 <IP>(or top-UDP) to confirm it's open. - Dump it —
snmp-checkfor a readable summary,snmpbulkwalkfor the raw
firehose (tee it to a file).
- Hunt process command lines — the single most valuable thing here.
Programs are often launched with -u user -p password visible in the MIB.
- Extended objects —
nsExtendObjectscan expose custom scripts the admin
wired up.
Common community strings
public, private, community. Brute with onesixtyone + a wordlist if the default fails.
Commands
bash
# Quick structured dump snmp-check <IP>
bash
# Full walk with the default community string snmpwalk -v2c -c public <IP> snmpbulkwalk -v2c -c public <IP> | tee snmp.out
bash
# Extended scripts/processes often leak creds in command lines snmpwalk -v2c -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendObjects
bash
# Useful OIDs if -m all is noisy # 1.3.6.1.2.1.25.4.2.1.2 -> running programs # 1.3.6.1.2.1.25.4.2.1.4 -> process paths # 1.3.6.1.4.1.77.1.2.25 -> user accounts # 1.3.6.1.2.1.6.13.1.3 -> TCP local ports snmpwalk -v2c -c public <IP> 1.3.6.1.2.1.25.4.2.1.2