
# SNMP (161-162)

<details>

<summary>Protocol Information</summary>

SNMP is a protocol used in TCP/IP networks to collect and manage information about networked devices. The SNMP protocol is supported by many types of devices including routers, switches, servers, printers, Network Attached Storage (NAS), firewalls, WLAN controllers and more.

There are **`3 versions`** of SNMP: \
\- **`SNMPv1`**, does not natively support authentication or encryption (exposed to spoofing, replay attacks and sniffing). \
\- **`SNMPv2`** and **`SNMPv2c`**, similar to version 1 in terms of security.\
\- **`SNMPv3`**, introduced username and password authentication and encryption (pre-shared key), moving from DES-56 to AES-256.

SNMP managed networks have **`3 components`**:\
\- **`Managed Device`** : A managed device (also referred to as a ‘node’) is a network device with the SNMP service enabled allowing unidirectional (read) or bidirectional (read/write) communication. Managed devices can be any networked device including servers, firewalls and routers.\
\- **`Agent`** : The agent is the software running on the managed device which is responsible for handling the communication. The agent translates device-specific configuration parameters into an SNMP format for the Network Management System.\
\- **`Network Management System (NMS)`** : The Network Management System is the software that is actually managing and monitoring networked devices. An SNMP managed network will always contain at least one NMS.

The SNMP protocol uses several **`commands`** which are sent from the NMS to the managed device’s agent and back. These commands can be categorized as read, write, trap and traversal commands.\
\- **`Read`** commands are sent by the NMS to nodes for monitoring purposes.\
\- **`Write`** commands are used to control the nodes in the network.\
\- **`Trap`** commands are used for unsolicited SNMP messages from a device’s agent to the NMS to inform the NMS about certain events such as errors.\
\- **`Traversal`** commands are used to check what information is retained on a managed device and to retrieve it.

The SNMP **`Management Information Base (MIB)`** is a database that contains information about network devices. When the Network Management System (NMS) sends a “get” request to obtain information about a managed device on the network, the agent service returns a structured table with the data. This table is called the Management Information Base (MIB). Each node has a unique identifier called an Object Identifier **`(OID)`**. An OID is a sequence of numbers separated by periods that uniquely identifies a node in the MIB tree. For example, an OID might be `1.3.6.1.2.1.1`. Each number in the sequence represents a level in the MIB tree. In addition to indicating the OID, the MIB also provides information about the type, access rights, and a description of the respective object.

The SNMP **`community string`** is like a username or password that allows access to the managed device. There are three different community strings that allow a user to set (1) read-only commands, (2) read and write commands and (3) traps. \
In SNMPv1 and SNMPv2 the default community strings are:\
\- **`‘public’`** read-only  \
\- **`‘private’`** read-write\
In SNMPv3, the community string was replaced by username and password authentication.\
It is good security practice to replace all community strings with hard-to-guess values, since they act as passwords.

</details>

## Port

<table data-header-hidden><thead><tr><th width="166">Port</th><th>Description</th></tr></thead><tbody><tr><td><mark style="color:green;"><strong>161</strong></mark><strong> UDP</strong></td><td>SNMP, commands</td></tr><tr><td><mark style="color:green;"><strong>162</strong></mark><strong> UDP</strong></td><td>SNMP, traps sent from server to clients when certain events occur.</td></tr></tbody></table>

## Config File

* `/etc/snmp/snmpd.conf` ([LINK](http://www.net-snmp.org/docs/man/snmpd.conf.html))

## Interact

MIB Trees

{% code overflow="wrap" %}

```
1.3.6.1.2.1.25.1.6.0     System Processes
1.3.6.1.2.1.25.4.2.1.2   Running Programs
1.3.6.1.2.1.25.4.2.1.4   Processes Path
1.3.6.1.2.1.25.2.3.1.4   Storage Units
1.3.6.1.2.1.25.6.3.1.2   Software Name
1.3.6.1.4.1.77.1.2.25    User Accounts
1.3.6.1.2.1.6.13.1.3     TCP Local Ports
```

{% endcode %}

<table><thead><tr><th width="160">Tools</th><th>Details</th></tr></thead><tbody><tr><td>snmpbulkwalk </td><td><code>snmpbulkwalk -c &#x3C;COMMUNITY_STRING> -v &#x3C;1-2c-3> &#x3C;IP> .</code></td></tr><tr><td><a href="https://net-snmp.sourceforge.io/">snmpwalk</a></td><td><code>snmpwalk -c &#x3C;COMMUNITY_STRING> -v &#x3C;1-2c-3> &#x3C;IP> [&#x3C;OID>]</code></td></tr><tr><td><a href="https://www.nothink.org/codes/snmpcheck/index.php">snmp-check</a></td><td><code>snmp-check -c &#x3C;COMMUNITY_STRING> -v &#x3C;1-2c> &#x3C;IP></code></td></tr></tbody></table>

## Attacks

### Brute force Community Strings and OID

{% tabs %}
{% tab title="Tools" %}

<table><thead><tr><th width="159">Tools</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://github.com/trailofbits/onesixtyone">onesixtyone</a></td><td>Brute force Community String.<br><code>onesixtyone -c &#x3C;WORDLIST> &#x3C;IP></code></td></tr><tr><td><a href="https://github.com/mteg/braa">braa</a></td><td>Brute force OID.<br><code>braa &#x3C;COMMUNITY_STRING>@&#x3C;IP>:.1.3.6.*</code></td></tr></tbody></table>
{% endtab %}

{% tab title="Wordlist" %}
`SecLists/Discovery/SNMP/snmp.txt`

`metasploit-framework/data/wordlists/snmp_default_pass.txt`

In an extended network with more than 100 different servers managed through SNMP, the labels will have some pattern, so different rules can be used to guess them. The crunch tool can be used to create custom wordlists.
{% endtab %}
{% endtabs %}


