SNMP (161 UDP)

Community string brute force

Find valid community strings — public/private are defaults

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt $IP
Example Output
onesixtyone 10.10.10.5 -c community.txt
10.10.10.5 [public] Linux server 5.4.0
10.10.10.5 [private] Linux server 5.4.0
(FOUND: public and private strings)

Full SNMP walk

Dump all SNMP data — Users, processes, software, interfaces

snmpwalk -v2c -c public $IP
Example Output
SNMPv2-MIB::sysDescr.0 = Linux webserver 5.4.0
HOST-RESOURCES-MIB::hrSWRunName.1 = apache2
HOST-RESOURCES-MIB::hrSWRunName.2 = mysqld
HOST-RESOURCES-MIB::hrSWRunParameters.786 = -u admin -p S3cr3tP@ss
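
The hrSWRunParameters line above shows why command-line secrets are a finding on any host that answers SNMP. As an added example (not part of the original cheat sheet), this script audits saved walk output from hosts you administer and reports which processes expose credential-like options; the function names, the sample data and the option list are constructed for illustration.

```python
import re

# Constructed sample (not captured from a real host). Real net-snmp output
# carries a type tag such as STRING:, which the parser treats as optional.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux webserver 5.4.0
HOST-RESOURCES-MIB::hrSWRunName.786 = STRING: "mysql"
HOST-RESOURCES-MIB::hrSWRunParameters.786 = STRING: "-u admin -p S3cr3tP@ss"
HOST-RESOURCES-MIB::hrSWRunName.801 = STRING: "apache2"
HOST-RESOURCES-MIB::hrSWRunParameters.801 = STRING: "-k start"
HOST-RESOURCES-MIB::hrSWRunName.902 = STRING: "backup.sh"
HOST-RESOURCES-MIB::hrSWRunParameters.902 = STRING: "--password=hunter2 --host db01"
"""

# <module>::<column>.<index> = [<TYPE>: ]<value>
LINE_RE = re.compile(
    r'^(?:[\w-]+::)?(hrSWRun(?:Name|Parameters))\.(\d+) = (?:[\w-]+: )?(.*)$')
# Heuristic list of options that usually carry a secret (an assumption; extend it).
SECRET_RE = re.compile(
    r'(?:^|\s)(-p|--?pass(?:word|wd)?|--?token|--?secret|--?api[-_]?key)[= ]\s*\S+')


def parse_process_table(walk_text):
    """Join hrSWRunName and hrSWRunParameters rows on their table index."""
    procs = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, index, value = m.groups()
            procs.setdefault(int(index), {})[column] = value.strip().strip('"')
    return procs


def find_exposed_secrets(walk_text):
    """Return (index, process name, option) per hit; the secret itself is not kept."""
    findings = []
    for index, row in sorted(parse_process_table(walk_text).items()):
        for m in SECRET_RE.finditer(row.get("hrSWRunParameters", "")):
            findings.append((index, row.get("hrSWRunName", "?"), m.group(1)))
    return findings


if __name__ == "__main__":
    for index, name, option in find_exposed_secrets(SAMPLE_WALK):
        print(f"index {index} ({name}): secret passed via {option}, "
              "readable by anyone holding the community string")
```

Anything it reports should move out of the command line into a protected config file or environment secret, and the agent's community should be limited to a view that excludes the process table.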

Enum users

Windows user accounts — Username list

snmpwalk -v2c -c public $IP 1.3.6.1.4.1.77.1.2.25
Example Output
snmpwalk -v2c -c public 10.10.10.5 1.3.6.1.4.1.77.1.2.25
USER: administrator
USER: john
USER: backup_svc

Enum running processes

Running software — Find vulnerable services

snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.4.2.1.2
Example Output
snmpwalk -v2c -c public 10.10.10.5 hrSWRunName
apache2
mysqld
tomcat8
sshd
(Tomcat running = check 8080, look for manager)

Enum installed software

Installed packages — Version info for exploits

snmpwalk -v2c -c public $IP 1.3.6.1.2.1.25.6.3.1.2
Example Output
snmpwalk -v2c -c public 10.10.10.5 hrSWInstalledName
apache2 2.4.29
mysql-server 5.7.29
wordpress 5.8
(Version numbers for exploit search)

Enum TCP connections

Open TCP ports (internal view) — May reveal ports not in nmap

snmpwalk -v2c -c public $IP 1.3.6.1.2.1.6.13.1.3
Example Output
snmpwalk -v2c -c public 10.10.10.5 tcpConnLocalPort
22, 80, 3306, 8080, 8443
(Ports 8080 and 8443 not in nmap = filtered or internal only)

snmp-check tool

Formatted SNMP enum — Cleaner output than snmpwalk

snmp-check $IP -c public
Example Output
snmp-check 10.10.10.5 -c public
[*] System information:
  Hostname: webserver
  OS: Linux 5.4.0
[*] User accounts:
  admin, www-data, mysql
[*] Processes:
  apache2, mysqld, cron