
What Is SNMP Enumeration? Security Definition

Also known as: SNMP Enumeration, SNMP walk, SNMP community string, ethical hacking enumeration, CEH scanning and enumeration

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

SNMP Enumeration is a technique used by security professionals and attackers to gather detailed information from network devices like routers, switches, servers, and printers. This information is collected by sending requests to the device's SNMP agent using known community strings. If the community string is weak or default, the device may reveal system data, user lists, software versions, and network topology. Understanding this helps ethical hackers find misconfigurations before malicious actors exploit them.

Must Know for Exams

SNMP Enumeration is a regular topic in the EC-Council Certified Ethical Hacker (CEH) exam, specifically in the Scanning and Enumeration domain. The exam objectives require candidates to understand what SNMP is, how enumeration works, and what tools are used. Candidates may be asked to identify the default community strings, the ports involved, or the correct OID for a specific piece of information.

In the CEH exam, questions often present a scenario where a penetration tester runs an SNMP scan and retrieves a list of usernames or running services. The candidate must identify which protocol and tool were used, or what the attacker is trying to achieve. The exam also tests the difference between SNMPv1, v2c, and v3, especially regarding security features. For example, a question might ask why SNMPv2c is vulnerable to enumeration even though it is newer than v1.

Other related exams, such as CompTIA Security+, also cover SNMP enumeration in the context of reconnaissance. The Security+ exam may ask about the purpose of SNMP and the risks of default community strings. The exam might present a network diagram and ask which device would be the best target for gathering user account information. For the CISSP exam, SNMP enumeration falls under the communication and network security domain, where questions focus on protocol vulnerabilities and countermeasures.

In all these exams, the key points to remember are the default community strings public and private, the UDP ports 161 and 162, the use of snmpwalk and similar tools, and the importance of using SNMPv3 with authentication and encryption. Exam questions will often include distractors like Telnet or SSH enumeration, so candidates must be able to distinguish SNMP-specific characteristics.

Simple Meaning

Imagine you are a post office mail carrier who has a master key that can open every mailbox in a neighborhood. You walk down the street, and at each house, you unlock the mailbox and look inside. Some mailboxes have a small notebook that lists every person living in that house, their phone numbers, and when they receive packages. Other mailboxes have a bigger book that shows the entire street map with all the houses and their security alarm codes. This is essentially what SNMP Enumeration does, but for network devices instead of houses.

SNMP stands for Simple Network Management Protocol, and it is the way network administrators check on the health of devices like routers, switches, printers, and servers. Think of SNMP like a library card catalog. Each device keeps a collection of information organized in a tree-like structure called the Management Information Base (MIB). The MIB contains data such as the device's name, uptime, running software version, network interfaces, and routing and connection tables; on Windows hosts it can even include the list of local user accounts.

To access this information, a person or a tool sends an SNMP request with a password-like string called a community string. There are two common community strings: public for read-only access and private for read-write access. Many devices are shipped with these default community strings, and administrators sometimes forget to change them. When an attacker or an ethical hacker sends a request using public or private, and the device responds, they have successfully performed SNMP Enumeration. They now have a treasure map of the network, showing which devices exist, how they are configured, and what vulnerabilities they might have.

In ethical hacking, this is a critical step during the scanning and enumeration phase. The goal is to discover as much about the target network as possible without triggering alarms. SNMP Enumeration provides a wealth of information that can be used to plan further attacks or, in the case of a penetration test, to recommend security fixes.

Full Technical Definition

SNMP Enumeration is a network reconnaissance technique that leverages the Simple Network Management Protocol (SNMP) version 1, 2c, or 3 to query managed devices for operational and configuration data. SNMP is defined by the Internet Engineering Task Force (IETF) in RFCs 1157 (v1), 1901 (community-based v2c), 3410 (the v3 framework), and others. It operates over UDP port 161 for requests and UDP port 162 for traps (unsolicited alerts sent by the agent). The protocol uses a manager-agent model: the SNMP manager sends GetRequest, GetNextRequest, and (from v2c onward) GetBulkRequest PDUs (Protocol Data Units) to an SNMP agent running on the target device, and the agent answers with a GetResponse PDU carrying the requested variable bindings.

The heart of SNMP enumeration is the Management Information Base (MIB), a hierarchical namespace whose objects are defined in ASN.1 (Abstract Syntax Notation One). Each object is identified by an Object Identifier (OID), a sequence of dot-separated integers; for example 1.3.6.1.2.1.1.1.0 is the system description, where 1.3.6.1.2.1.1.1 names sysDescr and the trailing .0 is the instance suffix of a scalar object. The standard mib-2 subtree (1.3.6.1.2.1) is organized into groups including system (1.3.6.1.2.1.1), interfaces (1.3.6.1.2.1.2), ip (1.3.6.1.2.1.4), tcp (1.3.6.1.2.1.6), udp (1.3.6.1.2.1.7), and host resources (1.3.6.1.2.1.25), whose running-software table hrSWRunTable (1.3.6.1.2.1.25.4.2) lists processes on hosts that implement it. Vendor-specific data lives under the enterprises branch (1.3.6.1.4.1).

For enumeration to succeed, the attacker must know or guess the community string. In SNMPv1 and SNMPv2c the community string is carried in plaintext in every packet and is the only access control, so it is effectively a shared password. The conventional default read-only string is public and the default read-write string is private, and many organizations never change them, which makes enumeration trivial. Tools such as snmpwalk (from net-snmp), snmp-check (the Kali package name for snmpcheck), onesixtyone, and Metasploit modules such as auxiliary/scanner/snmp/snmp_enum automate the process: onesixtyone sprays candidate community strings at many hosts at once, while the walkers issue GetNext or GetBulk requests repeatedly and parse the returned OID-value pairs.
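To make the message and PDU structure above concrete, here is an added example, written for this page rather than taken from any RFC, vendor or tool: a dependency-free Python encoder for SNMPv1/v2c GetRequest and GetNextRequest messages, plus a decoder for the agent's GetResponse. Everything is built by hand from the BER rules the text describes. The sample reply used to exercise the decoder is constructed with the same encoder, not captured from a real device, and snmp_get only puts traffic on the wire if you call it against a host you are authorised to test.

```python
"""Hand-rolled SNMPv1/v2c GetRequest builder and GetResponse decoder (BER only, no third-party code)."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"           # system group, sysDescr, scalar instance 0
SNMP_VERSION = {"1": 0, "2c": 1}           # wire values of the version field
GET, GETNEXT, RESPONSE = 0xA0, 0xA1, 0xA2  # context-specific PDU tags

def ber_len(n):  # BER length: short form below 128, else 0x80|N followed by N length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def enc_int(v):  # INTEGER in minimal two's-complement form
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(oid):  # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_message(pdu_tag, community, request_id, varbinds, version="2c"):
    """Encode Message { version, community, PDU { request-id, error-status, error-index, VarBindList } }."""
    vbl = b""
    for oid, val in varbinds:  # None -> NULL placeholder (request), int -> INTEGER, str -> OCTET STRING
        enc = b"\x05\x00" if val is None else enc_int(val) if isinstance(val, int) else tlv(0x04, str(val).encode())
        vbl += tlv(0x30, enc_oid(oid) + enc)
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(SNMP_VERSION[version]) + tlv(0x04, community.encode()) + pdu)

def build_get(community, oid, version="2c", request_id=1, pdu_tag=GET):
    return build_message(pdu_tag, community, request_id, [(oid, None)], version)  # GETNEXT is what snmpwalk loops on

def _read_tlv(buf, pos):  # -> (tag, value_bytes, next_pos) for the TLV starting at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(raw):
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def dec_value(tag, raw):  # common agent value types; unknown tags are left as raw bytes
    if tag in (0x41, 0x42, 0x43, 0x46):  # Counter32, Gauge32, TimeTicks, Counter64: unsigned
        return int.from_bytes(raw, "big")
    return {0x02: lambda: int.from_bytes(raw, "big", signed=True), 0x04: lambda: raw.decode("latin-1"),
            0x06: lambda: dec_oid(raw), 0x40: lambda: ".".join(map(str, raw)),  # 0x40 = IpAddress
            0x05: lambda: None}.get(tag, lambda: raw)()

def parse_message(buf):
    """Decode an SNMPv1/v2c message into a dict; raises ValueError for anything that is not one."""
    try:
        tag, body, _ = _read_tlv(buf, 0)
        if tag != 0x30:
            raise ValueError("not an SNMP message")
        _, ver, pos = _read_tlv(body, 0)
        _, comm, pos = _read_tlv(body, pos)
        pdu_tag, pdu, _ = _read_tlv(body, pos)
        _, rid, pos = _read_tlv(pdu, 0)
        _, err, pos = _read_tlv(pdu, pos)
        _, _, pos = _read_tlv(pdu, pos)  # error-index, not needed here
        _, vbl, _ = _read_tlv(pdu, pos)
        varbinds, pos = [], 0
        while pos < len(vbl):
            _, vb, pos = _read_tlv(vbl, pos)
            _, oid_raw, q = _read_tlv(vb, 0)
            vtag, vraw, _ = _read_tlv(vb, q)
            varbinds.append((dec_oid(oid_raw), dec_value(vtag, vraw)))
    except IndexError:
        raise ValueError("truncated packet") from None
    return {"version": dec_value(0x02, ver), "community": comm.decode("latin-1"), "pdu_type": pdu_tag,
            "request_id": dec_value(0x02, rid), "error_status": dec_value(0x02, err), "varbinds": varbinds}

def snmp_get(host, community, oid, version="2c", timeout=2.0):
    """Send one GetRequest to UDP/161 and return the decoded reply. Only against hosts you are authorised to test."""
    req = build_get(community, oid, version, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)  # an agent that rejects the community string simply stays silent
        s.sendto(req, (host, 161))
        data, _ = s.recvfrom(65535)
    reply = parse_message(data)
    if reply["pdu_type"] != RESPONSE or reply["request_id"] != 0x1234:
        raise ValueError("reply does not match the request")
    return reply
```

build_get("public", SYS_DESCR) yields the 40-byte packet that snmpget, snmpwalk and onesixtyone all put on the wire for sysDescr.0; dump it with .hex() and you will find the community string as plain ASCII from byte 7 onward, which is the entire SNMPv1/v2c problem in one line. A walk is the same exchange with pdu_tag=GETNEXT, feeding each returned OID back in until the reply leaves the subtree you started from; agents that do not accept the community string never answer, so a timeout rather than an error is the normal "wrong string" signal.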

SNMPv3 introduces authentication and encryption, making enumeration significantly harder. However, devices configured with SNMPv3 may still use weak or default passwords, or the configuration may be misapplied, leaving the data accessible. Once enumeration succeeds, the attacker can extract system information, network interfaces and IP addresses, routing tables, running processes, installed software, usernames, and even DNS server addresses. This data is invaluable for mapping the network and identifying high-value targets such as domain controllers, database servers, or network infrastructure.

In real IT environments, SNMP is used for monitoring tools like Nagios, PRTG, and SolarWinds. These tools rely on SNMP to poll devices at regular intervals. If an attacker compromises the monitoring server or intercepts SNMP traffic, they can gain the same level of access. Ethical hackers performing penetration tests will enumerate SNMP as a standard step to evaluate the risk of information leakage.

Real-Life Example

Think of a large office building with hundreds of rooms. Each room has a glass display case mounted on the wall outside the door. Inside each display case, there is a card that shows the room number, the name of the person who works there, their job title, what computer equipment is inside, and a list of visitors who came in that day. The building management uses a master key that opens every display case so they can quickly check occupancy and maintenance needs.

Now imagine that the building manager leaves a copy of that master key hanging on a hook next to the main entrance, labeled display case key. Anyone who walks into the building can grab the key, open any display case, and read all the information inside. This is exactly what happens when a network device uses the default SNMP community string public. The attacker just needs to send a simple request, and the device willingly opens its information cabinet.

In this analogy, the display case is the MIB, the key is the community string, and the building is the network. The attacker is a stranger who finds the key and starts opening display cases on every floor. They might discover that the CEO's office is room 501 with a high-end server, that the IT closet on floor 3 contains the main router, and that the finance department on floor 2 uses an older operating system. The attacker now has a map of who is important and where the weaknesses are.

This analogy maps directly to SNMP Enumeration. The attacker sends an SNMP walk request to the device. The device responds with a list of OIDs and their values. From this, the attacker learns the system description, uptime, network interfaces, IP addresses, user accounts, and even the routing table. Just like the stranger in the building, the attacker now knows exactly where to go and what to exploit next.

Why This Term Matters

SNMP Enumeration matters because it is one of the simplest and most effective ways for an attacker to gather a comprehensive overview of a target network without sending obvious malicious traffic. In real IT work, network administrators rely on SNMP for legitimate monitoring and management. However, if the community strings are left at default values or if SNMP is exposed to the internet, the same protocol that keeps the network healthy becomes a goldmine for attackers.

For cybersecurity professionals, understanding SNMP Enumeration is essential for hardening networks. A common task during a security audit is to scan all internal IP addresses for SNMP services and test if default community strings are in use. If they are, the report will highlight a high-risk finding. Attackers do the same thing, but with malicious intent. They will enumerate SNMP to discover new subnets, identify the operating systems and software versions of devices, and locate the Network Time Protocol (NTP) servers or DNS servers that could be targeted for man-in-the-middle attacks.

In cloud infrastructure, many virtual instances and managed devices also support SNMP. Although cloud providers often restrict SNMP access by default, misconfigurations can expose SNMP to the internet. A single exposed router with default community strings can leak the entire cloud network architecture. For system administrators, disabling SNMP on devices that do not need it, or changing community strings to complex values and using SNMPv3 with encryption, is a fundamental security practice.

From a compliance perspective, frameworks like PCI DSS require that default passwords and community strings be changed. A failure to do so can lead to non-compliance and potential fines. Therefore, SNMP Enumeration is not just a hacking technique, it is a benchmark for network security hygiene. Every IT professional should know how to test for it and how to fix it.

How It Appears in Exam Questions

SNMP Enumeration appears in certification exams in several distinct question formats. The first type is the direct knowledge question. For example, a question might ask: Which two ports are used by SNMP? The correct answer is UDP 161 for requests and UDP 162 for traps. Another direct question might be: What are the default read-only and read-write community strings for SNMPv1 and SNMPv2c? The answer is public and private.

The second type is the scenario question. A typical scenario describes a penetration tester who runs a network scan and discovers a device responding to SNMP requests. The question might ask: What information can the tester retrieve using the community string public? The answer includes system description, uptime, network interfaces, user accounts, running processes, and routing tables. Another scenario might give a list of retrieved OIDs and ask the candidate to identify which piece of information is most valuable for further attacks, such as the list of usernames.

The third type is the tool identification question. The exam may show a command line output from snmpwalk or similar tool. The candidate must identify what tool was used and what the output reveals. For example, an output showing sysName, sysDescr, and sysUptime indicates that an SNMP walk was performed. The question might ask: Which tool is most likely to produce this output? The answer is snmpwalk.

The fourth type is the configuration and troubleshooting question. A question might describe a network administrator who has enabled SNMP on a router but cannot retrieve data from the monitoring server. The candidate must identify the likely cause, such as a firewall blocking UDP 161, a mismatch in community strings, or an incorrect SNMP version. Another common question asks about securing SNMP: Which version should be implemented to prevent enumeration? The answer is SNMPv3 with authentication and encryption.

Finally, there are comparison questions where the exam asks the candidate to differentiate SNMP enumeration from other enumeration techniques such as NetBIOS enumeration, LDAP enumeration, or DNS enumeration. Candidates must understand that SNMP enumeration specifically targets network devices and uses the MIB hierarchy.

A pattern often seen in the CEH exam is a multi-step question where the candidate is given a log file containing SNMP walk output and must answer two or three sub-questions about the information leaked and the next logical step for the attacker.


Example Scenario

You are an ethical hacker hired by a mid-sized company called TechTools Inc. The company wants you to assess their network security. They give you permission to scan their internal network range 192.168.10.0/24. You start with a basic port scan and notice that several devices have UDP port 161 open. These are routers, switches, and a printer.

You decide to test SNMP enumeration on one of the routers. You use a tool called onesixtyone, which sends SNMP requests with a list of common community strings. The tool quickly reports that the router responds to the community string public. You then run snmpwalk on the router starting from OID 1.3.6.1.2.1.1, the system group. The device returns the system description, showing it is a Cisco router running IOS version 15.0. You also retrieve the system uptime, which is 200 days, meaning the device has not been rebooted, and therefore almost certainly not patched, in that time.

Encouraged by this, you continue enumerating and request the interfaces table using OID 1.3.6.1.2.1.2. The router responds with all its interface names and IP addresses. You now know that the router has two Ethernet interfaces: one facing the internal network (192.168.10.1) and one facing an external network (10.0.0.1). This gives you a clear picture of the network perimeter.

Next, you look for management services. The host resources group (1.3.6.1.2.1.25) is implemented mainly by servers and printers and is typically absent on IOS routers, so on the router you walk the TCP connection table under 1.3.6.1.2.1.6 instead. It shows a listener on TCP port 23, meaning Telnet, which is unencrypted, is enabled. A Cisco router does not publish its locally configured usernames over SNMP (that kind of leak is characteristic of Windows hosts via the LAN Manager MIB), but a Telnet listener combined with the exact IOS version is still a credible entry point for a credential-guessing attack. You document all these findings in your report and recommend changing the SNMP community string (or, better, moving to SNMPv3 and restricting SNMP to the management station), disabling Telnet in favor of SSH, and applying regular IOS updates.

Common Mistakes

Believing that SNMP enumeration only works on Windows devices.

SNMP is a cross-platform protocol and works on routers, switches, printers, firewalls, servers, and even IoT devices running Linux, Unix, or Windows. Any device that implements an SNMP agent can be enumerated.

Treat all devices that respond on UDP port 161 as potential targets for SNMP enumeration, regardless of their operating system.

Thinking that SNMP enumeration requires the community string private or administrative privileges.

The read-only community string public is sufficient for retrieving most configuration and user information. You do not need read-write access to enumerate system details, usernames, and network topology.

Always test the public community string first, as it often provides all the data needed for reconnaissance.

Confusing SNMP enumeration with SNMP flooding or Denial of Service attacks.

SNMP enumeration is an active but low-impact reconnaissance technique: it sends ordinary protocol queries and reads the responses, which is exactly the traffic a monitoring server generates. It does not flood the device or degrade its performance. SNMP flooding is a different attack that sends excessive requests or traps to overwhelm a device or its monitoring system.

Remember that enumeration is about gathering information, not disrupting service. If your goal is to crash the device, that is a different attack vector.

Assuming that all SNMP versions are equally vulnerable to enumeration.

SNMPv1 and SNMPv2c transmit community strings in plaintext, offer no authentication beyond that string, and provide no encryption or integrity protection. SNMPv3 adds the User-based Security Model with authentication (HMAC with MD5 or SHA) and privacy (DES or AES), making enumeration much harder unless credentials are weak or the agent still permits the noAuthNoPriv security level.

When securing a network, standardize on SNMPv3 with strong authentication and encryption. If legacy devices only support v1 or v2c, restrict SNMP access to specific management IP addresses.

Thinking that changing the community string from public to something else fully protects the device.

A custom community string is better than a default one, but it is still sent in plaintext in SNMPv1 and v2c. An attacker on the same network can sniff the traffic and discover the new community string.

Use SNMPv3 or, if SNMPv2c is required, combine a strong community string with IP-based access control lists and network segmentation to limit exposure.
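As an added example (not from the original page or from the net-snmp project), here is a net-snmp snmpd.conf showing the weak default beside a hardened configuration that applies the advice above. The bind address 10.20.0.5, the poller address 10.20.0.10, the user name monitor and the view name mgmt are assumptions, and the passphrases are placeholders to be replaced with long random values.

```conf
# --- WEAK: what a stock install or an unchanged appliance looks like ---
agentAddress udp:161                 # listens on every interface
rocommunity public                   # read-only for anyone who can reach UDP/161
rwcommunity private                  # read-write, same audience

# --- HARDENED ---
agentAddress udp:10.20.0.5:161       # bind only the management interface (address assumed)

# SNMPv3 user with authentication (SHA) and privacy (AES). Passphrases are placeholders;
# net-snmp converts this line to key material at startup and can be kept in the
# persistent store (/var/lib/snmp/snmpd.conf on Debian-style systems) rather than here.
createUser monitor SHA <auth-passphrase> AES <priv-passphrase>

# Expose only what the poller needs: the system and interfaces groups.
view mgmt included .1.3.6.1.2.1.1
view mgmt included .1.3.6.1.2.1.2
rouser monitor priv -V mgmt          # v3 only, authPriv required, restricted view

# If a legacy poller cannot do v3: non-default string, single source, same restricted view.
# The string still crosses the wire in cleartext, so this is a stopgap, not a fix.
rocommunity <strong-random-string> 10.20.0.10 -V mgmt
```

After restarting snmpd, verify both directions: snmpwalk -v3 -l authPriv -u monitor -a SHA -A '<auth-passphrase>' -x AES -X '<priv-passphrase>' 10.20.0.5 1.3.6.1.2.1.1 must return the system group, while snmpwalk -v2c -c public 10.20.0.5 from any host and the v2c string from a host other than 10.20.0.10 must time out. Walking .1.3.6.1.2.1.25 as monitor should return nothing, confirming the view restriction.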

Exam Trap — Don't Get Fooled

A question presents a scenario where the penetration tester uses snmpwalk and retrieves the system description, but the question asks what tool was used. The answer choices include nmap, netstat, snmpwalk, and whois. Many candidates choose nmap because it is a well-known scanning tool.

Remember that snmpwalk is the dedicated tool for retrieving all MIB values below a starting OID. nmap can detect that UDP 161 is open and, with NSE scripts such as snmp-info or snmp-brute, pull a few values, but it does not perform a full walk on its own; if a script were involved, the question would say so. Look for the specific terms SNMP and walk in the question.

Commonly Confused With

SNMP Enumeration vs NetBIOS Enumeration

NetBIOS enumeration targets Windows systems using NetBIOS over TCP/IP (UDP 137-138, TCP 139) to retrieve hostnames, shares, and logged-in users. SNMP enumeration targets any device with an SNMP agent and retrieves a broader set of operational and configuration data, not limited to Windows.

If you want to find shared folders on a Windows server, you use NetBIOS enumeration. If you want to find the OS version and router interfaces of a Cisco switch, you use SNMP enumeration.

SNMP Enumeration vs LDAP Enumeration

LDAP enumeration queries the Lightweight Directory Access Protocol to retrieve directory information from Active Directory or OpenLDAP. SNMP enumeration does not query directory services, it queries the MIB of network devices for hardware and software configuration.

To discover all user accounts and groups in a corporate directory, you use LDAP enumeration. To discover the uptime and IP addresses of a printer, you use SNMP enumeration.

SNMP Enumeration vs DNS Enumeration

DNS enumeration retrieves DNS records (A, MX, CNAME, TXT) to map domain names to IP addresses and identify mail servers. SNMP enumeration focuses on internal device configuration rather than domain name resolution.

To find which servers handle email for a company, you perform DNS enumeration. To find the routing table on a company's internal router, you perform SNMP enumeration.

Step-by-Step Breakdown

1. Port Scanning

The first step is to identify live devices on the network that have UDP port 161 open. nmap with the -sU flag (for example nmap -sU -p 161 192.168.10.0/24) sends an SNMP probe to each host; because UDP is connectionless, a silent host is reported as open|filtered, and only a host that actually answers the probe is marked open. Without an agent listening, enumeration is not possible.

2. Community String Discovery

Once a host with port 161 is found, the next step is to attempt connections using common or default community strings. Tools like onesixtyone will send SNMP GetRequest messages with a list of known strings such as public, private, and manager. If the device responds, the attacker has found a valid community string.

3. Selecting the OID Base

The attacker decides which branch of the MIB to query first. The most common starting point is the system group at OID 1.3.6.1.2.1.1, which provides basic device information. Other useful branches include interfaces (1.3.6.1.2.1.2) and IP (1.3.6.1.2.1.4).

4. Performing the SNMP Walk

Using a tool like snmpwalk, the attacker sends a series of GetNextRequest PDUs (or GetBulkRequest PDUs with snmpbulkwalk against v2c agents) starting from the chosen OID. Each reply supplies the next OID in lexicographic order, which is fed back into the next request until the returned OID falls outside the starting subtree. The output is a text list of OID-value pairs that can be saved for analysis.

5. Analyzing the Retrieved Data

The attacker reviews the collected data to identify useful information. This includes the system description (model and OS version), uptime (age of the device), network interfaces and IP addresses, routing tables, running processes, and user accounts. The data is used to build a profile of the target network.

6. Documenting and Reporting

In an ethical hacking engagement, the findings are documented in a formal report. The report lists the vulnerable devices, the community strings that were accepted, the information that was leaked, and recommendations for remediation. This step ensures the client understands the risk and how to fix it.
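Steps 4 and 5, and the TechTools scenario above, come down to turning a pile of OID-value pairs into something you can act on. The following added example, which is not code from the original page or from any tool, parses snmpwalk -On style output into a structured report: the system group, interface names joined to their IP addresses through ipAdEntIfIndex, listening TCP ports taken from tcpConnTable, and findings such as a cleartext Telnet listener. The sample walk embedded in the block is constructed to mirror the scenario (the host name edge-rtr01, the addresses and the version string are made up), not captured from a real device.

```python
"""Turn raw `snmpwalk -On` output into a structured recon report (added example, not from the original page)."""
import json
import re
import sys

MIB2 = "1.3.6.1.2.1."                                # mib-2 prefix; OIDs below are handled relative to it
LINE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[\w-]+): ?(?P<val>.*)$")
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}     # management listeners worth flagging

# Constructed sample of what `snmpwalk -v2c -c public -On <router> 1.3.6.1.2.1` prints.
# Values mirror the TechTools scenario in the text; nothing here came from a real device.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Cisco IOS Software, Version 15.0"
.1.3.6.1.2.1.1.3.0 = Timeticks: (1728000000) 200 days, 0:00:00.00
.1.3.6.1.2.1.1.5.0 = STRING: "edge-rtr01"
.1.3.6.1.2.1.2.2.1.2.1 = STRING: "GigabitEthernet0/0"
.1.3.6.1.2.1.2.2.1.2.2 = STRING: "GigabitEthernet0/1"
.1.3.6.1.2.1.4.20.1.2.192.168.10.1 = INTEGER: 1
.1.3.6.1.2.1.4.20.1.2.10.0.0.1 = INTEGER: 2
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.23.0.0.0.0.0 = INTEGER: listen(2)
.1.3.6.1.2.1.6.13.1.1.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
.1.3.6.1.2.1.6.13.1.1.192.168.10.1.22.192.168.10.50.51234 = INTEGER: established(5)
"""

def parse_walk(text):
    """Return (oid, type, value) triples; quoted STRING values are unquoted, non-matching lines skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                                  # blanks, "Timeout: No Response", "End of MIB" etc.
        val = m["val"].strip()
        if m["type"] == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rows.append((m["oid"], m["type"], val))
    return rows

def analyze(rows):
    """Build the recon picture an attacker (or a tester writing the report) wants from a walk."""
    report = {"system": {}, "interfaces": {}, "addresses": {}, "tcp_listeners": [], "findings": []}
    ip_to_ifindex = {}
    for oid, _typ, val in rows:
        if not oid.startswith(MIB2):
            continue
        rest = oid[len(MIB2):]                        # e.g. "1.1.0" (sysDescr.0), "2.2.1.2.1" (ifDescr.1)
        if rest == "1.1.0":
            report["system"]["descr"] = val
        elif rest == "1.5.0":
            report["system"]["name"] = val
        elif rest == "1.3.0":                         # sysUpTime in hundredths of a second
            ticks = int(re.match(r"\((\d+)\)", val).group(1))
            report["system"]["uptime_days"] = ticks // (100 * 86400)
        elif rest.startswith("2.2.1.2."):             # ifDescr.<ifIndex>
            report["interfaces"][rest.rsplit(".", 1)[1]] = val
        elif rest.startswith("4.20.1.2."):            # ipAdEntIfIndex.<a.b.c.d> = ifIndex
            ip_to_ifindex[rest[len("4.20.1.2."):]] = val
        elif rest.startswith("6.13.1.1.") and val.lower().startswith("listen"):
            idx = rest[len("6.13.1.1."):].split(".")  # localAddr(4).localPort.remAddr(4).remPort
            report["tcp_listeners"].append(int(idx[4]))
    report["addresses"] = {ip: report["interfaces"].get(i, i) for ip, i in ip_to_ifindex.items()}
    report["tcp_listeners"].sort()
    for port in report["tcp_listeners"]:
        if port in CLEARTEXT:
            report["findings"].append(f"{CLEARTEXT[port]} listener on TCP {port} (cleartext management)")
    if report["system"].get("descr"):
        report["findings"].append("sysDescr discloses platform and version: " + report["system"]["descr"])
    return report

if __name__ == "__main__":   # usage: snmpwalk -v2c -c public -On <host> 1.3.6.1.2.1 > walk.txt; python3 walk_report.py walk.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WALK
    print(json.dumps(analyze(parse_walk(text)), indent=2))
```

The tcpConnTable index encoding is the part people get wrong: the row index is the four local address octets, the local port, the four remote address octets and the remote port, so the listening port is always the fifth component. On agents that implement the newer tcpListenerTable (1.3.6.1.2.1.6.20) the port appears there as well; the script ignores non-listen rows so established sessions do not inflate the listener list.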

Practical Mini-Lesson

SNMP enumeration is a core skill for any ethical hacker or network security professional. To practice it effectively, you need a lab environment with devices that run SNMP. If you do not have physical routers and switches, you can use virtual machines or simulation tools like GNS3, EVE-NG, or even Docker containers that run SNMP simulators. The goal is to become comfortable with the tools and understand what each piece of retrieved data means in a real network.

Start by installing snmpwalk (part of the net-snmp package), snmp-check, and onesixtyone on a Linux machine; Kali Linux ships all three. Run a simple walk against a test device: snmpwalk -v 2c -c public 192.168.1.1. If the device responds, you will see a list of OIDs and values; add -On to print numeric OIDs, which is easier to match against the MIB numbers used on this page. Pay attention to the system description, as it reveals the exact model and firmware, and that is what you search against vulnerability databases for known issues.

Next, explore the MIB tree manually. The OID 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName) lists running processes on hosts that implement the host resources MIB, typically servers and printers rather than network gear. On a server this can show every process currently executing, including database services, web servers, and remote access tools; if you find sshd or httpd, you know which services to examine next. The host resources group only reports the number of logged-in users (hrSystemNumUsers, 1.3.6.1.2.1.25.1.5.0), not their names. On Windows hosts running the SNMP service, local account names are instead exposed through the vendor-specific LAN Manager MIB at 1.3.6.1.4.1.77.1.2.25, which gives you a head start for password attacks.

What can go wrong? In a real environment, you might encounter SNMPv3 devices that require authentication. To enumerate those, you need to attempt to guess or crack the usernames and authentication passwords. Tools like hydra and patator can be used for this, but they are much slower. Also, some administrators configure IP-based ACLs that only allow the monitoring server to query SNMP. In that case, if you are not on the allowed IP range, the device will drop your requests. You can try to spoof the source IP if you are on the same subnet, but that is more complex.

Connecting this to broader IT concepts: SNMP enumeration is part of the reconnaissance phase in the cyber kill chain. It feeds into later stages like exploitation and lateral movement. In a penetration test, the information gathered here is used to create a detailed network map and to identify high-value targets. For defenders, the lesson is clear: disable SNMP on devices that do not need it, change default community strings, use SNMPv3, and restrict access by IP address. Regular scanning for open SNMP ports should be part of a vulnerability management program.

Memory Tip

Remember the three Ps of SNMP enumeration: Port 161, Public community string, and Process list. If you find a device with these, you can quickly enumerate a wealth of information.


Frequently Asked Questions

What is the difference between SNMP walk and SNMP get?

An SNMP get retrieves a single specific OID value, while an SNMP walk retrieves all OIDs and their values under a specified branch. Walk is more useful for enumeration because it gives a complete picture of the device's MIB.

Can SNMP enumeration be detected by an Intrusion Detection System?

Yes, but usually only if the requests are excessive or come from an unusual source. Normal SNMP polling from a few IPs is often whitelisted. Detection depends on whether the administrator has configured rules to flag unknown SNMP queries.
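To make that detection answer concrete, here is an added example (not from the original page, and not tied to any particular IDS) of two rules a SOC can run over flow records: any UDP/161 query from a source that is not an approved poller, and a single source touching several agents within a short window, which is the pattern onesixtyone or nmap -sU -p 161 produce. The flow lines, the poller address 10.20.0.10, the attacker address and the thresholds are constructed assumptions.

```python
"""Flag SNMP enumeration in flow records (added example; log format and addresses are constructed)."""
from collections import defaultdict

MANAGEMENT_POLLERS = {"10.20.0.10"}     # assumed: the only hosts allowed to query agents
SWEEP_THRESHOLD, SWEEP_WINDOW = 5, 60   # >= 5 distinct agents within 60 s looks like a community-string spray

# Constructed flow records, one per line: "epoch src dst proto dport". Not real logs.
SAMPLE_FLOWS = """\
1700000000 10.20.0.10 192.168.10.1 udp 161
1700000005 10.20.0.10 192.168.10.2 udp 161
1700000010 10.20.0.10 192.168.10.3 udp 161
1700000300 192.168.10.77 192.168.10.1 udp 161
1700000301 192.168.10.77 192.168.10.2 udp 161
1700000302 192.168.10.77 192.168.10.3 udp 161
1700000303 192.168.10.77 192.168.10.4 udp 161
1700000304 192.168.10.77 192.168.10.5 udp 161
1700000305 192.168.10.77 192.168.10.6 tcp 22
"""

def parse_flows(text):
    """Return (ts, src, dst, proto, dport) tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        flows.append((int(ts), src, dst, proto.lower(), int(dport)))
    return flows

def detect_snmp_enum(flows, pollers=MANAGEMENT_POLLERS):
    """Return alerts as (rule, src, detail, ts). Approved pollers are exempt from both rules."""
    alerts, hits = [], defaultdict(list)              # hits: src -> [(ts, dst)] for UDP/161 only
    for ts, src, dst, proto, dport in sorted(flows):
        if proto != "udp" or dport != 161 or src in pollers:
            continue
        alerts.append(("unauthorized_snmp_query", src, dst, ts))
        hits[src].append((ts, dst))
    for src, rows in hits.items():                    # rows are time-ordered because flows were sorted
        for i, (t0, _) in enumerate(rows):
            targets = {d for t, d in rows[i:] if t - t0 <= SWEEP_WINDOW}
            if len(targets) >= SWEEP_THRESHOLD:
                alerts.append(("snmp_sweep", src, f"{len(targets)} agents within {SWEEP_WINDOW}s", t0))
                break                                 # one sweep alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_snmp_enum(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

The first rule is the one that catches a quiet tester who walks one device; it only works if the poller allowlist is maintained, which is why the page's advice to restrict SNMP to management addresses pays off twice, once as a control and once as a detection baseline. The sweep rule is noisier but catches the spray phase before any community string has been accepted, since the flows exist whether or not the agents answered.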

What is the most common mistake that makes SNMP enumeration possible?

Leaving the default community string public on devices. This is the single most common misconfiguration that allows easy enumeration.

Does SNMP enumeration work over the internet?

It can, if a device with SNMP enabled is exposed to the internet. However, most organizations block UDP 161 at the firewall. SNMP enumeration is more common on internal networks.

What tools are commonly used for SNMP enumeration?

Common tools include snmpwalk, snmpcheck, onesixtyone, and Metasploit's snmp_enum module. In Kali Linux, these are readily available.

Is SNMP enumeration considered an active or passive technique?

It is considered an active reconnaissance technique because the attacker sends packets to the target device. However, it is less aggressive than a port scan because it uses standard protocol requests.

How can I protect my network from SNMP enumeration?

Change default community strings, disable SNMP on devices that do not need it, use SNMPv3 with authentication and encryption, and restrict SNMP access to specific management IP addresses using firewalls or ACLs.

Summary

SNMP Enumeration is the process of extracting detailed configuration and operational data from network devices by querying their SNMP agent using default or weak community strings. It is a fundamental technique in the scanning and enumeration phase of ethical hacking, as it can reveal system information, network topology, user accounts, running processes, and device vulnerabilities. For certification exams like the CEH, Security+, and CISSP, understanding how SNMP works, the default community strings, the associated ports, and the tools used for enumeration is essential.

The single most important takeaway is that leaving the default community string public on any device is a critical security flaw. In real-world IT work, SNMP enumeration serves as a benchmark for network security hygiene, and every administrator should regularly test for and remediate SNMP exposures. By mastering this concept, you not only prepare for exam questions but also develop a practical skill that directly improves network security.