PT0-002 | Chapter 49 of 104 | Objective 2.2

SNMP Enumeration Techniques

This chapter covers SNMP enumeration techniques, a critical skill for the Recon/Enumeration domain of the PT0-002 exam. SNMP is widely deployed in enterprise networks for monitoring and management, making it a high-value target during penetration tests. Approximately 10-15% of exam questions in the enumeration domain involve SNMP, focusing on identifying misconfigured agents, extracting sensitive data, and exploiting default or weak community strings. Understanding SNMP enumeration is essential for both network reconnaissance and exploitation phases.

25 min read
Intermediate
Updated May 31, 2026

SNMP Enumeration: Library Card Catalog Analogy

SNMP enumeration is like a library where every book has a unique catalog number (OID). The librarian (SNMP agent) maintains a card catalog (MIB) that maps each number to a book's location and summary. A patron (SNMP manager) can ask the librarian to look up a specific number and get the book's details. If the patron has read access (community string 'public'), they can browse the catalog; if they have write access ('private'), they can move books or change summaries. An attacker who guesses the read community string can request every catalog entry, learning the library's entire collection—including restricted books like staff salaries or network configurations. The librarian responds with the card's text (value) for each queried number. By walking through sequential numbers, the attacker builds a complete inventory of the library's holdings, much like an SNMP walk enumerates system information. The library's layout (OID tree) is standardized: section 1.3.6.1.2.1 is always 'system information' across all libraries, so attackers know exactly where to look first.

How It Actually Works

What is SNMP and Why Does It Exist?

Simple Network Management Protocol (SNMP) is an application-layer protocol defined in RFC 1157 (SNMPv1), RFC 1901 (SNMPv2c), and RFC 3411 (SNMPv3). It allows network devices such as routers, switches, printers, and servers to expose management information to monitoring systems. SNMP operates using a manager-agent model: the SNMP manager (e.g., SolarWinds, Nagios) polls agents for data, and agents can also send unsolicited traps to the manager. The protocol uses User Datagram Protocol (UDP) ports 161 (queries and responses) and 162 (traps).

How SNMP Works Internally

An SNMP agent stores management data in a hierarchical tree structure called the Management Information Base (MIB). Each node in the tree is identified by an Object Identifier (OID), a string of numbers like 1.3.6.1.2.1.1.1.0 (which represents the system description). The MIB tree is standardized: the top-level nodes are defined by ISO (1), ITU-T (0), and joint-ISO-ITU-T (2). Under 1.3.6.1 (internet), the major branches include:

1.3.6.1.2.1 (mib-2): standard management information (system, interfaces, IP, TCP, UDP, etc.)

1.3.6.1.4.1 (private enterprises): vendor-specific extensions (Cisco: 9, Microsoft: 311, etc.)

1.3.6.1.6 (snmpV2): SNMPv2-specific objects

An SNMP GetRequest packet contains the OID to query. The agent looks up the OID in its MIB and returns a GetResponse with the value. A GetNextRequest returns the next OID in the tree, enabling enumeration. A GetBulkRequest (SNMPv2c and v3) retrieves multiple successive OIDs in one request, significantly speeding up walks.
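To make the GetRequest/GetNextRequest/GetBulkRequest exchange concrete, here is an added Python example (it is not from this chapter and not Net-SNMP code) that encodes an SNMPv2c request in BER and takes a GetResponse apart field by field. The tag values and message layout are the standard ones from RFC 1157 and RFC 1905; the response bytes are constructed for the example, not captured from a device.

```python
"""Minimal BER encoder/decoder for SNMPv1/v2c messages (added example)."""

SNMP_V1, SNMP_V2C = 0, 1
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_IPADDRESS, TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS, TAG_COUNTER64 = 0x40, 0x41, 0x42, 0x43, 0x46
TAG_GET_REQUEST, TAG_GET_NEXT, TAG_GET_RESPONSE, TAG_GET_BULK = 0xA0, 0xA1, 0xA2, 0xA5
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}


def ber_length(n):
    """Definite-form BER length: one byte below 128, else 0x80|N then N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_int(n):
    """Minimal two's-complement INTEGER (version, request-id, error fields)."""
    size = ((n if n >= 0 else -n - 1).bit_length() + 8) // 8
    return tlv(TAG_INTEGER, n.to_bytes(size, "big", signed=True))


def encode_oid(oid):
    """Dotted OID -> OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def build_request(community, oids, request_id=1, version=SNMP_V2C,
                  pdu_tag=TAG_GET_REQUEST, non_repeaters=0, max_repetitions=0):
    """Message = SEQUENCE { version, community, PDU }. For GetBulk the two integers
    after request-id are non-repeaters/max-repetitions; for Get/GetNext they are
    error-status/error-index and are sent as 0."""
    varbinds = b"".join(tlv(TAG_SEQUENCE, encode_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(non_repeaters)
              + encode_int(max_repetitions) + tlv(TAG_SEQUENCE, varbinds))
    return tlv(TAG_SEQUENCE, encode_int(version) + tlv(TAG_OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag == TAG_INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag in (TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS, TAG_COUNTER64):
        return int.from_bytes(body, "big")
    if tag == TAG_OCTET_STRING:
        return body.decode("utf-8", "replace")
    if tag == TAG_OID:
        return decode_oid(body)
    if tag == TAG_IPADDRESS:
        return ".".join(str(b) for b in body)
    if tag == TAG_NULL:
        return None
    return EXCEPTIONS.get(tag, body)  # v2c exceptions, or raw bytes for unknown tags


def parse_message(msg):
    """Split a message into its header fields and a list of (oid, value) varbinds."""
    _, body, _ = read_tlv(msg, 0)
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, status, pos = read_tlv(pdu, pos)
    _, index, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_body, p = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, p)
        varbinds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return {"version": decode_value(TAG_INTEGER, version),
            "community": community.decode("utf-8", "replace"), "pdu_tag": pdu_tag,
            "request_id": decode_value(TAG_INTEGER, rid),
            "error_status": decode_value(TAG_INTEGER, status),
            "error_index": decode_value(TAG_INTEGER, index), "varbinds": varbinds}


# Constructed GetResponse (not captured from a real agent): v2c, community
# "public", request-id 1, sysDescr.0 = "Linux".
SAMPLE_RESPONSE = bytes.fromhex("302b02010104067075626c6963a21e020101020100020100"
                                "3013301106082b0601020101010004054c696e7578")

if __name__ == "__main__":
    print("GetRequest :", build_request("public", ["1.3.6.1.2.1.1.1.0"]).hex())
    print("GetResponse:", parse_message(SAMPLE_RESPONSE))
```

The request bytes are exactly what a tool like snmpget places in a UDP datagram to port 161; a walk is the same message built with TAG_GET_NEXT around the last OID returned, repeated until the agent answers endOfMibView (v2c) or a noSuchName error-status (v1). Note that the community string travels as a plain OCTET STRING, which is the whole "plaintext community strings" point of the later sections.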

Key Components, Values, Defaults, and Timers

Community Strings: SNMPv1 and v2c use plaintext community strings for access control. 'public' is the default read-only community; 'private' is the default read-write community. Many devices ship with these defaults unchanged.

SNMPv3: Provides authentication (MD5 or SHA) and encryption (DES or AES). However, many deployments still use v1/v2c due to legacy compatibility.

Default Ports: UDP 161 (queries), UDP 162 (traps).

OID Lengths: OIDs can be up to 128 sub-identifiers, each sub-identifier up to 2^32-1.

MIB Files: Standard MIBs are defined in RFCs (e.g., RFC 1213 for MIB-II). Vendor MIBs are downloadable from their websites.

Retry Timers: Default SNMP timeout is typically 5 seconds with up to 3 retries.

Configuration and Verification Commands

On a Cisco IOS device, SNMPv2c configuration:

snmp-server community public RO
snmp-server community private RW
snmp-server location "Data Center A"
snmp-server contact admin@example.com

Verification:

show snmp community
show snmp mib
show running-config | include snmp

On Windows, SNMP is configured via the Services MMC or PowerShell:

Set-Service -Name SNMP -StartupType Automatic
Start-Service SNMP
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities -Name public -Value 4

How SNMP Interacts with Related Technologies

SNMP is often used alongside syslog for logging and NetFlow for traffic analysis. SNMP traps can trigger alerts in SIEM systems. Network management platforms like SolarWinds, PRTG, and Zabbix use SNMP to poll devices. In penetration testing, SNMP enumeration often reveals:

System information (hostname, OS version, uptime)

Network interfaces (IP addresses, MAC addresses, bandwidth usage)

Running processes and services

Installed software

User accounts and groups

Routing tables and ARP caches

Device-specific data (Cisco running config, printer job queues)

SNMP Enumeration Techniques

1. Community String Guessing

Tools like onesixtyone or Hydra can brute-force common community strings. Example using onesixtyone:

onesixtyone -c community.txt -i targets.txt
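Community-string guessing is loud on the device side: every wrong string produces an authentication-failure log entry. As an added example (not from this chapter), here is the detection logic a defender would run over device syslog to catch such a run. The log format is modelled on the Cisco IOS %SNMP-3-AUTHFAIL message and the sample lines are constructed, so treat the regex as an assumption to adapt to the vendor in use.

```python
"""Flag SNMP community-string guessing from device syslog (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: lines follow the Cisco IOS "%SNMP-3-AUTHFAIL" shape; adjust per vendor.
AUTHFAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<device>\S+)\s.*?%SNMP-3-AUTHFAIL:"
    r".*?from host\s(?P<src>[\d.]+)")

# Constructed sample: one source hammers three devices in two seconds (a sweep),
# one source fails once hours earlier (a mistyped monitoring string), one unrelated line.
SAMPLE_SYSLOG = """\
Mar 10 14:02:11 core-sw1 1201: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.23
Mar 10 14:02:11 core-sw1 1202: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.23
Mar 10 14:02:12 core-sw1 1203: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.23
Mar 10 14:02:12 edge-rtr2 887: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.23
Mar 10 14:02:13 dist-sw7 455: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.23
Mar 10 14:02:13 dist-sw7 456: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.5.23
Mar 10 09:15:40 core-sw1 1150: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.9.8
Mar 10 14:02:14 core-sw1 1204: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.1.2)
"""


def parse_authfail(line):
    """Return (timestamp, device, source_ip) for an auth-failure line, else None."""
    m = AUTHFAIL_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the year is pinned here only for the sample.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2026)
    return ts, m.group("device"), m.group("src")


def find_sweeps(lines, window_s=60, min_failures=5, min_devices=3):
    """Alert on a source with many failures inside one window, or failures against
    many distinct devices: the shape of a wordlist run, not of one bad config."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_authfail(line)
        if parsed:
            by_src[parsed[2]].append((parsed[0], parsed[1]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        times = [t for t, _ in events]
        devices = {d for _, d in events}
        burst = 0
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_s:
                j += 1
            burst = max(burst, j - i)
        if burst >= min_failures or len(devices) >= min_devices:
            alerts[src] = {"failures": len(events), "burst": burst,
                           "devices": sorted(devices)}
    return alerts


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_SYSLOG.splitlines()).items():
        print(f"possible community-string sweep from {src}: {info}")
```

The two thresholds are deliberately separate: a brute-forcer working one device trips the burst count, while a slow sweep of many devices with a short list trips the distinct-device count. Either way the alert lands on the source address, which is the item to correlate with the UDP 161 scan traffic that precedes it.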

2. SNMP Walk

Using snmpwalk (part of Net-SNMP) to enumerate the entire MIB tree:

snmpwalk -v2c -c public 192.168.1.1

To enumerate a specific branch:

snmpwalk -v2c -c public 192.168.1.1 1.3.6.1.2.1.1

3. SNMP Check

The snmp-check Perl script provides a formatted output of common information:

snmp-check 192.168.1.1 -c public

4. Extracting Windows User Accounts

Windows stores user accounts under OID 1.3.6.1.4.1.77.1.2.25. Use snmpwalk:

snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.4.1.77.1.2.25

5. Extracting Running Processes

OID 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName) lists running processes:

snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.25.4.2.1.2

6. Extracting Installed Software

Windows software is under OID 1.3.6.1.2.1.25.6.3.1.2 (hrSWInstalledName):

snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.25.6.3.1.2

7. Cisco Configuration Extraction

Cisco routers can expose their running configuration via SNMP if the community string has write access. The relevant object is 1.3.6.1.4.1.9.9.96.1.1.1.1.2.196 (ciscoConfigCopySourceFileType) in the CISCO-CONFIG-COPY-MIB. Retrieval takes more than a single walk, but on devices that support that MIB the configuration can be pulled over SNMP.

Common Pitfalls in SNMP Enumeration

Version Mismatch: If snmpwalk returns no response, try different SNMP versions (-v1, -v2c, -v3).

Community String Case Sensitivity: Community strings are case-sensitive.

Firewall Blocks: Ensure UDP 161 is open from the testing machine.

MIB Compilation: Some tools require MIB files to translate OIDs to names. Use -m ALL or -M to specify MIB directory.

Large Walk Timeouts: Increase timeout with -t 10 and retries with -r 1.

SNMPv3 Enumeration

SNMPv3 requires authentication and encryption. Tools like snmpwalk support v3:

snmpwalk -v3 -l authPriv -u admin -a SHA -A authpass -x AES -X privpass 192.168.1.1

If v3 credentials are compromised, enumeration is similar to v2c. However, v3 is less common in exam scenarios due to its security.

Exam Relevance

For PT0-002, focus on:

Identifying SNMP services during port scanning (UDP 161 open)

Default community strings (public/private)

Using snmpwalk to enumerate system information, users, processes, and software

Interpreting MIB OIDs to find sensitive data

Understanding that SNMP enumeration is a passive reconnaissance technique that can reveal detailed network topology and device configurations.

Walk-Through

1

Discover SNMP Services

Use Nmap to scan for open UDP port 161. Because UDP scanning is slower and less reliable than TCP, use the -sU flag with -p 161. Example: `nmap -sU -p 161 192.168.1.0/24`. For faster results, use `-sV` for version detection. Alternatively, use `onesixtyone` which sends SNMP GetRequest packets to multiple IPs using a list of common community strings. This step identifies live SNMP agents and potential community strings.

2

Identify Community Strings

Use a community string brute-forcer like onesixtyone or Hydra. For onesixtyone, create a file (communities.txt) with common strings: public, private, cisco, admin, etc. Run: `onesixtyone -c communities.txt -i targets.txt`. The tool sends GetNextRequest for OID 1.3.6.1.2.1.1.1.0 (sysDescr). If a response is received, the community string is valid. This step confirms read (or write) access.

3

Perform SNMP Walk

With a valid community string, use snmpwalk to enumerate the entire MIB tree: `snmpwalk -v2c -c public 192.168.1.1`. This recursively sends GetNextRequest starting from the root OID (1.3.6.1). The agent returns each OID and its value until no more OIDs exist. The output can be large; redirect to a file. For targeted enumeration, start from specific branches like system (1.3.6.1.2.1.1), interfaces (1.3.6.1.2.1.2), or IP (1.3.6.1.2.1.4).

4

Extract User Accounts (Windows)

On Windows systems, user accounts are stored under the LAN Manager MIB (OID 1.3.6.1.4.1.77.1.2.25). Use snmpwalk with that OID: `snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.4.1.77.1.2.25`. The response lists usernames. This is a common exam objective: enumerating user accounts via SNMP. Similarly, groups can be found under 1.3.6.1.4.1.77.1.2.27.

5

Extract Running Processes and Software

Running processes are under OID 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName). Installed software is under OID 1.3.6.1.2.1.25.6.3.1.2 (hrSWInstalledName). Use snmpwalk to retrieve these lists. This information can reveal antivirus software, custom applications, or vulnerable services. For example, `snmpwalk -v2c -c public 192.168.1.100 1.3.6.1.2.1.25.4.2.1.2` lists all process names.
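The walk-through ends with raw snmpwalk output; the step that turns it into findings is left to the reader. As an added example (not the chapter's or Net-SNMP's code), the parser below reads numeric snmpwalk output (the `-On` form, or the `iso.` form seen when no MIBs are loaded) and resolves each OID against the branches this chapter names, producing an inventory of users, processes and installed software. It is a small stand-in for the translation `-m ALL` performs and also answers the "only numbers, no names" case discussed later. The sample walk output is constructed, not captured from a real host.

```python
"""Turn numeric snmpwalk output into an inventory (added example)."""
import re

# OIDs and names as given in this chapter; longest matching prefix wins.
KNOWN_OIDS = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.5.0": "sysName",
    "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.4": "ip",
    "1.3.6.1.2.1.25.4.2.1.2": "hrSWRunName",
    "1.3.6.1.2.1.25.6.3.1.2": "hrSWInstalledName",
    "1.3.6.1.4.1.77.1.2.25": "lanmgr-users",
    "1.3.6.1.4.1.9": "cisco-enterprise",
    "1.3.6.1.4.1.311": "microsoft-enterprise",
}

# Matches '.1.3.6.1.2.1.1.5.0 = STRING: "host"', 'iso.3.6... = Timeticks: (1) 0:00:00.01'
# and the bare '= ""' Net-SNMP prints for an empty string.
LINE_RE = re.compile(r'^\.?(?:iso|1)((?:\.\d+)+)\s=\s(?:([A-Za-z0-9-]+):\s?)?(.*)$')

# Constructed sample of a Windows host's walk (not real output).
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Hardware: Intel64 Family 6 Model 85 - Software: Windows Version 6.3 (Build 9600 Multiprocessor Free)"
.1.3.6.1.2.1.1.3.0 = Timeticks: (8643512) 1 day, 0:00:35.12
.1.3.6.1.2.1.1.5.0 = STRING: "FILESRV01"
.1.3.6.1.2.1.1.6.0 = ""
.1.3.6.1.2.1.2.2.1.2.1 = STRING: "Software Loopback Interface 1"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.412 = STRING: "lsass.exe"
.1.3.6.1.2.1.25.6.3.1.2.1 = STRING: "Example Backup Agent 2.1"
.1.3.6.1.4.1.77.1.2.25.1.1.5.65.100.109.105.110 = STRING: "Admin"
.1.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
"""


def parse_line(line):
    """Return (oid, type_name_or_None, value) or None for a line that is not a varbind."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid = "1" + m.group(1)
    value = m.group(3).strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return oid, m.group(2), value


def classify(oid):
    """Longest known prefix that matches on an arc boundary (311 must not match 3112)."""
    best = None
    for prefix, name in KNOWN_OIDS.items():
        if oid == prefix or oid.startswith(prefix + "."):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, name)
    return best[1] if best else "unknown"


def summarize(lines):
    """Group walk output into the categories the walk-through steps extract."""
    inv = {"system": {}, "processes": [], "software": [], "users": [], "other": 0}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        oid, _type_name, value = parsed
        name = classify(oid)
        if name in ("sysDescr", "sysName"):
            inv["system"][name] = value
        elif name == "hrSWRunName":
            inv["processes"].append(value)
        elif name == "hrSWInstalledName":
            inv["software"].append(value)
        elif name == "lanmgr-users":
            inv["users"].append(value)   # the table index encodes the name length and bytes
        else:
            inv["other"] += 1
    return inv


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_WALK.splitlines()).items():
        print(f"{key}: {val}")
```

Feed it a saved walk (`snmpwalk -On ... > walk.txt`, then `summarize(open("walk.txt"))`) to get the same grouping. The prefix table is the part to grow: any OID a vendor MIB would name can be added as another entry, which is all that MIB translation amounts to for the branches that matter here.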

What This Looks Like on the Job

In a typical enterprise environment, SNMP is used for centralized monitoring of thousands of devices. For example, a large university might use SolarWinds Orion to monitor 5,000 network switches, routers, and servers. Each device is configured with a read-only community string (often 'public' due to legacy) and points to the SolarWinds server. During a penetration test, the tester scans the campus network for UDP 161 and discovers hundreds of devices responding to 'public'. Using snmpwalk, the tester extracts the entire network topology, including IP addresses, interface descriptions, and even VLAN configurations. This information allows the tester to map the network without any active scanning, bypassing intrusion detection systems.

Another scenario: a healthcare organization uses SNMP to monitor medical devices (MRI machines, infusion pumps) and building management systems (HVAC, power). These devices often have hardcoded community strings from the manufacturer. A tester finds a printer with 'public' access and extracts the SNMP community strings for other devices from the printer's MIB (some printers store community strings in their config). This leads to gaining read-write access to a building management controller, allowing the tester to disable cooling systems—a critical impact.

A common misconfiguration is leaving SNMPv1/v2c enabled on external-facing devices. In a retail company, a tester finds that the public-facing web server also runs SNMP with community 'public'. From that single server, the tester extracts the internal network configuration, including the IP addresses of database servers and domain controllers. This becomes a pivot point for further attacks.

Performance considerations: SNMP walks on large MIBs (e.g., Cisco routers with thousands of routes) can generate significant traffic and take minutes. Tools like snmpbulkwalk (using GetBulkRequest) are more efficient. In production, SNMP is often rate-limited or ACL-restricted to management IPs. Testers must adapt by using multiple community strings and being patient with timeouts.

How PT0-002 Actually Tests This

PT0-002 objective 2.2 (Recon/Enumeration) explicitly includes SNMP enumeration. The exam expects candidates to know:

Default community strings: public (read-only), private (read-write).

Common OIDs: sysDescr (1.3.6.1.2.1.1.1.0), sysName (1.3.6.1.2.1.1.5.0), interfaces (1.3.6.1.2.1.2), IP (1.3.6.1.2.1.4), hrSWRunName (1.3.6.1.2.1.25.4.2.1.2), hrSWInstalledName (1.3.6.1.2.1.25.6.3.1.2), user accounts (1.3.6.1.4.1.77.1.2.25).

Tools: snmpwalk, snmpcheck, onesixtyone, Hydra (for community brute-force), Nmap (for discovery).

SNMP versions: v1, v2c, v3. v1 and v2c use plaintext community strings; v3 supports auth/encryption.

Common Wrong Answers:

1. "SNMP uses TCP port 161" — Wrong. SNMP uses UDP. TCP is used only for SNMP over TCP (rare) or for trap-directed notifications (some implementations).

2. "SNMPv3 is the most commonly targeted because it is more secure" — Wrong. Most exam scenarios involve v1/v2c because they are still widely deployed and have default credentials.

3. "The default read-write community is 'public'" — Wrong. 'public' is read-only; 'private' is read-write.

4. "SNMP enumeration only works on Windows" — Wrong. SNMP is device-agnostic; Linux, Cisco, printers, etc., all support it.

Edge Cases:

Some devices respond to SNMP on non-standard ports (e.g., 1610). Always scan all UDP ports if possible.

SNMPv3 with noAuthNoPriv still uses a username but no password—this can be exploited if username is guessable.

Some MIBs are proprietary; without the MIB file, OIDs appear as numbers, but enumeration still works.

Elimination Strategy: Read the question carefully. If it asks for "best tool to enumerate SNMP information from a Windows system," the answer is snmpwalk (not snmp-check, which is a Perl script that does the same but is less portable). If it asks for "OID to retrieve running processes," look for hrSWRunName (1.3.6.1.2.1.25.4.2.1.2). Remember that user accounts on Windows are under the enterprise branch (1.3.6.1.4.1.77).

Key Takeaways

SNMP uses UDP ports 161 (queries) and 162 (traps).

Default read-only community string is 'public'; default read-write is 'private'.

snmpwalk is the primary tool for enumerating the entire MIB tree.

Windows user accounts are found under OID 1.3.6.1.4.1.77.1.2.25.

Running processes OID: 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName).

Installed software OID: 1.3.6.1.2.1.25.6.3.1.2 (hrSWInstalledName).

SNMPv3 can be configured with noAuthNoPriv, which requires only a username (no password).

Always try multiple SNMP versions (v1, v2c, v3) if initial enumeration fails.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SNMPv1/v2c

Uses plaintext community strings (public/private) for access control

No encryption or authentication; easily sniffed

Widely deployed in legacy environments

Default community strings are common attack vectors

Tools: snmpwalk, onesixtyone, Hydra

SNMPv3

Uses usernames and authentication (MD5/SHA) and encryption (DES/AES)

Provides confidentiality, integrity, and authentication

Less commonly targeted due to complexity

If misconfigured (noAuthNoPriv), username-only access may be brute-forced

Tools: snmpwalk with -v3 flags, but requires credentials

Watch Out for These

Mistake

SNMP only works on network devices like routers and switches.

Correct

SNMP is supported on many device types including servers (Windows, Linux), printers, UPS devices, IP cameras, and even medical equipment. Any device that needs monitoring can implement an SNMP agent.

Mistake

SNMPv3 is completely secure and cannot be exploited.

Correct

SNMPv3 can be vulnerable if weak authentication passwords are used or if it is configured with noAuthNoPriv (no authentication, no privacy). Also, the username can be brute-forced if exposed.

Mistake

The default community string 'public' provides read-write access.

Correct

By convention, 'public' is read-only and 'private' is read-write. However, this is not enforced by the protocol; it depends on the device configuration. Always verify with a write operation (e.g., snmpset).

Mistake

SNMP enumeration requires a valid community string for the entire MIB tree.

Correct

Some devices have multiple community strings with different access levels. A read-only community can still enumerate most information; only write operations are blocked.

Mistake

SNMP uses TCP for reliable communication.

Correct

SNMP typically uses UDP for low overhead. RFC 1157 specifies UDP. However, SNMP over TCP (RFC 3430) exists but is rare. Exam questions assume UDP unless stated.


Frequently Asked Questions

What is the default SNMP community string on most devices?

The default read-only community string is 'public', and the default read-write community string is 'private'. These are widely documented and unchanged on many devices. Always test these first during enumeration.

How do I find SNMP services on a network?

Use Nmap with a UDP scan on port 161: `nmap -sU -p 161 <target>`. Alternatively, use onesixtyone which sends SNMP probes to multiple IPs with a list of community strings. Faster than Nmap for large subnets.

What OID retrieves the system description?

sysDescr is OID 1.3.6.1.2.1.1.1.0. It returns a string describing the device (e.g., 'Cisco IOS Software, C2960 Software...'). Use snmpget: `snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.1.0`.

Can I enumerate Windows user accounts via SNMP?

Yes. On Windows, user accounts are under the OID 1.3.6.1.4.1.77.1.2.25 (lanmgr-user-name). Use snmpwalk: `snmpwalk -v2c -c public <ip> 1.3.6.1.4.1.77.1.2.25`.

What is the difference between snmpwalk and snmpbulkwalk?

snmpwalk uses GetNextRequest for each OID sequentially. snmpbulkwalk uses GetBulkRequest (SNMPv2c and v3) to retrieve multiple OIDs in a single request, making it faster for large MIBs. Use `snmpbulkwalk -v2c -c public <ip>`.

How do I test if a community string has write access?

Use snmpset to modify a non-critical OID (e.g., sysContact). For example: `snmpset -v2c -c <community> <ip> 1.3.6.1.2.1.1.4.0 s test`. If it succeeds, the community has write access. Be careful: changing values can disrupt operations.

Why does snmpwalk return only numbers and not names?

The tool needs MIB files to translate OIDs to human-readable names. Use the `-m ALL` option to load all MIBs, or specify a MIB directory with `-M /path/to/mibs`. If MIBs are missing, you see numeric OIDs but still get values.

