# 161 - SNMP

## Introduction

**Port**: 161,162,10161,10162 (UDP)

The **Simple Network Management Protocol** (SNMP) is an application layer protocol that devices on a network use to exchange management information with one another. It allows devices to communicate even if they are different kinds of devices and run different software.

A **Management Information Base** (MIB) is a collection of information organized as a tree. Each MIB consists of one or more nodes, and each node has a unique **Object Identifier** (OID).

![SNMP MIBS hierarchy](https://3683125600-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAiuSjJMFQ72nHxKtvtIh%2Fuploads%2Fgit-blob-349598aa0de53bb53baf8c52f9700b85f008bf6d%2FSNMP_MIBS_herarchy.png?alt=media)

For example, the code [1.3.6.1.2.1.1.1](http://oid-info.com/get/1.3.6.1.2.1.1.1) will be translated to "iso.identified-organization.dod.internet.mgmt.mib-2.system.sysDescr", where you can find the full name and version identification of the system's hardware type, software operating-system, and networking software.

Furthermore, SNMP requires an authentication string called a "community string" to access or alter its information.

Finally, there are different SNMP versions (v1, v2c and v3), and you will need to specify which one to use depending on the tool.
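To show how the version, community string and OID described above sit together in one message, the following added example (not part of the original page) decodes a constructed SNMPv2c GetRequest with a minimal BER parser. The sample packet, the function names and the request for sysDescr.0 (the OID 1.3.6.1.2.1.1.1 above plus the scalar instance suffix `.0`) are assumptions made for illustration.

```python
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}  # value of the version INTEGER
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn BER-encoded OID bytes into dotted notation."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    x = min(arcs[0] // 40, 2)  # first two arcs are packed as 40*X + Y
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def parse_snmp(packet):
    """Return (version, community, [oids]) for an SNMP v1/v2c message."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer element is not a SEQUENCE")
    _, ver, pos = read_tlv(msg, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):
        raise ValueError(f"{version}: no community string in this message format")
    _, community, pos = read_tlv(msg, pos)
    _, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(varbind, 0)[1]))
    return version, community.decode("ascii", "replace"), oids

# Constructed sample (not captured traffic): v2c GetRequest, "public", sysDescr.0
SAMPLE = bytes.fromhex(
    "30 26 02 01 01 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")
print(parse_snmp(SAMPLE))
```

The community string is recovered from the packet as plain bytes: in v1 and v2c it travels unencrypted, so anyone who can capture the traffic can read it.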

## OID Translation

By default, Kali Linux does not translate OIDs to their names, so snmpwalk output shows only numeric OIDs with their associated values. To fix this, run the following commands.

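```bash
# Install the MIB files needed to resolve numeric OIDs to names
sudo apt install snmp-mibs-downloader -y
# Keep a backup of the original client configuration
sudo cp /etc/snmp/snmp.conf /etc/snmp/snmp.confBkp
# Empty snmp.conf so its default "mibs :" line no longer disables MIB loading
echo "" | sudo tee /etc/snmp/snmp.conf
```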

## Enumeration

With the following Nmap command, you can enumerate:

* Network interfaces
* SNMPv3 Basic information
* Community string brute-forcing
* Downloads Cisco router IOS configuration
* Netstat information
* Running processes
* System description
* Windows services, shares, installed software and users

```bash
nmap -sU -p 161 --script="snmp-*" <TARGET>
```

Once you have discovered a valid community string, you can enumerate SNMP with **snmpwalk**.

```bash
snmpwalk [-v 1|2c|3] -c <COMMUNITY_STRING> <TARGET> <FILTER>
snmpwalk [-v 1|2c|3] -c <COMMUNITY_STRING> <TARGET> .1 # Enumerate everything
```

## Setting SNMP values

You can modify SNMP values with the tool snmpset. [Here](https://web.archive.org/web/20160605063038/https://www.webnms.com/cagent/help/technology_used/c_snmp_overview.html) you can find a list of data types.

```bash
snmpset [-v 1|2c|3] -c <COMMUNITY_STRING> <TARGET> <OID> <DATA_TYPE> <VALUE>
```

## References

* [What is SNMP?](https://www.site24x7.com/network/what-is-snmp.html)
* [What is SNMP? 2](https://www.manageengine.com/network-monitoring/what-is-snmp.html)
* [Pentesting SNMP](https://book.hacktricks.xyz/pentesting/pentesting-snmp)
* [SNMP pentesting](https://resources.infosecinstitute.com/topic/snmp-pentesting/)
* [SNMP Data types](https://www.webnms.com/cagent/help/technology_used/c_snmp_overview.html)
