SNMP
aka snmpd
Network management on 161/udp. A guessable community string (public) dumps system inventory, and process listings often expose credentials passed on the command line.
Ports
| Port | Proto | Notes |
|---|---|---|
| 161 | udp | SNMP queries |
| 162 | udp | SNMP traps |
Fingerprint
- snmpwalk with public returns data
- onesixtyone sprays common community strings
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/snmp/snmpd.conf | community strings and ACLs | sensitive |
Default / weak creds
community strings: public (read), private (write)
Service users
snmp
Exploitation primitives
- snmpwalk dumps hostname, interfaces, routes, installed software and the full process table
- Process args frequently leak passwords (e.g. a command run with --password=...)
- Extend tables / write community can lead to command execution on some setups
Overview
SNMP on 161/udp is a recon goldmine when the community string is guessable. The running-process table is the prize: admins often pass secrets as command-line arguments, which SNMP cheerfully returns.
Enumeration
Spray community strings:
onesixtyone -c communities.txt <TARGET>
Walk everything:
snmpwalk -v2c -c public <TARGET>
Process args (often leak passwords):
snmpwalk -v2c -c public <TARGET> 1.3.6.1.2.1.25.4.2.1.5
Structured summary:
snmp-check <TARGET> -c public
Hardening
Use SNMPv3 with auth+priv, change default communities, and restrict source IPs.
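To check a host against these points, the added example below (not part of the original page) audits snmpd.conf text for default communities, missing source restrictions, SNMPv3 users below priv, and extend entries. It assumes net-snmp directive syntax; the function name `audit_snmpd_conf` and the sample config are constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample config for illustration (not taken from a real host).
SAMPLE_CONF = """\
# constructed sample
rocommunity public
rwcommunity private default
rocommunity Zk3-monitoring 10.0.5.10
rouser legacyuser auth
rouser -s usm monitor priv
extend uptime /usr/bin/uptime
"""

def audit_snmpd_conf(text):
    """Return (line_number, directive, finding) tuples for weak settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, directive, "default community string"))
            # Second argument is the allowed source; absent means any host.
            if len(args) < 2 or args[1].lower() in OPEN_SOURCES:
                findings.append((lineno, directive, "no source restriction"))
            if directive.startswith("rw"):
                findings.append((lineno, directive, "write access over SNMPv1/v2c"))
        elif directive in ("rouser", "rwuser") and args:
            if args[0] == "-s":  # optional "-s SECMODEL" prefix
                args = args[2:]
            # Level follows the user name; net-snmp defaults to "auth".
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((lineno, directive, "SNMPv3 user without auth+priv"))
        elif directive == "extend":
            findings.append((lineno, directive, "extend command exposed over SNMP"))
    return findings

if __name__ == "__main__":
    for lineno, directive, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {directive}: {finding}")
```

Feed it the contents of /etc/snmp/snmpd.conf; an empty result means none of these specific weaknesses were found, not that the agent is otherwise hardened.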