SNMP 161
Microsoft Windows SNMP parameters
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
#NMAP
sudo nmap -sU --open -p 161 10.11.1.1-254 -oG open-snmp.txt
#Using onesixtyone tool to bruteforce SNMP
In most cases the SNMP read-only community string is "public".
Echo "public", "private" and "manager" into a community file:
root@kali:~$ echo public > community
root@kali:~$ echo private >> community
root@kali:~$ echo manager >> community
Use a bash loop to create a list of every address in the subnet (call it ips):
root@kali:~$ for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips
root@kali:~$ onesixtyone -c community -i ips
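From the defending side, the same three strings can be checked for in a host's own SNMP agent configuration. The script below is an added example, not part of the original notes: it assumes a net-snmp snmpd.conf, and the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): flag guessable v1/v2c community
# strings in a net-snmp snmpd.conf. WEAK holds the three strings listed above.
WEAK="public private manager"

# audit_snmpd_conf [FILE]  (reads stdin when FILE is omitted)
# Prints one finding per line as SEVERITY:LINE_NUMBER:reason
audit_snmpd_conf() {
    awk -v weak="$WEAK" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
    {
        d = $1; comm = ""; src = ""
        if (d ~ /^r[ow]community6?$/) {          # rocommunity COMMUNITY [SOURCE [OID]]
            comm = $2; src = $3
        } else if (d ~ /^com2sec6?$/) {          # com2sec [-Cn CTX] NAME SOURCE COMMUNITY
            i = ($2 == "-Cn") ? 4 : 2
            src = $(i + 1); comm = $(i + 2)
        } else next                              # rouser, view, etc. are out of scope
        if (comm in bad)
            printf "HIGH:%d:default community \"%s\" (%s)\n", NR, comm, d
        if (d ~ /^rwcommunity/)
            printf "HIGH:%d:read-write community enabled\n", NR
        if (src == "" || src == "default" || src == "0.0.0.0/0")
            printf "MEDIUM:%d:community \"%s\" accepted from any source\n", NR, comm
    }' "${1:--}"
}

# Constructed sample configuration, for demonstration only.
sample_conf() {
    cat <<'EOF'
# constructed sample snmpd.conf
rocommunity public
rwcommunity private 10.11.1.0/24
rocommunity S3cr3t-ro 10.11.1.5
com2sec notConfigUser default manager
rouser monitor authPriv
EOF
}

sample_conf | audit_snmpd_conf
```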
#snmpwalk
snmpwalk -c public -v1 -t 10 10.11.1.14
[1] Enumerate user accounts
snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
[2] Enumerate running processes
snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
[3] Parameters for open TCP ports
snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
[4] Enumerate installed software
snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2
#snmpcheck
snmpcheck 10.11.1.14 -c public
#snmpenum (not default in kali, need to install)
snmpenum -t 10.11.1.14
Wordlist to bruteforce users: /usr/share/legion/wordlists/snmp-default.txt