# SNMP Introduction

- simple network mgmt protocol (SNMP) was created to monitor network devices
- UDP 161 is used to transmit control commands to agents
- UDP 162 enables trap comms
- MIB (mgmt info base) is an independent format for storing device info
- each MIB contains at least one OID (object identifier): unique address, name, other metadata

| Version | Description                                                           |
| ------- | --------------------------------------------------------------------- |
| SNMPv1  | no built-in authentication; no encryption                             |
| SNMPv2  | community string used for security is transmitted in plaintext        |
| SNMPv3  | authentication and encryption supported; more config options than v2c |

- community strings: essentially passwords used to determine whether requested info can be viewed

## Footprinting SNMP

```bash
sudo nmap -sU -sC -sV -p161,162 <ip_addr>  # SNMP runs over UDP, so -sU is needed

snmpwalk -v2c -c public <ip_addr> | tee snmp.txt
head -50 snmp.txt | less  # view first 50 lines of output with paging

sudo apt install onesixtyone
onesixtyone -c /xxx/seclists/Discovery/SNMP/snmp.txt <ip_addr>  # leverages wordlists to identify community strings

sudo apt install braa
braa <community_string>@<ip_addr>:.1.3.6.*
braa public@<ip_addr>:.1.3.6.*
```

## SNMP Config

```bash
# view snmp config without comments and blank lines
cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'
```

### Dangerous Settings

| Setting                                      | Description                                                   |
| -------------------------------------------- | ------------------------------------------------------------- |
| `rwuser noauth`                              | provides access to full OID tree without authentication       |
| `rwcommunity <community_string> <IPv4_addr>` | provides access to full OID tree regardless of request origin |
| `rwcommunity <community_string> <IPv6_addr>` | provides access to full OID tree regardless of request origin |
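
A defensive check for the settings in the table above, as an added example that is not part of the original notes: it scans an `snmpd.conf` and reports each dangerous directive with its line number. The function names `audit_snmpd_conf` and `sample_conf` are hypothetical, the sample config is constructed, and two things are assumptions beyond the notes: `rwcommunity6` (net-snmp's IPv6 form of `rwcommunity`) is also checked, and `public`/`private` are treated as well-known community strings.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit an snmpd.conf for the
# dangerous settings listed in the table above.
# Usage: audit_snmpd_conf [FILE]   (reads stdin when FILE is omitted)
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_snmpd_conf() {
  awk '
    BEGIN { bad = 0 }
    { sub(/#.*/, "") }                  # drop comments
    NF == 0 { next }                    # skip blank lines
    $1 == "rwuser" {
      for (i = 2; i <= NF; i++) if ($i == "noauth") {
        printf "line %d: HIGH rwuser with noauth (read-write, no authentication)\n", NR
        bad = 1
      }
    }
    $1 ~ /^rwcommunity6?$/ {
      # Assumption: a missing source or the keyword "default" means any origin.
      anysrc = (NF < 3 || $3 == "default")
      printf "line %d: %s %s grants write access (source: %s)\n", NR,
        (anysrc ? "HIGH" : "WARN"), $1, (anysrc ? "any" : $3)
      bad = 1
    }
    # Assumption: "public" and "private" count as guessable default strings.
    $1 ~ /^r[ow]community6?$/ && ($2 == "public" || $2 == "private") {
      printf "line %d: WARN well-known community string \"%s\"\n", NR, $2
      bad = 1
    }
    END { exit bad }
  ' "${1:--}"
}

# Constructed sample config (not taken from a real device).
sample_conf() {
  cat <<'EOF'
# constructed example
rocommunity public 10.0.0.0/24
rwuser noauth
rwcommunity s3cr3t-rw 10.0.0.5
rwcommunity6 s3cr3t-rw default
rouser monitor priv
EOF
}

# Demo run on the constructed sample; on a host: audit_snmpd_conf /etc/snmp/snmpd.conf
sample_conf | audit_snmpd_conf || true
```

The non-zero return status on any finding lets the function gate a configuration-management or CI step.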