SNMP#

SNMP (Simple Network Management Protocol) is the legacy-but-everywhere way to query and configure network gear. It runs on UDP 161 for queries (GET / GETNEXT / GETBULK / SET) and UDP 162 for unsolicited traps and informs. Switches, routers, firewalls, printers, UPSes, IPMI BMCs, and most servers expose SNMP, which makes it both the operator’s monitoring backbone and a standing pentest finding when communities are left at default.

Three versions exist; only one is safe:

Version

Authentication / encryption

v1

Plaintext community string. Deprecated.

v2c

Plaintext community string ("public" read, "private" write by convention). Still common.

v3

Per-user auth (MD5 / SHA) + privacy (DES / AES). Use this.

Request / response#

SNMP is a stateless request/response over UDP. The manager sends a GetRequest carrying one or more OIDs; the agent answers with a GetResponse containing the matching values. A walk is a chain of GetNextRequest calls that increments past the returned OID until the agent reports end-of-MIB.

        sequenceDiagram
    participant M as Manager (snmpwalk)
    participant A as Agent (snmpd on host)
    M->>A: GetRequest .1.3.6.1.2.1.1.1.0
    A-->>M: GetResponse sysDescr.0 = "Linux host 6.8.0"
    M->>A: GetNextRequest .1.3.6.1.2.1.1.1.0
    A-->>M: GetResponse sysObjectID.0 = .1.3.6.1.4.1.8072.3.2.10
    M->>A: GetNextRequest .1.3.6.1.2.1.1.2.0
    A-->>M: GetResponse sysUpTime.0 = 123456
    Note over M,A: SetRequest (v2c write) or Trap (agent -> port 162) follow the same shape
    

The MIB tree#

SNMP organises every readable / writable item into a tree of numeric identifiers (OIDs). Vendors publish MIB files (textual descriptions) so tools can map 1.3.6.1.2.1.1.1.0 to SNMPv2-MIB::sysDescr.0.

The standard prefix everyone hits first:

OID

Meaning

1.3.6.1.2.1.1.1.0

sysDescr, vendor + OS string

1.3.6.1.2.1.1.3.0

sysUpTime

1.3.6.1.2.1.1.5.0

sysName, hostname

1.3.6.1.2.1.1.6.0

sysLocation

1.3.6.1.2.1.2.2

ifTable, interface stats

1.3.6.1.2.1.4.20.1

ipAddrTable, IP addresses

1.3.6.1.2.1.25

HOST-RESOURCES-MIB, processes, disks, software

1.3.6.1.4.1.<vendor>

Vendor-specific extensions (Cisco 9, HP 11, …)

# all the basics in one walk
$ snmpwalk -v2c -c public host system

# interface table
$ snmpwalk -v2c -c public host IF-MIB::ifTable

# full host MIB (running processes, mounted disks, installed software)
$ snmpwalk -v2c -c public host hrSWRunName
$ snmpwalk -v2c -c public host hrSWInstalledName
$ snmpwalk -v2c -c public host hrStorageDescr

Default communities#

Default community strings are still found in the wild on printers, old switches, IoT, and forgotten internal hosts:

Community

Permission (by convention)

public

Read-only

private

Read-write, can change configuration

cisco

Cisco gear

community

Some HP / Brother printers

admin

Various

# operator-style enumeration
$ onesixtyone -c communities.txt -i hosts.txt
$ nmap -sU -p 161 --script snmp-brute,snmp-info,snmp-sysdescr 10.0.0.0/24
$ snmpwalk -v2c -c private host                      # writes possible if it works

SNMPv3#

The only version safe to expose. Three security levels:

Level

Meaning

noAuthNoPriv

Identifier only; no auth or encryption.

authNoPriv

HMAC-MD5 / SHA auth; messages still in clear.

authPriv

Auth + encryption (DES / AES). Always use this.

$ snmpwalk -v3 -l authPriv \
           -u alice -a SHA -A 'authPass' \
           -x AES -X 'privPass' \
           host system

User management on net-snmp requires editing /var/lib/snmp/snmpd.conf while snmpd is stopped, then starting it.

Server (snmpd)#

net-snmp’s snmpd is the default agent on most Linuxes.

Path

Purpose

/etc/snmp/snmpd.conf

Main configuration; ACLs, communities, v3 users, system info, extensions.

/etc/snmp/snmptrapd.conf

Trap receiver config.

/var/lib/snmp/

Persistent state (v3 user keys, etc.).

/var/log/snmpd.log

Daemon log (when configured).

Minimum-viable read-only v3 user, after stopping the daemon:

# in /var/lib/snmp/snmpd.conf
createUser alice SHA "authPass" AES "privPass"

# in /etc/snmp/snmpd.conf
rouser alice authPriv

Then systemctl start snmpd and verify with snmpwalk -v3.

Hardening#

  • Disable v1 / v2c community strings (rocommunity / rwcommunity lines); use v3 rouser / rwuser.

  • Bind snmpd to the management interface only; firewall UDP 161 to monitoring sources (agentaddress udp:10.0.0.5:161).

  • Never enable rwuser / rwcommunity on the public side.

  • Audit existing communities with onesixtyone, nmap --script snmp-brute, plus the community and private defaults.

  • Set sysLocation and sysContact to non-sensitive values; these leak organizational structure.

See also#

  • UDP, the transport SNMP rides on.

  • SNMP, discovering SNMP listeners and walking MIBs.

  • man snmpwalk, man snmpd.conf, man snmptranslate.

  • RFC 3411-3418 (SNMPv3 architecture and protocol).