SNMP#
SNMP (Simple Network Management Protocol) is the legacy-but-everywhere
way to query and configure network gear. It runs on UDP 161 for
queries (GET / GETNEXT / GETBULK / SET) and UDP 162
for unsolicited traps and informs. Switches, routers, firewalls,
printers, UPSes, IPMI BMCs, and most servers expose SNMP, which makes
it both the operator’s monitoring backbone and a standing pentest
finding when communities are left at default.
Three versions exist; only one is safe:
Version |
Authentication / encryption |
|---|---|
v1 |
Plaintext community string. Deprecated. |
v2c |
Plaintext community string ( |
v3 |
Per-user auth (MD5 / SHA) + privacy (DES / AES). Use this. |
Request / response#
SNMP is a stateless request/response over UDP. The manager sends a
GetRequest carrying one or more OIDs; the agent answers with a
GetResponse containing the matching values. A walk is a
chain of GetNextRequest calls that increments past the
returned OID until the agent reports end-of-MIB.
sequenceDiagram
participant M as Manager (snmpwalk)
participant A as Agent (snmpd on host)
M->>A: GetRequest .1.3.6.1.2.1.1.1.0
A-->>M: GetResponse sysDescr.0 = "Linux host 6.8.0"
M->>A: GetNextRequest .1.3.6.1.2.1.1.1.0
A-->>M: GetResponse sysObjectID.0 = .1.3.6.1.4.1.8072.3.2.10
M->>A: GetNextRequest .1.3.6.1.2.1.1.2.0
A-->>M: GetResponse sysUpTime.0 = 123456
Note over M,A: SetRequest (v2c write) or Trap (agent -> port 162) follow the same shape
The MIB tree#
SNMP organises every readable / writable item into a tree of numeric
identifiers (OIDs). Vendors publish MIB files (textual
descriptions) so tools can map 1.3.6.1.2.1.1.1.0 to
SNMPv2-MIB::sysDescr.0.
The standard prefix everyone hits first:
OID |
Meaning |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Vendor-specific extensions (Cisco 9, HP 11, …) |
# all the basics in one walk
$ snmpwalk -v2c -c public host system
# interface table
$ snmpwalk -v2c -c public host IF-MIB::ifTable
# full host MIB (running processes, mounted disks, installed software)
$ snmpwalk -v2c -c public host hrSWRunName
$ snmpwalk -v2c -c public host hrSWInstalledName
$ snmpwalk -v2c -c public host hrStorageDescr
Default communities#
Default community strings are still found in the wild on printers, old switches, IoT, and forgotten internal hosts:
Community |
Permission (by convention) |
|---|---|
|
Read-only |
|
Read-write, can change configuration |
|
Cisco gear |
|
Some HP / Brother printers |
|
Various |
# operator-style enumeration
$ onesixtyone -c communities.txt -i hosts.txt
$ nmap -sU -p 161 --script snmp-brute,snmp-info,snmp-sysdescr 10.0.0.0/24
$ snmpwalk -v2c -c private host # writes possible if it works
SNMPv3#
The only version safe to expose. Three security levels:
Level |
Meaning |
|---|---|
|
Identifier only; no auth or encryption. |
|
HMAC-MD5 / SHA auth; messages still in clear. |
|
Auth + encryption (DES / AES). Always use this. |
$ snmpwalk -v3 -l authPriv \
-u alice -a SHA -A 'authPass' \
-x AES -X 'privPass' \
host system
User management on net-snmp requires editing
/var/lib/snmp/snmpd.conf while snmpd is stopped, then starting it.
Server (snmpd)#
net-snmp’s snmpd is the default agent on most Linuxes.
Path |
Purpose |
|---|---|
|
Main configuration; ACLs, communities, v3 users, system info, extensions. |
|
Trap receiver config. |
|
Persistent state (v3 user keys, etc.). |
|
Daemon log (when configured). |
Minimum-viable read-only v3 user, after stopping the daemon:
# in /var/lib/snmp/snmpd.conf
createUser alice SHA "authPass" AES "privPass"
# in /etc/snmp/snmpd.conf
rouser alice authPriv
Then systemctl start snmpd and verify with snmpwalk -v3.
Hardening#
Disable v1 / v2c community strings (
rocommunity/rwcommunitylines); use v3rouser/rwuser.Bind
snmpdto the management interface only; firewall UDP 161 to monitoring sources (agentaddress udp:10.0.0.5:161).Never enable
rwuser/rwcommunityon the public side.Audit existing communities with
onesixtyone,nmap --script snmp-brute, plus thecommunityandprivatedefaults.Set
sysLocationandsysContactto non-sensitive values; these leak organizational structure.