Enumerating SNMP Servers with NMAP

Minimalist Ascent
7 min read · Oct 6, 2019


NMAP gives you the ability to use scripts to enumerate and exploit remote hosts through the NMAP Scripting Engine (NSE). Today we will be using NMAP scripts against a remote host running the SNMP service.

snmp-info

To return basic information about the SNMP server, use the ‘snmp-info’ script against the host.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-info 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:32 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00042s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5fd4fd7eafbcbf5c00000000
| snmpEngineBoots: 4
|_ snmpEngineTime: 2d21h31m42s
Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
root@asus:~/unix%

snmp-interfaces

To return network information about the remote host, run the ‘snmp-interfaces’ script.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-interfaces 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:33 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00053s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-interfaces:
| lo
| IP address: 192.168.0.25 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Status: up
| Traffic stats: 33.45 Mb sent, 33.45 Mb received
| Intel Corporation Wireless 7265
| IP address: 10.228.100.110 Netmask: 255.224.0.0
| MAC address: f8:94:c2:f6:72:64 (Unknown)
| Type: ethernetCsmacd Speed: 0 Kbps
| Status: up
|_ Traffic stats: 1.55 Gb sent, 1.41 Gb received
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
root@asus:~/unix%

snmp-netstat

You can also gather active netstat output from a remote host running SNMP with the ‘snmp-netstat’ script.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-netstat 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:33 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00044s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-netstat:
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 0.0.0.0:4433 0.0.0.0:0
| TCP 0.0.0.0:58210 0.0.0.0:0
| TCP 10.228.100.110:39722 184.25.204.33:80
| TCP 10.228.100.110:47888 172.217.1.206:443
| TCP 10.228.100.110:48270 172.217.1.206:443
| TCP 10.228.100.110:53402 74.125.201.188:5228
| TCP 10.228.100.110:58136 173.194.162.170:443
| TCP 10.228.100.110:59808 74.125.1.169:443
| TCP 10.228.100.110:59814 74.125.1.169:443
| TCP 192.168.0.25:631 0.0.0.0:0
| TCP 192.168.0.25:3306 0.0.0.0:0
| TCP 192.168.0.25:6667 0.0.0.0:0
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:631 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:6771 *:*
| UDP 0.0.0.0:35616 *:*
| UDP 0.0.0.0:35686 *:*
| UDP 0.0.0.0:42840 *:*
| UDP 0.0.0.0:58210 *:*
| UDP 0.0.0.0:58338 *:*
| UDP 10.228.100.110:123 *:*
| UDP 10.228.100.110:6771 *:*
| UDP 10.228.100.110:37725 *:*
| UDP 192.168.0.25:123 *:*
| UDP 192.168.0.25:6771 *:*
| UDP 192.168.0.25:55301 *:*
|_ UDP 224.0.0.251:5353 *:*
Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds
root@asus:~/unix%
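
As an added example (not code from the original post), here is a small Python parser for the snmp-netstat block above. It separates listening sockets from established connections and lists the listeners bound on every interface, which is what a defender would compare against the host's intended service inventory; the netstat output an SNMP agent hands out is the same view an attacker gets without ever touching the host. The sample text is a constructed, trimmed copy of the scan output shown above.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the snmp-netstat block from the scan above.
SAMPLE = """\
| snmp-netstat:
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 0.0.0.0:4433 0.0.0.0:0
| TCP 10.228.100.110:47888 172.217.1.206:443
| TCP 192.168.0.25:3306 0.0.0.0:0
| TCP 192.168.0.25:6667 0.0.0.0:0
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:5353 *:*
|_ UDP 224.0.0.251:5353 *:*
"""

# One socket per line: "| TCP <local ip>:<port> <remote ip>:<port>" (last line starts with "|_").
LINE_RE = re.compile(r"^\|_?\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)$")


def parse_snmp_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) tuples.

    Header lines and any other nmap report lines are skipped, so the whole
    report text can be passed in unchanged.
    """
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, lip, lport, rip, rport = m.groups()
        # snmp-netstat reports a listener with an all-zero (TCP) or wildcard (UDP) peer.
        listening = rip in ("0.0.0.0", "*") and rport in ("0", "*")
        sockets.append((proto, lip, int(lport), rip, rport,
                        "LISTEN" if listening else "ESTABLISHED"))
    return sockets


def exposed_listeners(sockets):
    """Listening sockets bound to 0.0.0.0, i.e. reachable from any interface."""
    return sorted((proto, port) for proto, ip, port, _, _, state in sockets
                  if state == "LISTEN" and ip == "0.0.0.0")


def established_peers(sockets):
    """Count the remote endpoints of established connections (outbound activity leaked via SNMP)."""
    return Counter(f"{rip}:{rport}" for _, _, _, rip, rport, state in sockets
                   if state == "ESTABLISHED")
```

Listeners bound to a specific address (here 3306 and 6667 on 192.168.0.25) are still worth reviewing; the example only singles out the ones that are reachable on every interface.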

snmp-sysdescr

Retrieve the SNMP server type and operating system with the ‘snmp-sysdescr’ script.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-sysdescr 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:34 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00045s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-sysdescr: Linux asus 4.9.4-galliumos-braswell #1 SMP PREEMPT galliumos2 Thu Feb 23 01:58:04 UTC 2017 x86_64
|_ System uptime: 2d21h33m34.15s (25041415 timeticks)
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
root@asus:~/unix%

snmp-processes

List all processes on the target machine with the ‘snmp-processes’ script. Be careful: this will generate quite a lot of output on the screen, so it is better to log it to a file (for example with nmap's -oN option).

root@asus:~/unix% nmap -sU -p 161 --script=snmp-processes 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:43 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.027s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-processes:
| 1:
| Name: systemd
| Path: /sbin/init
| Params: splash
| 2:
| Name: kthreadd
| 3:
| Name: ksoftirqd/0
...
Nmap done: 1 IP address (1 host up) scanned in 4.16 seconds
root@asus:~/unix%

snmp-win32-software

List all software on the remote machine with the ‘snmp-win32-software’ script. Despite its name, it also returns the installed packages of this Linux host, as the output below shows. This will also generate a lot of output.

root@asus:~/unix% nmap -sU -p 161 --script=snmp-win32-software 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:43 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.00049s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-win32-software:
| accountsservice-0.6.40-2ubuntu11.3; 0-01-01T00:00:00
| acl-2.2.52-3; 0-01-01T00:00:00
| adduser-3.113+nmu3ubuntu4; 0-01-01T00:00:00
| adwaita-icon-theme-3.18.0-2ubuntu3.1; 0-01-01T00:00:00
| alsa-base-1.0.25+dfsg-0ubuntu5; 0-01-01T00:00:00
| alsa-utils-1.1.0-0ubuntu5; 0-01-01T00:00:00
| anacron-2.3-23; 0-01-01T00:00:00
| apache2-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| apache2-bin-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| apache2-data-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| apache2-utils-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| app-install-data-15.10; 0-01-01T00:00:00
| apparmor-2.10.95-0ubuntu2.10; 0-01-01T00:00:00
| apt-1.2.29ubuntu0.1; 0-01-01T00:00:00
| apt-utils-1.2.29ubuntu0.1; 0-01-01T00:00:00
| aptdaemon-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
| aptdaemon-data-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
| arc-theme-galliumos-0git20160407.46a232e-galliumos4; 0-01-01T00:00:00
| aspell-0.60.7~20110707-3build1; 0-01-01T00:00:00
| aspell-en-7.1-0-1.1; 0-01-01T00:00:00
| at-spi2-core-2.18.3-4ubuntu1; 0-01-01T00:00:00
| audacity-2.1.2-1; 0-01-01T00:00:00
| audacity-data-2.1.2-1; 0-01-01T00:00:00
| avahi-autoipd-0.6.32~rc+dfsg-1ubuntu2.3; 0-01-01T00:00:00
| avahi-daemon-0.6.32~rc+dfsg-1ubuntu2.3; 0-01-01T00:00:00
| avahi-utils-0.6.32~rc+dfsg-1ubuntu2.3; 0-01-01T00:00:00
...
Nmap done: 1 IP address (1 host up) scanned in 26.03 seconds
root@asus:~/unix%

Run All Scripts Against a Host

Finally, to run the default set of NSE scripts, which includes the SNMP enumeration scripts shown above, combine the ‘-sC’ option with version detection (‘-sV’).

root@asus:~/unix% nmap -sU -p 161 -sV -sC 192.168.0.25
Starting Nmap 7.01 ( https://nmap.org ) at 2019-04-26 17:21 MDT
Nmap scan report for mgmt.acme.com (192.168.0.25)
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-hh3c-logins:
|_ baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5fd4fd7eafbcbf5c00000000
| snmpEngineBoots: 4
|_ snmpEngineTime: 2d21h20m48s
| snmp-interfaces:
| lo
| IP address: 192.168.0.25 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 31.58 Mb sent, 31.58 Mb received
| Intel Corporation Wireless 7265
| IP address: 10.228.100.110 Netmask: 255.224.0.0
| MAC address: f8:94:c2:f6:72:64 (Unknown)
| Type: ethernetCsmacd Speed: 0 Kbps
|_ Traffic stats: 1.55 Gb sent, 1.40 Gb received
| snmp-netstat:
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 0.0.0.0:4433 0.0.0.0:0
| TCP 0.0.0.0:58210 0.0.0.0:0
| TCP 10.228.100.110:34344 172.217.2.14:443
| TCP 10.228.100.110:34346 172.217.2.14:443
| TCP 10.228.100.110:34572 172.217.12.3:443
| TCP 10.228.100.110:36808 172.217.13.163:443
| TCP 10.228.100.110:37260 151.139.128.14:80
| TCP 10.228.100.110:37584 172.217.11.244:443
| TCP 10.228.100.110:39722 184.25.204.33:80
| TCP 10.228.100.110:44244 172.217.1.201:443
| TCP 10.228.100.110:45064 172.217.2.3:443
| TCP 10.228.100.110:45082 172.217.2.3:443
| TCP 10.228.100.110:47888 172.217.1.206:443
| TCP 10.228.100.110:49920 144.76.137.80:443
| TCP 10.228.100.110:50016 72.21.91.29:80
| TCP 10.228.100.110:51460 185.199.111.154:443
| TCP 10.228.100.110:51466 185.199.111.154:443
| TCP 10.228.100.110:51906 172.217.2.10:443
| TCP 10.228.100.110:53402 74.125.201.188:5228
| TCP 10.228.100.110:53712 107.154.108.145:443
| TCP 10.228.100.110:54540 172.217.1.196:443
| TCP 10.228.100.110:58072 173.194.162.170:443
| TCP 10.228.100.110:58250 172.217.2.1:443
| TCP 10.228.100.110:59750 74.125.1.169:443
| TCP 10.228.100.110:60384 172.217.11.225:443
| TCP 192.168.0.25:631 0.0.0.0:0
| TCP 192.168.0.25:3306 0.0.0.0:0
| TCP 192.168.0.25:6667 0.0.0.0:0
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:631 *:*
| UDP 0.0.0.0:5353 *:*
| UDP 0.0.0.0:6771 *:*
| UDP 0.0.0.0:35616 *:*
| UDP 0.0.0.0:35686 *:*
| UDP 0.0.0.0:42840 *:*
| UDP 0.0.0.0:58210 *:*
| UDP 0.0.0.0:58338 *:*
| UDP 10.228.100.110:123 *:*
| UDP 10.228.100.110:6771 *:*
| UDP 10.228.100.110:37725 *:*
| UDP 192.168.0.25:123 *:*
| UDP 192.168.0.25:6771 *:*
| UDP 192.168.0.25:55301 *:*
|_ UDP 224.0.0.251:5353 *:*
| snmp-processes:
| 1:
| Name: systemd
| Path: /sbin/init
| Params: splash
| 2:
| Name: kthreadd
| 3:
| Name: ksoftirqd/0
| 5:
| Name: kworker/0:0H
| 7:
| Name: rcu_preempt
| 8:
| Name: rcu_sched
| 9:
|
| snmp-sysdescr: Linux asus 4.9.4-galliumos-braswell #1 SMP PREEMPT galliumos2 Thu Feb 23 01:58:04 UTC 2017 x86_64
|_ System uptime: 2d21h20m47.87s (24964787 timeticks)
| snmp-win32-software:
| accountsservice-0.6.40-2ubuntu11.3; 0-01-01T00:00:00
| acl-2.2.52-3; 0-01-01T00:00:00
| adduser-3.113+nmu3ubuntu4; 0-01-01T00:00:00
| adwaita-icon-theme-3.18.0-2ubuntu3.1; 0-01-01T00:00:00
| alsa-base-1.0.25+dfsg-0ubuntu5; 0-01-01T00:00:00
| alsa-utils-1.1.0-0ubuntu5; 0-01-01T00:00:00
| anacron-2.3-23; 0-01-01T00:00:00
| apache2-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| apache2-bin-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| apache2-data-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| apache2-utils-2.4.18-2ubuntu3.10; 0-01-01T00:00:00
| app-install-data-15.10; 0-01-01T00:00:00
| apparmor-2.10.95-0ubuntu2.10; 0-01-01T00:00:00
| apt-1.2.29ubuntu0.1; 0-01-01T00:00:00
| apt-utils-1.2.29ubuntu0.1; 0-01-01T00:00:00
| aptdaemon-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
| aptdaemon-data-1.1.1+bzr982-0ubuntu14; 0-01-01T00:00:00
| arc-theme-galliumos-0git20160407.46a232e-galliumos4; 0-01-01T00:00:00
| aspell-0.60.7~20110707-3build1; 0-01-01T00:00:00
| aspell-en-7.1-0-1.1; 0-01-01T00:00:00
| zenity-3.18.1.1-1ubuntu2; 0-01-01T00:00:00
| zenity-common-3.18.1.1-1ubuntu2; 0-01-01T00:00:00
| zip-3.0-11; 0-01-01T00:00:00
| zlib1g-1:1.2.8.dfsg-2ubuntu4.1; 0-01-01T00:00:00
| zlib1g-dev-1:1.2.8.dfsg-2ubuntu4.1; 0-01-01T00:00:00
|_ zram-config-0.5-galliumos1; 0-01-01T00:00:00
Service Info: Host: asus
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.07 seconds
root@asus:~/unix%

Enumerating SNMP Servers Community Strings

NMAP gives you the ability to brute force SNMP community strings, the credentials an SNMPv1/v2c agent accepts, on the remote machine. We can do this by using the NMAP Scripting Engine and the ‘snmp-brute’ script, supplying our own wordlist through the ‘snmp-brute.communitiesdb’ script argument.

root@asus:~/src% nmap -sU -p 161 --script snmp-brute 127.0.0.1 --script-args snmp-brute.communitiesdb=/home/sam/comstring.txt
Starting Nmap 7.01 ( https://nmap.org ) at 2019-10-05 15:33 MDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0010s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
| public - Valid credentials
| router - Valid credentials
| monitor - Valid credentials
| adm - Valid credentials
|_ secret - Valid credentials
Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds
root@asus:~/src%

As you can see, we successfully enumerated valid community strings on the remote host. Any accepted string beyond the one the agent was deliberately configured with means the agent's data is readable by anyone who can reach UDP port 161 and guess that string.

https://cxyy4rle.blogspot.com/2019/04/enumerating-snmp-servers-with-nmap.html
