PORT 161/udp (SNMP)

To scan for open SNMP ports, we can run nmap with the -sU option to perform UDP scanning and the --open option to limit the output to open (or possibly open) ports; -oG writes the results in grepable form to open-snmp.txt. Because UDP gives no reply for most closed ports, hosts that never answer show up as open|filtered, while a real SNMP agent that answers nmap's probe is reported as open.

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt

Alternatively, we can use a tool such as onesixtyone, which tries every community string in a wordlist against every IP address in a list (a fast community-string brute force). First, we must build text files containing the community strings and the IP addresses we wish to scan.

echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips

Once we find SNMP services, we can start querying them for specific MIB data that might be interesting.

We can probe and query SNMP values using a tool such as snmpwalk, provided we know the SNMP read-only community string; the default "public" is still very common.

snmpwalk -c public -v1 -t 10 <ip>
snmpwalk -c public -v2c -t 10 <ip>

-t sets the per-request timeout in seconds. Note that net-snmp spells the SNMPv2 protocol version -v2c (community-based v2); -v2 is not accepted.

For example, the following OIDs are served by the Windows SNMP service (most come from the standard Host Resources MIB, the user-account entry from Microsoft's LAN Manager MIB) and contain much more than network-based information:

MIB                        Info
1.3.6.1.2.1.25.1.6.0       System Processes
1.3.6.1.2.1.25.4.2.1.2     Running Programs
1.3.6.1.2.1.25.4.2.1.4     Processes Path
1.3.6.1.2.1.25.2.3.1.4     Storage Units
1.3.6.1.2.1.25.6.3.1.2     Software Name
1.3.6.1.4.1.77.1.2.25      User Accounts
1.3.6.1.2.1.6.13.1.3       TCP Local Ports

We can walk these OIDs to enumerate information directly from Windows. For example, to enumerate the user accounts we use this command:

snmpwalk -c public -v1 <ip> 1.3.6.1.4.1.77.1.2.25
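Putting the whole table to work, as an added example that is not part of the original page: the script below walks every OID listed above against each host found by the nmap or onesixtyone sweep and strips snmpwalk's raw output (OID prefix, type tag, quotes) down to the bare values, so the user names, program names and listening ports can be read or grepped directly. It assumes net-snmp's snmpwalk is installed; the hosts file, the community string and the sample walk output embedded below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the page's own code. Enumerate the Windows-relevant
# OIDs from the table above for every host in a file, one directory per host.
# Assumes net-snmp's snmpwalk; HOSTS file and COMMUNITY are caller-supplied.

set -u

# OID -> label, the same entries as the table on this page
OIDS="
1.3.6.1.2.1.25.1.6.0     system_processes
1.3.6.1.2.1.25.4.2.1.2   running_programs
1.3.6.1.2.1.25.4.2.1.4   process_paths
1.3.6.1.2.1.25.2.3.1.4   storage_units
1.3.6.1.2.1.25.6.3.1.2   software_name
1.3.6.1.4.1.77.1.2.25    user_accounts
1.3.6.1.2.1.6.13.1.3     tcp_local_ports
"

# Reduce snmpwalk output lines ("<oid> = TYPE: value") to the bare value:
# drop the OID prefix and the type tag, then strip surrounding quotes.
# Lines without a "= TYPE:" part (e.g. "No Such Object ...") are dropped.
# Usage: snmp_values < walk_output
snmp_values() {
    sed -n 's/^[^=]* = [A-Za-z0-9-]*: *//p' | sed 's/^"\(.*\)"$/\1/'
}

# Walk one OID on one host and print the cleaned values, one per line.
# Needs network access to the target, so it is not exercised offline.
snmp_walk_oid() {
    local host="$1" community="$2" oid="$3"
    snmpwalk -v2c -c "$community" -t 10 -r 1 "$host" "$oid" 2>/dev/null | snmp_values
}

# Walk every OID in the table for one host, writing <host>/<label>.txt
# and printing a one-line summary per OID.
snmp_enum_host() {
    local host="$1" community="$2" oid label
    mkdir -p "$host"
    echo "$OIDS" | while read -r oid label; do
        [ -n "$oid" ] || continue
        snmp_walk_oid "$host" "$community" "$oid" > "$host/$label.txt"
        printf '%s %-16s %s entries\n' "$host" "$label" \
            "$(wc -l < "$host/$label.txt" | tr -d ' ')"
    done
}

# Constructed samples of what snmpwalk prints (net-snmp's default "iso."
# notation) for the user-accounts and TCP-local-ports OIDs; they illustrate
# what snmp_values does without touching the network.
SAMPLE_USERS='iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"'
SAMPLE_PORTS='iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445'

# Run the sweep only when invoked with a hosts file and a community string:
#   ./snmp_enum.sh hosts.txt public
if [ "${1:-}" ] && [ "${2:-}" ]; then
    while read -r ip; do
        [ -n "$ip" ] && snmp_enum_host "$ip" "$2"
    done < "$1"
fi
```

The hosts file can be the grepable nmap output filtered for open ports (for example `grep 161/open open-snmp.txt | awk '{print $2}' > hosts.txt`) or the addresses onesixtyone reported. Walking the LAN Manager OID (1.3.6.1.4.1.77.1.2.25) on a non-Windows agent returns "No Such Object", which snmp_values silently discards, so an empty user_accounts.txt simply means the branch is not served.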
