Notes


Alternative Ports
161 UDP (default)
161 TCP (rare)
162 (traps)

Service Description
Simple Network Management Protocol (SNMP) is used to monitor and manage devices on IP networks — routers, switches, servers, etc. UDP/161 is used for polling data, while 162 is used for traps (asynchronous alerts). SNMP exposes system information, routing tables, open ports, software versions, and can be abused for enumeration or DoS attacks.

SNMP has three main versions:

  • v1/v2c: Use community strings (often “public” / “private”)
  • v3: Supports authentication & encryption (authNoPriv, authPriv)

MIBs (Management Information Bases)
Textual databases that define the structure of SNMP data. Each object has an OID (Object Identifier) and represents things like system info, interfaces, routes. MIBs map readable names to numerical OIDs.


Attacks


SNMP Amplification (DDoS)
SNMP can be abused for reflection attacks if it responds to external requests.

Cleartext Information Leakage
SNMPv1/v2c transmit data and community strings in plaintext. If SNMP is open over WAN, it’s a massive risk.

Bruteforce Community Strings
Default/guessable strings can grant full read (or write!) access to device config.


Tools & Exploits


Enumeration


nmap
Initial go-to for confirming SNMP service and basic enumeration.

# Basic SNMP detection and info gathering
nmap -sU -p 161 --script snmp-info <target-ip>
 
# Attempt to bruteforce community strings
nmap -sU -p 161 --script snmp-brute <target-ip>

snmpwalk
Walks the SNMP MIB tree. Best tool for pulling system info.

# Try default community string on v2c
snmpwalk -v2c -c public <target-ip>
 
# Specific OID (system info)
snmpwalk -v2c -c public <target-ip> 1.3.6.1.2.1.1
 
# SNMPv3 (requires creds)
snmpwalk -v3 -u <user> -l authPriv -a SHA -A <auth-pass> -x AES -X <priv-pass> <target-ip>

onesixtyone
Fast scanner for SNMP community strings.

# Fast enum using wordlist of community strings
onesixtyone -c community-strings.txt -i targets.txt

snmp-check
Grabs info like running services, users, processes.

snmp-check <target-ip> -c public

Metasploit Module
Enumerate via SNMP.

use auxiliary/scanner/snmp/snmp_enum

Wireshark Analysis Tips


Filters

udp.port == 161
snmp

What to look for:

  • Community strings in cleartext (v1/v2c)
  • MIB values returned (system, interfaces, routing)
  • SNMPv3 usage → look for msgAuthenticationParameters, msgPrivacyParameters
