0) What is SNMP?
SNMP is a UDP-based protocol (default port 161) used by network devices and servers for monitoring and management. SNMPv1/v2c rely on community strings (often default/insecure like public/private) and provide read/write ops via OIDs. SNMPv3 adds authentication and privacy but is sometimes misconfigured. In a red-team competition, SNMP is high-value: it can reveal network topology, ARP/routing tables, interface information, running-config snippets, and even plaintext credentials or keys embedded in MIB-backed config objects.
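As an added example (not part of the original cheatsheet), a minimal BER decoder for SNMPv1/v2c messages: it shows that the version, community string and requested OIDs all travel in cleartext, which is why a network sensor can flag a default community or a SET attempt from a single packet. The sample packet bytes are constructed here; no other names are assumed.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Decode a BER OID: first byte packs arcs 1-2 as 40*a+b, the rest are base-128 arcs."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear terminates the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmp(msg: bytes) -> dict:
    """Parse an SNMPv1/v2c message into version, community, PDU type and requested OIDs."""
    _, body, _ = _tlv(msg, 0)                 # Message ::= SEQUENCE { version, community, pdu }
    _, ver, pos = _tlv(body, 0)               # INTEGER version: 0 = v1, 1 = v2c
    _, community, pos = _tlv(body, pos)       # OCTET STRING community, sent in cleartext
    pdu_tag, pdu, _ = _tlv(body, pos)         # context-specific tag selects the PDU type
    pos = 0
    for _ in range(3):                        # skip request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, varbinds, _ = _tlv(pdu, pos)           # SEQUENCE OF VarBind
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _tlv(varbinds, pos)      # VarBind ::= SEQUENCE { name OID, value }
        oids.append(decode_oid(_tlv(vb, 0)[1]))
    return {"version": "v1" if ver == b"\x00" else "v2c", "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def flag(parsed: dict) -> list[str]:
    """Defender-side checks: a default community on the wire, or any write (SET) attempt."""
    findings = ["default-community:" + parsed["community"]] if parsed["community"] in DEFAULT_COMMUNITIES else []
    return findings + (["write-attempt"] if parsed["pdu"] == "SetRequest" else [])

# Constructed sample: SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE = bytes.fromhex("302902010104067075626c6963a01c02046f1b2e4c020100"
                       "020100300e300c06082b060102010101000500")
```

Feed `parse_snmp` the UDP payload of any port-161 datagram from a capture; the same parser also decodes the enterprise OIDs under 1.3.6.1.4.1 that the enumeration section walks.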
1) Recon Phase (playbook & OPSEC)
- Discovery (low-noise first): masscan/nmap UDP 161 with rate limiting
- Banner & quick probes: nmap -sU -p161 --script=snmp-info
- Prioritize targets that are routers, switches, firewalls, printers, Windows servers with management agents
- OPSEC: use conservative timeouts and low packet rates in CTF to avoid noisy detections
- Note whether the device replies to SNMPv1/2c (fast wins) or only SNMPv3 (harder)
Time-box your discovery in the first 10–20 minutes of the engagement: find machines that respond to community strings quickly — that’s usually the fastest escalation path in a competition.
2) Enumeration Phase (what to pull)
# Test common community strings (read-only); <target> is the device IP/hostname
snmpwalk -v2c -c public <target> 1
# If public works, enumerate common OIDs:
snmpwalk -v2c -c public <target> 1.3.6.1.2.1      # system, interfaces, ip, tcp, udp
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4    # ipRouteTable / ARP info
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.6    # TCP table
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.2    # interfaces
# Enumerate device-specific MIB OIDs (Cisco, Juniper, HP) for configs and creds
snmpwalk -v2c -c public <target> 1.3.6.1.4.1      # enterprise OIDs
# Brute-forcing community strings (targeted, rate-limited)
onesixtyone -c community-list.txt <target>
# or use nmap --script snmp-brute
Look for: ARP tables, routing tables, interface IPs, hostnames, list of running processes, startup-config fragments, sysContact/sysLocation, and any exposed text blobs (sometimes configs contain plaintext creds).
3) Exploitation / Red Team Moves
- Harvested artifacts:
- ARP / ipRouteTable => internal host IPs to pivot to
- ifAdmin/ifOper names => identify virtual interfaces, VLANs
- sysDescr/sysName => OS/device types for targeted exploits
- text/config OIDs => possible plaintext credentials or keys
- If SNMP write is allowed (SNMP SET) — high impact:
  # very dangerous: use only in authorized CTFs
  snmpset -v2c -c private <target> <OID> i <value>
- Pivot: use discovered internal IPs to reach admin panels (HTTP/SSH/RDP)
- Lateral gain: try credentials discovered in configs against SSH/HTTP
- Stealth: export minimal useful data, avoid repeated wide scans after initial enumeration
In red-team competitions, a single successful SNMP read can give a map of internal IPs and device creds — treat it as a force-multiplier for lateral movement.
SNMP Info — What to Look For (red-team checklist)
- SNMPv1/v2c read allowed with common community strings (public, private)
- Writeable community (SET) — immediate high severity (e.g., private)
- Enterprise-specific OIDs exposing configs or credentials
- ipNetToMedia/ipRouteTable entries revealing internal subnets and hosts
- sysContact/sysLocation hinting at admin accounts or physical placement
- Device type strings (sysDescr) that point to known vendor MIBs and exploits
Tools Required (red-team kit)
# snmpwalk/snmpget/snmpset are provided by the "snmp" package (there are no packages with those names);
# snmpd is the agent daemon, only needed if you want a local agent to test against
sudo apt install nmap snmp snmp-mibs-downloader snmpd
# pentest tools
sudo apt install onesixtyone
# or build from source: https://github.com/trailofbits/onesixtyone
# Useful extras:
# - snmp-check (enumeration script)
# - nmap with --script=snmp-* (snmp-info, snmp-brute, snmp-netstat, snmp-interfaces)
# - Metasploit auxiliary/scanner/snmp/snmp_login
Quick copy-paste command cheatsheet
# discover SNMP responders (low-noise)
nmap -sU -p161 --script=snmp-info --script-args 'timeout=500ms' <target-range>
# quick read with common community
snmpwalk -v2c -c public <target> 1
# pull interface list & addresses
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.2
# ARP / routing tables
snmpwalk -v2c -c public <target> 1.3.6.1.2.1.4
# enterprise MIBs (may reveal configs)
snmpwalk -v2c -c public <target> 1.3.6.1.4.1
# brute community strings with rate-limit / onesixtyone
onesixtyone -c communities.txt <target>
# nmap brute script (alternative)
nmap -sU -p161 --script snmp-brute --script-args snmp-brute.communitiesdb=communities.txt <target>
# test SNMPv3 discovery (note: SNMPv3 requires different handling)
nmap -sU -p161 --script snmp-info --script-args snmp.user=<user>,snmp.pass=<pass> <target>
Red-team competition tips
- Prioritize quick wins: a single successful snmpwalk with public can immediately reveal pivot points.
- Be noisy-aware: brute-forcing communities or aggressive SNMP SETs will often trigger blue-team alerts — use timing and narrow scope.
- Search for enterprise OIDs after initial discovery — vendor MIBs commonly contain config fragments and credentials.
- If you find write access, coordinate with teammates (or follow rules of engagement) — modifying device configs can break the target environment.
- Log everything you pull (timestamps, OIDs, raw values) for scoring and reporting; SNMP artifacts are high-value evidence in CTF reports.
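Added detection example (not from the cheatsheet) for the two noisy behaviours the tips above say will trip blue-team alerts, community brute force and SET attempts, run over constructed per-packet records in an assumed ts,src,community,pdu form; the allowlisted manager address 10.0.0.10 and the thresholds are assumptions.

```python
from collections import defaultdict

BRUTE_THRESHOLD = 5            # distinct communities from one source inside WINDOW (assumed)
WINDOW = 60                    # seconds (assumed)
SET_ALLOWLIST = {"10.0.0.10"}  # assumed: the only host permitted to issue SET

def parse_record(line: str) -> tuple[int, str, str, str]:
    """Record format (constructed for this example): ts,src,community,pdu."""
    ts, src, community, pdu = line.strip().split(",")
    return int(ts), src, community, pdu

def detect(lines: list[str]) -> list[str]:
    """Return alert strings for SET attempts from unapproved hosts and community brute force."""
    alerts: list[str] = []
    history: dict[str, list[tuple[int, str]]] = defaultdict(list)  # src -> [(ts, community)]
    brute_flagged: set[str] = set()
    for line in lines:
        ts, src, community, pdu = parse_record(line)
        if pdu == "SetRequest" and src not in SET_ALLOWLIST:
            alerts.append(f"SET from unapproved source {src} (community {community!r})")
        # slide the per-source window forward and count distinct communities tried in it
        history[src] = [(t, c) for t, c in history[src] + [(ts, community)] if ts - t <= WINDOW]
        distinct = {c for _, c in history[src]}
        if len(distinct) >= BRUTE_THRESHOLD and src not in brute_flagged:
            brute_flagged.add(src)   # alert once per source, not once per packet
            alerts.append(f"community brute force from {src}: {len(distinct)} communities in {WINDOW}s")
    return alerts

# Constructed records: 10.0.0.10 is the legitimate manager; 10.0.0.55 cycles through
# community strings, then tries a SET, then returns much later with a single read.
SAMPLE_LOG = """\
1000,10.0.0.10,public,GetRequest
1001,10.0.0.10,private,SetRequest
1002,10.0.0.55,public,GetRequest
1003,10.0.0.55,private,GetRequest
1004,10.0.0.55,monitor,GetRequest
1005,10.0.0.55,netops,GetRequest
1006,10.0.0.55,backup,GetRequest
1007,10.0.0.55,private,SetRequest
1200,10.0.0.55,public,GetNextRequest
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The late read at t=1200 falls outside the window and raises nothing, which is the rate-limited, narrow-scope behaviour the tip recommends; the burst at t=1002..1007 is what gets you noticed.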
Ethics & Rules: This guidance is written from a red-team competition perspective — only perform these actions within the competition environment or on targets you are explicitly authorized to test. SNMP SET/write operations can be destructive; treat them as last-resort, score-hungry actions and follow the exercise rules of engagement.