SNMP Enumeration Cheatsheet

Default Ports: 161 (UDP — queries), 162 (UDP — traps)


SNMP Versions

Version  Auth                            Notes
v1       Community string                Cleartext, oldest
v2c      Community string                Cleartext, most common
v3       Username + auth + encryption    Secure, rarely misconfigured

Detection

nmap -sU -p 161 <ip>
nmap -sU -p 161 -sV <ip>
nmap -sU -p 161 --script snmp-info <ip>

Community String Brute Force

# onesixtyone (fast UDP brute)
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <ip>
onesixtyone -c community.txt -i ips.txt

# Nmap
nmap -sU -p 161 --script snmp-brute <ip>
nmap -sU -p 161 --script snmp-brute \
  --script-args snmp-brute.communitiesdb=communities.txt <ip>

# Metasploit
use auxiliary/scanner/snmp/snmp_login
set RHOSTS <ip>
run

snmpwalk — Walking the MIB Tree

# Full walk (v1/v2c)
snmpwalk -v1 -c public <ip>
snmpwalk -v2c -c public <ip>

# Target specific OIDs
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.1         # System info
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.4.2    # Running processes
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.25.6.3    # Installed software
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.6.13.1.3  # Open TCP ports
snmpwalk -v2c -c public <ip> 1.3.6.1.4.1.77.1.2.25 # Windows user accounts
snmpwalk -v2c -c public <ip> 1.3.6.1.2.1.2.2       # Network interfaces

# SNMPv3
snmpwalk -v3 -u <user> -l AuthPriv \
  -a MD5 -A <authpass> -x DES -X <privpass> <ip>

snmpget — Single OID Query

snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.1.0     # sysDescr
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.5.0     # sysName (hostname)
snmpget -v2c -c public <ip> 1.3.6.1.2.1.1.6.0     # sysLocation

snmp-check

snmp-check <ip>
snmp-check <ip> -c public
snmp-check <ip> -c public -v 2c

braa — Bulk SNMP

braa public@<ip>:.1.3.6.*
braa public@<ip>:.1.3.6.1.2.1.1.1.0

Nmap SNMP Scripts

nmap -sU -p 161 --script snmp-info <ip>
nmap -sU -p 161 --script snmp-sysdescr <ip>
nmap -sU -p 161 --script snmp-interfaces <ip>
nmap -sU -p 161 --script snmp-processes <ip>
nmap -sU -p 161 --script snmp-win32-users <ip>
nmap -sU -p 161 --script snmp-win32-services <ip>
nmap -sU -p 161 --script snmp-win32-software <ip>
nmap -sU -p 161 --script snmp-* <ip>

Key OIDs Reference

OID                       Description
1.3.6.1.2.1.1.1.0         System description
1.3.6.1.2.1.1.3.0         System uptime
1.3.6.1.2.1.1.5.0         Hostname
1.3.6.1.2.1.1.6.0         System location
1.3.6.1.2.1.25.1.6.0      Number of running OS processes
1.3.6.1.2.1.25.4.2.1.2    Process names
1.3.6.1.2.1.25.6.3.1.2    Installed packages
1.3.6.1.4.1.77.1.2.25     Windows user accounts
1.3.6.1.2.1.6.13.1.3      TCP open ports
1.3.6.1.2.1.2.2.1.2       Interface names
1.3.6.1.2.1.2.2.1.11      Interface in-packets

Common Community Strings

public     private     manager
community  snmp        cisco
monitor    0           internal
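
Because v1/v2c send the community string in cleartext, the guessing described under "Community String Brute Force" is visible to anyone watching UDP/161. The following is an added example, not part of the original cheatsheet: it decodes the BER header of SNMP datagrams and reports sources that try many distinct community strings. The sample packets, the 192.0.2.x addresses and the threshold of 5 are constructed for illustration.

```python
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}    # values of the leading version INTEGER

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_community(datagram):
    """Return (version, community); community is None for SNMPv3."""
    tag, body, _ = read_tlv(datagram, 0)    # outer SEQUENCE
    vtag, ver, pos = read_tlv(body, 0)      # version INTEGER
    version = VERSIONS.get(int.from_bytes(ver, "big"))
    if tag != 0x30 or vtag != 0x02 or version is None:
        raise ValueError("not an SNMP message")
    if version == "v3":
        return version, None                # v3 carries no community string
    ctag, community, _ = read_tlv(body, pos)
    if ctag != 0x04:                        # OCTET STRING, readable on the wire
        raise ValueError("missing community")
    return version, community.decode("latin-1")

def guessing_sources(events, threshold=5):
    """events: (src_ip, datagram) pairs -> {src: communities tried} at/over threshold."""
    seen = {}
    for src, datagram in events:
        try:
            community = parse_community(datagram)[1]
        except ValueError:
            continue                        # not SNMP, or malformed
        if community is not None:
            seen.setdefault(src, set()).add(community)
    return {s: sorted(c) for s, c in seen.items() if len(c) >= threshold}

PDU = bytes.fromhex("a019020101020100020100300e300c06082b060102010101000500")  # constructed GetRequest, sysDescr.0
def sample_get(community, version=1):       # builds a constructed packet; 1 on the wire means v2c
    body = bytes([2, 1, version, 4, len(community)]) + community.encode() + PDU
    return bytes([0x30, len(body)]) + body
WORDS = "public private manager community snmp cisco monitor 0 internal".split()
EVENTS = [("192.0.2.10", sample_get(w)) for w in WORDS]      # constructed: one source, nine strings
EVENTS += [("192.0.2.50", sample_get("public"))] * 20        # constructed: poller, one string
```

Calling `guessing_sources(EVENTS)` reports only 192.0.2.10; the poller at 192.0.2.50 sends more packets but reuses a single string, so a per-source count of distinct strings separates the two.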