Security Notes

161 - SNMP


Last updated 1 year ago

Enumeration

nmap -sU --open -p 161 <ip addr>
onesixtyone -c <community keyword file> -i <ip list file>
snmpwalk -c <public|private> -v<1|2c|3> -t <timeout> <ip addr>:<port> 
 
snmpwalk -c <comm string> -v1 -t <timeout> <ip addr> .1                         #Full
snmpwalk -c <comm string> -v1 -t <timeout> <ip addr> 1.3.6.1.4.1.77.1.2.25      #Windows users
snmpwalk -c <comm string> -v1 -t <timeout> <ip addr> 1.3.6.1.2.1.25.4.2.1.2     #Windows processes
snmpwalk -c <comm string> -v1 -t <timeout> <ip addr> 1.3.6.1.2.1.6.13.1.3       #Open TCP ports
snmpwalk -c <comm string> -v1 -t <timeout> <ip addr> 1.3.6.1.2.1.25.6.3.1.2     #Installed software

MIB tree navigation

Community strings

  • public – read-only functions

  • private – read/write in general

Permissions are not fully controlled by the community string used: some values may be writable even if the public string is used. The reverse is also true: if you try to write a read-only object, a noSuchName or readOnly error is received. In versions 1 and 2/2c, if you use a bad community string the server won't respond.
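
Added example (not part of the original notes): in SNMPv1 and v2c the community string travels unencrypted in every message, so a monitoring script can read it straight out of a captured datagram. The Python below parses the outer message of a hand-constructed GetNextRequest and flags the two default strings listed above and any write attempt; `read_tlv`, `inspect_snmp` and the sample bytes are assumptions made for this illustration.

```python
# Added example, not from the original page. The datagram is constructed by hand.
DEFAULT_COMMUNITIES = {b"public", b"private"}   # the two strings listed above
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

# Constructed SNMPv1 GetNextRequest for 1.3.6.1.2.1 with community "public".
SAMPLE_GETNEXT = bytes.fromhex(
    "3023" "020100" "04067075626c6963"          # SEQUENCE, version=0, community
    "a116" "020101" "020100" "020100"           # PDU, request-id, error fields
    "300b3009" "06052b06010201" "0500")         # varbind: OID + NULL

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(datagram):
    """Pull version, community and PDU type out of an SNMPv1/v2c message."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, raw_version, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    version = {0: "1", 1: "2c"}.get(int.from_bytes(raw_version, "big"))
    if version is None:                         # v3 carries no community string here
        return {"version": "other", "community": None, "pdu": None, "findings": []}
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04 or pos >= len(msg):
        raise ValueError("community string or PDU missing")
    pdu = PDU_TYPES.get(msg[pos], hex(msg[pos]))
    findings = []
    if community in DEFAULT_COMMUNITIES:
        findings.append("default community string in cleartext")
    if pdu == "SetRequest":
        findings.append("write attempt")
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": pdu, "findings": findings}
```
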

OID structure

Structure example

1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3 . 21 . 1 . 4 . 7

Here is a breakdown of this address.

  • 1 – this is called the ISO and it establishes that this is an OID. This is why all OIDs start with “1”.

  • 3 – this is called ORG and it is used to specify the organization that built the device.

  • 6 – this is the dod or the Department of Defense which is the organization that established the Internet first.

  • 1 – this is the value of the internet to denote that all communications will happen through the Internet.

  • 4 – this value determines that this device is made by a private organization and not a government one.

  • 1 – this value denotes that the device is made by an enterprise or a business entity.

These first six values tend to be the same for all devices and they give you the basic information about them. This sequence of numbers will be the same for all OIDs, except when the device is made by the government.

Moving on to the next set of numbers.

  • 1452 – gives the name of the organization that manufactured this device.

  • 1 – explains the type of device. In this case, it is an alarm clock.

  • 2 – determines that this device is a remote terminal unit.

The rest of the values give specific information about the device.

  • 5 – denotes a discrete alarm point.

  • 1 – specific point in the device

  • 3 – port

  • 21 – address of the port

  • 1 – display for the port

  • 4 – point number

  • 7 – state of the point

http://www.oid-info.com/cgi-bin/display?tree=#focus
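
Added example (not part of the original notes): the Python below splits an OID into the registered prefix, the enterprise number and the device-specific suffix, following the breakdown above. It goes one step beyond the text by also producing the BER byte form the OID takes inside an SNMP packet, which is what a capture filter or detection rule has to match; the function names and branch labels are assumptions made for this illustration.

```python
# Added example, not from the original page; function names are illustrative.
INTERNET = [1, 3, 6, 1]                       # iso.org.dod.internet
BRANCHES = {(2, 1): "mgmt.mib-2", (4, 1): "private.enterprises"}

def parse_oid(text):
    """Dotted OID -> list of integer arcs; tolerates spaces and a leading dot."""
    parts = [p.strip() for p in text.strip().lstrip(".").split(".")]
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a numeric OID: {text!r}")
    return [int(p) for p in parts]

def describe(text):
    """Label the registered prefix and pull out the enterprise number, if any."""
    arcs = parse_oid(text)
    out = {"oid": ".".join(map(str, arcs)), "branch": None,
           "enterprise": None, "suffix": arcs}
    key = tuple(arcs[4:6])
    if arcs[:4] == INTERNET and key in BRANCHES:
        out["branch"], out["suffix"] = BRANCHES[key], arcs[6:]
        if key == (4, 1) and len(arcs) > 6:   # arc after enterprises = vendor number
            out["enterprise"], out["suffix"] = arcs[6], arcs[7:]
    return out

def ber_encode(text):
    """BER content bytes of an OID as carried in an SNMP varbind."""
    arcs = parse_oid(text)
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first two arcs cannot be packed")
    out = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:   # first two arcs share one value
        chunk = [sub & 0x7F]
        while sub > 0x7F:                     # base-128, high bit set on all but last byte
            sub >>= 7
            chunk.append(0x80 | (sub & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

if __name__ == "__main__":
    for oid in ("1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3 . 21 . 1 . 4 . 7",
                "1.3.6.1.2.1.25.4.2.1.2"):
        print(describe(oid), ber_encode(oid).hex())
```
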