`` Scanning
`` Network discovery
~$ nmap -sU -sV -p 161 VAR_TARGET_RANGE
~$ onesixtyone -s -o VAR_FILENAME VAR_TARGET_CIDR
~$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt VAR_TARGET_HOST
~$ hydra -P /usr/share/seclists/Discovery/SNMP/snmp.txt -V VAR_TARGET_HOST snmp
`` Basic
~$ nmap -v -sV -Pn -sU -p 161,162 --script snmp-info,snmp-interfaces,snmp-netstat,snmp-processes,snmp-sysdescr,snmp-win32-services,snmp-win32-shares,snmp-win32-software,snmp-win32-users VAR_TARGET_HOST
`` Extended
~$ python ./snmpbrute.py -t VAR_TARGET_HOST -f /usr/share/seclists/Discovery/SNMP/snmp.txt
~$ xprobe2 -v -p udp:161:open VAR_TARGET_HOST
~$ snmp-check VAR_TARGET_HOST -c public
`` FTP Bounce scanning
~$ nmap VAR_TARGET_HOST -b VAR_FTP_HOST -Pn -n -g 88 -v -sU -p 161,162 --script snmp-netstat,snmp-processes
`` Network range
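#!/bin/bash
# For every host listed in ip_list.txt (one per line, in the current
# directory), try each community string from the seclists wordlist in
# turn; the first snmpwalk that succeeds is saved to <host>.snmpwalk and
# the remaining strings for that host are skipped.
#
# Inputs : ip_list.txt, the seclists onesixtyone community-string list
# Outputs: <host>.snmpwalk for each host that answered; the host name is
#          printed to stdout as it is processed
set -u

readonly wordlist=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings_onesixtyone.txt

# Read whole lines with `read -r` instead of `for x in $(cat ...)`: the
# latter word-splits on whitespace and glob-expands entries such as `*`.
# The `|| [[ -n ... ]]` keeps a final line that lacks a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue
  printf '%s\n' "$ip"
  while IFS= read -r str || [[ -n "$str" ]]; do
    [[ -n "$str" ]] || continue
    # Both values are quoted so a community string containing spaces or
    # shell metacharacters reaches snmpwalk as a single argument. The
    # result goes to a temp file first so a failed attempt does not leave
    # an empty <host>.snmpwalk behind that looks like a successful walk.
    if snmpwalk -OsS -v 1 -c "$str" "$ip" > "$ip.snmpwalk.tmp"; then
      mv -- "$ip.snmpwalk.tmp" "$ip.snmpwalk"
      break
    fi
  done < "$wordlist"
  # Nothing answered for this host: discard the scratch file.
  rm -f -- "$ip.snmpwalk.tmp"
done < ip_list.txt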
`` Table
- 1.3.6.1.2.1.25.1.6.0 - System Processes
- 1.3.6.1.2.1.25.2.3.1.4 - Storage Units
- 1.3.6.1.2.1.25.4.2.1.2 - Running Programs
- 1.3.6.1.2.1.25.4.2.1.4 - Processes Path
- 1.3.6.1.2.1.25.6.3.1.2 - Software Name
- 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports
- 1.3.6.1.4.1.77.1.2.25 - User Accounts
`` Community strings
- /usr/share/wordlists/fasttrack.txt
`` Community string bruteforcing
~$ nmap -sU VAR_TARGET_HOST -p 161 --script snmp-brute -Pn --script-args snmp-brute.communitiesdb=/usr/share/wordlists/fasttrack.txt
~$ onesixtyone -c /usr/share/wordlists/dirb/small.txt VAR_TARGET_HOST
~$ for i in $(cat /usr/share/wordlists/metasploit/unix_users.txt);do snmpwalk -v 1 -c $i VAR_TARGET_HOST;done| grep -v "Timeout"
~$ echo public > community-strings.txt
~$ echo private >> community-strings.txt
~$ echo manager >> community-strings.txt
~$ for ip in $(seq 1 254);do echo VAR_TARGET_HOST_BASE.$ip;done > ips
~$ onesixtyone -c community-strings.txt -i ips
~$ hydra -P password-file.txt -V VAR_TARGET_HOST snmp
`` Community string checks
~$ snmp-check VAR_TARGET_HOST -c public
~$ snmpget -v 1 -c public VAR_TARGET_HOST
~$ snmpwalk -v 1 -c public VAR_TARGET_HOST
~$ snmpbulkwalk -v2c -c public -Cn0 -Cr10 VAR_TARGET_HOST
`` Windows users
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.25
`` Running processes
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.25.4.2.1.2
`` Open TCP ports
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.6.13.1.3
`` Installed software
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.2.1.25.6.3.1.2
`` Shares
~$ snmpwalk -c public -v1 VAR_TARGET_HOST 1.3.6.1.4.1.77.1.2.3.1.1
`` Password Bruteforcing
~$ hydra -P VAR_WORDLIST -V VAR_TARGET_HOST snmp