Because SNMP exposes such a wealth of information about the devices that run it, it is an excellent source for reconnaissance and enumeration. An SNMP manager (also known as a network management system, or NMS) is an application that runs continuously on the network. At a regular interval (usually every 5 to 15 minutes) it polls managed devices for their status. These devices are typically servers, routers, switches, wireless access points, hubs, and anything else capable of running the SNMP service. On each device an SNMP agent listens (on UDP port 161) for incoming manager queries.

The manager identifies itself to the agent with a community string, a text identifier that must match on both the manager and the device; a request carrying a different community string is silently ignored. The conventional defaults are public (read-only) and private (read-write). They are easy to change, but are very often left in place. SNMPv1 and SNMPv2c send the community string and every query and response in cleartext; only SNMPv3 adds authentication and, optionally, encryption of the payload.

Usually the NMS does the querying, but an agent can also be configured to raise a trap (an unsolicited alert, sent to UDP port 162 on the manager) when some threshold is met. Traps can be set on any number of counters. Examples include low disk space, high CPU temperature, high CPU or RAM utilization, a congested interface, and security violations such as an authentication failure (a query that arrived with the wrong community string).

There are three basic categories of SNMP exploits:

  • To sniff cleartext SNMP communications between managers and agents to obtain the community string or information from the devices. This can include statistics about hardware, interface traffic, services, users, groups, route tables, listening ports, running processes, and much more.
  • To pose as an SNMP manager, providing the correct community string, and enumerate information from SNMP agents.
  • To exploit the implicit trust SNMP managers place in the assets they manage. Most NMSs do not carefully validate the input they receive from agents. An attacker who controls an agent (or spoofs one) can return cross-site scripting (XSS) payloads or other malformed strings in query responses or traps, which the NMS then stores and renders in its console. These could result in buffer overflows or arbitrary command injection in the NMS.
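The first and third categories both come down to the BER encoding of an SNMP datagram: the community string is simply the second field of a v1/v2c message, and an agent's values are plain OCTET STRINGs that the NMS decodes and displays. The following Python is an added example written for this page, not code from the original text or from any of the tools it lists. It builds a v2c GetRequest, decodes a captured datagram to recover the version, community string, PDU type and the OIDs being queried, and then scans a GetResponse for the kind of agent-supplied string an NMS must not trust. CAPTURED_GET_REQUEST is a constructed byte string (the same bytes the builder produces), not a real capture, and the SUSPICIOUS character list is a simple illustrative heuristic, not a standard.

```python
"""Added example, not from the page or any tool it lists: a minimal BER codec for SNMP v1/v2c."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASN.1 BER tags used by SNMP v1/v2c
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}  # wire value of the leading version INTEGER

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:                        # the rest are base-128, high bit = continue
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def build_get_request(community: str, oids: List[str], request_id: int = 1, version: int = 1) -> bytes:
    """GetRequest as a manager sends it (version 0 = v1, 1 = v2c); the community goes out in cleartext."""
    varbinds = b"".join(tlv(SEQUENCE, ber_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, ber_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)

def build_get_response(community: str, request_id: int, values: List[Tuple[str, str]]) -> bytes:
    """v2c GetResponse as an agent (or an attacker posing as one) returns it; values are OCTET STRINGs."""
    varbinds = b"".join(tlv(SEQUENCE, ber_oid(o) + tlv(OCTET_STRING, v.encode())) for o, v in values)
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, ber_int(1) + tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length (payload > 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _decode_value(tag: int, body: bytes):
    return {INTEGER: lambda: int.from_bytes(body, "big", signed=True),
            OCTET_STRING: lambda: body.decode("latin-1"),
            OID: lambda: _decode_oid(body),
            NULL: lambda: None}.get(tag, lambda: body.hex())()

@dataclass
class SnmpMessage:
    version: str
    community: Optional[str]  # None for v3, which carries a USM header instead
    pdu_type: str
    request_id: int
    varbinds: List[Tuple[str, object]]

def parse_snmp(packet: bytes) -> SnmpMessage:
    """Decode one SNMP datagram exactly as a sniffer sees it in the UDP payload on port 161 or 162."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":                         # nothing to harvest: no community string on the wire
        return SnmpMessage(version, None, "v3-message", -1, [])
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)
    for _ in range(2):                          # skip error-status and error-index
        _, _, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid_body), _decode_value(vtag, vbody)))
    return SnmpMessage(version, comm.decode("latin-1"), PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
                       int.from_bytes(rid, "big", signed=True), varbinds)

# Illustrative heuristic (an assumption, not a standard): characters an NMS must escape before
# rendering an agent-supplied value in HTML or passing it to a shell.
SUSPICIOUS = ("<", ">", '"', "'", ";", "`", "$(", "|")
def untrusted_strings(msg: SnmpMessage) -> List[Tuple[str, str]]:
    return [(oid, v) for oid, v in msg.varbinds
            if isinstance(v, str) and any(c in v for c in SUSPICIOUS)]

# Constructed sample, not a real capture: the v2c GetRequest for sysDescr.0 with community "public"
# (byte-for-byte what build_get_request("public", ["1.3.6.1.2.1.1.1.0"]) produces).
CAPTURED_GET_REQUEST = bytes.fromhex(
    "302602010104067075626c6963a019020101020100020100300e300c06082b060102010101000500")
```

Feed parse_snmp the UDP payload of any packet seen on port 161 or 162 and the community string falls straight out of the second field, with no brute forcing needed; a v3 message returns community=None because a USM header sits there instead, which is exactly why v3 resists the first attack category. Run untrusted_strings over parsed GetResponse or trap varbinds to see what an NMS that renders sysDescr or sysName verbatim would be handing to the browser.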

Tools for SNMP Exploitation

Some common tools to exploit SNMP include the following Metasploit modules:

  • auxiliary/scanner/snmp/snmp_enum
  • auxiliary/scanner/snmp/snmp_enumshares
  • auxiliary/scanner/snmp/snmp_enumusers
  • auxiliary/scanner/snmp/snmp_login
  • exploit/multi/http/hp_sys_mgmt_exec
  • exploit/windows/http/hp_nnm_snmp

and the following Nmap NSE scripts:

  • snmp-brute.nse
  • snmp-win32-software.nse
  • snmp-win32-services.nse

SNMP enumeration attack

Metasploit has many SNMP-related scanners and exploits. You can search for modules by entering any of the following commands at the msfconsole prompt:

search snmp
search scanner name:snmp
search exploit name:snmp -S great

The first lists every module that mentions SNMP, the second narrows the results to scanner modules with snmp in the module name, and the third lists SNMP exploits and then applies the -S filter (a regular expression matched against each result row) so that only modules ranked Great remain.

Note: For more information about SNMP injection-based exploits, see https://information.rapid7.com/managed-to-mangled-snmp-exploits-for-network-management-systems.html