Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. It enables administrators and monitoring systems to query devices such as routers, switches, firewalls, printers, servers, and even UPS systems for performance data, configurations, and health status.
What is SNMP Used For?
SNMP is used for centralized monitoring and management of devices across a network. It allows a central server (the SNMP Manager) to communicate with multiple devices (SNMP Agents) and perform operations such as:
- Querying device information (CPU load, disk usage, memory)
- Modifying configurations remotely (if permitted)
- Receiving alerts or traps when something changes (e.g., interface goes down)
- Monitoring uptime and hardware statuses
- Polling interface statistics, routing tables, SNMP traps, etc.
SNMP Architecture Overview
- SNMP Manager — The system (usually a server or monitoring tool like Zabbix/Nagios) that queries and receives data from SNMP agents.
- SNMP Agent — Software running on the network device that responds to SNMP requests and sends traps to managers.
- Management Information Base (MIB) — A hierarchical database describing the structure of the data that can be queried using SNMP. MIBs define object identifiers (OIDs).
- Object Identifiers (OIDs) — Numeric values (e.g., 1.3.6.1.2.1.1.5.0) used to reference specific data points like system name, uptime, interface speed, etc.
Key Operations in SNMP
| Operation | Description |
|---|---|
| GET | Retrieve the value of a variable |
| SET | Modify the value of a variable (requires RW access) |
| GETNEXT | Retrieve the next variable in the MIB hierarchy |
| WALK | Repeated GETNEXTs that traverse an entire MIB subtree |
| TRAP | Asynchronous notification sent by an agent to a manager |
SNMP Versions
- SNMPv1 — The original version. Very simple and insecure. Uses plaintext community strings like public (read-only) and private (read-write).
- SNMPv2c — An enhancement of v1 that adds GETBULK and improved error messages but still uses plaintext community strings. Most commonly found in vulnerable systems.
- SNMPv3 — Adds security via authentication and encryption (username/password, privacy keys, etc.). Properly configured v3 is considered secure, but many devices still run v1/v2c due to legacy compatibility.
Common OIDs to Know
| OID | Description |
|---|---|
| 1.3.6.1.2.1.1.1.0 | sysDescr (device description) |
| 1.3.6.1.2.1.1.3.0 | sysUpTime |
| 1.3.6.1.2.1.1.5.0 | sysName (hostname) |
| 1.3.6.1.2.1.4.20.1.1 | IP Address table |
| 1.3.6.1.2.1.25.6.3.1.2 | Running software processes |
| 1.3.6.1.4.1 | Enterprise-specific OIDs (often custom) |
Practical SNMP Enumeration
Walk the full MIB of a target using the public community string:
snmpwalk -v2c -c public 10.10.10.1
Retrieve a single OID — in this case the hostname (sysName):
snmpget -v1 -c public 10.10.10.1 1.3.6.1.2.1.1.5.0
Why SNMP Can Be a Vulnerability
SNMP is commonly misconfigured, especially in older or embedded devices (printers, switches, IP cameras, etc.). The biggest risks include:
- Default community strings left in place: public (RO) and private (RW)
- SNMPv1 or v2c in use (no encryption or authentication)
- Access control lists not properly applied (SNMP accessible from any IP)
- SNMP RW access can allow configuration changes or even execution of commands on some systems
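The risks listed above can be checked on the agent side before anyone else finds them. The following is an added example, not code from the original article, that audits a Net-SNMP `snmpd.conf` for them. It assumes Net-SNMP's `rocommunity`/`rwcommunity`/`com2sec` directive syntax; the sample configuration, the function name `audit_snmpd_conf` and the issue labels are constructed for illustration.

```python
import shlex

DEFAULT_STRINGS = {"public", "private"}          # defaults named on this page
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}  # snmpd.conf spellings of "any host"
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONF = """\
# lab switch
rocommunity public
rwcommunity private default
rocommunity m0n1t0r-ro 10.10.10.50
com2sec legacy default public
rouser nmsuser priv
"""

def audit_snmpd_conf(text):
    """Return sorted (line_number, issue) pairs for community-based access."""
    findings = set()
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = shlex.split(line)
        directive = directive.lower()
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity/rwcommunity COMMUNITY [SOURCE [OID]]
            community = args[0]
            source = args[1] if len(args) > 1 else "default"  # no SOURCE = any host
            writable = directive.startswith("rw")
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            # Write access for com2sec is granted elsewhere, so it is not judged here.
            source, community, writable = args[1], args[2], False
        else:
            continue  # SNMPv3 users (rouser/rwuser) carry no community string
        findings.add((number, "plaintext-community"))  # any v1/v2c access
        if community in DEFAULT_STRINGS:
            findings.add((number, "default-community"))
        if source.lower() in OPEN_SOURCES:
            findings.add((number, "no-source-acl"))
        if writable:
            findings.add((number, "read-write-community"))
    return sorted(findings)

if __name__ == "__main__":
    for number, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {number}: {issue}")
```

A line such as `rocommunity m0n1t0r-ro 10.10.10.50` still reports `plaintext-community`: a non-default string with a source restriction narrows exposure, but the string itself still crosses the network unencrypted under v1/v2c.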
Tools
Brute-force community strings using a wordlist:
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.10.10.1
Once a valid community string is found, enumerate the full MIB:
snmpwalk -v2c -c private 10.10.10.1
Summary
SNMP is a powerful network management protocol, but with great power comes great misconfiguration.
It’s extremely useful for sysadmins but equally valuable to attackers when exposed carelessly. Always audit SNMP usage, disable it when unnecessary, restrict it with ACLs, and migrate to SNMPv3 where possible.