Onesixtyone
Onesixtyone is a fast SNMP scanner that brute-forces community strings. It is more efficient than snmpwalk for identifying SNMP services and valid community strings.
Installation
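# Debian/Ubuntu
sudo apt install onesixtyone
# Kali Linux (pre-installed): confirm the binary is on PATH.
# `command -v` is the portable check; `which` is an external tool whose
# output and exit status differ between systems.
command -v onesixtyone
# macOS
brew install onesixtyone
# Build from source
# The clone below is unpinned and `sudo make install` runs the repository's
# Makefile as root. Check out a tag or commit you have reviewed first
# (git checkout <REVIEWED_TAG_OR_COMMIT>) and read the Makefile before the
# install step.
git clone https://github.com/trailofbits/onesixtyone
cd onesixtyone && make && sudo make install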
Basic Usage
| Command | Description |
|---|---|
| `onesixtyone target` | Scan single IP with default communities |
| `onesixtyone -i targets.txt` | Scan IPs from file |
| `onesixtyone -c community target` | Test specific community string |
| `onesixtyone --help` | Show help |
Single Host Scanning
# NOTE(review): upstream usage is `onesixtyone [options] <host> <community>`
# with options -c <communityfile>, -i <inputfile>, -o <outputfile>, -p, -d,
# -s, -w and -q. Several flags below are not in that list; print the usage
# text of your build and confirm before relying on them.
# Scan single IP with built-in wordlist
onesixtyone 192.168.1.1
# Scan with verbose output
# NOTE(review): -v is not in the upstream option list; debug output is -d there.
onesixtyone -v 192.168.1.1
# Custom timeout
# NOTE(review): -t is not in the upstream option list.
onesixtyone -t 2 192.168.1.1
# Specific community string
# NOTE(review): upstream documents -c as a *file* of community names; a single
# string is the second positional argument. Confirm which form your build takes.
onesixtyone -c public 192.168.1.1
# Multiple community strings
# NOTE(review): repeated -c is unconfirmed; a one-name-per-line file is the
# documented way to supply several names.
onesixtyone -c public -c private -c community 192.168.1.1
# Test specific port
onesixtyone -p 161 192.168.1.1
Batch Scanning
# Scan from file (-i takes a file of target hosts)
onesixtyone -i targets.txt
# Scan subnet (CIDR notation)
onesixtyone 192.168.1.0/24
# Scan range
# NOTE(review): -r is not in the upstream option list (-c -i -o -p -d -s -w -q),
# and this page also uses -r for "retries" elsewhere. Confirm against the
# usage text of your build.
onesixtyone -r 192.168.1.1:192.168.1.254
# Multiple targets
# NOTE(review): upstream usage is `<host> <community>`, so a second positional
# argument is presumably read as a community string, not as another host.
# A host file passed with -i is the documented way to give several targets.
onesixtyone 192.168.1.1 192.168.2.1 192.168.3.1
# Scan large network (may be slow)
# NOTE(review): a /8 is about 16.7 million addresses. Upstream builds print a
# compiled-in maximum host count in their usage text; check that it covers a
# range this size.
onesixtyone 10.0.0.0/8
Community String Configuration
Built-in Wordlist
# Uses default wordlist (public, private, manager, cisco, etc.)
# NOTE(review): upstream usage text gives the built-in defaults as only
# "public" and "private"; the longer list above is unconfirmed.
onesixtyone target
# Show default strings being tested
# NOTE(review): -c is documented upstream as taking a community *file*. What an
# empty argument does is not shown on this page; confirm before relying on it.
onesixtyone -c ''
Custom Wordlist
# Point -c at an existing file of community names, one per line
onesixtyone -c /path/to/wordlist.txt target
# Write a 12-entry wordlist to snmp_wordlist.txt, one name per line.
# printf repeats the '%s\n' format for every argument, so each name ends up
# on its own newline-terminated line.
printf '%s\n' \
  public \
  private \
  community \
  COMMUNITY \
  internal \
  external \
  cisco \
  Cisco \
  CISCO \
  read \
  write \
  testing \
  > snmp_wordlist.txt
# Run that list against every host named in targets.txt
onesixtyone -i targets.txt -c snmp_wordlist.txt
Common Community Strings
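# Test standard strings
# NOTE(review): upstream documents -c as a *file* of community names and takes
# a single community string as the second positional argument
# (`onesixtyone <host> <community>`). Confirm which form your build accepts.
onesixtyone -c public target
onesixtyone -c private target
onesixtyone -c community target
onesixtyone -c manager target
onesixtyone -c cisco target
onesixtyone -c testing target
# Test many at once
for community in public private community COMMUNITY internal external testing; do
  # Quoted so a name containing spaces or glob characters reaches the tool
  # as one unmodified argument.
  onesixtyone -c "$community" target
done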
Performance Options
# NOTE(review): upstream options are -c -i -o -p -d -s -w -q. There -s is
# "short mode" (print only IP addresses) and send pacing is -w <milliseconds
# between packets>; -t and -r are not listed. The meanings given below are
# unconfirmed; check the usage text of your build.
# Socket count (parallel connections)
# NOTE(review): no -i here, so targets.txt is presumably read as a host
# argument rather than as a file of hosts.
onesixtyone -s 10 targets.txt
# Timeout per host (seconds)
onesixtyone -t 1 target
# Retries per host
onesixtyone -r 0 target
# Very fast scan
onesixtyone -s 100 -t 1 -r 0 targets.txt
# Slow, thorough scan
onesixtyone -s 1 -t 5 -r 3 targets.txt
# No output until found
# NOTE(review): upstream describes -q as "do not print log to stdout", meant
# to be paired with -o <outputfile>.
onesixtyone -q target
Output Control
# Verbose output
# NOTE(review): -v and -vv are not in the upstream option list; debug output
# there is -d, which can be given twice for more detail.
onesixtyone -v target
# Very verbose
onesixtyone -vv target
# Quiet mode (only found communities)
# NOTE(review): upstream describes -q as "do not print log to stdout", meant
# to be paired with -o <outputfile>; confirm what still reaches stdout.
onesixtyone -q target
# Save results to file
# NOTE(review): no -i here, so targets.txt is presumably treated as a host.
# The results file holds working community strings; store it the way you
# store other recovered credentials.
onesixtyone targets.txt | tee snmp_results.txt
# Grep found communities
# NOTE(review): assumes result lines contain "found". The page shows no sample
# output, so verify the pattern against a real run.
onesixtyone -i targets.txt | grep "found"
Advanced Scanning
# NOTE(review): -v, -u and -R are absent from the upstream option list
# (-c -i -o -p -d -s -w -q). Confirm each against the usage text of your build.
# Specify SNMP version
# NOTE(review): this page also uses -v for "verbose output"; a single flag
# cannot be both a switch and a version selector.
onesixtyone -v 1 target # SNMP v1
onesixtyone -v 2 target # SNMP v2c
# Custom port (-p sets an alternate destination SNMP port)
onesixtyone -p 161 target
onesixtyone -p 1234 target # Non-standard port
# UDP port specification
onesixtyone -u 161 target
# Repeat scan
onesixtyone -R target
# Parallel scanning (max sockets)
# NOTE(review): upstream documents -s as "short mode" with no numeric argument.
onesixtyone -s 50 -i targets.txt
Integration with Other Tools
Feed to snmpwalk
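# Get communities, then enumerate
# NOTE(review): field 3 is assumed to be the community string, and -q is
# assumed to leave results on stdout. Upstream describes -q as suppressing the
# stdout log. Check both against a real run before relying on this pipeline.
onesixtyone -q target | awk '{print $3}' |
while IFS= read -r community; do
  # Scanner output is device-influenced text: read it line by line and skip
  # blanks instead of letting the shell word-split and glob-expand it.
  [ -n "$community" ] || continue
  # A community string passed with -c is visible in the process list while
  # snmpwalk runs.
  snmpwalk -v 2c -c "$community" target
done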
Feed to nmap
# Scan with nmap, find SNMP, then onesixtyone
# NOTE(review): SNMP normally runs over UDP, and `nmap -p 161` without a UDP
# scan type probes TCP 161, so this host list may not reflect SNMP exposure.
# xargs appends every host as a positional argument, while upstream usage is
# `<host> <community>`; writing the hosts to a file and passing it with -i
# avoids that ambiguity.
nmap -p 161 192.168.1.0/24 -oG - | grep open | awk '{print $2}' | xargs onesixtyone
Mass network scanning
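# Scan all networks
# The redirection sits on the loop so snmp_results.txt is opened once and
# every scan appends to it. The file holds working community strings; store
# it the way you store other recovered credentials.
for net in 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24; do
  onesixtyone "$net"
done >> snmp_results.txt
# Extract successful hosts
# NOTE(review): assumes result lines contain "found" and start with the host
# address. The page shows no sample output; verify against a real run.
awk '/found/ {print $1}' snmp_results.txt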
Community String Brute Force
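# All default communities
onesixtyone target
# Custom list file (one per line)
onesixtyone -c wordlist.txt target
# One name at a time, read from the list file
# IFS= and -r keep leading/trailing blanks and backslashes in each name
# intact; the `|| [ -n ... ]` clause still processes a final line that has no
# trailing newline.
# NOTE(review): upstream documents -c as a community *file*, so each name
# passed here is presumably looked up as a file name. The single-string form
# upstream is `onesixtyone <host> <community>`; confirm on your build.
while IFS= read -r community || [ -n "$community" ]; do
  onesixtyone -c "$community" target
done < wordlist.txt
# Search for specific pattern
onesixtyone -c wordlist.txt target | grep -i "company"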
Enterprise SNMP Enumeration
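# Test common enterprise strings
# NOTE(review): upstream documents -c as a community *file*; confirm that your
# build accepts a literal string here.
for community in public private community internal external monitoring admin; do
  # printf with a fixed format prints the name verbatim, whatever it contains.
  printf 'Testing: %s\n' "$community"
  onesixtyone -c "$community" 192.168.1.0/24 | grep "found"
done
# Save all results
# all_results.txt holds working community strings; store it the way you store
# other recovered credentials.
onesixtyone -c wordlist.txt -i targets.txt > all_results.txt
# Count found communities
# NOTE(review): the "found" pattern and the field-3 position below are
# assumptions about the output layout; verify against a real run.
grep -c "found" all_results.txt
# Unique communities found
awk '/found/ {print $3}' all_results.txt | sort -u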
Practical Workflows
Network Reconnaissance
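# Step 1: Find all SNMP hosts
# NOTE(review): SNMP normally runs over UDP, and `nmap -p 161` without a UDP
# scan type probes TCP 161, so this list may not reflect SNMP exposure.
nmap -p 161 192.168.1.0/24 -oG - | grep open | awk '{print $2}' > snmp_hosts.txt
# Step 2: Brute force communities
# found_communities.txt holds working community strings; store it the way you
# store other recovered credentials.
onesixtyone -i snmp_hosts.txt > found_communities.txt
# Step 3: Enumerate with valid communities
# NOTE(review): fields 1 and 3 are assumed to be the host address and the
# community string. The page shows no sample output; verify against a real run.
# Each line is split by `read` itself. Unquoted `echo $line` would word-split
# and glob-expand the text, so bracket or wildcard characters in scanner
# output could be replaced by matching file names.
while read -r ip _ community _; do
  # The address becomes part of an output file name: accept only digits and
  # dots so scanner output cannot steer the write to another path.
  case "$ip" in
    '' | *[!0-9.]*)
      printf 'skipping unexpected line: %s\n' "$ip" >&2
      continue
      ;;
  esac
  [ -n "$community" ] || continue
  printf 'Enumerating %s with %s\n' "$ip" "$community"
  snmpwalk -v 2c -c "$community" "$ip" 1.3.6.1.2.1.1 > "${ip}_sysinfo.txt"
done < found_communities.txt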
Quick Assessment
# Fast scan of subnet
# NOTE(review): this page uses -s / -t / -r as "sockets / timeout / retries".
# Upstream lists -s as "short mode" and does not list -t or -r; its pacing
# option is -w <milliseconds between packets>. Confirm on your build.
time onesixtyone -s 50 -t 1 -r 0 192.168.1.0/24
# Shows time taken and results
Troubleshooting
# No results - check connectivity
# An ICMP reply shows the host is up; it does not show that UDP 161 is
# reachable or that the SNMP agent answers requests from this source address.
ping -c 1 192.168.1.1
# Check if SNMP port is open
# NOTE(review): without a UDP scan type nmap probes TCP 161; SNMP normally
# uses UDP.
nmap -p 161 192.168.1.1
# Increase timeout
# NOTE(review): -t is not in the upstream option list (-c -i -o -p -d -s -w -q).
onesixtyone -t 5 192.168.1.1
# Try different version
# NOTE(review): -v is not in the upstream option list, and this page also uses
# it for "verbose"; confirm against the usage text of your build.
onesixtyone -v 1 target
onesixtyone -v 2 target
# Very verbose for debugging
# NOTE(review): upstream debug output is -d, repeatable for more detail.
onesixtyone -vv target
Performance Tuning
# NOTE(review): every command below passes targets.txt without -i, so it is
# presumably read as a host argument rather than as a file of hosts. Upstream
# lists -s as "short mode" and does not list -t or -r; its pacing option is
# -w <milliseconds between packets>. Confirm on your build.
# Balanced scan
onesixtyone -s 20 -t 2 -r 1 targets.txt
# Fast network scan
onesixtyone -s 100 -t 1 -r 0 targets.txt
# Thorough scan (slower)
onesixtyone -s 5 -t 5 -r 3 targets.txt
# Single-threaded safe scan
onesixtyone -s 1 -t 10 targets.txt
Last updated: March 2026