Ir al contenido
1337skills 1337skills - Hojas de Trucos

Onesixtyone

Onesixtyone is a fast SNMP scanner for community string brute force. More efficient than snmpwalk for identifying SNMP services and valid community strings.

Installation

# Debian/Ubuntu
sudo apt install onesixtyone

# Kali Linux (pre-installed)
which onesixtyone

# macOS
brew install onesixtyone

# Build from source
git clone https://github.com/trailofbits/onesixtyone
cd onesixtyone && make && sudo make install

Basic Usage

CommandDescription
onesixtyone targetScan single IP with default communities
onesixtyone -i targets.txtScan IPs from file
onesixtyone -c community targetTest specific community string
onesixtyone --helpShow help

Single Host Scanning

# Scan single IP with built-in wordlist
onesixtyone 192.168.1.1

# Scan with verbose output
onesixtyone -v 192.168.1.1

# Custom timeout
onesixtyone -t 2 192.168.1.1

# Specific community string
onesixtyone -c public 192.168.1.1

# Multiple community strings
onesixtyone -c public -c private -c community 192.168.1.1

# Test specific port
onesixtyone -p 161 192.168.1.1

Batch Scanning

# Scan from file
onesixtyone -i targets.txt

# Scan subnet (CIDR notation)
onesixtyone 192.168.1.0/24

# Scan range
onesixtyone -r 192.168.1.1:192.168.1.254

# Multiple targets
onesixtyone 192.168.1.1 192.168.2.1 192.168.3.1

# Scan large network (may be slow)
onesixtyone 10.0.0.0/8

Community String Configuration

Built-in Wordlist

# Uses default wordlist (public, private, manager, cisco, etc.)
onesixtyone target

# Show default strings being tested
onesixtyone -c ''

Custom Wordlist

# Use custom community string file
onesixtyone -c /path/to/wordlist.txt target

# Create custom wordlist
cat > snmp_wordlist.txt << EOF
public
private
community
COMMUNITY
internal
external
cisco
Cisco
CISCO
read
write
testing
EOF

# Use it
onesixtyone -i targets.txt -c snmp_wordlist.txt

Common Community Strings

# Test standard strings
onesixtyone -c public target
onesixtyone -c private target
onesixtyone -c community target
onesixtyone -c manager target
onesixtyone -c cisco target
onesixtyone -c testing target

# Test many at once
for community in public private community COMMUNITY internal external testing; do
  onesixtyone -c $community target
done

Performance Options

# Socket count (parallel connections)
onesixtyone -s 10 targets.txt

# Timeout per host (seconds)
onesixtyone -t 1 target

# Retries per host
onesixtyone -r 0 target

# Very fast scan
onesixtyone -s 100 -t 1 -r 0 targets.txt

# Slow, thorough scan
onesixtyone -s 1 -t 5 -r 3 targets.txt

# No output until found
onesixtyone -q target

Output Control

# Verbose output
onesixtyone -v target

# Very verbose
onesixtyone -vv target

# Quiet mode (only found communities)
onesixtyone -q target

# Save results to file
onesixtyone targets.txt | tee snmp_results.txt

# Grep found communities
onesixtyone -i targets.txt | grep "found"

Advanced Scanning

# Specify SNMP version
onesixtyone -v 1 target      # SNMP v1
onesixtyone -v 2 target      # SNMP v2c

# Custom port
onesixtyone -p 161 target
onesixtyone -p 1234 target   # Non-standard port

# UDP port specification
onesixtyone -u 161 target

# Repeat scan
onesixtyone -R target

# Parallel scanning (max sockets)
onesixtyone -s 50 -i targets.txt

Integration with Other Tools

Feed to snmpwalk

# Get communities, then enumerate
for community in $(onesixtyone -q target | awk '{print $3}'); do
  snmpwalk -v 2c -c $community target
done

Feed to nmap

# Scan with nmap, find SNMP, then onesixtyone
nmap -p 161 192.168.1.0/24 -oG - | grep open | awk '{print $2}' | xargs onesixtyone

Mass network scanning

# Scan all networks
for net in 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24; do
  onesixtyone $net >> snmp_results.txt
done

# Extract successful hosts
grep "found" snmp_results.txt | awk '{print $1}'

Community String Brute Force

# All default communities
onesixtyone target

# Custom list file (one per line)
onesixtyone -c wordlist.txt target

# From stdin
cat wordlist.txt | while read community; do
  onesixtyone -c "$community" target
done

# Search for specific pattern
onesixtyone -c wordlist.txt target | grep -i "company"

Enterprise SNMP Enumeration

# Test common enterprise strings
for community in public private community internal external monitoring admin; do
  echo "Testing: $community"
  onesixtyone -c $community 192.168.1.0/24 | grep "found"
done

# Save all results
onesixtyone -c wordlist.txt -i targets.txt > all_results.txt

# Count found communities
grep "found" all_results.txt | wc -l

# Unique communities found
grep "found" all_results.txt | awk '{print $3}' | sort -u

Practical Workflows

Network Reconnaissance

# Step 1: Find all SNMP hosts
nmap -p 161 192.168.1.0/24 -oG - | grep open | awk '{print $2}' > snmp_hosts.txt

# Step 2: Brute force communities
onesixtyone -i snmp_hosts.txt > found_communities.txt

# Step 3: Enumerate with valid communities
while read line; do
  ip=$(echo $line | awk '{print $1}')
  community=$(echo $line | awk '{print $3}')
  echo "Enumerating $ip with $community"
  snmpwalk -v 2c -c $community $ip 1.3.6.1.2.1.1 > ${ip}_sysinfo.txt
done < found_communities.txt

Quick Assessment

# Fast scan of subnet
time onesixtyone -s 50 -t 1 -r 0 192.168.1.0/24

# Shows time taken and results

Troubleshooting

# No results - check connectivity
ping -c 1 192.168.1.1

# Check if SNMP port is open
nmap -p 161 192.168.1.1

# Increase timeout
onesixtyone -t 5 192.168.1.1

# Try different version
onesixtyone -v 1 target
onesixtyone -v 2 target

# Very verbose for debugging
onesixtyone -vv target

Performance Tuning

# Balanced scan
onesixtyone -s 20 -t 2 -r 1 targets.txt

# Fast network scan
onesixtyone -s 100 -t 1 -r 0 targets.txt

# Thorough scan (slower)
onesixtyone -s 5 -t 5 -r 3 targets.txt

# Single-threaded safe scan
onesixtyone -s 1 -t 10 targets.txt

Last updated: March 2026