
snmpcheck

snmpcheck is a command-line utility for SNMP (Simple Network Management Protocol) device enumeration and information gathering. It extracts system information, network configuration, running processes, installed software, and user accounts from SNMP-enabled devices for security auditing and network reconnaissance.

# Debian/Ubuntu installation from the distribution's package repositories.

# Via package manager
sudo apt-get update
sudo apt-get install snmp-mibs-downloader snmp snmpcheck

# Install additional SNMP utilities
# NOTE(review): snmp-mibs-downloader is already installed by the command above.
# snmp-mibs-ubuntu-s1 could not be confirmed as a package name - check it with
# `apt-cache policy snmp-mibs-ubuntu-s1` before relying on this line.
sudo apt-get install snmp-mibs-downloader snmp-mibs-ubuntu-s1

# Verify installation
# NOTE(review): this page uses -v both as a verbose switch and as the SNMP
# version selector (-v 2c, -v 3); `snmpcheck -h` is the authoritative flag list.
snmpcheck -v
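# Install the net-snmp client tools (snmpget, snmpset, snmpwalk)
sudo dnf install net-snmp net-snmp-utils

# Download snmpcheck
# NOTE(review): confirm the file name and version on the project page first.
wget https://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.sh

# This page gives no checksum or signature for the download. Print the digest,
# compare it with a value obtained from a source you trust, and read the script
# before it is installed into a root-owned directory.
sha256sum snmpcheck-1.9.sh

# install(1) sets owner and mode explicitly, so the copy on PATH is root-owned
# and not writable by other users whatever the umask was at download time.
sudo install -o root -g root -m 0755 snmpcheck-1.9.sh /usr/local/bin/snmpcheck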
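# Homebrew
# NOTE(review): these names mirror the Debian package names; confirm they exist
# as formulae with `brew search snmp` (net-snmp is the usual formula - verify).
brew install snmp-mibs-downloader
brew install snmp

# Or manual installation
# --fail makes curl exit non-zero on an HTTP error instead of saving the error
# page as the "script" that would then be installed.
curl --fail --location --output snmpcheck https://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.sh

# This page gives no checksum or signature for the download. Print the digest,
# compare it with a value obtained from a source you trust, and read the script
# before installing it.
shasum -a 256 snmpcheck

# `sudo mv` would keep the file owned by the downloading user, leaving a
# user-writable program on everyone's PATH; install(1) under sudo creates a
# root-owned copy with an explicit mode instead.
sudo install -m 0755 snmpcheck /usr/local/bin/snmpcheck
rm -f -- snmpcheck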
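# Pre-installed in Kali
# NOTE(review): the Kali package is named snmpcheck but, as far as this reviewer
# knows, it installs the command as snmp-check - confirm with `dpkg -L snmpcheck`.
snmpcheck -v

# If not installed
sudo apt install snmpcheck

# Download latest
# (the URL pins release 1.9; check the project page for the current file name)
wget https://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.sh

# This page gives no checksum or signature for the download. Print the digest,
# compare it with a value obtained from a source you trust, and read the script
# before running or installing it (use `shasum -a 256` where sha256sum is absent).
sha256sum snmpcheck-1.9.sh

# Run directly or move to PATH
chmod +x snmpcheck-1.9.sh   # only needed to run it from the current directory
# `sudo mv` would keep the file owned by the downloading user, leaving a
# user-writable program on PATH; install(1) creates a root-owned copy instead.
sudo install -o root -g root -m 0755 snmpcheck-1.9.sh /usr/local/bin/snmpcheck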
| Version | Security | Usage |
|---------|----------|-------|
| SNMPv1 | Plaintext community strings | Legacy, highly insecure |
| SNMPv2c | Plaintext community strings | Common, weak security |
| SNMPv3 | Username/password authentication | Modern, recommended |
# Default community strings
public    # Default read community
private   # Default write community
community # Common naming
# Basic invocations against a single host (192.168.1.100 is a sample address).
# NOTE(review): -v appears here as a verbose switch but further down this page
# as the SNMP version selector (-v 2c, -v 3); both cannot be true of one build.
# snmp-check 1.9 documents -p for the port, -t for the timeout and takes the
# target as a positional argument - confirm every flag on this page against
# `snmpcheck -h` for the release you installed.

# Basic enumeration with default port
snmpcheck -t 192.168.1.100

# Enumeration with custom port
# (161 is the standard SNMP port, so this example does not actually change it)
snmpcheck -t 192.168.1.100:161

# Verbose output
snmpcheck -t 192.168.1.100 -v

# Quiet mode
snmpcheck -t 192.168.1.100 -q
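# Community-string checks against one host. An agent that answers to any of
# these well-known values is still running with vendor or default settings.

# Default community "public"
snmpcheck -t 192.168.1.100 -c public

# Default community "private"
snmpcheck -t 192.168.1.100 -c private

# Custom community string
snmpcheck -t 192.168.1.100 -c mycommunity

# Try multiple strings
# "$comm" is quoted so a community string containing spaces or glob characters
# reaches snmpcheck as a single argument.
for comm in public private community admin; do
  snmpcheck -t 192.168.1.100 -c "$comm"
done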
# Selecting the SNMP protocol version.

# Try SNMPv1 and SNMPv2c
# NOTE(review): no version flag is passed here, so this runs whatever version
# the tool defaults to - presumably only one of the two; confirm in the help text.
snmpcheck -t 192.168.1.100 -c public

# Specify SNMPv2c explicitly
snmpcheck -t 192.168.1.100 -c public -v 2c

# Test SNMPv3 with username/password
# NOTE(review): confirm that the installed snmpcheck supports SNMPv3 and the
# -u/-p options at all; snmp-check 1.9 documents only versions 1 and 2c.
# A password given as an argument is visible in the process list and is saved
# in shell history.
snmpcheck -t 192.168.1.100 -v 3 -u username -p password
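# Full device enumeration
snmpcheck -t 192.168.1.100 -c public -v

# The filters below match substrings of snmpcheck's text output, ignoring case.
# They use grep -E because "|" alternation is standard there, whereas "\|" in a
# basic regular expression is a GNU extension.

# Extract system information
snmpcheck -t 192.168.1.100 -c public | grep -iE 'system|uptime|description'

# Get interfaces information
# ("ip" and "mac" are short enough to match inside other words, e.g. "description")
snmpcheck -t 192.168.1.100 -c public | grep -iE 'interface|ip|mac'

# Find installed software
snmpcheck -t 192.168.1.100 -c public | grep -iE 'software|application|installed'

# Running processes
snmpcheck -t 192.168.1.100 -c public | grep -i 'process'

# Services and daemons
snmpcheck -t 192.168.1.100 -c public | grep -i 'service'

# Applications running
snmpcheck -t 192.168.1.100 -c public | grep -i 'application'

# User accounts
snmpcheck -t 192.168.1.100 -c public | grep -iE 'user|account'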
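# Single device check
snmpcheck -t 192.168.1.100

# Network range scanning
# Walks 192.168.1.1-254 one host at a time with the "public" community.
for ip in $(seq 1 254); do
  echo "Scanning 192.168.1.$ip"
  snmpcheck -t "192.168.1.$ip" -c public -q
done

# Faster parallel scanning
# Runs at most 10 queries at a time. The counter is initialised explicitly so a
# stale value in the shell cannot shift the batches, and is incremented with
# plain arithmetic so the loop also batches correctly in shells without "++".
# Output from concurrent jobs is interleaved on the terminal.
count=0
for ip in $(seq 1 254); do
  snmpcheck -t "192.168.1.$ip" -c public -q &
  count=$((count + 1))
  if [ $((count % 10)) -eq 0 ]; then
    wait
  fi
done
# 254 is not a multiple of 10: collect the last partial batch before moving on.
wait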
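# Network and device details from a gateway (192.168.1.1 is a sample address).
# The filters match substrings of snmpcheck's text output, ignoring case; they
# use grep -E because "|" alternation is standard there, whereas "\|" in a
# basic regular expression is a GNU extension.

# Interfaces and IP configuration
# (-A 5 also prints the five lines after each match)
snmpcheck -t 192.168.1.1 -c public | grep -A 5 'Interface'

# Network routes
snmpcheck -t 192.168.1.1 -c public | grep -i 'route'

# ARP entries
snmpcheck -t 192.168.1.1 -c public | grep -i 'arp'

# Network traffic statistics
snmpcheck -t 192.168.1.1 -c public | grep -iE 'traffic|octets|packets'

# Determine device type
snmpcheck -t 192.168.1.1 -c public | grep -iE 'system|description|platform'

# Firmware/OS version
snmpcheck -t 192.168.1.1 -c public | grep -iE 'version|uptime|build'

# Vendor identification
snmpcheck -t 192.168.1.1 -c public | grep -iE 'vendor|manufacturer|model'

# Serial number retrieval
snmpcheck -t 192.168.1.1 -c public | grep -i 'serial'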
# SNMPv3 examples with user credentials.
# NOTE(review): confirm that the installed snmpcheck supports SNMPv3 and these
# options; snmp-check 1.9 documents only versions 1 and 2c. The option letters
# resemble the net-snmp tools (snmpwalk, snmpget), where -a selects the
# authentication protocol and -A carries the passphrase - the reverse of -A as
# used below.
# A password given as an argument is visible in the process list and is saved
# in shell history; use a dedicated audit account rather than a production one.

# SNMPv3 with credentials
snmpcheck -t 192.168.1.100 -v 3 -u admin -p password

# SNMPv3 with custom port
snmpcheck -t 192.168.1.100:161 -v 3 -u admin -p password

# SNMPv3 with authentication and privacy
snmpcheck -t 192.168.1.100 -v 3 -u admin -p password -l authPriv
# MD5 authentication
# (MD5 and DES are weak and belong to legacy agents only; prefer SHA and AES
# wherever the device supports them)
snmpcheck -t 192.168.1.100 -v 3 -u admin -p password -A MD5

# SHA authentication
snmpcheck -t 192.168.1.100 -v 3 -u admin -p password -A SHA

# DES encryption
snmpcheck -t 192.168.1.100 -v 3 -u admin -p password -x DES

# AES encryption
snmpcheck -t 192.168.1.100 -v 3 -u admin -p password -x AES
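# Saving results. The output holds device inventory (system details, software,
# user accounts), so make files created from here on readable by the current
# user only. This does not change the mode of a file that already exists.
umask 077

# Save to text file
snmpcheck -t 192.168.1.100 -c public > device_scan.txt

# Log with timestamp
# (the file name is quoted so the command substitution stays a single word)
snmpcheck -t 192.168.1.100 -c public | tee "scan_$(date +%Y%m%d_%H%M%S).txt"

# Append to existing file
snmpcheck -t 192.168.1.100 -c public >> scan_results.txt

# Structured output
# (a case-sensitive field filter; -E alternation is portable, "\|" is a GNU extension)
snmpcheck -t 192.168.1.100 -c public | grep -E 'Description|Uptime|Contact'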
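# Single-field lookups: each line filters snmpcheck's text output, ignoring case.

# System description
snmpcheck -t 192.168.1.100 -c public | grep -i 'description'

# System uptime
snmpcheck -t 192.168.1.100 -c public | grep -i 'uptime'

# Contact information
# (-E alternation is portable; "\|" in a basic regular expression is a GNU extension)
snmpcheck -t 192.168.1.100 -c public | grep -iE 'contact|location'

# SNMP configuration
snmpcheck -t 192.168.1.100 -c public | grep -i 'snmp'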
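# Checks for weak SNMP configuration on one host.
# NOTE(review): the two "&&" checks assume snmpcheck exits non-zero when the
# agent rejects the community string; confirm that for your build, otherwise
# they report VULNERABLE for every host.

# Detect public community string
snmpcheck -t 192.168.1.100 -c public -q && echo "VULNERABLE: public string accepted"

# Detect private community string
snmpcheck -t 192.168.1.100 -c private -q && echo "VULNERABLE: private string accepted"

# Check for write access (SNMPv1/v2c)
# A successful set overwrites the device's sysContact, so read the current
# value first and write it back afterwards instead of leaving "test" behind.
# Re-read sysContact afterwards to confirm the original value is in place.
if orig_contact=$(snmpget -v 2c -c private -m ALL -Oqv 192.168.1.100 sysContact.0); then
  if snmpset -v 2c -c private -m ALL 192.168.1.100 sysContact.0 s "test"; then
    snmpset -v 2c -c private -m ALL 192.168.1.100 sysContact.0 s "$orig_contact"
  fi
else
  echo "Could not read sysContact with community private; write test skipped" >&2
fi

# Enumerate users (SNMPv3)
# NOTE(review): no SNMPv3 credentials are passed here; confirm the tool supports
# this mode before relying on the result.
snmpcheck -t 192.168.1.100 -v 3 | grep -iE 'user|username'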
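#!/bin/bash
# Scan multiple devices from list
#
# Queries every device in DEVICES with every community string in COMMUNITIES
# and writes each result to device_<address>_<community>.txt in the current
# directory. Prints a SUCCESS line when snmpcheck exits with status 0.

# Result files hold device inventory; create them readable by this user only.
umask 077

# Arrays keep each entry a separate word without relying on word splitting.
DEVICES=(
  192.168.1.1
  192.168.1.254
  10.0.0.1
)

COMMUNITIES=(public private community)

for device in "${DEVICES[@]}"; do
  echo "Scanning $device"
  for comm in "${COMMUNITIES[@]}"; do
    outfile="device_${device}_${comm}.txt"
    # Test the command directly instead of inspecting $? afterwards.
    # NOTE(review): this assumes snmpcheck exits non-zero when the community
    # string is rejected - confirm; checking for a non-empty file is an alternative.
    # stderr is discarded, so a missing binary or bad flag is silent here.
    if snmpcheck -t "$device" -c "$comm" -q > "$outfile" 2>/dev/null; then
      echo "SUCCESS: $device with community $comm"
    fi
  done
done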
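#!/bin/bash
# Complete network SNMP assessment
#
# Finds live hosts in NETWORK with an nmap ping sweep, queries each one with
# three default community strings, stores every result under OUTPUT_DIR and
# lists the non-empty result files in OUTPUT_DIR/REPORT.txt.

# Result files hold device inventory; keep the directory and files private.
umask 077

NETWORK="192.168.1.0/24"
OUTPUT_DIR="snmp_assessment_$(date +%Y%m%d)"
mkdir -p -- "$OUTPUT_DIR" || exit 1

# -n disables reverse DNS, so every "Nmap scan report for" line carries the
# address in field 5; with name resolution that field would be the host name.
while IFS= read -r ip; do
  echo "Assessing $ip"

  # Try default communities
  for comm in public private community; do
    outfile="$OUTPUT_DIR/${ip}_${comm}.txt"
    # stdin is redirected so snmpcheck cannot consume the host list feeding the loop.
    snmpcheck -t "$ip" -c "$comm" -v > "$outfile" 2>/dev/null < /dev/null

    # NOTE(review): a non-empty file is taken as "responded"; if snmpcheck prints
    # a banner before it fails, this reports false positives - confirm.
    if [ -s "$outfile" ]; then
      echo "FOUND: $ip responds to community: $comm"
    fi
  done
done < <(nmap -sn -n "$NETWORK" | awk '/^Nmap scan report for/ {print $5}')

# Generate summary report
report="$OUTPUT_DIR/REPORT.txt"
echo "=== SNMP Devices Found ===" > "$report"
find "$OUTPUT_DIR" -name "*.txt" -type f ! -name "REPORT.txt" | \
  while IFS= read -r file; do
    if [ -s "$file" ]; then
      echo "File: $file" >> "$report"
    fi
  done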
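#!/bin/bash
# Monitor device for changes
#
# Keeps a baseline snmpcheck report for TARGET and diffs a fresh report
# against it on every run. Files are written to the current directory.
# Values that change on every poll (uptime, traffic counters) will show up as
# differences each time; filter them out before diffing if that is noise.
# The baseline is only as trustworthy as the directory it lives in: keep it
# where nothing but the monitoring account can write.

# Reports hold device inventory; create them readable by this user only.
umask 077

TARGET="192.168.1.100"
COMMUNITY="public"
BASELINE_FILE="baseline_${TARGET}.txt"

# Create baseline
# -s rather than -f: an empty file left by an earlier failed scan is not a
# usable baseline and is regenerated.
if [ ! -s "$BASELINE_FILE" ]; then
  snmpcheck -t "$TARGET" -c "$COMMUNITY" > "$BASELINE_FILE"
  if [ ! -s "$BASELINE_FILE" ]; then
    echo "Baseline scan of $TARGET produced no output; not keeping it" >&2
    rm -f -- "$BASELINE_FILE"
    exit 1
  fi
  echo "Baseline created: $BASELINE_FILE"
fi

# Compare current state
snmpcheck -t "$TARGET" -c "$COMMUNITY" > current_state.txt
# A failed scan would otherwise be reported as "everything changed".
if [ ! -s current_state.txt ]; then
  echo "Current scan of $TARGET produced no output; skipping comparison" >&2
  exit 1
fi
diff -- "$BASELINE_FILE" current_state.txt > changes.diff

if [ -s changes.diff ]; then
  echo "Changes detected:"
  cat changes.diff
else
  echo "No changes detected"
fi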
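# Platform-specific lookups. Each line filters snmpcheck's text output for a
# keyword, ignoring case; a match only means the word appears in the report.

# Cisco devices
snmpcheck -t 192.168.1.1 -c public | grep -i 'cisco'

# Juniper devices
snmpcheck -t 192.168.1.1 -c public | grep -i 'juniper'

# Interface enumeration
# (head -20 keeps the first 20 matching lines)
snmpcheck -t 192.168.1.1 -c public | grep -i 'interface' | head -20

# VLAN information
snmpcheck -t 192.168.1.1 -c public | grep -i 'vlan'

# Windows server SNMP
snmpcheck -t 192.168.1.50 -c public | grep -i 'windows'

# Linux/Unix systems
snmpcheck -t 192.168.1.60 -c public | grep -i 'linux'

# Installed services
# (-E alternation is portable; "\|" in a basic regular expression is a GNU extension)
snmpcheck -t 192.168.1.50 -c public | grep -iE 'service|software'

# Running processes
snmpcheck -t 192.168.1.50 -c public | grep -i 'process'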
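# Network printer enumeration
snmpcheck -t 192.168.1.200 -c public

# IoT device discovery
# Batched ten at a time, like the parallel scan earlier on this page, instead of
# starting 254 background jobs at once; the final wait keeps the jobs from
# outliving the loop and printing over later commands.
count=0
for ip in $(seq 1 254); do
  snmpcheck -t "192.168.1.$ip" -c public -q &
  count=$((count + 1))
  if [ $((count % 10)) -eq 0 ]; then
    wait
  fi
done
wait

# Toner levels and status
# (-E alternation is portable; "\|" in a basic regular expression is a GNU extension)
snmpcheck -t 192.168.1.200 -c public | grep -iE 'toner|status'

# Device serial numbers
snmpcheck -t 192.168.1.200 -c public | grep -i 'serial'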
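# Troubleshooting: no response from the target.

# Verify connectivity
# (-c 4 sends four probes and exits; without it ping runs until interrupted)
ping -c 4 192.168.1.100

# Check port accessibility
# SNMP listens on UDP, so nc needs -u; without it this tests TCP port 161.
# UDP gives no handshake: "open" only means no ICMP rejection came back.
nc -zvu 192.168.1.100 161

# Verify SNMP is running
# (nmap UDP scans need root privileges)
sudo nmap -sU -p 161 192.168.1.100

# Try different community string
snmpcheck -t 192.168.1.100 -c custom_community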
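# Troubleshooting: the command fails to start.

# Check system permissions
# NOTE(review): an SNMP query does not normally need root. If this works where
# the unprivileged call fails, fix the file permissions of the installed script
# rather than running a downloaded tool as root routinely.
sudo snmpcheck -t 192.168.1.100 -c public

# Verify SNMP installation
# (command -v is the shell builtin way to resolve a command; `which` is an
# external program whose output format varies between systems)
command -v snmpcheck
snmpcheck -v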
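# Troubleshooting: scans are slow.

# Reduce timeout
# NOTE(review): -q is described as quiet mode earlier on this page and no timeout
# value is passed here; look up the timeout option in `snmpcheck -h`.
snmpcheck -t 192.168.1.100 -c public -q

# Try single port
snmpcheck -t 192.168.1.100:161 -c public

# Parallel processing
# Batched ten at a time, like the parallel scan earlier on this page, instead of
# starting 254 background jobs at once; the final wait collects the last batch.
count=0
for ip in $(seq 1 254); do
  snmpcheck -t "192.168.1.$ip" -c public -q &
  count=$((count + 1))
  if [ $((count % 10)) -eq 0 ]; then
    wait
  fi
done
wait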
  • nmap: Network discovery with SNMP scripts (nmap -sU -p 161 -sV)
  • Wireshark: SNMP packet capture and analysis
  • net-snmp: SNMP command-line utilities (snmpget, snmpset)
  • SNMP Exporter: Prometheus monitoring of SNMP devices
  • Zabbix: Network monitoring with SNMP integration
  1. Authorization: Only audit SNMP on authorized devices
  2. Community Strings: Change default public/private strings
  3. Access Control: Restrict SNMP to trusted networks
  4. SNMPv3: Use SNMPv3 for authentication and encryption
  5. Monitoring: Log and monitor SNMP queries
  6. Filtering: Block SNMP at network edge if not needed
  • SNMP v1/v2c sends credentials in plaintext
  • Review the enumerated information for sensitive data exposure
  • SNMP write access (private community) allows configuration changes
  • Monitor network logs for unauthorized SNMP queries
  • Implement network segmentation to limit SNMP exposure