Snmpwalk
Snmpwalk is a command-line application that queries SNMP agents and retrieves device information. It is used for network reconnaissance and device enumeration.
Installation
# Debian/Ubuntu
sudo apt install snmp snmp-mibs-downloader
# Kali Linux (pre-installed)
which snmpwalk
# CentOS/RHEL
sudo yum install net-snmp-utils
# macOS
brew install net-snmp
Basic Commands
| Command | Description |
|---|---|
| snmpwalk -v 1 -c public target | SNMP v1 enumeration |
| snmpwalk -v 2c -c public target | SNMP v2c enumeration |
| snmpwalk -v 3 -u user target | SNMP v3 enumeration |
| snmpwalk -h | Show help |
SNMP Versions
# Version 1 (no encryption)
snmpwalk -v 1 -c public 192.168.1.1
# Version 2c (no encryption)
snmpwalk -v 2c -c public 192.168.1.1
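# Version 3 with authentication only (authNoPriv, payload is not encrypted)
snmpwalk -v 3 -l authNoPriv -u username -a MD5 -A password target
# Version 3 with authentication and privacy (authPriv, payload is encrypted)
snmpwalk -v 3 -l authPriv -u username -a MD5 -A password -x DES -X privpass target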
Common OID Trees
| OID | Description |
|---|---|
| 1.3.6.1.2.1.1 | System information (sysDescr, sysUpTime, sysContact) |
| 1.3.6.1.2.1.25.3.2 | Device table (hrDeviceTable) |
| 1.3.6.1.2.1.25.4.2 | Running processes: names and paths (hrSWRunTable) |
| 1.3.6.1.2.1.6.13.1 | Network connections (TCP) |
| 1.3.6.1.2.1.7.5.1 | UDP endpoint information |
| 1.3.6.1.2.1.25.6 | Software installed |
| 1.3.6.1.2.1.2 | Network interfaces |
| 1.3.6.1.4.1.77.1.2.25 | Windows user accounts (LAN Manager MIB) |
Full Enumeration
# Walk the complete mib-2 subtree
snmpwalk -v 2c -c public 192.168.1.1 1.3.6.1.2.1
# System information
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1
# Process enumeration
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.4.2.1.2
# Installed software
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.6.3.1.2
# Network interfaces
snmpwalk -v 2c -c public target 1.3.6.1.2.1.2.2.1
# TCP connections
snmpwalk -v 2c -c public target 1.3.6.1.2.1.6.13.1.3
Community String Enumeration
# Default public community
snmpwalk -v 2c -c public target
# Default private community
snmpwalk -v 2c -c private target
# Common community strings
snmpwalk -v 2c -c community target
snmpwalk -v 2c -c COMMUNITY target
snmpwalk -v 2c -c internal target
snmpwalk -v 2c -c external target
snmpwalk -v 2c -c cisco target
Windows-Specific OIDs
# Windows processes (hrSWRunName)
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.4.2.1.2
# Windows user accounts (LAN Manager MIB)
snmpwalk -v 2c -c public target 1.3.6.1.4.1.77.1.2.25
# Processor table via HOST-RESOURCES (hrProcessorTable)
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.3.3.1
# Windows devices, including disks (hrDeviceTable)
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.3.2.1
Advanced Options
# Numeric output (faster)
snmpwalk -v 2c -c public -On target 1.3.6.1.2.1.1
# No symbolic translation of enumerated values
snmpwalk -v 2c -c public -Oe target 1.3.6.1.2.1.1
# Timeout specification (seconds)
snmpwalk -v 2c -c public -t 10 target 1.3.6.1.2.1.1
# Retries
snmpwalk -v 2c -c public -r 2 target 1.3.6.1.2.1.1
# Verbose output (dump the raw SNMP packets)
snmpwalk -v 2c -c public -d target 1.3.6.1.2.1.1
# Show OIDs in numeric format
snmpwalk -v 2c -c public -O n target 1.3.6.1.2.1.1
Output Filtering
# Save to file
snmpwalk -v 2c -c public target > snmp_dump.txt
# Grep for specific values
snmpwalk -v 2c -c public target | grep -i windows
# Extract running processes
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.4.2.1.2 | grep STRING
# Find SQL Server instances
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.4.2.1.2 | grep -i sql
# List installed applications
snmpwalk -v 2c -c public target 1.3.6.1.2.1.25.6.3.1.2
SNMP v3 Authentication
# MD5 authentication only
snmpwalk -v 3 -l authNoPriv -u username -a MD5 -A "password" target 1.3.6.1.2.1.1
# SHA authentication only
snmpwalk -v 3 -l authNoPriv -u username -a SHA -A "password" target 1.3.6.1.2.1.1
# DES encryption + SHA auth
snmpwalk -v 3 -l authPriv -u username -a SHA -A "authpass" -x DES -X "privpass" target
# AES encryption + SHA auth
snmpwalk -v 3 -l authPriv -u username -a SHA -A "authpass" -x AES -X "privpass" target
# Context name specification (-n; -c is the v1/v2c community option)
snmpwalk -v 3 -u user -n contextname target 1.3.6.1.2.1.1
Community String Brute Force
# Using onesixtyone (faster)
onesixtyone -c wordlist.txt 192.168.1.0/24
# Using nmap SNMP NSE (SNMP runs over UDP, so a UDP scan is required)
nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=wordlist.txt target
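Seen from the agent's side, the community strings and SNMPv3 options listed on this page can be checked against the agent's own configuration. The script below is an added example, not part of the original cheat sheet; it assumes net-snmp `snmpd.conf` directive syntax without `-e`/`-s` option fields, and `audit_snmpd_conf`, `sample_conf` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit net-snmp snmpd.conf text for settings that the walks and
# community guesses above succeed against. Output: "<line>:<severity>:<message>".
# Returns 1 when there is at least one finding. Assumes no -e/-s option fields.
audit_snmpd_conf() {
    awk '
    function report(sev, msg) { printf "%d:%s:%s\n", NR, sev, msg; found = 1 }
    BEGIN {   # community strings listed on this page
        n = split("public private community COMMUNITY internal external cisco", w, " ")
        for (i = 1; i <= n; i++) weak[w[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    # rocommunity|rwcommunity NAME [SOURCE [OID]], plus the IPv6 variants
    $1 ~ /^r[ow]community6?$/ {
        if ($2 in weak) report("HIGH", "guessable community " $2)
        if ($1 ~ /^rw/) report("HIGH", "write access over v1/v2c community " $2)
        if ($3 == "" || $3 == "default") report("MEDIUM", "community " $2 " accepted from any source")
    }
    # com2sec SECNAME SOURCE COMMUNITY
    $1 == "com2sec" && ($4 in weak) { report("HIGH", "guessable community " $4) }
    # createUser NAME AUTHPROTO AUTHPASS [PRIVPROTO [PRIVPASS]]
    $1 == "createUser" {
        if ($3 == "MD5") report("MEDIUM", "user " $2 " authenticates with MD5")
        if ($5 == "")    report("MEDIUM", "user " $2 " has no privacy protocol")
        if ($5 == "DES") report("MEDIUM", "user " $2 " encrypts with DES")
    }
    # rouser|rwuser NAME [noauth|auth|priv]
    $1 ~ /^r[ow]user$/ && $3 != "priv" { report("MEDIUM", "user " $2 " may connect without authPriv") }
    END { exit found + 0 }
    ' "${1:--}"
}

# Constructed sample configuration (not taken from a real device).
sample_conf() {
    cat <<'EOF'
# constructed example
rocommunity public
rwcommunity s3cr3t-Rw 10.0.0.5
rocommunity n0t-Listed 10.0.0.0/24
createUser monitor MD5 "authpass" DES "privpass"
createUser backup SHA "authpass" AES "privpass"
rouser monitor
rouser backup priv
EOF
}

sample_conf | audit_snmpd_conf || echo "findings present"
```

Pass a file path as the first argument to audit a real configuration; with no argument the function reads standard input.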
Troubleshooting
# Test connectivity
snmpwalk -v 2c -c public -t 5 target 1.3.6.1.2.1.1.1.0
# Increase timeout for slow devices
snmpwalk -v 2c -c public -t 30 target 1.3.6.1.2.1.1
# Dump raw SNMP packets to diagnose errors
snmpwalk -v 2c -c public -d target 1.3.6.1.2.1.1
# Check for firewall blocking (SNMP uses UDP port 161)
sudo nmap -sU -p 161 target
Common Payloads
# System reconnaissance
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1
# OS detection
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1.1.0
# Uptime info
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1.3.0
# Contact information
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1.4.0
# System name
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1.5.0
# Location
snmpwalk -v 2c -c public target 1.3.6.1.2.1.1.6.0
Last updated: March 2026