One way to assess the security of SNMP on a network is to use an SNMP scanner. An SNMP scanner is a tool that sends SNMP requests to multiple IP addresses, trying different community strings and waiting for a reply. A successful reply indicates that the device is running SNMP and that the community string is valid. The reply also contains valuable information about the device, such as its system description, which can be used for further enumeration or exploitation.
Most SNMP scanners, however, are inefficient: they send one request at a time and wait for a reply (or a timeout) before sending the next. A scanner working this way spends most of its time waiting for replies that will never come, because the host is down, is not running an SNMP agent, or is using a different community string. UDP makes this worse. There is no handshake, an SNMPv1/v2c agent silently discards a request carrying the wrong community string, and the ICMP port-unreachable message a closed port would generate is often filtered or rate-limited. Silence therefore does not tell the scanner whether the port is closed, the packet was dropped, or the community string was simply wrong, so every probe has to run to its full timeout.
onesixtyone is an SNMP scanner that takes a different approach to overcome these limitations. Because SNMP runs over connectionless UDP, it sends every request back to back, with only a small configurable delay between packets, without waiting for any answer. It then spends a single wait period collecting whatever replies come back and logs them, much as an Nmap ping sweep does. The cost of a non-responsive host drops from one timeout per probe to the time needed to transmit the packet, so onesixtyone can cover thousands of addresses in seconds.
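The sweep described above, written out as an added example in Python (this is not onesixtyone's own code, which is C): a hand-built SNMPv1 GetRequest for sysDescr.0, a decoder for the GetResponse an agent sends back, and a sender that transmits every (host, community) probe first and only then collects replies against one shared deadline. build_message with tag 0xA2 stands in for the agent so the decoder can be exercised offline; the encodings are standard BER, and the sysDescr text used in testing is constructed, not captured from a real device.

```python
import select
import socket
import time

SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # system.sysDescr.0, the one object onesixtyone asks for


def ber_len(n):
    """BER length octets: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(v):
    """INTEGER (tag 0x02): minimal two's-complement encoding of a non-negative value."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def encode_oid(oid):
    """OBJECT IDENTIFIER body: first two arcs share one byte, the rest are base-128 with continuation bits."""
    out = [40 * oid[0] + oid[1]]
    for sub in oid[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_message(pdu_tag, community, request_id, value_tlv=tlv(0x05, b""), oid=SYSDESCR_OID):
    """SNMPv1 message: version 0, community, PDU(request-id, error-status 0, error-index 0, one varbind).
    Tag 0xA0 with the default NULL value is the GetRequest a scanner sends; 0xA2 with an OCTET STRING
    value is the GetResponse an agent returns (built here only to produce test traffic offline)."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + value_tlv)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos; short and long length forms, bounds checked."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(pkt):
    """Decode a GetResponse into a dict; None for anything that is not a well-formed GetResponse."""
    try:
        _, msg, _ = read_tlv(pkt, 0)
        _, _version, p = read_tlv(msg, 0)
        _, community, p = read_tlv(msg, p)
        tag, pdu, _ = read_tlv(msg, p)
        if tag != 0xA2:
            return None
        _, rid, q = read_tlv(pdu, 0)
        _, err, q = read_tlv(pdu, q)
        _, _index, q = read_tlv(pdu, q)
        _, vbl, _ = read_tlv(pdu, q)
        _, vb, _ = read_tlv(vbl, 0)
        _, _oid, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
    except (IndexError, ValueError):
        return None
    error_status = int.from_bytes(err, "big", signed=True)
    # Any reply at all proves the community string was accepted: a wrong one gets silence, not an error PDU.
    return {
        "community": community.decode("ascii", "replace"),
        "request_id": int.from_bytes(rid, "big", signed=True),
        "error_status": error_status,
        "value": val.decode("utf-8", "replace") if error_status == 0 and vtag == 0x04 else None,
    }


def sweep(targets, communities, timeout=2.0, delay=0.01, port=161):
    """Fire one GetRequest per (target, community) without waiting, then harvest replies until a shared deadline."""
    outstanding = {}  # request_id -> (target, community): replies only count if we actually sent the probe
    request_id, results = 1, []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for target in targets:
            for community in communities:
                sock.sendto(build_message(0xA0, community, request_id), (target, port))
                outstanding[request_id] = (target, community)
                request_id += 1
                time.sleep(delay)  # small inter-packet gap, like onesixtyone's default 10 ms
        deadline = time.monotonic() + timeout  # one wait for the whole sweep, not one timeout per probe
        while (remaining := deadline - time.monotonic()) > 0:
            ready, _, _ = select.select([sock], [], [], remaining)
            if not ready:
                break
            data, (src, _) = sock.recvfrom(65535)
            reply = parse_get_response(data)
            if reply and reply["request_id"] in outstanding:
                results.append((src, reply["community"], reply["value"]))
    return results
```

A call such as sweep(["192.168.0.1", "192.168.0.10"], ["public", "private"]) (addresses assumed for illustration) returns one (source address, community, sysDescr) tuple per answering agent; hosts that never reply cost nothing beyond their send time. Replies are matched to sent request-ids so a stray or spoofed datagram arriving on the socket is not logged as a hit, and a reply with a non-zero error-status is still reported, because for SNMPv1 the mere existence of a reply shows the community string was accepted.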
onesixtyone was originally written by Solar Eclipse in the early 2000s and is now maintained in the trailofbits/onesixtyone repository on GitHub. Version 0.3.2 has been packaged by Linux distributions for many years. The scanner takes a list of target hosts and a list of community strings and tries every combination in a single run; it always requests the same single object, system.sysDescr.0, rather than a user-chosen OID, so it is an enumeration tool rather than a general SNMP query client.
onesixtyone is written in C and builds on Linux and other Unix-like systems; it is packaged by Kali Linux, Debian and Fedora. Its command-line interface is small: the two positional arguments are a target host and a community string, -c <file> supplies a file of community strings to try instead, -i <file> supplies a file of target hosts (one per line), and -o <file> writes the results to a log. For example, to try the community string public against a single device:
onesixtyone 192.168.0.1 public
To sweep the 192.168.0.0/24 subnet with several community strings, generate the host list first and pass both files:
for i in $(seq 1 254); do echo 192.168.0.$i; done > hosts.txt
printf 'public\nprivate\n' > communities.txt
onesixtyone -c communities.txt -i hosts.txt -o scan.log
Each probe asks for the system.sysDescr.0 value (OID 1.3.6.1.2.1.1.1.0), an object present on almost every SNMP-enabled device. Its value is a free-text description of the system and the software it runs. Here is an excerpt of a log file generated by onesixtyone:
192.168.0.1 [public] Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE4
192.168.0.10 [public] Linux server.example.com 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
192.168.0.20 [public] HP ETHERNET MULTI-ENVIRONMENT
192.168.0.30 [public] Brother NC-6800h
192.168.0.40 [public] Hardware: Intel64 Family 6 Model 158 Stepping 10 AT/AT COMPATIBLE - Software: Windows Version 10 (Build 19041 Multiprocessor Free)
Each line gives the responding address, the community string that was accepted (in brackets) and the device's own description of itself, from which vendor, model, software version and often hostname can be read off directly. The bracketed value is a finding in its own right: public is the default read-only community on many devices, and because SNMPv1 and v2c send the community string in cleartext, any device that answers it hands the same inventory data to anyone on the network path. Note also that sysDescr is self-reported and can be changed by the administrator, so treat it as a strong hint rather than proof of what is running.
onesixtyone is a powerful and efficient tool for scanning SNMP on large networks quickly and easily. It can help network administrators to identify and secure SNMP devices, and also assist penetration testers and security researchers in finding potential targets and vulnerabilities. onesixtyone is available for download from GitHub, where you can also find the source code, documentation, and bug reports.