Simple Network Management Protocol (SNMP) was designed in an era when internal networks were considered implicitly trusted environments. Decades later, it remains the backbone of network monitoring, yet it is frequently the most critical vulnerability in modern infrastructure.
While the danger of plain-text community strings in SNMPv1 and v2c is well-documented, the true catastrophic potential of this protocol is rarely understood until it is weaponized during a deep-dive audit. Leaving a Read-Only (RO) string as public or a Read-Write (RW) string as private does not just leak statistics—it provides a comprehensive architectural blueprint and a direct vector for total network hijacking and remote code execution (RCE).
A common misconception is that a Read-Only string is a low-severity information disclosure. In reality, snmpwalk can be used to meticulously map a target's internal state, bypassing the need for noisy port scans that trigger Intrusion Detection Systems (IDS).
One of the most critical phases of reconnaissance is user enumeration. By querying specific Object Identifiers (OIDs), an auditor can extract internal User IDs (UIDs), usernames, and running process contexts.
(Note: snmpwalk is used to systematically query a tree of information using GETNEXT requests. To extract data, we "walk" specific MIBs).
If the target is a Windows machine running an SNMP agent, the LanManager MIB frequently exposes local user accounts.
For Linux servers and core routers, enumerating the Host Resources MIB (hrSWRunTable) is vital. This reveals every running process, its path, and the parameters it was launched with. Administrators frequently pass credentials, UIDs, or sensitive configuration paths directly in the command line execution, which SNMP happily broadcasts.
With this data, the attacker maps the exact OS, the software stack, and the administrative usernames required for the next phase of the attack.
If the blueprint is acquired via snmpwalk, the actual hijacking is executed via snmpset. This tool sends SET requests to alter the values of specific OIDs, provided the auditor has discovered the Read-Write community string (often left as private, admin, or write).
When RW access is achieved, the network infrastructure is fundamentally compromised.
Routers rely on their routing tables to direct traffic. With RW access, an attacker does not need to intercept traffic physically; they can instruct the router to send it to them.
By modifying the ipRouteTable (OID 1.3.6.1.2.1.4.21), an attacker can inject a malicious route. For example, they can redirect all traffic destined for a secure internal subnet (like an HR database or authentication server) to a rogue machine under their control. The rogue machine captures the packets, records the data, and forwards it to the original destination, executing a perfect, silent Man-in-the-Middle (MitM) attack.
Cisco and other enterprise routers allow administrators to pull configuration files via Trivial File Transfer Protocol (TFTP). An attacker with RW SNMP access can trigger this mechanism maliciously.
By setting the ccCopyTable OIDs, the attacker instructs the router to reach out to an attacker-controlled TFTP server, download a new, malicious configuration file, and apply it to the running memory. This can be used to instantly wipe all legitimate administrative access, open external Telnet/SSH ports, and permanently backdoor the appliance.
The most devastating consequence of an exposed RW community string occurs on Linux servers running the net-snmp daemon.
If the NET-SNMP-EXTEND-MIB is loaded, the protocol allows administrators to extend SNMP's functionality by running local shell scripts and returning the output. If an attacker has RW access, they can use snmpset to dynamically inject an arbitrary command into the daemon, and then use snmpwalk to execute it and read the result.
Here is how an arbitrary command (e.g., retrieving the /etc/shadow file or establishing a reverse shell) is injected and triggered.
Step 1: Injecting the Command via snmpset
The attacker creates a new "extension" row, defining the exact binary to run and the arguments to pass.
(The long numeric strings represent the ASCII hex equivalent of the string "audit_cmd" appended to the base OID).
Step 2: Triggering the Execution via snmpwalk
Once the configuration is set, the attacker simply queries the newly created OID. When the SNMP daemon receives the GET request, it executes the payload to generate the answer.
At this moment, the network monitoring protocol has been leveraged to grant root-level execution on the target server.