Explain SNMP Enumeration.

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

Almost all network infrastructure devices, such as routers and switches and including Windows systems, contain an SNMP agent to manage the system or device. The SNMP management station sends requests to agents, and the agents send back replies. The requests and replies refer to configuration variables accessible by agent software. Management stations can also send requests to set values for certain variables. Traps let the management station know that something significant has happened in the agent software, such as a reboot or an interface failure. Management Information Base (MIB) is the database of configuration variables that resides on the networking device.

SNMP has two passwords you can use to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string; it's for changing or editing the configuration on the device. Generally, the default read community string is public and the default read/write community string is private. A common security loophole occurs when the community strings are left at the default settings: a hacker can use these default passwords to view or change the device configuration.


The simplest way to prevent SNMP enumeration is to remove the SNMP agent on the potential target systems or turn off the SNMP service. If shutting off SNMP isn't an option, then change the default read and read/write community names.In addition, an administrator can implement the Group Policy security option Additional Restrictions For Anonymous Connections, which restricts SNMP connections.


Network/infrastructure testing cases - describe possible insecure wireless configuration issues.

Wireless access is enabled (and not required)? Wireless access is configured with open access? SSID suppressed/not broadcast? not ideal, will confuse users, hackers can find it.

MAC address filtering? not ideal, can be spoofed

Wireless access point uses WEP? Wireless passphrase is easily-guessable? 

Bluetooth access is enabled (and not required)? Bluetooth pairing is not configured with authentication?


Network/infrastructure testing cases - describe possible insecure DNS configuration issues.

Does the DNS service allow unauthorized zone transfers? Is the DNS service vulnerable to cache poisoning? Does the DNS service allow unauthorized dynamic updates?


Network/infrastructure testing cases - describe possible insecure NTP configuration issues.

Is the system configured for NTP? Is NTP from an authenticated and authorized source?


Network/infrastructure testing cases - describe possible unnecessary services.

Is FTP (21/TCP) enabled? Is anonymous FTP login allowed? Is TFTP enabled and not necessary? Is DHCP enabled and not necessary? Is DNS enabled and not necessary? Are unnecessary routing protocols (e.g. BGP, EIGRP, OSPF, RIP, VRRP, GLBP, VTP, DTP) enabled? Are other unnecessary protocols (e.g. echo, finger, chargen) enabled?


Network/infrastructure testing cases - describe possible insecure remote administration issues.

Is Telnet (23/TCP) running on the system? Is HTTP login enabled on the system? If HTTPS is enabled, are weak ciphersand protocols suported? If SSH is enabled, is SSHv1 supported? Is SNMP v1 or 2c supported? Is the administrative interface accessible over other clear-text protocols (e.g. rlogin, rsh)?​

Wow you made it to the end. That's all we have so far. You probably have some inside knowledge of your own. Send it our way, we'll review, and post.

You can then come back and refresh your memory, with your own...memories.