SNMPwn is an SNMPv3 user enumerator and attack tool. It is a legitimate security tool designed to be used by security professionals and penetration testers against hosts you have permission to test. It takes advantage of the fact that SNMPv3 systems will respond with "Unknown user name" when an SNMP user does not exist, allowing us to cycle through large lists of users to find the ones that do.
Built for and tested on Kali Linux 2.x rolling. Should work on any Linux platform but does not work currently on Mac OSX, but will when I get around to it. This is due to the stdout messages for snmpwalk on OSX being different. This script basically wraps snmpwalk. The version of snmpwalk I used was 5.7.3.
git clone https://github.com/hatlord/snmpwn.git cd snmpwn gem install bundler bundle install ./snmpwn.rb
Built for Ruby 2.3.x. Older versions of Ruby may work, but older than 1.9 may not.
You need to provide the script a list of users, a hosts list, a password list and an encryption password list. Basic users.txt and passwords.txt files are included. You could use passwords.txt for your encryption list also. I would recommend generating one specific to the organisation you are pen testing.
The command line options are available via
--help as always and should be clear enough. The only ones I would make specific comment on are:
--showfail - This will show you all password attack attempts, both successful and failed. It clutters the console output though, so if you do not choose this option you will get a spinning progress indicator instead.
--timeout - This is the timeout in milliseconds for the command response, which in this case is snmpwalk. It is set to 0.3 by default, which is 300 milliseconds. If you are testing hosts across a slow link you are going to want to extend this. I wouldn't personally go lower than 300 or results may become unreliable.
./snmpwn.rb --hosts hosts.txt --users users.txt --passlist passwords.txt --enclist passwords.txt