> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credential-recovery/separate-service/trick-0244.md).

# SNMP Enumeration for Exposed Credentials

***

Enumerate SNMP information, often using default community strings like `public`, to potentially find sensitive details including credentials leaked in process command lines. A community string acts like a password, controlling access to the SNMP agent on a device. The strings `public` (typically read-only) and `private` (typically read-write) are widely known default values. Devices configured with these default strings are vulnerable to information disclosure.

```bash
snmpwalk -v1 -c public <target_IP>
```

Examine the output, particularly sections related to running processes and their command-line arguments, for hardcoded credentials or other sensitive information. Misconfigured SNMP can expose details like `/usr/bin/host_check -u daniel -p HotelBabylon23`. Enumerating SNMP can reveal system information, network interfaces, installed software, and running processes, among other data points, depending on the MIBs supported and the access level granted by the community string. Using default or easily guessable community strings allows attackers to gather significant information about the target system without authentication.
