> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0185.md).

# Credential Discovery in SNMP Config

***

After gaining access to a Linux system, check the SNMP configuration file for embedded credentials. The primary configuration file is typically located at `/etc/snmp/snmpd.conf`.

```bash
cat /etc/snmp/snmpd.conf
```

Look for lines specifying user creation, such as those using `createUser`. These lines define SNMPv3 users and can contain plain text passwords or weakly obscured hashes for authentication and privacy. The notes indicate finding a line like `createUser bootstrap MD5 [REDACTED] DES`, which revealed a password that could be reused for other users or services on the system.

Configuration examples often show the syntax for creating users with different security levels:

```
createUser authOnlyUser MD5 "authentication password"
createUser authPrivUser SHA "authentication password" AES "privacy password"
```

These examples demonstrate the `createUser` directive followed by the username, the authentication protocol (MD5 or SHA), the authentication passphrase enclosed in quotes, the privacy protocol (DES or AES), and the privacy passphrase also in quotes. The presence of these passphrases directly in the configuration file represents a significant security risk. Another example shows using SHA for authentication and AES for privacy:

```
createUser SHAvite SHA "The SHAvite password" AES "The AES password"
```

Examining these lines will reveal the passphrases configured for SNMPv3 users, which could potentially be reused for other access methods if the system administrator practices password reuse.
