SNMP scanning

SNMP is an open standard network protocol for collecting information about devices on a network. There are three main versions of the protocol.

SNMP versions 1 and 2

SNMP version 1 was designed in the 1980s as an interim protocol, intended to be replaced by ISO CMIP. It was built to be used across any network common at the time, not just TCP/IP networks, so security was left up to the host network. The protocol defined a community string for arbitrary organization of groups of assets, but didn’t specify how access should be granted.

SNMP version 2 attempted to introduce a security model based on “parties,” but it wasn’t widely adopted so a revised standard was issued as SNMPv2c. SNMPv2c removed party-based security and went back to just using community strings. The previous SNMPv2 specification is considered obsolete.

Unfortunately, both SNMPv1 and SNMPv2 send community strings in plain text across the network. There’s no encryption of SNMPv1 or v2 data packets, and because the protocol is based on UDP there’s no way to simply add TLS to make a secure connection.

SNMP version 3

SNMPv3 fixes the security problems of SNMPv2 by supporting both password-based authentication and encryption (referred to as privacy protection) as part of the standard. Unfortunately there are multiple algorithms supported for both the encryption and the password authentication, and you have to know which ones your network devices use. Unlike SSH for example, the protocol doesn’t include any kind of negotiation of encryption methods.

SNMPv3 devices can operate in three different modes:

  • noAuthNoPriv, meaning no authentication is required and there’s no privacy protection (no encryption),
  • authNoPriv, meaning authentication is required but there’s still no privacy protection, and
  • authPriv, meaning both authentication and privacy protection are required.

runZero’s SNMP support

runZero supports SNMPv1, SNMPv2 (the SNMPv2c variant), and SNMPv3. Scans can be performed using only v1/v2, only v3, or both.

SNMP scanning is on by default. You can turn it off or customize it using the SNMP tab when setting up a scan or a scan template.

SNMPv1/v2 scanning

There are two ways to set up community strings for SNMPv1/v2 scanning. The first is to enter them as a comma-separated list on the SNMP tab. By default, runZero supplies the community strings public and private, as these are common defaults on network-enabled hardware such as printers and NAS servers. If you remove those defaults, runZero will not probe with them.

The second way to set up community strings is to enter them using the credentials feature as the credential type SNMP v2 Communities. While communities technically shouldn’t be used as credentials because they’re sent in plain text across the network, in practice many networks use them that way. By entering your community strings as credentials, you can use the CIDR allow list feature to control which parts of the network the community strings will be sent to, reducing the risk of their being captured by rogue devices.

If you remove all community strings from the SNMP tab and do not set up any SNMP v2 Communities as credentials, no SNMPv1/v2 scanning will be performed.

SNMPv3 scanning

Most devices which provide potentially sensitive information such as serial numbers and software versions will only do so in response to an authenticated SNMPv3 query. To perform authenticated SNMPv3 scanning, you will need to set up an SNMP v3 Credential record in runZero’s credentials feature.

The authentication protocol determines the hashing algorithm used to process the authentication passphrase – that is, how the runZero Explorer logs in to the remote device.

The most common default algorithm that devices use for authentication is sha (HMAC-SHA-96), which is required to be supported by the SNMPv3 standards. Newer devices may support more secure variants such as SHA-256, and runZero supports up to SHA-512. HMAC-MD5-96 is also supported, as per the standards, but is best not used on your network because the MD5 algorithm is known to be insecure.

The privacy protocol determines how the data sent to and from the remote device is encrypted to prevent eavesdropping. The privacy passphrase is used as seed data to initialize the encryption.

The most common privacy algorithm, required by the original SNMPv3 standards, is CBC-DES-128. It’s selected as des in the runZero user interface. Later RFCs added AES-128, represented as aes. Again, runZero supports more secure variants that may be used by newer devices, such as AES256.

As mentioned above, devices may require only authentication, both authentication and privacy, or neither. For some devices there is only space for a single passphrase in the device configuration. This usually means that the same passphrase is used for both the privacy passphrase and the authentication passphrase, if the device is running in authPriv mode.

As with SNMPv2 community strings, you can set a CIDR allow list to determine which IP addresses SNMPv3 credentials will be sent to. This is particularly recommended if your network is not set up to require privacy passphrases.

In addition to credentialed scanning, runZero will send uncredentialed SNMPv3 probes. Some devices respond to SNMPv3 with useful information without needing any credentials.

Choosing which versions of SNMP are scanned

To disable SNMPv1/v2 and only scan with SNMPv3, remove the community strings from the SNMP tab when setting up a scan or template and ensure that any SNMPv2 community strings stored as credentials are disabled on the Credentials tab.

To disable authenticated SNMPv3 scanning and only scan with SNMPv1/v2, ensure that any SNMPv3 credentials are disabled on the Credentials tab and make sure you have community strings specified, either on the SNMP tab or a credential.

To disable all SNMP scanning, including uncredentialed SNMPv3, switch off the toggle switch on the SNMP tab labeled Use the SNMP protocol for discovery.

How scans are performed

runZero will probe devices using all configured SNMP versions and all community strings. This is because devices often respond with different levels of data for SNMPv3 versus SNMPv2, and may respond with different information depending on community string.

SNMP is based on UDP, and UDP doesn’t guarantee the order of data packets, so it’s impossible to guarantee in what order community strings will be received by remote devices.

SNMPv3 authentication errors are not treated as scan failures. This is because it’s common to have multiple sets of SNMPv3 credentials used on different parts of a network, as well as misconfigured devices with incorrect passphrases.

Checking SNMPv3 credentials

If you are not getting SNMP data in your assets and think that you should be, a common cause is network firewalls, which often block SNMP traffic entirely. If possible, deploy an Explorer on the other side of the firewall, on the network segment you want to scan with SNMP.

The second most common reason for not getting the expected SNMP data in assets is incorrect SNMPv3 credentials.

If SNMPv3 authentication was attempted, you will see an SNMP engine ID recorded in the asset as snmp.EngineID.raw. The engine ID is usually a long string of hex digits and is used to calculate access keys. If the authentication failed, you will also see an error reported in the attribute snmp.failedAuth. If the error is a request timeout, that likely indicates that authentication succeeded but the encrypted data channel could not be set up, which means you may have the wrong privacy password or privacy algorithm.

It can be frustrating to debug SNMPv3 credential problems by trial and error using multiple scan attempts. Instead, you can use the snmpwalk utility. It’s part of the net-snmp open source project, packaged for most Linux distributions and available for macOS via Homebrew. There are unofficial builds for Windows, or you can install it in the Windows Subsystem for Linux (WSL).

The snmpwalk utility will connect to an IP address and dump all of the information it can retrieve. Here’s an example of how to use it to connect in authPriv mode with both authentication and privacy passphrases:

snmpwalk -v3 -l authPriv -a SHA -A "authentication passphrase" 
  -x AES -X "privacy passphrase" -u username 10.0.1.25

(Text above has been line-wrapped, but it’s one long command.) The parameters are:

  • -v3: switch to SNMPv3 mode.
  • -l authPriv: run in authPriv mode, with both authentication and privacy required.
  • -a SHA: authentication algorithm is SHA (SHA-128).
  • -A: specify the authentication passphrase as the next argument.
  • -x AES: privacy (encryption) algorithm is AES (AES-128).
  • -X: specify the privacy passphrase as the next argument.
  • -u username: specify the login username.
  • 10.0.1.25: the IP address to probe.

If you have the right passphrases and algorithms, you’ll get data back, probably a lot of it. If not, you’ll get an error message which may help identify the cause.

To check SNMPv2 community strings, you can use a command like this:

snmpwalk -v2c -c commstring 10.0.1.25

The -v2c argument chooses SNMPv2 (SNMPv2c) mode, and the -c argument specifies the community string. If you have the wrong community string, snmpwalk will run for a while and then print a timeout error.