HIGH: Open SNMP Report

DESCRIPTION LAST UPDATED: 2024-08-29

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts with SNMPv2 publicly accessible, that are responding to the community “public”, and that have the potential to be used in amplification attacks by criminals who wish to perform denial of service attacks.

IMPORTANT: As of 2023-05 it also identifies SNMPv3 hosts as well as Cisco routers vulnerable to CVE-2017-6736 a CVS 8.8 RCE which is known to be abused by APT28 as reported by NCSC UK in “APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers”. See also our blog UK/US Joint Announcements Remind Us That Un-Remediated Vulnerabilities Snowball. If you receive an entry tagged CVE-2017-6736, make sure to apply patches!

The OID being probed for is 1.3.6.1.2.1.1.1.0 (sysDescr) and if the host responds to that probe, the host is then probed for OID 1.3.6.1.2.1.1.5.0 (sysName). The analogous shell commands would be:

snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.1.0

snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.5.0

For more details on our results, please visit our SNMP dashboard results.

For latest CVE-2017-6736 scan results visit our Dashboard here.

You can learn more on the report in our Open SNMP Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename(s): scan_snmp, scan6_snmp

Fields

timestamp

Time that the IP was probed in UTC+0
severity

Severity level
ip

The IP address of the device in question
protocol

Protocol that the DNS response came on (usually UDP)
port

Port that the SNMP response came from
hostname

Reverse DNS name of the device in question
sysdesc

System Description as obtained from OID 1.3.6.1.2.1.1.1
sysname

System Name as obtained from OID 1.3.6.1.2.1.1.5
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
version

The SNMP probe version that the IP responded to (usually 2)
naics

North American Industry Classification System Code
hostname_source

Hostname source
sector

Sector to which the IP belongs to
device_vendor

Device vendor
device_type

Device type
device_model

Device model
device_version

Device version
device_sector

Device sector (that the device belongs to, like consumer or enterprise)
tag

Set to snmp, may also include other entries, like "CVE-2017-6736"
community

SNMP community name
response_size

Response size in bytes
amplification

Amplification factor (This amplification is is based solely on the payload size sent and payload size received)
uptime

Device uptime (seconds)
mac_address

MAC address (if extracted)
vendor_id

Vendor ID (Enterprise ID)
vendor

Vendor name (as returned by device) from Enterprise ID

Sample

"timestamp","severity","ip","protocol","port","hostname","sysdesc","sysname","asn","geo","region","city","version","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version","device_sector","tag","community","response_size","amplification","uptime","mac_address","vendor_id","vendor"
"2010-02-10 00:00:00",high,192.168.0.1,udp,161,node01.example.com,,,64512,ZZ,Region,City,2,0,,,,,,,,snmp,public,85,1.00,,,,
"2010-02-10 00:00:01",high,192.168.0.2,udp,161,node02.example.com,,,64512,ZZ,Region,City,2,0,ptr,"Communications, Service Provider, and Hosting Service",,,,,,snmp,public,85,1.00,,,,
"2010-02-10 00:00:02",high,192.168.0.3,udp,161,node03.example.com,"Linux iKuai 5.10.194 #0 SMP Mon Dec 13 10:43:05 2021 i686",,64512,ZZ,Region,City,2,0,,,iKuai,router,,,,iot;snmp,public,158,1.86,857042,,8072,net-snmp

Our 135 Report Types

« Back to Network Reporting