nmap -sU -p 161 --script snmp-ios-config --script-args snmpcommunity=private 192.168.10.100
Update June 29, 2017
nmap 7.40 and above has been updated to use a standard SNMP library for all SNMP-based scripts. This changes the script-args as follows:
nmap -sU -p 161 --script snmp-ios-config --script-args creds.snmp=private 192.168.10.100
You should upgrade to nmap 7.50 as it includes a lot of new scripts and bug fixes.
Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-03 15:23 Pacific Standard Time
Nmap scan report for 192.168.10.100
Host is up (0.0031s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-ios-config:
| !
| ! Last configuration change at 15:21:28 PST Tue Mar 3 2015 by mhubbard
| ! NVRAM config last updated at 15:21:31 PST Tue Mar 3 2015 by mhubbard
| !
| version 15.0
| no service pad
| service tcp-keepalives-in
| service tcp-keepalives-out
| service timestamps debug datetime msec localtime show-timezone
| service timestamps log datetime msec localtime show-timezone
| service password-encryption
| service sequence-numbers
| !
| hostname ACME_Test
| !
| boot-start-marker
| boot-end-marker
| !
| !
| username Test privilege 15 password 7 0037312531682F2506324F41
| username cisco privilege 15 secret 5 $1$CxMS$kdjNOfZxN6qcqqCWBDEvQ1
Snipped
This example should be enough to convince you not to use "private" as an RW community string, and to use ACLs to limit logical access to your network devices!
In our example the SNMP monitoring stations are at 192.168.10.200 and .201. To add access lists:
ACME_Test(config)# access-list 99 permit 192.168.10.200
ACME_Test(config)# access-list 99 permit 192.168.10.201
ACME_Test(config)# snmp-server community public ro 99
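As an added example (not code from the original post), a small Python audit that applies the advice above to a "show run | section snmp" excerpt: it flags default strings, RW communities and communities with no ACL bound. The sample config is constructed, and the parser assumes the common "snmp-server community <string> [ro|rw] [acl]" form (the optional "view" keyword is not handled).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the page's config (not from a real device).
# The first line is the weak setup the nmap run exploits: default string, RW, no ACL.
SAMPLE_CONFIG = """\
snmp-server community private RW
snmp-server community public RO 99
snmp-server community SuperSecret RW 25
snmp-server community BigSecret RO 20
snmp-server trap-source Vlan18
"""

DEFAULT_STRINGS = {"public", "private"}

# Assumed form: snmp-server community <string> [ro|rw] [acl]; IOS defaults to RO.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?(?: (\S+))?$", re.I)


@dataclass
class Finding:
    community: str
    mode: str
    acl: Optional[str]
    issues: List[str] = field(default_factory=list)


def audit_snmp_communities(config: str) -> List[Finding]:
    """Flag community strings that let any host read (or, with RW, rewrite) the device."""
    findings = []
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), (m.group(2) or "ro").lower(), m.group(3)
        f = Finding(community, mode, acl)
        if community.lower() in DEFAULT_STRINGS:
            f.issues.append("default-string")  # guessable by anyone
        if mode == "rw":
            f.issues.append("read-write")      # enough to pull the config via TFTP
        if acl is None:
            f.issues.append("no-acl")          # any source address may use it
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{f.community:<12} {f.mode.upper():<3} acl={f.acl or '-':<4} {', '.join(f.issues) or 'ok'}")
```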
Troubleshooting
I have found this script to be very reliable, but I have run into two things that caused it to fail.
You cannot have a TFTP server running on the machine you are running the script from. This is because the script has a TFTP server built in. On Windows you will get the following error "NSOCK ERROR [9.3070s] mksock_bind_addr(): Bind to 0.0.0.0:69 failed (IOD #2): An attempt was made to access a socket in a way forbidden by its access permissions. (10013)".
A community string that is, for lack of a better word, invalid. What does that mean? I could not get the script to work during a new deployment. I ran Wireshark and saw that the script sent the SNMP SET but the switch didn't answer. I checked the access list on the SNMP config, made sure there wasn't a TFTP server running, checked the firewall, etc. Finally I ran "show snmp community" and to my surprise the RW string wasn't bound to any interfaces!
On this switch I am using vlan18 as the management vlan. You can see that the RW string isn't listed with an interface. I changed the RW string and ran the show command again. This time the RW string had vlan18 and the access-list and the script worked.
These aren't the actual strings I was using. The real strings had a lot of special characters and mixed caps.
ACME_Test#sh run | sec snmp
snmp-server community SuperSecret RW 25
snmp-server community BigSecret RO 20
snmp-server trap-source Vlan18
ACME_Test#sh snmp com
Community name: SuperSecret
Community Index: SuperSecret
Community SecurityName: SuperSecret
storage-type: nonvolatile active
Community name: BigSecret
Community Index: BigSecret
Community SecurityName: BigSecret
storage-type: nonvolatile active access-list: 20
Community name: BigSecret@18
Community Index: BigSecret@18
Community SecurityName: BigSecret
storage-type: read-only active access-list: 20