What do you check when you find SMB and SNMP open on a host?
Short answer
For SMB, enumerate shares, check for anonymous/null-session access, list users, and identify the version for known CVEs. For SNMP, try default community strings like 'public' and walk the MIB to extract usernames, running processes, installed software, and network details.
SMB (445/139) and SNMP (UDP 161) are two of the richest enumeration sources on the exam because they so often leak data with no credentials at all.
Enumerating SMB
Start by fingerprinting the dialect and OS — smbclient, enum4linux-ng, or nmap's smb scripts all do this. Then check for null or anonymous sessions, which on misconfigured hosts let you list shares and users without logging in. Key things to pull:
- Shares — connect with
smbclient -L //<ip>and browse any readable share for configs, scripts, backups, or credentials. - Users — RID cycling or enum4linux can dump account names that feed password spraying.
- Version — an old Samba or an unpatched Windows SMBv1 stack points straight at named CVEs (EternalBlue, Samba RCEs).
Enumerating SNMP
SNMP authentication in v1/v2c is just a community string, and admins leave the default public (and sometimes private for write) in place constantly. With it, snmpwalk lets you walk the MIB tree and read:
- Local usernames and account details
- The full process list and command lines (which sometimes contain passwords)
- Installed software, network interfaces, routing tables, and listening ports
That process and software inventory frequently reveals the exact vulnerable service to attack next, or a credential passed on a command line.
Why this matters
These protocols turn a black-box host into a near-white-box one before you fire a single exploit. The usernames you collect drive sprays; the versions drive exploit selection; the process list drives privilege escalation later.
What interviewers look for
They want concrete steps — null sessions, share and user enumeration, version-to-CVE mapping for SMB, and default community strings plus MIB walking for SNMP — not "I'd run a scanner."
Likely follow-ups
- How would a null session help you on a Windows target?
- What sensitive data does an SNMP walk commonly expose?