masscan 0.0.0.0/0 -pU:161 --banners
SNMP is the "simple network management protocol", which is the Internet standard monitoring devices (like temperature and traffic rates), getting alerts from devices (like when the power fails), and most importantly, controlling devices. It's such a dangerous protocol that it should never be exposed to the public Internet. I should get back zero responses to my scan -- but I'm getting millions.
My query is a "GET" request for "sysName" and "sysDescr". These are relatively harmless bits of information, which is why I'm scanning for them: they are the fields that I'm most likely to get back in response. Most people don't mind exposing those fields. In future scans, I'm going to look for more sensitive information, like MAC addresses, or RMON.
This is just a sampling of early results. The most popular values for "sysName" are:
24178 ADSL Modem/Router
12374 Siemens SE261
12032 RTL867x ADSL Modem/Router
The first thing to notice about this is how this list is dominated by home cable/DSL modems. Also notice the item on the bottom of the list: AXIM is a well known manufacturer of Internet connected cameras. That could be lots of run to play with.
You see lots of devices in this list because it's usually supposed to be the human-configured name for a computer. Devices tend to be deployed without humans interacting with them, and hence come with factory preset names.
The most popular values for "sysDescr" are:
132290 Software Version 3.10L.01.
122354 Linux WNR1000v2 2.6.15 #199 Thu Jan 28 09
74654 Linux ADSL2PlusRouter 2.6.19 #2 Wed Aug 22 19
74435 Technicolor CableHome Gateway <
73785 CBW700N <
65439 System Description
55851 Thomson CableHome Gateway <
52248 Wireless ADSL Gateway
39351 Linux ADSL2PlusRouter 2.6.19 #7 Tue Apr 9 17
38372 Ubee PacketCable 1.5 W-EMTA <
31197 Netopia 3347-02 v7.8.1r2
30728 P-660HW-T1 v2
28390 Apple Base Station V3.84 Compatible
27017 ZXV10 W300
21765 P-660R-T1 v3s
19930 Linux KWS-1040G 2.4.25-LSDK-184.108.40.206 #1 Sat Jun 12 14
19753 Software Version 1132_061507-3.08L.BSNL_02.
19534 ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem <
15993 Linux ADSL2PlusRouter 2.6.19 #2 Mon Feb 13 14
15116 4 Port VDSL IAD
14870 BCW700J <
13577 Residential ADSL Gateway
13250 P-660HW-T1 v3
12984 Linux localhost 2.4.17_mvl21-malta-mips
12496 Cisco Internetwork Operating System Software
12163 Software Version 3.12L.BSNL_01.
12158 HP ETHERNET MULTI-ENVIRONMENT
12155 Apple AirPort - Apple Inc., 2006-2012. All rights Reserved.
12032 RTL867x System Description
11997 Linux KWS-1040G 2.4.25-LSDK-220.127.116.11 #1 Thu Sep 3 18
11617 P-660RU-T1 v2
Again, you see an overwhelming number of home devices. These come with model numbers, which is great, because it gives you a good list of products to avoid. Home cable/DSL modems should have zero ports exposed to the public Internet -- especially SNMP of all ports. If you have one of these vendors, like Zyxel or Arris, you are just begging to be hacked.
Note that both these lists exhibit a "long tail". There are hundreds of thousands of unique strings -- these are just the most popular. Although, as you can see, often time a minor version change creates a unique string. Thus, while a Zyxel device is the top of the list, that may be just because they don't have much variability in their version strings, rather than being either the worst vendor or the most popular vendor.