How to Find and Create Community Strings

There are few components as integral to security in SNMP as SNMP community strings. Having the correct community string determines whether you can access information contained within devices throughout your network. In this article, we’re going to look at how you can find and create community strings on Windows and Linux. However, before we look at how to find and create community strings, let’s look at what community strings are.

What are SNMP Community Strings?

A community string or SNMP community string is a user ID or password that is sent along with a Get-Request. An SNMP community string is used to allow access to statistics within a device or router. A device can access data within other devices with the correct community string. If the community string is incorrect then the device ignores the Get-Request.

The default community string of a device depends on the vendor who created the device. That being said it isn’t unheard of for vendors to choose ‘public’ as their password of choice. If you’re using one of these devices then you’d want to change the community string ASAP to keep your network protected from unauthorized access. This is important because the information enclosed within your devices can tell an attacker lots about your network and potential entry points.

It is important to note that there are a number of different types of SNMP community strings. These are as follows:

  • Read-only community string
  • Read-write community string
  • SNMP Trap community string

The read-only community string allows a device to pull read-only information from a device. In contrast, a read-write community string can be used to pull information and change the configuration of a device. Finally, the SNMP trap community string is included when a device sends an SNMP trap. Community strings also differ based on which version of SNMP is being used.

SNMP Versions and Community String Differences

There are three main versions of SNMP in use, and each of these has a slightly different slant on community strings. This is shown below:

  • SNMPv1 – This was the first version of SNMP and used community strings to restrict access. This version used read-only and read-write community strings. However, data was transmitted unencrypted and was thus vulnerable to external attackers.
  • SNMPv2c – This version of SNMP also sends data unencrypted but has additional data types like 64-bit counters that aren’t present in the original.
  • SNMPv3 – This is the secure version of SNMP which allows the user to encrypt transmissions so that they can’t be accessed by prying eyes.

The important thing to note about the first two versions of SNMP listed above is that community strings aren’t encrypted and are vulnerable to being read. They are transmitted in clear text without any protection from prying eyes. By default, SNMPv1 and SNMPv2 equipment hits the market with the read-only community string set to ‘public’.

SNMPv2c has two types of community strings; read-only and read-write. Read-only community strings allow the user to access MIB objects on a read-only basis. MIB objects is the term given to data within the Management Information Base (MIB). This is the data that is exchanged between an SNMP manager and an SNMP agent.

Read-write community strings allow the user to access and interact with MIB objects. This means that the user can log into the SNMP manager and edit the configurations of the SNMP-enabled device. You need to take extra care with these community strings because they can allow anyone to interfere with your system remotely.

Where possible we advise you to use SNMPv3 for the most protection. SNMPv3 is the safest because all transmissions are encrypted, meaning that they can’t be read. However, even if you’re using SNMPv3 you want to make sure that you create a strong community string that can’t be deciphered easily.

How to Find SNMP Community Strings on Windows

The first thing you need to when trying to use SNMP community strings on Windows is to make sure that SNMP has been installed. In the example below, we’re going to run through how you can install SNMP on Windows 7, Windows 2008 Server, and Windows 2012 R2 Server. There are a number of ways to do this but one of the simplest ways is to use a tool called SolarWinds SNMP Enabler.

To install SNMP and find Community String on Windows follow these steps below:

  1. Download SolarWinds SNMP Enabler for Windows. (100% FREE Tool)
  2. Open up the program and enter the IP address where you’d like to install SNMP.
  3. If you wish you can select multiple IP addresses by importing a file with the IP addresses listed with the Import button
  4. Click the Start button. SolarWinds SNMP Enabler will systematically check each IP address and verify whether SNMP is already up and running. If it isn’t then SNMP will be installed. In either case, a community string will be configured.
  5. Once the scan is complete you will be shown the IP address(eswhere SNMP has been installed along with your community string.

SolarWinds SNMP Enabler for WindowsDownload 100% FREE Tool

 

Configuring SNMPv2c

Even though SNMPv3 is more secure, SNMPv2c is still more widely-used by technology vendors. As a result, it is handy to know how to configure a community string on an SNMPv2c-enabled device. To do this there are a number of things you need to do:

  1. The first step is to configure the community string by entering the following (“comp” is the name of the community string and “ro” stands for read-only, the securer of the two read permissions):
    Router(config)#snmp-server community comp ro
  2. Enter the IP address of the host receiver or SNMP manager:
    Router(config)#snmp-server host 10.10.10.12 version 2c TRAPCOMM
  3. Enable SNMP traps by entering the following:
    Router(config)#snmp-server enable traps

How to Find an SNMP Community String on  Linux

As a basic rule, if you want to make use of SNMP community strings then you need to have an SNMP client that has been installed and configured. You can install SNMP on Linux via the following command (we’re using CentOS in the example below):
yum -y install net-snmp-snmp-utils

The configuration file within SNMP will not only determine which type of traffic will be monitored but will also define the community string. On Linux you can find the configuration file under the following name:
snmpd.conf

This configuration file is generally located in a subdirectory called /etc/snmp.

How to Find Community Strings

Now that we know what community strings are, its time to look at how to find them. There are many different ways to find community strings, depending on the hardware you’re using. In this example, we’re going to be referring to how to find SNMP community strings on a Cisco Router or Cisco IOS-based catalyst switch.

Enabling on CISCO router

To enable an SNMP community string on a Cisco router you need to do the following:

  1. Telnet the following command to the router:
    prompt#telnet 172.16.99.20
  2. Enter the enable password to launch enable mode:
    Router>enable
    Password:
    Router#
  3. Show the running configuration and look for the SNMP data. If you don’t find any SNMP data then move on to the next step. However, if you find an SNMP command you’ll want to modify or disable it:
    Router#show running-config
    Building configuration…
    ….
    ….
  4. Enter configuration mode:
    Router#configure terminal
    Enter configuration commands, one per line.  End
    with CNTL/Z
    Router (config) #
  5. Enter the following command to enable the read-only community string:
    Router (config) #snmp-server community public RO
  6. To enable the read-write community string, enter the following:
    Router(config)#snmp-server community private RW
  7. Exit configuration mode back to the main prompt:
    Router (config) #exit)
    Router#
  8. To save the settings to RAM enter the following:
    Router#write memory
    Building configuration…
    [OK]
    Router#

How to Configure Community Strings on Windows

The process for configuring a community string on Windows depends on the version of Windows that you’re using. In this section, we’re going to look at how to configure an SNMP agent and community string on Windows 2012, Windows 2008 R2, and Windows 2003.

Configuring on Windows 2012

  1. The first thing you need to do is to log into your dedicated server with Remote Desktop.
  2. Next click on Windows Key>Administrative Tools>Server Manager.
  3. Now click the Manage button, then Add Roles and Features.
  4. Click Next four times. Check that SNMP service has been installed in the Features view. Now click Cancel.
  5. At this point you need to click on Windows Key>Administrative Tools, followed by Services.
  6. Right-click on SNMP service and click Properties.
  7. Go to the Security tab and enter your connection string. This needs to be between 8-10 characters.
  8. Make sure that your connection string is set to Read-Only in the SNMP Service Configuration box.
  9. Click on Add to finish.

Configuring on Windows 2008 R2

  1. First, log into your dedicated server with Remote Desktop.
  2. Once you’ve logged in, click Start>Administrative Tools>Server Manager.
  3. Now click Features>Add Features. Make sure that SNMP services are installed!
  4. Next click on Configuration>Services.
  5. Right-click on SNMP service followed by Properties
  6. Go to the Security tab and enter your connection string.
  7. Make sure that the Community rights box is set to Read-Only in the SNMP Service Configuration box.
  8. Click Add.

Configuring on Windows 2003

  1. Log into your dedicated server with Remote Desktop.
  2. Click Start>Control Panel>Administrative Tools>Computer Management.
  3. Click on Services>Applications>Services.
  4. Double-click on the SNMP Service option.
  5. Go to the Security tab and enter your connection string.
  6. Check that your connection string is set to read-only.
  7. Press Add.

How to Configure Community Strings on Linux

On RedHat/CentOS

  1. Firstly, install the RPM by entering the following command:
    yum install net-snmp
  2. At this stage you can install snmpwalk to aid your troubleshooting with the following:
    yum install net-snmp-utils
  3. Next move the default configuration file and establish it as a backup:
    mv /etc/snmp/snmpd.conf /etc/snmp/snmpd/conf.original
  4. Enter a new SNMP community within a new config file:
    echo “rocommunity notpublic”>/etc/snmp/snmpd.conf

On Debian/Ubuntu

  1. Install the snmpd package by entering the following:
    apt-get install snmpd
  2. Next, back up the snmp.conf file by entering the following:
    mv /etc/snmp/snmpd/conf /etc/snmp/snmpd.conf.org
  3. Create your new snmpd.conf file by entering the following (replace Comparitech with the community string you want to use):
    echo “rocommunity comparitech”>/etc/snmp/snmpd.conf
  4. Edit your snmpd file:
    nano /etc/default/snmpd
  5. Find and comment out the following:
    SNMPSDOPTS=‘ -Lsd -Lf /dev/null -u snmp -p /var/run/snmpd.pid’
  6. Now add the following line:
    SNMPDOPTS=‘ -Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd/pid -c /etc/snmp/snmpd/conf’
  7. Close and save the file.
  8. Restart snmpd by entering the following:
    /etc/init.d/snmpd restart
    sysv-rc-conf snmpd on

Community String Best Practices

One of the most commonly-overlooked aspects of configuring a community string is picking a community string that is completely secure. Community strings act like passwords and just like passwords they need to be written in a way that isn’t easy to guess. When you’re configuring SNMP strings in your network you want to make sure they are as hard to guess as possible.

There are a number of ways you can do this:

  • Create community strings of 20 characters or more.
  • Include a mix of uppercase characters, lowercase characters, digits, and symbols.
  • Don’t use dictionary words.
  • Don’t refer to any personal information.
  • Make sure that public and private community strings are different!
  • Apply different community strings to different devices!

Employing the best practices above is very important because unlike a password, SNMP won’t lock out a user if they guess wrong too many times. Hackers will have an indefinite amount of attempts to guess your community string so you need to make sure the characters are as difficult to guess as possible.

Closing Words: SNMP Community Strings

If you want additional peace of mind then you can hire a professional to conduct a penetration test. A penetration test is where someone attempts to breach your network and exploit existing vulnerabilities. A successful penetration test will make sure that you don’t have any gaps in your security that hackers can target. So long as you’ve implemented the steps above you should be completely fine but it is always worth verifying that your network is protected from unauthorized users.

That concludes our guide to finding and creating community strings in Windows and Linux. As you can see, the process is relatively simple on both operating systems. Regardless of what platform you’re on, make sure that SNMP is enabled before you go dabbling about with any configurations.

Likewise, whenever you enter a community string always make sure that you make the string as difficult to guess as possible. If you have a community string that is easy to guess, then you’re leaving your network open to attacks and downtime. Following the best practices listed above will help to make sure that this isn’t an issue.

For the utmost in security, you want to make sure that you’re using SNMPv3. This way you will be able to benefit from encryption and keep your community strings protected. Likewise, you want to keep a close lock on read-write community strings because these represent the biggest threat to your security.

If an unauthorized user gets access to a read-write community string then they will not only be able to read your device data but will also be able to change your configurations as well! Carefully managing your usage of SNMP and community strings will make sure that you can use community strings without leaving your network vulnerable to an attacker.