NET-SNMP-CONFIG-DLCollection

SNMP TFTP Config Download

Specific OID writes trigger the device to TFTP its config to an attacker host — exfil interfaces, ACLs, AAA keys, RADIUS secret.

§ Where this technique fits

NET-SNMP-CONFIG-DL is catalogued under the Collection tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

SNMPv2c write-community → router config exfil → cred sprays
Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds.
step 2 / 6

§ What commonly comes next

01
Unsecured Credentials
T1552 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

SNMPv2c write-community → router config exfil → cred sprays

§ What commonly comes next