SNMP v3 Foo

Recently I encountered an SNMP port that nmap reported as open. The nmap version scan identified it as a Cisco SNMP service, whereas without the version scan it reported open|filtered.

snmpwalk with the community string public (and a thousand more) did not return anything.

The packet dump taken while running nmap showed that the SNMP service had actually responded to nmap, identifying its version as SNMPv3:

11:24:12.379988 IP (tos 0x0, ttl 249, id 48140, offset 0, flags [none], proto UDP (17), length 131) x.x.x.x.161 > Y.Y.Y.Y.32776: [udp sum ok] { SNMPv3 { F= } { USM B=2 T=12430628 U= } { ScopedPDU E= 0x800x000x000x090x030x000x000x190x550x390xCF0x4E C= { Report(29) R=14320 .1.3.6.1.6.3.15.1.1.4.0=20 } } }

Interestingly, unlike SNMP v2, SNMP v3 responds (with a Report PDU) even when the username is wrong, which lets you confirm that the port is open:

snmpwalk -v 3 -u public X.X.X.X
snmpwalk: Unknown user name

(SNMP v2 will not respond unless the community string is right.)
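As an added illustration (not part of the original post), here is a small Python script that turns tcpdump output like the line above into a defender's view: it parses SNMPv3 Report PDUs, maps the reported usmStats OID to its RFC 3414 name (the .1.3.6.1.6.3.15.1.1.4.0 in the capture is usmStatsUnknownEngineIDs, the counter an agent bumps when a probe arrives with an empty engine ID; a wrong-user snmpwalk bumps .3.0, usmStatsUnknownUserNames), and flags peers that keep triggering those two counters. Only the first sample line is taken from the post; the remaining lines, the RFC 5737 addresses and the flagging threshold are constructed for the example, and the regular expression assumes tcpdump's -v rendering of SNMPv3 messages as shown above.

```python
import re
from collections import Counter

# usmStats counters from RFC 3414 (SNMP-USER-BASED-SM-MIB), keyed by the OID
# an agent puts in a Report PDU to say why it rejected a USM message.
USM_STATS = {
    ".1.3.6.1.6.3.15.1.1.1.0": "usmStatsUnsupportedSecLevels",
    ".1.3.6.1.6.3.15.1.1.2.0": "usmStatsNotInTimeWindows",
    ".1.3.6.1.6.3.15.1.1.3.0": "usmStatsUnknownUserNames",
    ".1.3.6.1.6.3.15.1.1.4.0": "usmStatsUnknownEngineIDs",
    ".1.3.6.1.6.3.15.1.1.5.0": "usmStatsWrongDigests",
    ".1.3.6.1.6.3.15.1.1.6.0": "usmStatsDecryptionErrors",
}

# Reports that a scanner or user-guessing client produces. NotInTimeWindows is
# normal for a legitimate manager after an agent reboot, and WrongDigests means
# a known user with the wrong auth key, so they are not counted as probes.
PROBE_COUNTERS = {"usmStatsUnknownEngineIDs", "usmStatsUnknownUserNames"}

# Matches the tcpdump -v rendering: "IP (...) src.port > dst.port: ... SNMPv3
# ... Report(n) R=<reqid> <oid>=<value>". Assumption: one packet per line.
REPORT_RE = re.compile(
    r"IP .*? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r".*?SNMPv3 .*?Report\(\d+\) R=(?P<reqid>\d+) (?P<oid>\.[\d.]+)=(?P<value>\d+)"
)

# Constructed sample capture. The first line is the one from the post; the rest
# imitate its format with RFC 5737 documentation addresses.
SAMPLE_LINES = [
    "11:24:12.379988 IP (tos 0x0, ttl 249, id 48140, offset 0, flags [none], proto UDP (17), length 131) x.x.x.x.161 > Y.Y.Y.Y.32776: [udp sum ok] { SNMPv3 { F= } { USM B=2 T=12430628 U= } { ScopedPDU E= 0x800x000x000x090x030x000x000x190x550x390xCF0x4E C= { Report(29) R=14320 .1.3.6.1.6.3.15.1.1.4.0=20 } } }",
    "11:30:01.000001 IP (tos 0x0, ttl 249, id 101, offset 0, flags [none], proto UDP (17), length 131) 192.0.2.10.161 > 198.51.100.7.40001: [udp sum ok] { SNMPv3 { F= } { USM B=2 T=12430990 U= } { ScopedPDU E= 0x800x000x000x090x03 C= { Report(29) R=1001 .1.3.6.1.6.3.15.1.1.4.0=21 } } }",
    "11:30:01.000500 IP (tos 0x0, ttl 64, id 102, offset 0, flags [none], proto UDP (17), length 120) 198.51.100.7.40002 > 192.0.2.10.161: [udp sum ok] { SNMPv3 { F=r } { USM B=0 T=0 U=public } { ScopedPDU E= C= { GetRequest(14) R=1002 } } }",
    "11:30:01.001000 IP (tos 0x0, ttl 249, id 103, offset 0, flags [none], proto UDP (17), length 131) 192.0.2.10.161 > 198.51.100.7.40002: [udp sum ok] { SNMPv3 { F= } { USM B=2 T=12430990 U=public } { ScopedPDU E= 0x800x000x000x090x03 C= { Report(29) R=1002 .1.3.6.1.6.3.15.1.1.3.0=5 } } }",
    "11:30:01.002000 IP (tos 0x0, ttl 249, id 104, offset 0, flags [none], proto UDP (17), length 131) 192.0.2.10.161 > 198.51.100.7.40003: [udp sum ok] { SNMPv3 { F= } { USM B=2 T=12430990 U=admin } { ScopedPDU E= 0x800x000x000x090x03 C= { Report(29) R=1003 .1.3.6.1.6.3.15.1.1.3.0=6 } } }",
    "11:30:01.003000 IP (tos 0x0, ttl 249, id 105, offset 0, flags [none], proto UDP (17), length 131) 192.0.2.10.161 > 198.51.100.7.40004: [udp sum ok] { SNMPv3 { F= } { USM B=2 T=12430990 U=cisco } { ScopedPDU E= 0x800x000x000x090x03 C= { Report(29) R=1004 .1.3.6.1.6.3.15.1.1.3.0=7 } } }",
    "11:31:15.000000 IP (tos 0x0, ttl 249, id 106, offset 0, flags [none], proto UDP (17), length 131) 192.0.2.10.161 > 198.51.100.8.50000: [udp sum ok] { SNMPv3 { F= } { USM B=3 T=12 U=netmon } { ScopedPDU E= 0x800x000x000x090x03 C= { Report(29) R=77 .1.3.6.1.6.3.15.1.1.2.0=1 } } }",
    "11:31:16.000000 IP (tos 0x0, ttl 249, id 107, offset 0, flags [none], proto UDP (17), length 99) 192.0.2.10.161 > 198.51.100.8.50001: [udp sum ok] { SNMPv2c C=\"public\" { GetResponse(28) R=78 .1.3.6.1.2.1.1.5.0=\"core1\" } }",
]


def parse_reports(lines):
    """Return one record per SNMPv3 Report PDU found in tcpdump -v output."""
    reports = []
    for line in lines:
        m = REPORT_RE.search(line)
        if not m:
            continue  # not an SNMPv3 Report (request, v2c traffic, other protocol)
        reports.append({
            "agent": m["src"],                       # engine that emitted the Report
            "peer": m["dst"],                        # host whose message was rejected
            "reqid": int(m["reqid"]),
            "counter": USM_STATS.get(m["oid"], m["oid"]),
            "value": int(m["value"]),
        })
    return reports


def summarize(lines, threshold=3):
    """Aggregate Reports per peer and flag peers that look like SNMPv3 probing.

    A peer is flagged when at least `threshold` Reports it triggered name one of
    PROBE_COUNTERS (constructed threshold; tune it to the site's normal traffic).
    """
    reports = parse_reports(lines)
    per_peer_counter = Counter((r["peer"], r["counter"]) for r in reports)
    probe_hits = Counter(r["peer"] for r in reports if r["counter"] in PROBE_COUNTERS)
    flagged = sorted(peer for peer, n in probe_hits.items() if n >= threshold)
    return {"reports": reports, "per_peer_counter": per_peer_counter, "flagged": flagged}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for (peer, counter), n in sorted(result["per_peer_counter"].items()):
        print(f"{peer:16} {counter:30} {n}")
    print("flagged peers:", result["flagged"])
```

Running the script over the sample lists one unknown-engine-ID report for Y.Y.Y.Y (the nmap probe from the post), four probe-type reports for 198.51.100.7, and a single NotInTimeWindows report for 198.51.100.8, so only 198.51.100.7 is flagged. The same parser works on `tcpdump -v -n udp port 161` output captured at the agent or a span port, which is where this signal is cheapest to collect.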

References: Nmap Snmp Fingerprinting

Sid