• Stars
    star
    555
  • Rank 80,213 (Top 2 %)
  • Language
    PowerShell
  • License
    Other
  • Created over 2 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.

PowerHuntShares

PowerHuntShares is design to automatically inventory, analyze, and report excessive privilege assigned to SMB shares on Active Directory domain joined computers.
It is intented to help IAM and other blue teams gain a better understand of their SMB Share attack surface and provides data insights to help naturally group related share to help stream line remediation efforts at scale.

It supports functionality to:

  • Authenticate using the current user context, a credential, or clear text user/password.
  • Discover accessible systems associated with an Active Directory domain automatically. It will also filter Active Directory computers based on available open ports.
  • Target a single computer, list of computers, or discovered Active Directory computers (default).
  • Collect SMB share ACL information from target computers using PowerShell.
  • Analyze collected Share ACL data.
  • Report summary reports and excessive privilege details in HTML and CSV file formats.

Excessive SMB share ACLs are a systemic problem and an attack surface that all organizations struggle with. The goal of this project is to provide a proof concept that will work towards building a better share collection and data insight engine that can help inform and priorititize remediation efforts.

Bonus Features:

  • Generate directory listing dump for configurable depth
  • Search for file types across discovered shares

I've also put together a few other resources to get you started:

Vocabulary

PowerHuntShares will inventory SMB share ACLs configured with "excessive privileges" and highlight "high risk" ACLs. Below is how those are defined in this context.

Excessive Privileges
Excessive read and write share permissions have been defined as any network share ACL containing an explicit ACE (Access Control Entry) for the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups. All provide domain users access to the affected shares due to privilege inheritance issues. Note there is a parameter that allow operators to add their own target groups.
Below is some additional background:

  • Everyone is a direct reference that applies to both unauthenticated and authenticated users. Typically only a null session is required to access those resources.
  • BUILTIN\Users contains Authenticated Users
  • Authenticated Users contains Domain Users on domain joined systems. That's why Domain Users can access a share when the share permissions have been assigned to "BUILTIN\Users".
  • Domain Users is a direct reference
  • Domain Users can also create up to 10 computer accounts by default that get placed in the Domain Computers group
  • Domain Users that have local administrative access to a domain joined computer can also impersonate the computer account.

Please Note: Share permissions can be overruled by NTFS permissions. Also, be aware that testing excluded share names containing the following keywords:

print$, prnproc$, printer, netlogon,and sysvol

High Risk Shares
In the context of this report, high risk shares have been defined as shares that provide unauthorized remote access to a system or application. By default, that includes the shares

 wwwroot, inetpub, c$, and admin$   
However, additional exposures may exist that are not called out beyond that.

Setup Commands

Below is a list of commands that can be used to load PowerHuntShares into your current PowerShell session. Please note that one of these will have to be run each time you run PowerShell is run. It is not persistent.

# Bypass execution policy restrictions
Set-ExecutionPolicy -Scope Process Bypass

# Import module that exists in the current directory
Import-Module .\PowerHuntShares.psm1

or

# Reduce SSL operating level to support connection to github
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[Net.ServicePointManager]::SecurityProtocol =[Net.SecurityProtocolType]::Tls12

# Download and load PowerHuntShares.psm1 into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerHuntShares/main/PowerHuntShares.psm1")

Example Commands

Important Note: All commands should be run as an unprivileged domain user.

.EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test 

.EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user

.EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test  -HostList c:\temp\hosts.txt      

.EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
PS C:\temp\test> Import-Module PowerHuntShares.psm1
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user 

===============================================================
PowerHuntShares
===============================================================
 This function automates the following tasks:     

 o Determine current computer's domain
 o Enumerate domain computers        
 o Filter for computers that respond to ping reqeusts          
 o Filter for computers that have TCP 445 open and accessible  
 o Enumerate SMB shares 
 o Enumerate SMB share permissions   
 o Identify shares with potentially excessive privielges       
 o Identify shares that provide reads & write access           
 o Identify shares thare are high risk
 o Identify common share owners, names, & directory listings   
 o Generate creation, last written, & last accessed timelines
 o Generate html summary report and detailed csv files         

 Note: This can take hours to run in large environments.       
---------------------------------------------------------------
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---------------------------------------------------------------
SHARE DISCOVERY      
---------------------------------------------------------------
[*][03/01/2021 09:35] Scan Start
[*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
[*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
[*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
[*][03/01/2021 09:35] - 245 computers found
[*][03/01/2021 09:35] Pinging 245 computers
[*][03/01/2021 09:35] - 55 computers responded to ping requests.
[*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
[*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
[*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
[*][03/01/2021 09:36] - 217 SMB shares were found.
[*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
[*][03/01/2021 09:37] - 374 share permissions were enumerated.
[*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
[*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
[*][03/01/2021 09:37] - 563 files and folders were enumerated.
[*][03/01/2021 09:37] Identifying potentially excessive share permissions
[*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
[*][03/01/2021 09:37] Scan Complete
---------------------------------------------------------------
SHARE ANALYSIS      
---------------------------------------------------------------
[*][03/01/2021 09:37] Analysis Start
[*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
[*][03/01/2021 09:37] - 1 shares can be written to across 1 systems.
[*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
[*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
[*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
[*][03/01/2021 09:37] - Identified top 5 share groups.
[*][03/01/2021 09:37] - Identified top 5 share names.
[*][03/01/2021 09:37] - Identified shares created in last 90 days.
[*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
[*][03/01/2021 09:37] - Identified shares modified in last 90 days.
[*][03/01/2021 09:37] Analysis Complete
---------------------------------------------------------------
SHARE REPORT SUMMARY      
---------------------------------------------------------------
[*][03/01/2021 09:37] Domain: demo.local
[*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
[*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
[*][03/01/2021 09:37] Run time: 00:02:23.2759086
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] COMPUTER SUMMARY
[*][03/01/2021 09:37] - 245 domain computers found.
[*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
[*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
[*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] SHARE SUMMARY
[*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
[*][03/01/2021 09:37]   because 49 systems had open ports and there are typically two default shares.
[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] SHARE ACL SUMMARY
[*][03/01/2021 09:37] - 374 ACLs were found.
[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) ACLs were found that are associated with HIGH RISK share names.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] - The 5 most common share names are:
[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
[*][03/01/2021 09:37]   - 4 backup
[*][03/01/2021 09:37]   - 2 ssms
[*][03/01/2021 09:37]   - 1 test2
[*][03/01/2021 09:37]   - 1 test1
[*][03/01/2021 09:37]   - 1 users
[*] -----------------------------------------------

HTML Report Examples

HtmlReport1

Credits

Author
Scott Sutherland (@_nullbind)

Open-Source Code Used
These individuals wrote open source code that was used as part of this project. A big thank you goes out them and their work!

Name Site
Will Schroeder (@harmj0y) https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Warren F (@pscookiemonster) https://github.com/RamblingCookieMonster/Invoke-Parallel
Luben Kirov http://www.gi-architects.co.uk/2016/02/powershell-check-if-ip-or-subnet-matchesfits/

License
BSD 3-Clause

Todos

Pending Fixes/Bugs

  • Update code to avoid defender
  • Fix file listing formating on data insight pages
  • IPv6 addresses dont show up in subnets summary
  • ACLs associated with Builtin\Users sometimes shows up as LocalSystem under undefined conditions, and as a result, doesnt show up in the Excessive Privileges export. - Thanks Sam!

Pending Features

  • Add ability to specify additional groups to target
  • Add directory listing to insights page.
  • Add ability to grab system OS information for data insights.
  • Add visualization: Visual squares with coloring mapped to share volume density by subnet or ip?.
  • Add file type search. (half coded) + add to data insights. Don't forget things like *.aws, *.azure *.gcp directories that store cloud credentials.
  • Add file content search.
  • Add DontExcludePrintShares option
  • Add auto targeting of groups that contain a large % of the user population; over 70% (make configurable). Add as option.
  • Add configuration fid: netlogon and sysvol you may get access denied when using windows 10 unless the setting below is configured. Automat a check for this, and attempt to modify if privs are at correct level. gpedit.msc, go to Computer -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths, enable the policy and click "Show" button. Enter your server name (* for all servers) into "Value name" and enter the folowing text "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" wihtout quotes into the "Value" field.
  • Add an interesting shares based on names to data insights. example: sql, backup, password, etc.
  • Add active sessions data to help identify potential owners/users of share.
  • Pull spns and computer description/spn account descriptions to help identify owner/business unit.
  • Create bloodhound import file / edge (highrisk share)
  • Research to identify additional high risk share names based on common technology
  • Add better support for IPv6
  • Dynamic identification of spikes in high risk share creation/common groupings, need to better summarize supporting detail beyond just the timeline. For each of the data insights, add average number of shares created for insight grouping by year/month (for folder hash / name etc), and the increase the month/year it spikes. (attempt to provide some historical context); maybe even list the most common non default directories being used by each of those. Potentially adding "first seen date" as well.
  • add showing share permissions (along with the already displayed NTFS permissions) and resultant access (most restrictive wins)

More Repositories

1

PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
PowerShell
2,444
star
2

MicroBurst

A collection of scripts for assessing Microsoft Azure security
PowerShell
1,982
star
3

SQLInjectionWiki

A wiki focusing on aggregating and documenting various SQL injection methods
HTML
727
star
4

PESecurity

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
PowerShell
593
star
5

xssValidator

This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
Java
399
star
6

NetblockTool

Find netblocks owned by a company
Python
336
star
7

PowerShell

NetSPI PowerShell Scripts
PowerShell
300
star
8

ESC

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.
C#
278
star
9

WebLogicPasswordDecryptor

PowerShell script and Java code to decrypt WebLogic passwords
Java
240
star
10

sshkey-grab

Grab ssh keys from ssh-agent
Python
217
star
11

JavaSerialKiller

Burp extension to perform Java Deserialization Attacks
Java
205
star
12

django.nV

Vulnerable Django Application
JavaScript
197
star
13

Wsdler

WSDL Parser extension for Burp
Java
189
star
14

Swift.nV

Security Training Tool that demonstrates common mobile application vulnerabilities using Swift in iOS
Swift
180
star
15

aws_consoler

A utility to convert your AWS CLI credentials into AWS console access.
Python
178
star
16

DAFT

DAFT: Database Audit Framework & Toolkit
C#
173
star
17

Powershell-Modules

PowerShell
158
star
18

Burp-Extensions

Central Repo for Burp extensions
Java
141
star
19

BurpCollaboratorDNSTunnel

A DNS tunnel utilizing the Burp Collaborator
Java
97
star
20

BetaFast

Vulnerable thick client applications used as examples in the Introduction to Hacking Desktop Applications blog series
C#
89
star
21

BurpExtractor

A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
Java
89
star
22

AWSSigner

Burp Extension for AWS Signing
Java
86
star
23

AutoDirbuster

Automatically run and save ffuf scans for multiple IPs
Python
74
star
24

SQLC2

SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
PowerShell
72
star
25

PowerHunt

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection on scale.
PowerShell
61
star
26

FuncoPop

Tools for attacking Azure Function Apps
PowerShell
60
star
27

MonkeyWorks

C#
58
star
28

cmdsql

ASP.NET
54
star
29

heapdump-ios

Dump IOS application heap space from memory
Shell
50
star
30

SpoofSpotter

A tool to catch spoofed NBNS responses.
Python
49
star
31

skl

strace keylogger PoC
44
star
32

grails-nV

Vulnerable Grails application
JavaScript
43
star
33

JSONBeautifier

JSON Beautifier for Burp written in Java
Java
36
star
34

asa_tools

Verification tools for CVE-2016-1287
Python
32
star
35

MoneyX

MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
Java
30
star
36

JIG

Jira Information Gatherer
Python
29
star
37

httpillage

Java
26
star
38

HTTPScrapers

NetSPI HTTP Scrapers
Python
25
star
39

binrev

Shell
24
star
40

crossdomainscanner

Python tool for expired domain discovery in crossdomain.xml files
Python
23
star
41

goat.js

Tutorial for Node.js security
CSS
20
star
42

PS_Reflector

PowerShell
19
star
43

PS_MultiCrack

A powershell script for cracking halfLMchall password hashes
PowerShell
19
star
44

PS_CC_Checker

PowerShell
17
star
45

DataLoc

Scan MSSQL databases for payment card data without relying on key words
AutoIt
16
star
46

silkwasm

HTML Smuggling with Web Assembly
Go
15
star
47

Pin

Intel pin tools
C++
12
star
48

ruby_apk_unpack

Ruby Gem to Unpack APK(s)
Ruby
12
star
49

SVNentriesParser

A powershell script to parse SVN entries files into an HTML directory listing
PowerShell
9
star
50

Dekrypto

Ruby
8
star
51

JSWS

JavaScript Web Service Proxy Burp Plugin
Java
7
star
52

gppdecrypt

Stand alone script to decrypt GPP cpassword.
Go
7
star
53

TapJacking-Demo

Java
6
star
54

WCF

C#
6
star
55

PycroBurst

Python implementation of select MicroBurst scripts.
Python
6
star
56

Custom-Passive-Scanner

Define custom findings for Burp's Passive Scanner using regex.
Java
5
star
57

doctordocker

Docker Doctor - Automated upgrading of libraries through Docker deployments.
Ruby
5
star
58

osint_scripts

Collection of Scripts of Open Source Intelligence Gathering
Ruby
5
star
59

npm-deps-parser

Parses, summarizes, and prints "npm audit" json output to markdown for nVision reports
Python
4
star
60

DetectionRules

This is a single location to store detection rules of various types.
4
star
61

Scheduled-Task

Native Binary for Creating a Scheduled Task
C++
2
star
62

rails-scope

scoping gem for rails application
Ruby
2
star
63

CollegePresentation

2
star
64

edge-cases-in-web

PHP
1
star
65

brigade-security-scripts

Brigade scripts to perform common Kubernetes and container-level security checks triggered by events.
1
star
66

WikiJekyllTheme

Wiki theme for various NetSPI wikis
HTML
1
star