  • Stars: 162
  • Rank: 227,442 (Top 5 %)
  • Language: Perl
  • License: GNU General Publi...
  • Created over 8 years ago
  • Updated over 6 years ago

Repository Details

3 tools that work together to simplify reconnaissance of Windows File Shares

SMBCrunch

One of the most time-consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. SMBCrunch allows a red teamer to quickly identify Windows File Shares in a network, perform a recursive directory listing of the provided shares, and even grab a file from the remote share if it looks like a juicy target.

There are three (3) different tools that work together. Read all three sections below to get an idea of how they work together.


SMBHunt

Given a file (or gnmap file), SMBHunt finds all the Windows File Shares associated with the servers provided (if gnmap file is provided, it looks at servers with port 445 open). If no credentials are supplied to perform the check, it will check for null session shares.

Warning: If your user has access to one share on the server, the script will show all shares hosted by that server. If a share is listed in this output, it does not mean you have access to that share. Use the next tool for that.

To avoid locking out domain accounts, this script warns you if the credentials you supply fail. The "-f" switch overrides this protection.

This script only checks a server using one credential. This is by design, since the server will respond with a full list of shares if the user has access to only one share on the system.

Requirements:

  • Linux
  • Perl
  • smbclient (should be default in Kali)

Basic Usage:

./SMBHunt.pl [-a <account>] -i <file> [-o <output_file>]

Example Usage:

./SMBHunt.pl -a 'testdomain\john:hunter2' -i portscan445.gnmap -o shares_found.txt

Help to show all available options:

./SMBHunt.pl -h

Arguments:

-a, --account <string>

User credentials to test. Usernames are accepted in the form of 'Domain\Username:Password' ('Domain' is optional). If no account is given, the script checks for null session shares.

-i, --inputFile <file>

A file of systems separated by a new line, or a gnmap file of a portscan containing port 445. Each server with port 445 open will be checked for SMB shares.

-o, --output <file>

Print results to a file

-f, --force

Forces the script to continue even if the domain credential may be incorrect.

--noipc

Do not show IPC shares (IPC$)

--nohidden

Do not show hidden shares (C$, IPC$, ADMIN$, etc)
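The gnmap input accepted by "-i" is nmap's grepable (-oG) output, and only hosts listing port 445 in the open state qualify. The following is an added example, not SMBHunt's own code, showing one way to select those hosts so the scope of a run can be reviewed beforehand; the function name and the sample scan are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output. Addresses come from the
# RFC 5737 documentation range; nothing here is taken from the original page.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p 80,139,445,4450 -oG portscan445.gnmap 192.0.2.0/29
Host: 192.0.2.1 (fs01.example.test)\tStatus: Up
Host: 192.0.2.1 (fs01.example.test)\tPorts: 445/open/tcp//microsoft-ds///
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 445/closed/tcp//microsoft-ds///
Host: 192.0.2.3 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.0.2.4 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (2)
Host: 192.0.2.5 ()\tPorts: 4450/open/tcp/////
# Nmap done: 8 IP addresses (5 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def hosts_with_open_port(gnmap_text, port=445, proto="tcp"):
    """Return hosts, in first-seen order, whose Ports field has port/open/proto.

    Hypothetical helper: it matches the port number exactly (4450 is not 445)
    and requires the state "open", so closed and filtered ports are skipped.
    """
    found = []
    for line in gnmap_text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines such as "# Nmap done"
        # After the host, fields are tab-separated: Status, Ports, Ignored State...
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if (len(parts) >= 3 and parts[0] == str(port)
                        and parts[1] == "open" and parts[2] == proto
                        and match.group(1) not in found):
                    found.append(match.group(1))
    return found


if __name__ == "__main__":
    for host in hosts_with_open_port(SAMPLE_GNMAP):
        print(host)
```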


SMBList

SMBList will take the output file from "SMBHunt.pl" (or a file of shares separated by a newline in the format of "\server\share") and will perform a recursive directory listing of those shares using the credentials provided. SMBList will attempt to authenticate to the share until a valid credential is found from the list provided. It will then store the directory listings in a subfolder specified.

This makes the file listing extremely easy to grep through!

** The best result file to use is: /ALL_COMBINED_RESULTS.txt **

Requirements:

  • Linux
  • Perl
  • smbclient (should be default in Kali)

Basic Usage:

./SMBList.pl -c <credential/file> -s <share/file> -o <nonexistent directory>

Example Usage:

./SMBList.pl -c credentials_found.txt -s shares_found.txt -o share_listing -m 150

Help to show all available options:

./SMBList.pl -h

Arguments:

-c, --credentials <credential/file>

A single credential or file of credentials to test. Credentials are accepted in the form of 'Domain\Username:Password', separated by a new line (if providing a file).

-s, --shares <share/file>

A single share or file of shares to test against. Each credential will be tested for authorization until a valid one is found. Shares should be in the form "\server\share", separated by a new line (if providing a file).

-o, --output <nonexistent directory>

A new directory with this name will be created. To protect existing output, the script cannot be run if this directory already exists. It must be a directory that does not exist!

-m, --maxexec <seconds>

The maximum amount of time spent dumping any one share, in seconds. Default is 300 seconds (5 minutes).

-f, --force

Never remove a share from the list if it errors and never remove a credential if it gets a logon failed message. If you are using this flag, make sure you know what you are doing! You might lock out accounts if you aren't careful!

-n, --nocreds

Don't include credentials in the output. WARNING: If you use this switch, you cannot use the output with the next tool, "SMBGrab.pl".


SMBGrab

File listings from SMBList.pl can be piped into this utility to grab the files wanted from the shares. The original listing from SMBList.pl should be "grepped" before passing to this script, otherwise all files will be downloaded (which is the equivalent of copying the entire share and is bad).

This script requires SMBList.pl output to be piped into it. Look at "Example Usage" below.

Requirements:

  • Linux
  • Perl
  • smbclient (should be default in Kali)

Basic Usage:

./SMBGrab.pl [-s <directory>]

Example Usage:

grep -i 'password.txt' share_listing/ALL_COMBINED_RESULTS.TXT | ./SMBGrab.pl -s savedfiles

Help to show all available options:

./SMBGrab.pl -h

Arguments:

If no arguments are supplied, the file is retrieved from the share and displayed to the user. It is not saved.

-s, --savedir <directory>

A directory to save all the grabbed files to. If this directory does not exist, it will be created. Using this argument saves the files but prevents the files from being printed to the screen.

-a, --all

Read all files piped in. Without this switch, the script protects against accidentally downloading massive amounts of files by limiting the input to 100 files.

-n, --noedit

This will preserve the files in their original form. If this switch is not used, a note will be made at the bottom of each file containing information about the file metadata (read/write times, file location in the share, etc.).

-h, --help

Display a help menu.


Contact Information

Feel free to contact me with any changes or feature requests!
