SmbCrawler

SmbCrawler is a no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through the SMB shares on those hosts. Features:

  • takes host names, IP addresses, IP ranges, or an nmap xml file as input
  • checks permissions (check for 'write' permissions is opt-in, because it requires creating an empty directory on the share)
  • crawling depth is customizable
  • threaded
  • outputs machine-readable formats
  • pass-the-hash support
  • auto-download interesting files
  • report potential secrets
  • pausable
  • interactively skips single shares and hosts

Installation

Install by running python3 -m pip install . or pipx install . in the checked-out repository directory. Make sure $HOME/.local/bin is in your $PATH.

The pdftotext dependency will be built from source during the installation, which requires the poppler C++ headers. On Debian-based systems like Kali or Ubuntu, they can be installed with apt install libpoppler-cpp-dev.

Example

Run it like this:

$ smbcrawler -i hosts.txt -u pen.tester -p iluvb0b -d contoso.local \
        -t 5 -D 5

Usage

During run time, you can use the following keys:

  • p: pause the crawler and skip single hosts or shares (experimental feature, be careful)
  • <space>: print the current progress

For more information, run smbcrawler -h.

Notes

Even in medium-sized networks, SmbCrawler will find tons of data. The challenge is to reduce false positives.

Notes on permissions

READ on its own is not an interesting permission. It only means you have read permissions at the share level; access can still be restricted at the file system level. LIST_ROOT means you can actually list the root directory of that share.

In general, the permissions reported by SmbCrawler only apply to the root directory of a share.

Also, the WRITE permission means that you have the permission to create directories.

Because it is non-trivial to check permissions of SMB shares without attempting the action in question, SmbCrawler will attempt to create a directory on each share. It is named smbcrawler_DELETEME_<8 random characters> and is deleted immediately afterwards, but be aware of this anyway. Sometimes you have the permission to create directories, but not to delete them, so you will leave an empty directory there.

Typical workflow

It makes sense to first run SmbCrawler with crawling depth 0 to get an idea of what you're dealing with. In this first run, you can enable the write check with -w:

$ smbcrawler -D0 -t10 -w -i <INPUT FILE> \
    -u <USER> -d <DOMAIN> -p <PASSWORD> \
    -s permission_check

Afterwards, you can identify interesting and boring shares for your next run or several runs. Some shares like SYSVOL and NETLOGON appear many times, so you should declare these as "boring" on your next run and pick one host to scan these duplicate shares in a third run. Here is an example:

$ smbcrawler -D5 -t10 -i <NEW INPUT FILE> \
    -u <USER> -d <DOMAIN> -p <PASSWORD> \
    -aA 'boring_shares:SYSVOL|NETLOGON' \
    -s full_run
$ smbcrawler -D -1 <DC IP> \
    -u <USER> -d <DOMAIN> -p <PASSWORD> \
    -s dc_only

Errors

Some errors like "STATUS_ACCESS_DENIED" are not necessarily a problem. It's normal to encounter directories to which you have no access.

Output

You can increase or decrease the verbosity with command line arguments, but it's best to leave it at the default value. To see what's going on, run tail -f either on the log file or on one of the grep files in another terminal as needed.

This makes it easier to see the progress when pressing <space>.

Secrets

SmbCrawler automatically reports obvious secrets, but it's also a good idea to grep for several keywords (case insensitive) in the autodownload directory:

  • net use
  • runas
  • ConvertTo-SecureString
  • ----- PRIVATE KEY
  • password in various languages
  • ...

Be creative!

Note that encoding can be an issue. grep -ir password will not find passwords in UTF-16 encoded files, for example. That's why the secret detection of SmbCrawler attempts to normalize the encoding beforehand. PDFs are also automatically converted to text. (Office documents are TBD.)

Don't forget about the files themselves. These might be interesting:

  • kdbx (KeePass database)
  • vhdx, vhd, vmdk (virtual hard drives)
  • CVs, employee reviews, etc.
  • ...
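The encoding pitfall and the keyword/file-type lists above, as an added example that is not SmbCrawler's own code: it normalizes each downloaded file's encoding (so BOM-less UTF-16 text that grep -ir would miss is still searched), greps for a keyword list adapted from this README, and flags the file types listed above. The sample "autodownload" contents are constructed for the example.

```python
# Added example, not SmbCrawler's own code: normalize the encoding of the
# downloaded files before keyword-grepping them, so UTF-16 files aren't missed.
import re
from pathlib import PurePath

# Keywords adapted from the README's list ('password' in a few languages).
KEYWORDS = ["net use", "runas", "ConvertTo-SecureString", "PRIVATE KEY",
            "password", "passwort", "contraseña", "mot de passe"]
KEYWORD_RE = re.compile("|".join(map(re.escape, KEYWORDS)), re.IGNORECASE)
INTERESTING_SUFFIXES = {".kdbx", ".vhdx", ".vhd", ".vmdk"}  # from the README

def normalize(data: bytes) -> str:
    """Honour a UTF-16 BOM, sniff BOM-less UTF-16, try UTF-8, else latin-1."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    if len(data) >= 4:  # UTF-16-encoded ASCII text has a 0x00 every 2nd byte
        if data[1::2].count(0) > len(data) // 4:
            return data.decode("utf-16-le", errors="replace")
        if data[0::2].count(0) > len(data) // 4:
            return data.decode("utf-16-be", errors="replace")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")  # never fails; good enough for grepping

def find_keywords(data: bytes) -> list:
    """Matched keywords, lower-cased and de-duplicated, in order of first hit."""
    found = [m.group(0).lower() for m in KEYWORD_RE.finditer(normalize(data))]
    return list(dict.fromkeys(found))

def scan_files(files: dict) -> dict:
    """Map file name -> hits; interesting extensions get a pseudo-hit."""
    report = {}
    for name, data in files.items():
        hits = find_keywords(data)
        if PurePath(name).suffix.lower() in INTERESTING_SUFFIXES:
            hits.append("<interesting file type>")
        if hits:
            report[name] = hits
    return report

# Constructed sample 'autodownload' directory (made up for this example).
SAMPLES = {
    "notes_de.txt": "Das Passwort ist geheim".encode("utf-16-le"),  # no BOM
    "deploy.ps1": "ConvertTo-SecureString 'x' -AsPlainText".encode("utf-16"),
    "login.bat": b"net use \\\\fs\\share /user:contoso\\svc Passw0rd!\r\n",
    "vault.kdbx": b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5",  # arbitrary bytes
    "readme.txt": b"nothing to see here\n",
}
```

Run scan_files(SAMPLES) to see which files get reported; the BOM-less notes_de.txt is found only because normalize() sniffed it as UTF-16.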

If you notice a lot of false positives or false negatives, please help out and let me know. Community input is important when trying to improve automatic detection.

Credits

Adrian Vollmer, SySS GmbH

License

MIT License
