p0dalirius/FindUncommonShares p0dalirius/FindUncommonShares

  • Stars
    star
    376
  • Rank 113,810 (Top 3 %)
  • Language
    Python
  • Created about 3 years ago
  • Updated 6 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
p0dalirius/FindUncommonShares
github

p0dalirius

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

FindUncommonShares is a Python script allowing to quickly find uncommon shares in vast Windows Domains, and filter by READ or WRITE accesses.

The script FindUncommonShares.py is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 allowing to quickly find uncommon shares in vast Windows Active Directory Domains.
GitHub release (latest by date) YouTube Channel Subscribers

Features

  • Only requires a low privileges domain user account.
  • Automatically gets the list of all computers from the domain controller's LDAP.
  • Ignore the hidden shares (ending with $) with --ignore-hidden-shares.
  • Multithreaded connections to discover SMB shares.
  • Export results in JSON with IP, name, comment, flags and UNC path with --export-json <file.json>.
  • Export results in XLSX with IP, name, comment, flags and UNC path with --export-xlsx <file.xlsx>.
  • Export results in SQLITE3 with IP, name, comment, flags and UNC path with --export-sqlite <file.db>.
  • Iterate on LDAP result pages to get every computer of the domain, no matter the size.

Demonstration

Quick win commands

  • List all shares where your current user has WRITE access:

    ./FindUncommonShares.py -u user -p 'Podalirius123!' -d DOMAIN --dc-ip 192.168.1.71 --writable

  • Export list of shares in the domain to an Excel file for the client:

    ./FindUncommonShares.py -u user -p 'Podalirius123!' -d DOMAIN --dc-ip 192.168.1.71 --export-xlsx ./examples/results.xlsx

  • List all shares with access rights for your current user:

    ./FindUncommonShares.py -u user -p 'Podalirius123!' -d DOMAIN --dc-ip 192.168.1.71 --check-user-access

Usage

$ ./FindUncommonShares.py -h
FindUncommonShares v3.0 - by @podalirius_

usage: FindUncommonShares.py [-h] [-v] [--use-ldaps] [-q] [--debug] [-no-colors] [-t THREADS] [-l LDAP_QUERY] [-ns NAMESERVER]
                             [--check-user-access] [--readable] [--writable] [-I] [-i IGNORED_SHARES] [-s ACCEPTED_SHARES]
                             [--export-xlsx EXPORT_XLSX] [--export-json EXPORT_JSON] [--export-sqlite EXPORT_SQLITE] --dc-ip ip
                             address [-d DOMAIN] [-u USER] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]

Find uncommon SMB shares on remote machines.

options:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode. (default: False).
  --use-ldaps           Use LDAPS instead of LDAP.
  -q, --quiet           Show no information at all.
  --debug               Debug mode. (default: False).
  -no-colors            Disables colored output mode.
  -t THREADS, --threads THREADS
                        Number of threads (default: 20).
  -l LDAP_QUERY, --ldap-query LDAP_QUERY
                        LDAP query to use to extract computers from the domain.
  -ns NAMESERVER, --nameserver NAMESERVER
                        IP of the DNS server to use, instead of the --dc-ip.
  --check-user-access   Check if current user can access the share.
  --readable            Only list shares that current user has READ access to.
  --writable            Only list shares that current user has WRITE access to.
  -I, --ignore-hidden-shares
                        Ignores hidden shares (shares ending with $)
  -i IGNORED_SHARES, --ignore-share IGNORED_SHARES
                        Specify shares to ignore explicitly. (e.g., --ignore-share 'C$' --ignore-share 'Backup')
  -s ACCEPTED_SHARES, --show-share ACCEPTED_SHARES
                        Specify shares to show explicitly. (e.g., --show-share 'C$' --show-share 'Backup')

Output files:
  --export-xlsx EXPORT_XLSX
                        Output XLSX file to store the results in.
  --export-json EXPORT_JSON
                        Output JSON file to store the results in.
  --export-sqlite EXPORT_SQLITE
                        Output SQLITE3 file to store the results in.

Authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the
                        domain part (FQDN) specified in the identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with

Credentials:
  --no-pass             Don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        Password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If
                        valid credentials cannot be found, it will use the ones specified in the command line

Exported results

Each JSON entry looks like this:

{
    "computer": {
        "fqdn": "TDC01.DOMAIN.local",
        "ip": "192.168.1.71"
    },
    "share": {
        "name": "IPC$",
        "comment": "Remote IPC",
        "hidden": true,
        "uncpath": "\\\\192.168.1.71\\IPC$\\",
        "type": {
            "stype_value": 2147483651,
            "stype_flags": [
                "STYPE_IPC",
                "STYPE_TEMPORARY"
            ]
        },
        "access_rights": {
            "readable": true,
            "writable": false
        }
    }
}

Credits

More Repositories

1

Awesome-RCE-techniques

Awesome list of step by step techniques to achieve Remote Code Execution on various apps!
Dockerfile
1,809
star
2

Coercer

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.
Python
1,702
star
3

LDAPmonitor

Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
C#
803
star
4

ApacheTomcatScanner

A python script to scan for Apache Tomcat server vulnerabilities.
Python
766
star
5

smbclient-ng

smbclient-ng, a fast and user friendly way to interact with SMB shares.
Python
693
star
6

webapp-wordlists

This repository contains wordlists for each versions of common web applications and content management systems (CMS). Each version contains a wordlist of all the files directories for this version.
480
star
7

windows-coerced-authentication-methods

A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols.
Python
478
star
8

ipsourcebypass

This Python script can be used to bypass IP source restrictions using HTTP headers.
Python
366
star
9

LDAPWordlistHarvester

A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
Python
318
star
10

ExtractBitlockerKeys

A system administration or post-exploitation script to automatically extract the bitlocker recovery keys from a domain.
Python
298
star
11

DumpSMBShare

A script to dump files and folders remotely from a Windows SMB share.
Python
200
star
12

GeoWordlists

GeoWordlists is a tool to generate wordlists of passwords containing cities at a defined distance around the client city.
Python
143
star
13

MSSQL-Analysis-Coerce

A technique to coerce a Windows SQL Server to authenticate on an arbitrary machine.
Python
123
star
14

ctfd-parser

A python script to dump all the challenges locally of a CTFd-based Capture the Flag.
Python
121
star
15

ldap2json

The ldap2json script allows you to extract the whole LDAP content of a Windows domain into a JSON file.
Python
113
star
16

CVE-2022-36446-Webmin-Software-Package-Updates-RCE

A Python script to exploit CVE-2022-36446 Software Package Updates RCE (Authenticated) on Webmin < 1.997.
Python
109
star
17

pdbdownload

A Python script to download PDB files associated with a Portable Executable (PE)
Python
109
star
18

Tomcat-webshell-application

A webshell application and interactive shell for pentesting Apache Tomcat servers.
Java
89
star
19

CVE-2022-21907-http.sys

Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers
Python
78
star
20

objectwalker

A python module to explore the object tree to extract paths to interesting objects in memory.
Python
77
star
21

RDWAtool

A python script to extract information from a Microsoft Remote Desktop Web Access (RDWA) application
Python
74
star
22

CVE-2021-43008-AdminerRead

Exploit tool for CVE-2021-43008 Adminer 1.0 up to 4.6.2 Arbitrary File Read vulnerability
Python
73
star
23

pyLAPS

Python setter/getter for property ms-Mcs-AdmPwd used by LAPS.
Python
67
star
24

LFIDump

A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
Python
63
star
25

Wordpress-webshell-plugin

A webshell plugin and interactive shell for pentesting a WordPress website.
Python
59
star
26

owabrute

Hydra wrapper for bruteforcing Microsoft Outlook Web Application.
Shell
56
star
27

ldapconsole

The ldapconsole script allows you to perform custom LDAP requests to a Windows domain.
Python
56
star
28

pydsinternals

A Python native library containing necessary classes, functions and structures to interact with Windows Active Directory.
Python
52
star
29

CVE-2022-45771-Pwndoc-LFI-to-RCE

Pwndoc local file inclusion to remote code execution of Node.js code on the server
Python
46
star
30

volatility2-profiles

Memory mapping profiles for forensic analysis using volatility 2
43
star
31

microsoft-rpc-fuzzing-tools

This repository contains a list of python scripts to work with Microsoft RPC for research purposes.
Python
43
star
32

RemoteMouse-3.008-Exploit

This exploit allows to connect to the remote RemoteMouse 3.008 service to virtually press arbitrary keys and execute code on the machine.
Python
41
star
33

Joomla-webshell-plugin

A webshell plugin and interactive shell for pentesting a Joomla website.
Python
39
star
34

robotstester

This Python script can enumerate all URLs present in robots.txt files, and test whether they can be accessed or not.
Python
39
star
35

DomainUsersToXLSX

Extract all users from an Active Directory domain to an Excel worksheet.
Python
30
star
36

sectools

A Python native library containing lots of useful functions to write efficient scripts to hack stuff.
Python
29
star
37

Argon2Cracker

A multithreaded bruteforcer of argon2 hashes.
Python
27
star
38

p0dalirius

Front page README of my GitHub profile
27
star
39

Moodle-webshell-plugin

A webshell plugin and interactive shell for pentesting a Moodle instance.
PHP
26
star
40

WifiListProbeRequests

Monitor 802.11 probe requests from a capture file or network sniffing!
Python
26
star
41

GetFortinetSerialNumber

A Python script to extract the serial number of a remote Fortinet device.
Python
26
star
42

TargetAllDomainObjects

A python wrapper to run a command on against all users/computers/DCs of a Windows Domain
Python
25
star
43

crEAP

crEAP will identify WPA Enterprise mode EAP types and harvest usernames and/or handshakes if insecure protocols are in use.
Python
24
star
44

RobotsValidator

A python script to check if URLs are allowed or disallowed by a robots.txt file.
Python
22
star
45

AccountShadowTakeover

A python script to automatically add a KeyCredentialLink to newly created users, by quickly connecting to them with default credentials.
Python
21
star
46

msFlagsDecoder

Decode the values of common Windows properties such as userAccountControl and sAMAccountType.
Python
20
star
47

volatility3-symbols

Memory mapping profiles for forensic analysis using volatility 3
20
star
48

crawlersuseragents

Python script to check if there is any differences in responses of an application when the request comes from a search engine's crawler.
Python
19
star
49

Hashes-Harvester

Automatically extracts NT and LM hashes from Windows memory dumps based on volatility.
Shell
19
star
50

MSRPRN-Coerce

A python script to force authentication using MS-RPRN RemoteFindFirstPrinterChangeNotificationEx function (opnum 65).
Python
18
star
51

binaryexploitation

A massive documentation about binary protections, exploitation techniques, and computer architecture concepts.
17
star
52

TimeBasedLoginUserEnum

A script to enumerate valid usernames based on the requests response times.
Python
17
star
53

CVE-2022-30780-lighttpd-denial-of-service

CVE-2022-30780 - lighttpd remote denial of service
Perl
16
star
54

GithubBackupAllRepos

A Python script to backup all repos (public or private) of a user.
Python
16
star
55

Sprayer

Multithreaded spraying of a password on all accounts of a domain.
Python
16
star
56

CVE-2020-14144-GiTea-git-hooks-rce

A script to exploit CVE-2020-14144 - GiTea authenticated Remote Code Execution using git hooks
Python
16
star
57

LootApacheServerStatus

A script to automatically dump all URLs present in /server-status to a file locally.
Python
15
star
58

CVE-2016-10956-mail-masta

MailMasta wordpress plugin Local File Inclusion vulnerability (CVE-2016-10956)
Python
15
star
59

DescribeNTSecurityDescriptor

A python tool to parse and describe the contents of a raw ntSecurityDescriptor structure.
Python
15
star
60

volatility2docker

A volatility 2 docker for forensic investigations
Makefile
14
star
61

http-fuzzing-scripts

A collection of http fuzzing python scripts to fuzz HTTP servers for bugs.
Python
13
star
62

hivetools

A collection of python scripts to work with Windows Hives.
Python
13
star
63

gitea-extract-users

A Python script to extract the list of users of a GiTea instance, unauthenticated or authenticated.
Python
13
star
64

GhostSPN

List accounts with Service Principal Names (SPN) not linked to active dns records in an Active Directory Domain.
Python
13
star
65

windows-cryptography-explained

Detailed explanation of Windows cryptographic algorithms, with examples and schemes.
Python
13
star
66

LimeSurvey-webshell-plugin

A webshell plugin and interactive shell for pentesting a LimeSurvey application.
Python
12
star
67

ParseFortinetSerialNumber

A Python script to parse Fortinet products serial numbers, and detect the associated model and revision.
Python
12
star
68

wav2mmv

WAV to MMV converter. You can then use the MMV file in input of MSSTV to decode Slow Scan Television (SSTV) sound signals.
Shell
12
star
69

JoGet-webshell-plugin

A webshell plugin and interactive shell for pentesting JoGet application.
Java
12
star
70

CVE-2022-26159-Ametys-Autocompletion-XML

A python exploit to automatically dump all the data stored by the auto-completion plugin of Ametys CMS to a local sqlite database file.
Python
12
star
71

CodeIgniter-session-unsign

Command line tool to fetch, decode and brute-force CodeIgniter session cookies by guessing and bruteforcing secret keys.
Python
12
star
72

goLAPS

Go setter/getter for property ms-Mcs-AdmPwd used by LAPS.
Go
12
star
73

CVE-2018-16763-FuelCMS-1.4.1-RCE

Exploit to trigger RCE for CVE-2018-16763 on FuelCMS <= 1.4.1 and interactive shell.
PHP
11
star
74

ListValidGSuiteEmails

A Python script to list valid emails of GSuite accounts.
Python
11
star
75

Joomla-1.6-1.7-2.5-Privilege-Escalation-Vulnerability

A Python script to create an administrator account on Joomla! 1.6/1.7/2.5 using a privilege escalation vulnerability
Python
10
star
76

factorizator

A script to factorize integers with sagemath and factordb.
Python
10
star
77

hexcat

A tool to show only printable characters of a file
C
10
star
78

DescribeSDDL

A python tool to parse and describe the SDDL string.
Python
10
star
79

mercurial-scm-extract

A tool to extract and dump files of mercurial SCM exposed on a web server.
Python
9
star
80

FindAzureDomainTenant

A Python script to find tenant id an region from a list of domain names.
Python
9
star
81

SortWindowsISOs

Extract the windows major and minor build numbers from an ISO file, and automatically sort the iso files.
Python
9
star
82

pwndocapi

A python library to interact with Pwndoc instances for pentest reports generation
Python
9
star
83

WindowsBuilds

This repository contains the list of windows builds as parsable JSON files.
8
star
84

python_packages_paths

This repository contains paths to python modules from inside python modules.
8
star
85

UsersWithPwdLastSetOlderThan

Extract all users from an Active Directory domain with password last set older than X days to an Excel worksheet.
Python
8
star
86

linux-kernels

List of linux kernel versions and download links in JSON
Python
7
star
87

CVE-2021-31800-Impacket-SMB-Server-Arbitrary-file-read-write

A path traversal in smbserver.py allows an attacker to read/write arbitrary files on the server.
Python
7
star
88

streamableDownloader

A simple python script to download videos hosted on streamable from their link
Python
7
star
89

Windows-Hardening

6
star
90

win32errorcodes

A small C/C++ library to lookup Windows error codes.
C
6
star
91

SweetRice-webshell-plugin

A webshell plugin and interactive shell for pentesting a SweetRice website.
PHP
6
star
92

CrackedNTDStoXLSX

A python tool to generate an Excel file linking the list of cracked accounts and their LDAP attributes.
Python
6
star
93

SymfonyDumpSource

A python script to automatically dump files and source code of a Symfony server in debug mode.
Python
6
star
94

what-if

Python
5
star
95

lib-parseargs

A simple library to parse command line arguments in C++.
C++
5
star
96

CVE-2020-8813-Cacti-RCE-in-graph_realtime

CVE-2020-8813 - RCE through graph_realtime.php in Cacti 1.2.8
Python
5
star
97

pdsimage-downloader

A python script to filter by filename and download PDS images.
Python
4
star
98

stackdumper

A python tool to autmatically dump the stack content with a format string vulnerability in CTF.
Python
4
star
99

SortPEbyVersions

A Python script to sort Portable Executable (PE) files by their version and download debug symbols if existing.
Python
3
star
100

CpuCoresTemperatureGraph

A python tool to print CPU core temperatures for each cores.
Python
3
star