SMBCrunch: reconnaissance of Windows File Shares
SMBCrunch
One of the most time-consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. SMBCrunch allows a red teamer to quickly identify Windows File Shares in a network, performs a recursive directory listing of the provided shares, and can even grab a file from the remote share if it looks like a juicy target. There are three (3) different tools that work together.
- SMBHunt

  Given a file (or gnmap file), SMBHunt finds all the Windows Quick File Shares associated with the servers provided (if a gnmap file is provided, it looks at servers with port 445 open). If no credentials are supplied to perform the check, it will check for null session shares.

  Warning: If your user has access to one share on the server, the script will show all shares hosted by that server. If a share is listed in this output, it does not mean you have access to that share. Use the next tool for that. This script warns you if the credentials you supply fail, to avoid locking out domain accounts; the "-f" switch overrides this protection. This script only checks a server using one credential. This is by design, since the server will respond with a full list of shares if the user has access to only one share on the system.

  Usage
  ./SMBHunt.pl [-a <account>] -i <file> [-o <output_file>]

- SMBList

  SMBList will take the output file from "SMBHunt.pl" (or a file of shares separated by newlines, in the UNC format "\\server\share") and will perform a recursive directory listing of those shares using the credentials provided. SMBList will attempt to authenticate to each share until a valid credential is found from the list provided. It will then store the directory listings in the subfolder specified. This makes the file listing extremely easy to grep through. The best result file to use is: /ALL_COMBINED_RESULTS.txt

  Usage
  ./SMBList.pl -c <credential/file> -s <share/file> -o <nonexistent directory>

- SMBGrab

  File listings from SMBList.pl can be piped into this utility to grab the files wanted from the shares. The original listing from SMBList.pl should be grepped before passing to this script; otherwise, all files will be downloaded (which is the equivalent of copying the entire share and is bad).

  Usage
  ./SMBGrab.pl [-s <directory>]
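SMBHunt's gnmap handling above selects only servers with port 445 open. The script below is an added illustration of that selection step, not part of SMBCrunch: it parses nmap grepable (-oG) output, keeps the hosts whose 445/tcp entry is in the open state (filtered or closed ports are skipped), and emits them one address per line. The sample scan text is constructed, and the one-address-per-line input format for SMBHunt's -i file is an assumption, since the README does not state it.

```python
import ipaddress
import re

# Constructed sample of nmap grepable (-oG) output, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p 139,445 -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.0.2.12 (fs01.example.test)\tStatus: Up
Host: 192.0.2.12 (fs01.example.test)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (1)
# Nmap done -- 16 IP addresses (3 hosts up) scanned in 1.23 seconds
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
# Each entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def hosts_with_open_port(gnmap_text, port=445, proto="tcp"):
    """Return sorted, de-duplicated IPs whose Ports: record lists port/proto as open."""
    found = set()
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:  # Status lines and comment lines carry no port data
            continue
        ip, _name, ports = m.groups()
        ports = ports.split("\tIgnored State:")[0]  # drop the trailing summary
        for entry in ports.split(","):
            pm = PORT_ENTRY.match(entry.strip())
            if pm and (int(pm.group(1)), pm.group(2), pm.group(3)) == (port, "open", proto):
                found.add(ip)
    return sorted(found, key=ipaddress.ip_address)


def host_list_text(gnmap_text, port=445):
    """Render the result one address per line (assumed format of SMBHunt's plain -i file)."""
    return "".join(ip + "\n" for ip in hosts_with_open_port(gnmap_text, port))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    sys.stdout.write(host_list_text(data))
```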
Install
Requirements
- Linux
- Perl
- smbclient (should be default in Kali)
Download
git clone https://github.com/Raikia/SMBCrunch.git
Copyright (C) Raikia
Source: https://github.com/Raikia/