SMB Share enumeration, write testing

We had this classic incident at work where a virus made its way onto a machine, and proceeded to copy itself onto all writable SMB shares it could find. Luckily, the original infection was on a host that wasn't in the domain, so it could only write to shares that had guest access enabled. Unfortunately, there were enough of these shares to make it a problem.

This infection technique is quite old, but is sadly still very effective. I worked through some short-term solutions to get us out of the mess we had found ourselves in, but also started thinking more long-term.

The short-term solution, at least initially, was to find and disable all shares that had guest write enabled, and optionally disable shares that didn't have guest enabled but allowed control by everyone. I'm no Windows guy, but our Windows admins didn't know of and could not find a way to do this audit using standard Windows tools.

So I got creative. I fired up an nmap scan looking for open 139/445 on our entire /16, and then parsed out the hosts that were listening. For each listening host, I did an `smbclient -NL $host`, and then for each of those shares, I attempted to write test.txt to those hosts.

This worked to some extent, but it was riddled with problems: not least, it was horrendously slow, and it was also a giant hack. So, my perfectionist mind decided to see if there was a better way.

I took a look at the Filesys::SmbClient perl module, which actually worked quite well. The showstopper was the fact that Kerberos support does not appear to work, which was a requirement for us, as we use AD.

Many hours of shell and perl scripting out the window, I regrouped. I took a look at how Filesys::SmbClient was put together, and found that it simply used the libsmbclient library, so I started down the long road of dusting off my C skills and started to write my tool in C.

The result is smb-share-enum, and it will find all writable shares on your network, use Kerberos, do guest authentication, and even act as a simple share enumerator too.

Guest:

smb://TUVALU/D$ is writable
smb://TUVALU/C$ is writable
smb://TUVALU/WAREZ is writable
smb://CONGO/tmp is writable

With Kerberos:

smb://USER1/C$ is writable
smb://USER2/ADMIN$ is writable
smb://USER2-GX620/C$ is writable
smb://USER2-GX620/ADMIN$ is writable
smb://GUEST/C$ is writable
smb://GUEST/ADMIN$ is writable
smb://GUEST/Documents is writable

El-cheapo SMB browser:

Workgroup SPOOFED.ORG
	Server TUVALU
		Share smb://TUVALU/IPC$
		Share smb://TUVALU/D$
		Share smb://TUVALU/C$
		Share smb://TUVALU/WAREZ
		Share smb://TUVALU/../../../../tmp/blah
		Share smb://TUVALU/print$
	Server CONGO
		Share smb://CONGO/tmp
		Share smb://CONGO/mp3
		Share smb://CONGO/CD
		Share smb://CONGO/IPC$
Workgroup MSHOME
	Server WINXP
		Share smb://WINXP/Jon's Camera
		Share smb://WINXP/ADMIN$
		Share smb://WINXP/F$
		Share smb://WINXP/2006
		Share smb://WINXP/HPDeskJet
		Share smb://WINXP/print$
		Share smb://WINXP/SharedDocs
		Share smb://WINXP/IPC$
		Share smb://WINXP/E$

The code needs a number of improvements, but it has served its purpose.

Enjoy.

About

Jon Hart