We had this classic incident at work where a virus made its way onto a machine, and proceeded to copy itself onto all writable SMB shares it could find. Luckily, the original infection was on a host that wasn't in the domain, so it could only write to shares that had guest access enabled. Unfortunately, there were enough of these shares to make it a problem.
This infection technique is quite old, but is sadly still very effective. I worked through some short-term solutions to get us out of the mess we had found ourselves in, but also started thinking more long-term.
The short-term solution, at least initially, was to find and disable all shares that had guest write enabled, and optionally disable shares that didn't have guest enabled but allowed control by everyone. I'm no Windows guy, but our Windows admins didn't know of and could not find a way to do this audit using standard Windows tools.
So I got creative. I fired up an nmap scan looking for open 139/445 on our entire /16, and then parsed out the hosts that were listening. For each listening host, I did an `smbclient -NL $host`, and then for each of those shares, I attempted to write test.txt to those hosts.
This worked to some extent, but was riddled with problems, not the least of which was that it was horrendously slow. It was also a giant hack. So, my perfectionist mind decided to see if there was a better way.
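The nmap and smbclient loop described above, sketched as an added example (not the author's original scripts and not the smb-share-enum source). It assumes Samba's smbclient with its `-g` grepable listing and its "putting file" success message; the function names and sample data are constructed for illustration, and it covers guest access only.

```sh
#!/bin/sh
# Added example: guest-write audit with nmap and smbclient (not smb-share-enum).

# Hosts with 139/tcp or 445/tcp open, from `nmap -oG -` output on stdin.
smb_hosts() {
    awk '$1 == "Host:" && $0 ~ "[ \t](139|445)/open/tcp" { print $2 }' | sort -u
}

# Disk share names from `smbclient -g -N -L host` output on stdin.
# -g prints Type|Name|Comment, so names containing spaces stay intact.
disk_shares() {
    awk -F'|' '$1 == "Disk" { print $2 }'
}

# Assumption: smbclient prints "putting file ..." only after a successful put;
# failed connects and denied writes print an NT_STATUS_* error instead.
put_succeeded() {
    case "$1" in
        *"putting file"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit CIDR: print every share that accepts an unauthenticated write.
audit() {
    probe=$(mktemp) || return 1
    nmap -n -p139,445 --open -oG - "$1" | smb_hosts | while IFS= read -r host; do
        smbclient -g -N -L "$host" </dev/null 2>/dev/null | disk_shares |
        while IFS= read -r share; do
            out=$(smbclient -N "//$host/$share" \
                  -c "put $probe test.txt; rm test.txt" </dev/null 2>&1)
            if put_succeeded "$out"; then
                echo "smb://$host/$share is writable"
            fi
        done
    done
    rm -f "$probe"
}

# Constructed sample inputs (not captured from a real network).
SAMPLE_NMAP=$(printf '%s\t%s\n' \
    'Host: 10.0.0.5 (tuvalu)' 'Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///' \
    'Host: 10.0.0.7 ()' 'Ports: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///' \
    'Host: 10.0.0.9 (congo)' 'Ports: 445/open/tcp//microsoft-ds///')
SAMPLE_SHARES="Disk|WAREZ|
Disk|Jon's Camera|photos
IPC|IPC\$|IPC Service
Printer|HPDeskJet|"
```

Run `audit` with the network range to check; the two sample variables let the parsers be exercised without touching the network.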
I took a look at the Filesys::SmbClient Perl module, which actually worked quite well. The showstopper was the fact that Kerberos support does not appear to work, which was a requirement for us, as we use AD.
Many hours of shell and Perl scripting out the window, I regrouped. I took a look at how Filesys::SmbClient was put together, and found that it simply used the libsmbclient library, so I started down the long road of dusting off my C skills and started to write my tool in C.
The result is smb-share-enum, and it will find all writable shares on your network, use Kerberos, do guest authentication, and even act as a simple share enumerator too.
Guest:
```
smb://TUVALU/D$ is writable
smb://TUVALU/C$ is writable
smb://TUVALU/WAREZ is writable
smb://CONGO/tmp is writable
```
With Kerberos:
```
smb://USER1/C$ is writable
smb://USER2/ADMIN$ is writable
smb://USER2-GX620/C$ is writable
smb://USER2-GX620/ADMIN$ is writable
smb://GUEST/C$ is writable
smb://GUEST/ADMIN$ is writable
smb://GUEST/Documents is writable
```
El-cheapo SMB browser:
```
Workgroup SPOOFED.ORG
    Server TUVALU
        Share smb://TUVALU/IPC$
        Share smb://TUVALU/D$
        Share smb://TUVALU/C$
        Share smb://TUVALU/WAREZ
        Share smb://TUVALU/../../../../tmp/blah
        Share smb://TUVALU/print$
    Server CONGO
        Share smb://CONGO/tmp
        Share smb://CONGO/mp3
        Share smb://CONGO/CD
        Share smb://CONGO/IPC$
Workgroup MSHOME
    Server WINXP
        Share smb://WINXP/Jon's Camera
        Share smb://WINXP/ADMIN$
        Share smb://WINXP/F$
        Share smb://WINXP/2006
        Share smb://WINXP/HPDeskJet
        Share smb://WINXP/print$
        Share smb://WINXP/SharedDocs
        Share smb://WINXP/IPC$
        Share smb://WINXP/E$
```
The code needs a number of improvements, but it has served its purpose.
Enjoy.