securitytime/smbclientmap

smbclientmap

For security testing I needed a tool to scan a network for readable and writable SMB shares.

I found that existing tools like smbmap and nmap's smb-enum-shares were not 100% reliable. On the other hand, smbclient was working correctly. So I wrote a wrapper for smbclient which automatically tests read and write permissions for a given IP address.

Authentication is done via null sessions (i.e. no username and password).

The script smbclientmap.sh does the following:

  1. The script takes one IP address as input.
  2. The script lists all available shares on that IP address via smbclient -N -g -L //ip.
  3. For each Disk share, the script attempts to run the command dir. If it works, that means we have READ ACCESS.
  4. If we have READ ACCESS, then the script will attempt to run the command mkdir on a random directory name. If it works, that means we have WRITE ACCESS.

Usage

$ bash smbclientmap.sh 192.168.0.1

Example

[tux@system ~]$ bash smbclientmap.sh
Usage: smbclientmap.sh IP

[tux@system ~]$ bash smbclientmap.sh 192.168.0.1

=> Testing //192.168.0.2
Disk|print$|Printer Drivers
tree connect failed: NT_STATUS_ACCESS_DENIED
Disk|storage|
  .                                   D        0  Fri Feb 12 10:11:20 2021
  ..                                  D        0  Sun May 17 17:28:54 2020
  test_565335                         D        0  Fri Feb 12 10:11:20 2021
  Documents                           D        0  Thu Aug 13 12:13:40 2020
  notes.txt                           A      320  Sun Jan 17 18:40:56 2021

                15023184 blocks of size 1024. 11777864 blocks available
===> READ SUCCESS for //192.168.0.2/storage
===> WRITE SUCCESS for //192.168.0.2/storage (using test directory test_835028)
IPC|IPC$|IPC Service (Samba 4.9.5-Debian)

In this example, two shares (print$ and storage) were found. The storage share had read and write permissions.

Scan multiple servers

Create a new file (ips.txt in the command below) with one IP address per line.

Now run smbclientmap as follows:

$ for ip in $(cat ips.txt); do bash smbclientmap.sh "$ip"; done | tee output.txt
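To triage a large output.txt, the following added example (not part of smbclientmap) condenses the scan output into one line per Disk share, including the test directory that the write check leaves behind so it can be cleaned up. The function names are hypothetical, and the line formats are assumed to match the example output shown above.

```bash
# Added example, not the project's code. Prints "UNC<TAB>access<TAB>detail"
# for every Disk share found in smbclientmap output read from stdin.
# Assumption: line formats are exactly those in the README example output.
summarize_scan() {
  awk -F'|' '
    function emit() {
      if (unc != "") printf "%s\t%s\t%s\n", unc, access, detail
      unc = ""
    }
    # "=> Testing //IP" starts a new host; keep the "//IP" part.
    /^=> Testing \/\// { emit(); host = substr($0, 12); next }
    # "Disk|name|comment" starts a new share; no access proven yet.
    /^Disk\|/ { emit(); unc = host "/" $2; access = "none"; detail = "-"; next }
    # Keep the NT status code as the reason the null session was refused.
    /^tree connect failed: / { if (unc != "") detail = substr($0, 22); next }
    /^===> READ SUCCESS for / { access = "read"; next }
    /^===> WRITE SUCCESS for / {
      access = "read+write"
      # Record the directory created by the mkdir test for later cleanup.
      if (match($0, /test directory [^)]+/))
        detail = substr($0, RSTART + 15, RLENGTH - 15)
      next
    }
    # IPC, Printer and other non-Disk entries end the current share.
    /^[A-Za-z]+\|/ { emit() }
    END { emit() }
  '
}

# Sample input, abridged from the example output above.
sample_output() {
  cat <<'EOF'
=> Testing //192.168.0.2
Disk|print$|Printer Drivers
tree connect failed: NT_STATUS_ACCESS_DENIED
Disk|storage|
  notes.txt                           A      320  Sun Jan 17 18:40:56 2021
===> READ SUCCESS for //192.168.0.2/storage
===> WRITE SUCCESS for //192.168.0.2/storage (using test directory test_835028)
IPC|IPC$|IPC Service (Samba 4.9.5-Debian)
EOF
}

sample_output | summarize_scan
```

For a real scan, run `summarize_scan < output.txt`. Any row marked read or read+write is a share reachable without credentials.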

SMBv1

In smbclient, SMBv1 support is turned off by default. When smbclient connects to an SMBv1 server, it displays the following error: protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED.

To turn on SMBv1 support, I added the parameter --option='client min protocol=NT1' to smbclient.

smb.conf

If the file /etc/samba/smb.conf does not exist, then smbclient will print this warning message:

Can't load /etc/samba/smb.conf - run testparm to debug it

The script creates an empty /tmp/smb.conf file to prevent this warning message.

About

A simple wrapper for smbclient for finding readable and writable SMB shares
