jeffhacks/smbscan
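A security assessment tool that enumerates SMB file shares on internal networks and automatically identifies sensitive credential files.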
# SMBScan
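### Overview
SMBScan is a tool for enumerating file shares on an internal network.
Its primary goals are:
* Scan a single target or hundreds of targets
* Enumerate all accessible shares and files
* Identify files that may contain credentials or secrets
* Try to avoid detection by blue teams
### Table of Contents
1. [Getting Started](#getting-started)
2. [Running Scans](#running-scans)
3. [Scan Output](#scan-output)
4. [Analysing Output](#analysing-output)
5. [Authors](#authors)
6. [Acknowledgments](#acknowledgments)
## Getting Started
Clone or download from the git repository.
### Installation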
```
pip3 install -r requirements.txt
```
## Running Scans
Scan a single target as guest:
```
python3 src/smbscan.py 192.168.0.26
```
```
[2022-05-21 22:14:17 INFO] src/smbscan.py 192.168.0.26
[2022-05-22 20:45:36 INFO] Scanning 192.168.0.26
[2022-05-21 22:14:17 INFO] 192.168.0.26 (TESTSERVER) Connected as tester, Target OS: eWeblrdS
[2022-05-21 22:14:17 INFO] 192.168.0.26 (TESTSERVER) Scanning \\TESTSERVER\TESTER
[2022-05-21 22:14:17 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.ssh\id_rsa.pub (Sat May 21 21:12:21 2022, 563)
[2022-05-21 22:14:17 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.ssh\id_rsa (Sat May 21 21:12:21 2022, 2590)
[2022-05-21 22:14:18 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.aws\credentials (Sat May 21 21:12:23 2022, 119)
[2022-05-21 22:14:26 INFO] Scan completed
```
Scan a range of targets as a specific domain user, with a random delay of 1-3 seconds between targets and between actions on a target:
```
python3 src/smbscan.py 192.168.0.0/24 -u tester -p Monkey123 --download-files --max-depth 3 --exclude-hosts 192.168.0.18
```
```
[2022-05-21 22:14:17 INFO] src/smbscan.py 192.168.0.0/24 -u tester -p Monkey123 ---download-files --max-depth 3 --exclude-hosts 192.168.0.18
[2022-05-21 22:14:17 INFO] Scanning 192.168.0.0/24
[2022-05-21 22:14:17 WARNING] Skipping 192.168.0.18 (on exclusion list)
[2022-05-21 22:14:17 INFO] 192.168.0.26 (TESTSERVER) Connected as tester, Target OS: eWeblrdS
[2022-05-21 22:14:17 INFO] 192.168.0.26 (TESTSERVER) Scanning \\TESTSERVER\TESTER
[2022-05-21 22:14:17 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.ssh\id_rsa.pub (Sat May 21 21:12:21 2022, 563)
[2022-05-21 22:14:17 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.ssh\id_rsa (Sat May 21 21:12:21 2022, 2590)
[2022-05-21 22:14:18 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.aws\credentials (Sat May 21 21:12:23 2022, 119)
[2022-05-21 22:14:18 INFO] Scanning 192.168.0.35
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Connected as tester, Target OS: Windows 10.0 Build 19041
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Scanning \\desktop-9kolkm4\ADMIN$
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Error accessing ADMIN$
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Scanning \\desktop-9kolkm4\Backups
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Scanning \\desktop-9kolkm4\C$
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Error accessing C$
[2022-05-21 22:14:20 INFO] 192.168.0.35 (desktop-9kolkm4) Scanning \\desktop-9kolkm4\E$
[2022-05-21 22:14:20 INFO] 192.168.0.35 (desktop-9kolkm4) Error accessing E$
[2022-05-21 22:14:20 INFO] 192.168.0.35 (desktop-9kolkm4) Scanning \\desktop-9kolkm4\inetpub
[2022-05-21 22:14:24 CRITICAL] Suspicous file: \\desktop-9kolkm4\inetpub\wwwroot\web.config (Sat May 21 20:48:54 2022, 31506)
[2022-05-21 22:14:24 INFO] 192.168.0.35 (desktop-9kolkm4) Scanning \\desktop-9kolkm4\Users
[2022-05-21 22:14:26 CRITICAL] Suspicous file: \\desktop-9kolkm4\Users\tester\Documents\Passwords.kdbx (Fri May 20 21:57:30 2022, 1870)
[2022-05-21 22:14:26 INFO] Scan completed
```
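## Scan Output
SMBScan produces several files.
* Primary log file
  * One primary log file per scan - records everything output to the terminal
* CSV index files
  * A list of all accessible shares and files. One CSV file per target
* Downloaded files
  * A collection of downloaded suspicious files (if downloading is enabled). Organised in a TARGET\SHARE\DIRECTORY\FILE structure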
```
logs
│   smbscan-20220518-075257.log
│   smbscan-desktop-9kolm4-20220518-075257.csv
│   smbscan-testserver-20220518-075257.csv
│
└───TARGET
│   └───SHARE
│       └───DIRECTORY
│           │   suspicious-file
│
└───DESKTOP-9KOLKM4
│   └───inetpub
│   │   └───wwwroot
│   │       │   web.config
│   └───Users
│       └───tester
│           └───Documents
│               │   Passwords.kdbx
│
└───TESTSERVER
    └───TESTER
        └───.aws
        │   │   credentials
        └───.ssh
            │   id_rsa.pub
```
## Analysing Output
### Search downloaded files
Use grep, or use graudit (https://github.com/wireghoul/graudit) to speed up the process:
```
graudit -d secrets -x '*.csv' logs/
```
### View CSV files
```
cat logs/smbscan-desktop-9kolm4-20220518-075257.csv | sed -e 's/,,/, ,/g' | column -s, -t | less -#5 -N -S
```
```
1 tester DESKTOP-9KOLKM4 desktop-9kolkm4 192.168.0.35 Backups \MSSQL
2 tester DESKTOP-9KOLKM4 desktop-9kolkm4 192.168.0.35 Backups \MSSQL\BookingSystem.bak
3 tester DESKTOP-9KOLKM4 desktop-9kolkm4 192.168.0.35 inetpub \wwwroot
4 tester DESKTOP-9KOLKM4 desktop-9kolkm4 192.168.0.35 inetpub \wwwroot\index.cs
5 tester DESKTOP-9KOLKM4 desktop-9kolkm4 192.168.0.35 inetpub \wwwroot\Robots.txt
6 tester DESKTOP-9KOLKM4 desktop-9kolkm4 192.168.0.35 inetpub \wwwroot\web.config
```
### Search CSV files
```
grep -i -e '\.bak' *.csv
tester,DESKTOP-9KOLKM4,desktop-9kolkm4,192.168.0.35,Backups,\MSSQL\BookingSystem.bak.....
```
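The primary log file can also be summarised per share, so that exposed credential files are prioritised for clean-up. The following is an added example, not part of the SMBScan project: it parses the `CRITICAL` lines in the format shown in the log excerpts above. `parse_findings` and `by_share` are hypothetical helper names, and the sample log is constructed from those excerpts.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log excerpts shown on this page.
SAMPLE_LOG = r"""
[2022-05-21 22:14:17 INFO] Scanning 192.168.0.0/24
[2022-05-21 22:14:17 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.ssh\id_rsa.pub (Sat May 21 21:12:21 2022, 563)
[2022-05-21 22:14:17 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.ssh\id_rsa (Sat May 21 21:12:21 2022, 2590)
[2022-05-21 22:14:18 CRITICAL] Suspicous file: \\TESTSERVER\TESTER\.aws\credentials (Sat May 21 21:12:23 2022, 119)
[2022-05-21 22:14:19 INFO] 192.168.0.35 (desktop-9kolkm4) Error accessing ADMIN$
[2022-05-21 22:14:24 CRITICAL] Suspicous file: \\desktop-9kolkm4\inetpub\wwwroot\web.config (Sat May 21 20:48:54 2022, 31506)
[2022-05-21 22:14:26 CRITICAL] Suspicous file: \\desktop-9kolkm4\Users\tester\Documents\Passwords.kdbx (Fri May 20 21:57:30 2022, 1870)
"""

# "Suspic\w+" accepts the log's own spelling ("Suspicous") and a corrected one.
FINDING = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+) CRITICAL\] Suspic\w+ file: "
    r"\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)\\(?P<path>.+) "
    r"\((?P<mtime>[^,]+), (?P<size>\d+)\)$"
)

def parse_findings(log_text):
    """Return one dict per CRITICAL finding line; all other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["host"] = rec["host"].upper()  # host case varies within the log
            rec["size"] = int(rec["size"])
            findings.append(rec)
    return findings

def by_share(findings):
    """Group flagged paths under (HOST, share), most-exposed share first."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["host"], f["share"])].append(f["path"])
    return dict(sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])))

if __name__ == "__main__":
    for (host, share), paths in by_share(parse_findings(SAMPLE_LOG)).items():
        print(f"\\\\{host}\\{share}: {len(paths)} flagged file(s)")
        for p in paths:
            print(f"    {p}")
```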
## Authors
* Jeff Thomas - https://github.com/jeffhacks
* Yianna Paris - https://github.com/nekosoft
## Acknowledgments
* Wireghoul - https://github.com/wireghoul
* Justin Steven - https://github.com/justinsteven
* Impacket - https://github.com/SecureAuthCorp/impacket