list SMB shares
Project description
smbls
This is a simple Impacket-based tool to check a set of credentials against many Windows hosts and get permission for SMB shares.
For the input, you give it a list of IPs/hostnames and a set of credentials, which are the domain, username, and either password or LM/NTLM hashes. The output is a JSON array of host information, including errors, SMB metadata, and information about each share, including whether the account has read access.
There are already many ways to do this. This tool was written to perform in large, heterogeneous networks where existing tools ended up being slow or unreliable in practice. It performs well in this environment because:
- It's reliable due to comprehensive error checking and simple code
- It's very fast due to parallelization
- The output is JSON
The main limitation is that it does not check whether a share is writeable or not, because the known way to do that requires attempting to write to it.
Install
pip install smbls
Alternatively, you can just drop smbls/__init__.py as smbls.py on a box with python3.9+ and Impacket installed and run that.
Usage
Create targets file:
$ printf '10.0.0.1\n10.0.0.2\n...' > targets.txt
Or for CIDR notation, consider
$ nmap -sL -n 10.0.0.0/24 | awk '/scan report for/{print $5}' > targets.txt
For a single-user scan:
$ smbls -c exampledomain/exampleuser:examplepassword targets.txt -o out.json
Or for a multi-user scan:
1. create creds file:
$ echo 'exampledomain/exampleuser:examplepassword' > creds.txt
$ echo 'localhost/exampleuser#aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' >> creds.txt
2. run scan:
$ smbls -C creds.txt targets.txt -O example_dir
Output parsing
Here are some shell-based examples.
Get list of targets with admin access:
jq -r '.[]|select(.admin)|.info.getServerDNSHostName' out.json
Get list of share names:
jq -r '.[].shares[]?|.name' out.json | sort -iu
Find hosts with given share name:
# Search for D drives
jq -r 'path(..|select(.name?==$name))[0]' out.json --arg name D
List hosts with corresponding readable shares:
jq -r '[.[] | select(.shares) | {ip: (.info.getRemoteHost), host: (.info.getServerDNSHostName), readshares: [.shares[] | select(.access != "") | {name: .name, type: .type, remark: .remark}]} | select(.readshares != [])]' out.json
# With less output
jq -r '.[] | select(.shares) | {host: (.info.getServerDNSHostName), readshares: [.shares[] | select(.access != "") | .name]} | select(.readshares != [])' out.json
# Excluding print$ and IPC$ shares:
jq -r '.[] | select(.shares) | {host: (.info.getServerDNSHostName), readshares: [.shares[] | select(.access != "" and ([.name] | inside($badsharenames) | not)) | .name]} | select(.readshares != [])' --argjson badsharenames '["print$", "IPC$"]' out.json
List hosts that failed auth:
jq -r 'path(.[]|select(.errtype == "auth"))[0]' out.json
List hosts that had a connection error (to remove them from future scans):
jq -r 'path(.[]|select(.errtype == "conn"))[0]' out.json
Get results for hosts that succeeded auth:
jq -r '.[]|select(.errtype == "")' out.json
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for smbls-1.0.2-py39.py310-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2dfba1d641cfa0ee2d681f4cd073ed1c0e04d4e3170f762b5d7c6c4b7a40b640 |
|
| MD5 | 4716288b8e073a37943d631f7e5f7b8b |
|
| BLAKE2b-256 | 862810cccaf84488cc21e09861ef3e54b538a7070f17d7d883bab53b28d59312 |
