SMBMap
Change history
- 2021.02.06
Introduction
This document installs and tries out SMBMap, a tool that lists the accessible SMB shares on a network and accesses them.
The environment used is macOS Mojave.
Download
The official site is below: ShawnDEvans/smbmap
https://github.com/ShawnDEvans/smbmap
Create a working directory.
[macmini2014:ujpadmin 17:36:25 ~ ]
$ mkdir SMBMap
[macmini2014:ujpadmin 17:36:33 ~ ]
$ cd SMBMap/
[macmini2014:ujpadmin 17:36:37 ~/SMBMap ]
$
Fetch it with the git command.
$ git clone https://github.com/ShawnDEvans/smbmap.git
Cloning into 'smbmap'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 440 (delta 9), reused 4 (delta 1), pack-reused 421
Receiving objects: 100% (440/440), 183.84 KiB | 426.00 KiB/s, done.
Resolving deltas: 100% (228/228), done.
[macmini2014:ujpadmin 17:38:54 ~/SMBMap ]
$
Check the files that were fetched.
$ cd smbmap
[macmini2014:ujpadmin 17:39:03 ~/SMBMap/smbmap ]
$ ls -la
total 120
drwxr-xr-x 8 ujpadmin staff 256 2 6 17:38 .
drwxr-xr-x 3 ujpadmin staff 96 2 6 17:38 ..
drwxr-xr-x 12 ujpadmin staff 384 2 6 17:38 .git
-rw-r--r-- 1 ujpadmin staff 35121 2 6 17:38 LICENSE
-rw-r--r-- 1 ujpadmin staff 13065 2 6 17:38 README.md
drwxr-xr-x 3 ujpadmin staff 96 2 6 17:38 psutils
-rw-r--r-- 1 ujpadmin staff 108 2 6 17:38 requirements.txt
-rwxr-xr-x 1 ujpadmin staff 65118 2 6 17:38 smbmap.py
[macmini2014:ujpadmin 17:39:06 ~/SMBMap/smbmap ]
$
Install the required packages using requirements.txt.
$ python3 -m pip install -r requirements.txt
Collecting https://github.com/CoreSecurity/impacket/archive/impacket_0_9_21.zip (from -r requirements.txt (line 1))
Downloading https://github.com/CoreSecurity/impacket/archive/impacket_0_9_21.zip
| 1.5 MB 2.4 MB/s
Collecting pyasn1
Downloading pyasn1-0.4.8-py2.py3-none-any.whl (77 kB)
|████████████████████████████████| 77 kB 2.3 MB/s
Collecting flask>=1.0
Downloading Flask-1.1.2-py2.py3-none-any.whl (94 kB)
|████████████████████████████████| 94 kB 4.1 MB/s
Collecting click>=5.1
Downloading click-7.1.2-py2.py3-none-any.whl (82 kB)
|████████████████████████████████| 82 kB 1.9 MB/s
Collecting itsdangerous>=0.24
Downloading itsdangerous-1.1.0-py2.py3-none-any.whl (16 kB)
Collecting Jinja2>=2.10.1
Downloading Jinja2-2.11.3-py2.py3-none-any.whl (125 kB)
|████████████████████████████████| 125 kB 5.3 MB/s
Collecting ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5
Downloading ldap3-2.9-py2.py3-none-any.whl (430 kB)
|████████████████████████████████| 430 kB 8.1 MB/s
Collecting ldapdomaindump>=0.9.0
Downloading ldapdomaindump-0.9.3-py3-none-any.whl (18 kB)
Collecting MarkupSafe>=0.23
Downloading MarkupSafe-1.1.1-cp39-cp39-macosx_10_9_x86_64.whl (16 kB)
Collecting pyOpenSSL>=0.13.1
Downloading pyOpenSSL-20.0.1-py2.py3-none-any.whl (54 kB)
|████████████████████████████████| 54 kB 5.8 MB/s
Collecting cryptography>=3.2
Downloading cryptography-3.3.1-cp36-abi3-macosx_10_10_x86_64.whl (1.8 MB)
|████████████████████████████████| 1.8 MB 5.3 MB/s
Collecting cffi>=1.12
Downloading cffi-1.14.4-cp39-cp39-macosx_10_9_x86_64.whl (177 kB)
|████████████████████████████████| 177 kB 4.7 MB/s
Collecting six
Downloading six-1.15.0-py2.py3-none-any.whl (10 kB)
Collecting Werkzeug>=0.15
Downloading Werkzeug-1.0.1-py2.py3-none-any.whl (298 kB)
|████████████████████████████████| 298 kB 5.5 MB/s
Collecting configparser
Downloading configparser-5.0.1-py3-none-any.whl (22 kB)
Collecting pycrypto
Downloading pycrypto-2.6.1.tar.gz (446 kB)
|████████████████████████████████| 446 kB 4.5 MB/s
Collecting termcolor
Downloading termcolor-1.1.0.tar.gz (3.9 kB)
Collecting dnspython
Downloading dnspython-2.1.0-py3-none-any.whl (241 kB)
|████████████████████████████████| 241 kB 4.1 MB/s
Collecting future
Downloading future-0.18.2.tar.gz (829 kB)
|████████████████████████████████| 829 kB 3.8 MB/s
Collecting pycparser
Downloading pycparser-2.20-py2.py3-none-any.whl (112 kB)
|████████████████████████████████| 112 kB 3.4 MB/s
Collecting pycryptodomex
Downloading pycryptodomex-3.9.9.tar.gz (15.5 MB)
|████████████████████████████████| 15.5 MB 706 kB/s
Building wheels for collected packages: impacket, pycrypto, termcolor, future, pycryptodomex
Building wheel for impacket (setup.py) ... done
Created wheel for impacket: filename=impacket-0.9.21-py3-none-any.whl size=1271345 sha256=eeef8549d5f5f50d7b285a0d9779ffbcfc2cf2c5f3f593ee748dcb5f89479e54
Stored in directory: /private/var/folders/cf/cvnxx48j19v2vgc556zs4qgh0000gq/T/pip-ephem-wheel-cache-gw6nhq7f/wheels/13/2f/e2/79e50bd5a904670df2a47aef02fc9d31d280593c0adcdb2b19
Building wheel for pycrypto (setup.py) ... done
Created wheel for pycrypto: filename=pycrypto-2.6.1-cp39-cp39-macosx_10_14_x86_64.whl size=488363 sha256=aeac1168e08e3427579a49bbe1337193b02129288fc4252e0b8ad5b509e04c0f
Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/9d/29/32/8b8f22481bec8b0fbe7087927336ec167faff2ed9db849448f
Building wheel for termcolor (setup.py) ... done
Created wheel for termcolor: filename=termcolor-1.1.0-py3-none-any.whl size=4829 sha256=024ea56ff51726c2448153f5b9a5ccc386a90980e220dfa53665949aee68382e
Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/b6/0d/90/0d1bbd99855f99cb2f6c2e5ff96f8023fad8ec367695f7d72d
Building wheel for future (setup.py) ... done
Created wheel for future: filename=future-0.18.2-py3-none-any.whl size=491059 sha256=1d9ddde1e79fa4c7e4c26d3eb4cd08d55ad0e6969d9e9dd71c50aad4e4be1534
Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/2f/a0/d3/4030d9f80e6b3be787f19fc911b8e7aa462986a40ab1e4bb94
Building wheel for pycryptodomex (setup.py) ... done
Created wheel for pycryptodomex: filename=pycryptodomex-3.9.9-cp39-cp39-macosx_10_14_x86_64.whl size=13329046 sha256=2748e86881e400dd99b5714e8f09de6bad323052b7afd4ca9aa33038b6a8da4a
Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/5c/32/e1/57bb63b8af45375248987d6d84fb5d1fc0922929a8661697f9
Successfully built impacket pycrypto termcolor future pycryptodomex
Installing collected packages: pycparser, six, pyasn1, MarkupSafe, cffi,
Werkzeug, ldap3, Jinja2, itsdangerous, future, dnspython, cryptography,
click, pyOpenSSL, pycryptodomex, ldapdomaindump, flask, termcolor,
pycrypto, impacket, configparser
Successfully installed Jinja2-2.11.3 MarkupSafe-1.1.1 Werkzeug-1.0.1
cffi-1.14.4 click-7.1.2 configparser-5.0.1 cryptography-3.3.1
dnspython-2.1.0 flask-1.1.2 future-0.18.2 impacket-0.9.21
itsdangerous-1.1.0 ldap3-2.9 ldapdomaindump-0.9.3 pyOpenSSL-20.0.1
pyasn1-0.4.8 pycparser-2.20 pycrypto-2.6.1 pycryptodomex-3.9.9
six-1.15.0 termcolor-1.1.0
WARNING: You are using pip version 20.3.3; however, version 21.0.1 is available.
You should consider upgrading via the '/usr/local/opt/python@3.9/bin/python3.9 -m pip install --upgrade pip' command.
[macmini2014:ujpadmin 17:40:20 ~/SMBMap/smbmap ]
$
It reports that pip is out of date.
Upgrading pip
Clear the warning. (This depends on the environment of the person running it.)
$ /usr/local/opt/python@3.9/bin/python3.9 -m pip install --upgrade pip
Requirement already satisfied: pip in /usr/local/lib/python3.9/site-packages (20.3.3)
Collecting pip
Downloading pip-21.0.1-py3-none-any.whl (1.5 MB)
|████████████████████████████████| 1.5 MB 6.4 MB/s
Installing collected packages: pip
Attempting uninstall: pip
Found existing installation: pip 20.3.3
Uninstalling pip-20.3.3:
Successfully uninstalled pip-20.3.3
Successfully installed pip-21.0.1
[macmini2014:ujpadmin 18:00:57 ~/SMBMap/smbmap ]
$
Completed without problems.
Checking SMBMap's help
[macmini2014:ujpadmin 18:04:37 ~/SMBMap/smbmap ]
$ python3 smbmap.py
usage: smbmap.py [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN] [-P PORT] [-v]
                 [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE] [-L | -R [PATH] | -r [PATH]]
                 [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH]
                 [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH]
                 [--search-timeout TIMEOUT] [--download PATH]
                 [--upload SRC DST] [--delete PATH TO FILE] [--skip]
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
optional arguments:
  -h, --help            show this help message and exit
Main arguments:
  -H HOST               IP of host
  --host-file FILE      File containing a list of hosts
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password or NTLM hash
  --prompt              Prompt for a password
  -s SHARE              Specify a share (default C$), ex 'C$'
  -d DOMAIN             Domain name (default WORKGROUP)
  -P PORT               SMB port (default 445)
  -v                    Return the OS version of the remote host
  --admin               Just report if the user is an admin
  --no-banner           Removes the banner from the top of the output
  --no-color            Removes the color from output
  --no-update           Removes the "Working on it" message
Command Execution:
  Options for executing commands on the specified host
  -x COMMAND            Execute a command ex. 'ipconfig /all'
  --mode CMDMODE        Set the execution method, wmi or psexec, default wmi
Shard drive Search:
  Options for searching/enumerating the share of the specified host(s)
  -L                    List all drives on the specified host, requires ADMIN rights.
  -R [PATH]             Recursively list dirs, and files (no share\path lists ALL shares), ex. 'C$\Finance'
  -r [PATH]             List contents of directory, default is to list root of all shares, ex. -r 'C$\Documents and Settings\Administrator\Documents'
  -A PATTERN            Define a file name pattern (regex) that auto downloads a file on a match (requires -R or -r), not case sensitive, ex '(web|global).(asax|config)'
  -g FILE               Output to a file in a grep friendly format, used with -r or -R (otherwise it outputs nothing), ex -g grep_out.txt
  --csv FILE            Output to a CSV file, used with -r or -R outputs file listings, ex --csv shares.csv
  --dir-only            List only directories, ommit files.
  --no-write-check      Skip check to see if drive grants WRITE access.
  -q                    Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search (-A).
  --depth DEPTH         Traverse a directory tree to a specific depth. Default is 5.
  --exclude SHARE [SHARE ...]
                        Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$'
File Content Search:
  Options for searching the content of files (must run as root), kind of experimental
  -F PATTERN            File content search, -F '[Pp]assword' (requires admin access to execute commands, and PowerShell on victim host)
  --search-path PATH    Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'
  --search-timeout TIMEOUT
                        Specifcy a timeout (in seconds) before the file search job gets killed. Default is 300 seconds.
Filesystem interaction:
  Options for interacting with the specified host's filesystem
  --download PATH       Download a file from the remote system, ex.'C$\temp\passwords.txt'
  --upload SRC DST      Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'
  --delete PATH TO FILE
                        Delete a remote file, ex. 'C$\temp\msf.exe'
  --skip                Skip delete file confirmation prompt
Examples:
$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -Hh 10.1.3.30 -x 'net group "Domain Admins" /domain'
[macmini2014:ujpadmin 18:04:50 ~/SMBMap/smbmap ]
$
Trying it out
Run the command. The target is a Windows 10 Professional machine with file sharing turned on.
$ python3 smbmap.py -u ujpadmin -p adminpassword -d workgroup -H 192.168.20.150
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[+] IP: 192.168.20.150:445    Name: 192.168.20.150    Status: Authenticated
    Disk        Permissions    Comment
    ----        -----------    -------
    ADMIN$      NO ACCESS      Remote Admin
    C$          NO ACCESS      Default share
    IPC$        READ ONLY      Remote IPC
    Users       READ ONLY
[macmini2014:ujpadmin 18:16:34 ~/SMBMap/smbmap ]
$
This confirmed that Users is being shared.
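For auditing more than one host, the share table printed above can be parsed so that only the shares the tested account can actually reach are reported. The following is an added example, not part of SMBMap or of the original page; the function names, the second host in the sample, and the "READ, WRITE" and "WRITE ONLY" permission strings are assumptions (the run above shows only NO ACCESS and READ ONLY).

```python
import re

# Constructed sample in the layout of the run shown above; the second host and
# its "READ, WRITE" row are invented for illustration.
SAMPLE = """\
[+] IP: 192.168.20.150:445    Name: 192.168.20.150    Status: Authenticated
    Disk        Permissions    Comment
    ----        -----------    -------
    ADMIN$      NO ACCESS      Remote Admin
    C$          NO ACCESS      Default share
    IPC$        READ ONLY      Remote IPC
    Users       READ ONLY
[+] IP: 192.168.20.151:445    Name: 192.168.20.151    Status: Authenticated
    Disk        Permissions    Comment
    ----        -----------    -------
    Scan Inbox  READ, WRITE    copier drop folder
"""

HOST_RE = re.compile(r"^\[\+\] IP:\s*(?P<ip>[0-9.]+):(?P<port>\d+)")
# Share names may contain spaces, so anchor on the permission token, not on whitespace.
ROW_RE = re.compile(
    r"^\s+(?P<share>\S.*?)\s+(?P<perm>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)"
    r"(?:\s+(?P<comment>\S.*))?$"
)
BUILTIN = {"ADMIN$", "C$", "IPC$"}  # administrative shares of a default Windows install

def parse_shares(text):
    """Return one dict per share row: host, share, perm, comment."""
    rows, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("ip")
            continue
        m = ROW_RE.match(line)
        if m and host:
            rows.append({"host": host, "share": m.group("share"),
                         "perm": m.group("perm"),
                         "comment": (m.group("comment") or "").strip()})
    return rows

def exposed(rows):
    """Reachable shares other than the built-in ones, writable shares first."""
    hits = [r for r in rows if r["perm"] != "NO ACCESS" and r["share"] not in BUILTIN]
    return sorted(hits, key=lambda r: ("WRITE" not in r["perm"], r["host"], r["share"]))

if __name__ == "__main__":
    for r in exposed(parse_shares(SAMPLE)):
        print(f'{r["host"]}\t{r["share"]}\t{r["perm"]}\t{r["comment"]}')
```

When feeding it real output, run SMBMap with --no-banner and --no-color (both listed in the help above) so there is no banner or colour code in the text to parse.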