UJP - Technical Information 1


Trying out SMBMap

SMBMap


Revision history


  • 2021.02.06

Introduction

 This document installs and tries out SMBMap, a tool for listing and accessing the SMB shares reachable on a network.
 The environment used is macOS Mojave.

Obtaining it

 The official site is the following GitHub repository.
ShawnDEvans/smbmap
https://github.com/ShawnDEvans/smbmap

 Create a working directory.

[macmini2014:ujpadmin 17:36:25 ~ ]
$ mkdir SMBMap
[macmini2014:ujpadmin 17:36:33 ~ ]
$ cd SMBMap/
[macmini2014:ujpadmin 17:36:37 ~/SMBMap ]
$

 Obtain it with the git command. (The git:// protocol used here is unencrypted and unauthenticated, so nothing verifies that the code received is what the repository serves, and GitHub has since stopped serving git:// altogether; clone over https://github.com/ShawnDEvans/smbmap.git instead.)

$ git clone git://github.com/ShawnDEvans/smbmap.git
Cloning into 'smbmap'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 440 (delta 9), reused 4 (delta 1), pack-reused 421
Receiving objects: 100% (440/440), 183.84 KiB | 426.00 KiB/s, done.
Resolving deltas: 100% (228/228), done.
[macmini2014:ujpadmin 17:38:54 ~/SMBMap ]
$

 Check the files that were fetched.

$ cd smbmap
[macmini2014:ujpadmin 17:39:03 ~/SMBMap/smbmap ]
$ ls -la
total 120
drwxr-xr-x  8 ujpadmin staff   256  2  6 17:38 .
drwxr-xr-x  3 ujpadmin staff    96  2  6 17:38 ..
drwxr-xr-x 12 ujpadmin staff   384  2  6 17:38 .git
-rw-r--r--  1 ujpadmin staff 35121  2  6 17:38 LICENSE
-rw-r--r--  1 ujpadmin staff 13065  2  6 17:38 README.md
drwxr-xr-x  3 ujpadmin staff    96  2  6 17:38 psutils
-rw-r--r--  1 ujpadmin staff   108  2  6 17:38 requirements.txt
-rwxr-xr-x  1 ujpadmin staff 65118  2  6 17:38 smbmap.py
[macmini2014:ujpadmin 17:39:06 ~/SMBMap/smbmap ]
$

Install the required packages using requirements.txt. Doing this inside a virtual environment (python3 -m venv) keeps the tool's dependencies out of the system Python. Note in the output below that impacket is fetched as an archive straight from GitHub rather than from PyPI, with no hash verification, and that the install also pulls in pycrypto 2.6.1, a package that has been unmaintained for years.

$ python3 -m pip install -r requirements.txt
Collecting https://github.com/CoreSecurity/impacket/archive/impacket_0_9_21.zip (from -r requirements.txt (line 1))
  Downloading https://github.com/CoreSecurity/impacket/archive/impacket_0_9_21.zip
     | 1.5 MB 2.4 MB/s
Collecting pyasn1
  Downloading pyasn1-0.4.8-py2.py3-none-any.whl (77 kB)
     |████████████████████████████████| 77 kB 2.3 MB/s
Collecting flask>=1.0
  Downloading Flask-1.1.2-py2.py3-none-any.whl (94 kB)
     |████████████████████████████████| 94 kB 4.1 MB/s
Collecting click>=5.1
  Downloading click-7.1.2-py2.py3-none-any.whl (82 kB)
     |████████████████████████████████| 82 kB 1.9 MB/s
Collecting itsdangerous>=0.24
  Downloading itsdangerous-1.1.0-py2.py3-none-any.whl (16 kB)
Collecting Jinja2>=2.10.1
  Downloading Jinja2-2.11.3-py2.py3-none-any.whl (125 kB)
     |████████████████████████████████| 125 kB 5.3 MB/s
Collecting ldap3!=2.5.0,!=2.5.2,!=2.6,>=2.5
  Downloading ldap3-2.9-py2.py3-none-any.whl (430 kB)
     |████████████████████████████████| 430 kB 8.1 MB/s
Collecting ldapdomaindump>=0.9.0
  Downloading ldapdomaindump-0.9.3-py3-none-any.whl (18 kB)
Collecting MarkupSafe>=0.23
  Downloading MarkupSafe-1.1.1-cp39-cp39-macosx_10_9_x86_64.whl (16 kB)
Collecting pyOpenSSL>=0.13.1
  Downloading pyOpenSSL-20.0.1-py2.py3-none-any.whl (54 kB)
     |████████████████████████████████| 54 kB 5.8 MB/s
Collecting cryptography>=3.2
  Downloading cryptography-3.3.1-cp36-abi3-macosx_10_10_x86_64.whl (1.8 MB)
     |████████████████████████████████| 1.8 MB 5.3 MB/s
Collecting cffi>=1.12
  Downloading cffi-1.14.4-cp39-cp39-macosx_10_9_x86_64.whl (177 kB)
     |████████████████████████████████| 177 kB 4.7 MB/s
Collecting six
  Downloading six-1.15.0-py2.py3-none-any.whl (10 kB)
Collecting Werkzeug>=0.15
  Downloading Werkzeug-1.0.1-py2.py3-none-any.whl (298 kB)
     |████████████████████████████████| 298 kB 5.5 MB/s
Collecting configparser
  Downloading configparser-5.0.1-py3-none-any.whl (22 kB)
Collecting pycrypto
  Downloading pycrypto-2.6.1.tar.gz (446 kB)
     |████████████████████████████████| 446 kB 4.5 MB/s
Collecting termcolor
  Downloading termcolor-1.1.0.tar.gz (3.9 kB)
Collecting dnspython
  Downloading dnspython-2.1.0-py3-none-any.whl (241 kB)
     |████████████████████████████████| 241 kB 4.1 MB/s
Collecting future
  Downloading future-0.18.2.tar.gz (829 kB)
     |████████████████████████████████| 829 kB 3.8 MB/s
Collecting pycparser
  Downloading pycparser-2.20-py2.py3-none-any.whl (112 kB)
     |████████████████████████████████| 112 kB 3.4 MB/s
Collecting pycryptodomex
  Downloading pycryptodomex-3.9.9.tar.gz (15.5 MB)
     |████████████████████████████████| 15.5 MB 706 kB/s
Building wheels for collected packages: impacket, pycrypto, termcolor, future, pycryptodomex
  Building wheel for impacket (setup.py) ... done
  Created wheel for impacket: filename=impacket-0.9.21-py3-none-any.whl size=1271345 sha256=eeef8549d5f5f50d7b285a0d9779ffbcfc2cf2c5f3f593ee748dcb5f89479e54
  Stored in directory: /private/var/folders/cf/cvnxx48j19v2vgc556zs4qgh0000gq/T/pip-ephem-wheel-cache-gw6nhq7f/wheels/13/2f/e2/79e50bd5a904670df2a47aef02fc9d31d280593c0adcdb2b19
  Building wheel for pycrypto (setup.py) ... done
  Created wheel for pycrypto: filename=pycrypto-2.6.1-cp39-cp39-macosx_10_14_x86_64.whl size=488363 sha256=aeac1168e08e3427579a49bbe1337193b02129288fc4252e0b8ad5b509e04c0f
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/9d/29/32/8b8f22481bec8b0fbe7087927336ec167faff2ed9db849448f
  Building wheel for termcolor (setup.py) ... done
  Created wheel for termcolor: filename=termcolor-1.1.0-py3-none-any.whl size=4829 sha256=024ea56ff51726c2448153f5b9a5ccc386a90980e220dfa53665949aee68382e
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/b6/0d/90/0d1bbd99855f99cb2f6c2e5ff96f8023fad8ec367695f7d72d
  Building wheel for future (setup.py) ... done
  Created wheel for future: filename=future-0.18.2-py3-none-any.whl size=491059 sha256=1d9ddde1e79fa4c7e4c26d3eb4cd08d55ad0e6969d9e9dd71c50aad4e4be1534
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/2f/a0/d3/4030d9f80e6b3be787f19fc911b8e7aa462986a40ab1e4bb94
  Building wheel for pycryptodomex (setup.py) ... done
  Created wheel for pycryptodomex: filename=pycryptodomex-3.9.9-cp39-cp39-macosx_10_14_x86_64.whl size=13329046 sha256=2748e86881e400dd99b5714e8f09de6bad323052b7afd4ca9aa33038b6a8da4a
  Stored in directory: /Users/ujpadmin/Library/Caches/pip/wheels/5c/32/e1/57bb63b8af45375248987d6d84fb5d1fc0922929a8661697f9
Successfully built impacket pycrypto termcolor future pycryptodomex
Installing collected packages: pycparser, six, pyasn1, MarkupSafe, cffi, Werkzeug, ldap3, Jinja2, itsdangerous, future, dnspython, cryptography, click, pyOpenSSL, pycryptodomex, ldapdomaindump, flask, termcolor, pycrypto, impacket, configparser
Successfully installed Jinja2-2.11.3 MarkupSafe-1.1.1 Werkzeug-1.0.1 cffi-1.14.4 click-7.1.2 configparser-5.0.1 cryptography-3.3.1 dnspython-2.1.0 flask-1.1.2 future-0.18.2 impacket-0.9.21 itsdangerous-1.1.0 ldap3-2.9 ldapdomaindump-0.9.3 pyOpenSSL-20.0.1 pyasn1-0.4.8 pycparser-2.20 pycrypto-2.6.1 pycryptodomex-3.9.9 six-1.15.0 termcolor-1.1.0
WARNING: You are using pip version 20.3.3; however, version 21.0.1 is available.
You should consider upgrading via the '/usr/local/opt/python@3.9/bin/python3.9 -m pip install --upgrade pip' command.
[macmini2014:ujpadmin 17:40:20 ~/SMBMap/smbmap ]
$
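The install above resolved impacket from a GitHub archive URL and everything else from whatever versions pip found that day, with no hash checking. As an added example (not from this post or the smbmap project), the following Python audits a requirements file for the cases a supply-chain review cares about: direct URLs, unpinned or range-constrained names, and exact pins with or without a --hash, and reports whether pip's hash-checking mode (pip install --require-hashes) would accept the file. The sample file is constructed for the example; only the impacket line is taken from the page, and the hash on the last line is a placeholder, not a real digest.

```python
from __future__ import annotations

import re
from typing import List, Tuple

# Constructed sample requirements file. Line 2 is the only one the page
# shows (pip resolved it from a GitHub archive URL); the other lines are
# assumptions added to cover each case the audit distinguishes. The hash
# on the last line is a placeholder value, not a real digest.
SAMPLE_REQUIREMENTS = """\
# pinned to an upstream archive, but nothing checks what that archive contains
https://github.com/CoreSecurity/impacket/archive/impacket_0_9_21.zip
pyasn1
pycrypto>=2.6
pyOpenSSL==20.0.1 --hash=sha256:""" + "0" * 64 + "\n"

# name==version, where version contains no wildcard ("pkg==1.*" is not a pin)
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._\-\[\],]*==[^=*;\s]+$")


def classify(req: str) -> str:
    """Classify one requirement line by how tightly it constrains what pip installs."""
    has_hash = "--hash=" in req
    if "://" in req or req.startswith("git+"):
        return "url-hashed" if has_hash else "url-unverified"
    # first token, before any whitespace-separated option or ';' environment marker
    spec = re.split(r"[\s;]", req, 1)[0]
    if PIN_RE.match(spec):
        return "pinned-hashed" if has_hash else "pinned-unhashed"
    return "unpinned"


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (requirement, category) for every non-comment, non-option line."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or a pip option such as -r / -e / --index-url
        findings.append((line, classify(line)))
    return findings


def hash_mode_ready(findings: List[Tuple[str, str]]) -> bool:
    """True only if every requirement carries a hash, i.e. a
    `pip install --require-hashes -r requirements.txt` would succeed."""
    return all(cat in ("url-hashed", "pinned-hashed") for _, cat in findings)


if __name__ == "__main__":
    result = audit(SAMPLE_REQUIREMENTS)
    for req, cat in result:
        print(f"{cat:16} {req}")
    print("hash-checking mode would succeed:", hash_mode_ready(result))
```

In hash-checking mode pip refuses to install anything that lacks a matching hash, which is what turns a requirements file into an integrity check rather than a wish list; `pip hash` on a downloaded wheel, or pip-tools with --generate-hashes, produces the values.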
 
pip is reported as being out of date.

Upgrading pip


 Clear the warning. (The exact command depends on the environment of whoever is running this.)

$ /usr/local/opt/python@3.9/bin/python3.9 -m pip install --upgrade pip
Requirement already satisfied: pip in /usr/local/lib/python3.9/site-packages (20.3.3)
Collecting pip
  Downloading pip-21.0.1-py3-none-any.whl (1.5 MB)
     |████████████████████████████████| 1.5 MB 6.4 MB/s
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 20.3.3
    Uninstalling pip-20.3.3:
      Successfully uninstalled pip-20.3.3
Successfully installed pip-21.0.1
[macmini2014:ujpadmin 18:00:57 ~/SMBMap/smbmap ]
$

 Completed without problems.

Checking SMBMap's help


[macmini2014:ujpadmin 18:04:37 ~/SMBMap/smbmap ]
$ python3 smbmap.py
usage: smbmap.py [-h] (-H HOST | --host-file FILE) [-u USERNAME] [-p PASSWORD | --prompt] [-s SHARE] [-d DOMAIN] [-P PORT] [-v]
                 [--admin] [--no-banner] [--no-color] [--no-update] [-x COMMAND] [--mode CMDMODE] [-L | -R [PATH] | -r [PATH]]
                 [-A PATTERN | -g FILE | --csv FILE] [--dir-only] [--no-write-check] [-q] [--depth DEPTH]
                 [--exclude SHARE [SHARE ...]] [-F PATTERN] [--search-path PATH] [--search-timeout TIMEOUT] [--download PATH]
                 [--upload SRC DST] [--delete PATH TO FILE] [--skip]

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

optional arguments:
  -h, --help            show this help message and exit

Main arguments:
  -H HOST               IP of host
  --host-file FILE      File containing a list of hosts
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password or NTLM hash
  --prompt              Prompt for a password
  -s SHARE              Specify a share (default C$), ex 'C$'
  -d DOMAIN             Domain name (default WORKGROUP)
  -P PORT               SMB port (default 445)
  -v                    Return the OS version of the remote host
  --admin               Just report if the user is an admin
  --no-banner           Removes the banner from the top of the output
  --no-color            Removes the color from output
  --no-update           Removes the "Working on it" message

Command Execution:
  Options for executing commands on the specified host

  -x COMMAND            Execute a command ex. 'ipconfig /all'
  --mode CMDMODE        Set the execution method, wmi or psexec, default wmi

Shard drive Search:
  Options for searching/enumerating the share of the specified host(s)

  -L                    List all drives on the specified host, requires ADMIN rights.
  -R [PATH]             Recursively list dirs, and files (no share\path lists ALL shares), ex. 'C$\Finance'
  -r [PATH]             List contents of directory, default is to list root of all shares, ex. -r 'C$\Documents and
                        Settings\Administrator\Documents'
  -A PATTERN            Define a file name pattern (regex) that auto downloads a file on a match (requires -R or -r), not case
                        sensitive, ex '(web|global).(asax|config)'
  -g FILE               Output to a file in a grep friendly format, used with -r or -R (otherwise it outputs nothing), ex -g
                        grep_out.txt
  --csv FILE            Output to a CSV file, used with -r or -R outputs file listings, ex --csv shares.csv
  --dir-only            List only directories, ommit files.
  --no-write-check      Skip check to see if drive grants WRITE access.
  -q                    Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing
                        a search (-A).
  --depth DEPTH         Traverse a directory tree to a specific depth. Default is 5.
  --exclude SHARE [SHARE ...]
                        Exclude share(s) from searching and listing, ex. --exclude ADMIN$ C$'

File Content Search:
  Options for searching the content of files (must run as root), kind of experimental

  -F PATTERN            File content search, -F '[Pp]assword' (requires admin access to execute commands, and PowerShell on victim
                        host)
  --search-path PATH    Specify drive/path to search (used with -F, default C:\Users), ex 'D:\HR\'
  --search-timeout TIMEOUT
                        Specifcy a timeout (in seconds) before the file search job gets killed. Default is 300 seconds.

Filesystem interaction:
  Options for interacting with the specified host's filesystem

  --download PATH       Download a file from the remote system, ex.'C$\temp\passwords.txt'
  --upload SRC DST      Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'
  --delete PATH TO FILE
                        Delete a remote file, ex. 'C$\temp\msf.exe'
  --skip                Skip delete file confirmation prompt

Examples:

$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -Hh 10.1.3.30 -x 'net group "Domain Admins" /domain'
[macmini2014:ujpadmin 18:04:50 ~/SMBMap/smbmap ]
$

Trying it out

 Run the command. The target is a Windows 10 Professional machine with file sharing turned on. Passing the password with -p as done here leaves it in the shell history and in the process list that other users on the Mac can read; --prompt avoids that. (As the help text shows, -p also accepts an NTLM hash in place of the password.)

$ python3 smbmap.py -u ujpadmin -p adminpassword -d workgroup -H 192.168.20.150

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap


[+] IP: 192.168.20.150:445    Name: 192.168.20.150          Status: Authenticated
        Disk                                                      Permissions    Comment
    ----                                                      -----------    -------
    ADMIN$                                                NO ACCESS    Remote Admin
    C$                                                    NO ACCESS    Default share
    IPC$                                                  READ ONLY    Remote IPC
    Users                                                 READ ONLY
[macmini2014:ujpadmin 18:16:34 ~/SMBMap/smbmap ]
$

 This confirms that the Users share is exposed, with read access. IPC$ showing READ ONLY is normal for any authenticated session. ADMIN$ and C$ showing NO ACCESS means this session has no administrative rights on the host; if ujpadmin is in the local Administrators group, that is expected on Windows 10, because UAC remote restrictions give non-built-in local accounts a filtered, non-admin token over the network unless LocalAccountTokenFilterPolicy is set to 1 (the built-in Administrator account is exempt). The --admin option answers that same question directly.
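As an added example (not part of the original post or of the smbmap project), here is a small Python parser for share tables like the one above, turning each line into a record and picking out the readable and writable shares and whether the administrative shares were reachable. The sample text is the page's own output plus one constructed "READ, WRITE" line to exercise the writable case; the permission strings it recognises (NO ACCESS, READ ONLY, WRITE ONLY, READ, WRITE) are assumed to be the complete set that smbmap prints.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the listing from the run above, plus one extra
# "READ, WRITE" share line added here to exercise the writable case.
SAMPLE_OUTPUT = """\
[+] IP: 192.168.20.150:445    Name: 192.168.20.150          Status: Authenticated
        Disk                                                      Permissions    Comment
    ----                                                      -----------    -------
    ADMIN$                                                NO ACCESS    Remote Admin
    C$                                                    NO ACCESS    Default share
    IPC$                                                  READ ONLY    Remote IPC
    Users                                                 READ ONLY
    Drop                                                  READ, WRITE    Scanner drop folder
"""

# Permission strings smbmap prints (assumption: this is the complete set).
PERMS = ("NO ACCESS", "READ ONLY", "WRITE ONLY", "READ, WRITE")

HOST_RE = re.compile(
    r"^\[\+\] IP: (?P<ip>[\d.]+):(?P<port>\d+)\s+Name: (?P<name>\S+)\s+Status: (?P<status>.+?)\s*$"
)
# Columns are separated by runs of at least two spaces, so a share name
# containing a single space still parses as one field.
SHARE_RE = re.compile(
    r"^\s+(?P<share>\S.*?)\s{2,}(?P<perm>" + "|".join(re.escape(p) for p in PERMS) + r")"
    r"(?:\s{2,}(?P<comment>.*?))?\s*$"
)


@dataclass
class Share:
    host: str
    name: str
    perm: str
    comment: Optional[str]

    @property
    def readable(self) -> bool:
        return self.perm in ("READ ONLY", "READ, WRITE")

    @property
    def writable(self) -> bool:
        return self.perm in ("WRITE ONLY", "READ, WRITE")


def parse_smbmap(text: str) -> List[Share]:
    """Parse smbmap share table(s) into Share records. Each "[+] IP:" line
    starts a new host context, so output for several hosts parses too."""
    shares: List[Share] = []
    host: Optional[str] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("ip")
            continue
        m = SHARE_RE.match(line)
        if m and host is not None:  # share lines before any host line are ignored
            shares.append(Share(host, m.group("share"), m.group("perm"), m.group("comment")))
    return shares


def readable_shares(shares: List[Share]) -> List[Share]:
    return [s for s in shares if s.readable]


def writable_shares(shares: List[Share]) -> List[Share]:
    return [s for s in shares if s.writable]


def has_admin_access(shares: List[Share]) -> bool:
    """Any access to ADMIN$ or C$ means the session holds administrative
    rights on that host (the question smbmap's --admin option answers)."""
    return any(s.name in ("ADMIN$", "C$") and s.perm != "NO ACCESS" for s in shares)


if __name__ == "__main__":
    found = parse_smbmap(SAMPLE_OUTPUT)
    for s in found:
        print(f"{s.host:16} {s.name:12} {s.perm:12} {s.comment or ''}")
    print("writable:", [s.name for s in writable_shares(found)])
    print("admin access:", has_admin_access(found))
```

Writable shares are the ones to triage first: a share anyone on the network can write to is a place to drop files that other users or scheduled jobs will execute, and on the defensive side it is the share whose ACL most needs fixing.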
