Searching SMB Shares

In the future, I want to try a dedicated tool for SMB share searching, such as SnaffCon's Snaffler.

Collect Data

NTLM

# Crawl the SMB shares on $TARGETS with NetExec's spider_plus module.
# The later snippets on this page read its per-host JSON results from
# /tmp/nxc_hosted/nxc_spider_plus/. Those listings describe internal share
# contents: on a multi-user host check that directory's permissions, and remove
# it when the assessment ends.
# NOTE(review): -p puts the password on nxc's command line, where the local
# process list can show it while the scan runs. PSWPRMPT is defined outside this
# page; presumably it prompts for the password and prints it (confirm).
# PSW="" then blanks the PSW variable (presumably set by PSWPRMPT; confirm).
nxc smb $TARGETS -u $ADUSER -d $ADDOMAIN -p $(PSWPRMPT) -M spider_plus;PSW=""

Search Data

Overview

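# Overview: count the files spider_plus listed, per category.
# Needs jq and the JSON results written by the collection step.
echo;echo;echo
# The keys of every non-empty share object are collected (they appear to be the
# file paths inside the share). *.json skips anything else in the results
# directory; the result files are named <host>.json.
UNIQ_FILES=$(jq -r '.[] | select(length > 0) | keys[]' /tmp/nxc_hosted/nxc_spider_plus/*.json | sort -u)
# grep -c . counts non-empty lines, so an empty category reports 0 (wc -l on an
# empty string reports 1). printf prints the paths verbatim; zsh's echo expands
# backslash escapes by default.
echo "  [+] $(printf '%s\n' "$UNIQ_FILES" | grep -c .) unique files found"
# Extension patterns are anchored to the end of the path. Unanchored, '\.o' also
# matched .odt/.old/.out and '\.js' matched .json, which inflated the counts.
# A file is therefore classed by its final suffix only (dump.sql.gz -> archive).
MEDIA_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(iso|img|vmdk|vdi|dmg|bin|nrg|cue|raw|ova|ovf)$')
echo "  [+] $(printf '%s\n' "$MEDIA_FILES" | grep -c .) Media files found"
# Keyword match anywhere in the path. Broad on purpose ('user', 'key', 'auth'
# hit many benign names): treat the result as a triage list, not as findings.
SENSITIVE_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei 'password|passwd|pwd|secret|credential|user|login|vault|key|token|apikey|auth|dbpass|rootpass|adminpass|crypto')
echo "  [+] $(printf '%s\n' "$SENSITIVE_FILES" | grep -c .) Sensitive keyword files found"
SCRIPT_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(sh|ps1|bat|cmd|py|rb|pl|js|vbs|php|asp|psm1|ksh|zsh|bash|csh|tcsh)$')
echo "  [+] $(printf '%s\n' "$SCRIPT_FILES" | grep -c .) Script files found"
DOCUMENT_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(doc|docx|xls|xlsx|ppt|pptx|pdf|rtf|csv|odt|ods|odp)$')
echo "  [+] $(printf '%s\n' "$DOCUMENT_FILES" | grep -c .) Document files found"
TEXT_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.txt$')
echo "  [+] $(printf '%s\n' "$TEXT_FILES" | grep -c .) Text files found"
ARCHIVE_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(zip|tar|gz|tgz|bz2|7z|rar|xz|cab|iso)$')
echo "  [+] $(printf '%s\n' "$ARCHIVE_FILES" | grep -c .) Archive files found"
DB_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(sql|db|mdb|sqlite|accdb|dbf|dump|bak|backup|ldif)$')
echo "  [+] $(printf '%s\n' "$DB_FILES" | grep -c .) Database-related files found"
CONFIG_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(conf|cfg|ini|yaml|yml|properties|json|xml|env)$')
echo "  [+] $(printf '%s\n' "$CONFIG_FILES" | grep -c .) Configuration files found"
CERT_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(pem|crt|key|pfx|p12|csr|der)$')
echo "  [+] $(printf '%s\n' "$CERT_FILES" | grep -c .) Certificate and key files found"
LOG_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(log|out|audit|trace|dmp)$')
echo "  [+] $(printf '%s\n' "$LOG_FILES" | grep -c .) Log files found"
EXEC_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(exe|dll|so|o|bin|out|msi|deb|rpm|apk|app|jar|war|ear)$')
echo "  [+] $(printf '%s\n' "$EXEC_FILES" | grep -c .) Executable files found"
BACKUP_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(bak|tmp|swp|old|save|orig|bk|backup|~|recovery)$')
echo "  [+] $(printf '%s\n' "$BACKUP_FILES" | grep -c .) Backup and temporary files found"
WEB_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Ei '\.(html|htm|js|php|jsp|asp|aspx|css|cgi)$')
echo "  [+] $(printf '%s\n' "$WEB_FILES" | grep -c .) Web-related files found"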

List File Names

List Possible Sensitive Files

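# Needs SENSITIVE_FILES from the Overview snippet. Keyword hits are triage leads,
# not confirmed secrets. printf prints each path verbatim (zsh's echo expands
# backslash escapes by default).
printf '%s\n' "$SENSITIVE_FILES"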

List Media Files (iso, vmdk, img... etc.)

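# Needs MEDIA_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$MEDIA_FILES"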

List Scripts (sh, ps1, bat... etc.)

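# Needs SCRIPT_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$SCRIPT_FILES"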

List Document Files (docx, xlsx, pptx... etc.)

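# Needs DOCUMENT_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$DOCUMENT_FILES"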

List Text Files (txt)

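# Needs TEXT_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$TEXT_FILES"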

List Archive Files (zip, tar, gz... etc.)

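# Needs ARCHIVE_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$ARCHIVE_FILES"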

List Database Files (sql, db, mdb... etc.)

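# Needs DB_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$DB_FILES"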

List Config Files (conf, cfg, ini, yaml... etc.)

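# Needs CONFIG_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$CONFIG_FILES"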

List Certificate Files (pem, crt, key... etc.)

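# Needs CERT_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$CERT_FILES"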

List Log Files (log, out, audit, trace, dmp... etc.)

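# Needs LOG_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$LOG_FILES"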

List Executable Files (exe, dll, bin... etc.)

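# Needs EXEC_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$EXEC_FILES"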

List Web Files (html, js, php... etc.)

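# Needs WEB_FILES from the Overview snippet; one path per line, printed
# verbatim (printf does not interpret backslashes or a leading '-').
printf '%s\n' "$WEB_FILES"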

List all files

View all files (Names only)

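# Needs UNIQ_FILES from the Overview snippet; printed verbatim, one per line.
# NOTE(review): UNIQ_FILES holds the jq keys, which look like full in-share
# paths rather than bare file names - confirm against a result file.
printf '%s\n' "$UNIQ_FILES"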

View all unique files + paths

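# List every key of every non-empty share object, de-duplicated.
# jq -r emits the raw key text. Stripping the quotes with tr left JSON escapes
# (\\, \uXXXX) in place and also deleted quote characters that belong to a name.
# *.json skips anything in the results directory that is not a result file.
jq -r '.[] | select(length > 0) | keys[]' /tmp/nxc_hosted/nxc_spider_plus/*.json | sort -u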

List other files

Count of files NOT detected in other checks

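# Union of the extensions used by the category checks in the Overview snippet,
# anchored to the end of the path. ova, ovf and aspx were missing from the
# union, so media images and ASPX pages were reported as "not detected".
ALL_TYPES_REGEX='\.(iso|img|vmdk|vdi|dmg|bin|nrg|cue|raw|ova|ovf|sh|ps1|bat|cmd|py|rb|pl|js|vbs|php|asp|aspx|psm1|ksh|zsh|bash|csh|tcsh|doc|docx|xls|xlsx|ppt|pptx|pdf|txt|rtf|csv|odt|ods|odp|zip|tar|gz|tgz|bz2|7z|rar|xz|cab|sql|db|mdb|sqlite|accdb|dbf|dump|bak|backup|ldif|conf|cfg|ini|yaml|yml|properties|json|xml|env|pem|crt|key|pfx|p12|csr|der|log|out|audit|trace|dmp|exe|dll|so|o|msi|deb|rpm|apk|app|jar|war|ear|tmp|swp|old|save|orig|bk|~|recovery|html|htm|jsp|css|cgi)$'
# -i matches the category checks, which are case-insensitive; without it
# REPORT.PDF was counted as an unknown type. -- keeps the pattern from being
# parsed as an option.
UNDOCUMENTED_EXT_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Eiv -- "$ALL_TYPES_REGEX")
# grep -c . counts non-empty lines, so "none" reports 0 instead of 1.
echo "  [+] $(printf '%s\n' "$UNDOCUMENTED_EXT_FILES" | grep -c .) files with unique extensions not in previous checks found"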

List of file types NOT found in other checks

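# List the extensions of the files left over by the previous snippet
# (UNDOCUMENTED_EXT_FILES must already be set in this shell).
# The extension is taken from the last path component only. Splitting the whole
# path on '.' reported things like "2021/README" for backup.2021/README.
UNIQUE_EXTENSIONS=$(printf '%s\n' "$UNDOCUMENTED_EXT_FILES" | awk -F/ '{n = split($NF, part, "."); if (n > 1) print part[n]}' | sort -u)
echo "  [+] Unique file extensions not detected:"
printf '%s\n' "$UNIQUE_EXTENSIONS"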

List of file names NOT found in other checks

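# List the files whose extension is in none of the category checks.
# Needs UNIQ_FILES (Overview snippet) and ALL_TYPES_REGEX (count snippet above).
# -i keeps this consistent with the case-insensitive category checks, so
# REPORT.PDF is not listed as an unknown type.
UNDOCUMENTED_FILES=$(printf '%s\n' "$UNIQ_FILES" | grep -Eiv -- "$ALL_TYPES_REGEX")
# grep -c . counts non-empty lines, so "none" reports 0 instead of 1.
echo "  [+] $(printf '%s\n' "$UNDOCUMENTED_FILES" | grep -c .) unique file names not detected in previous checks found"
echo "  [+] Unique file names not detected:"
printf '%s\n' "$UNDOCUMENTED_FILES"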

Locate IP/Share by file name

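# Report which server and share list a given file path.
# vared is a zsh builtin, so this snippet is zsh-only.
echo;echo
vared -p 'File Path: ' -c SEARCHTEXT

# grep -F takes the typed path as a literal string, not a regex; -l prints each
# result file that mentions it; -- stops a leading '-' being read as an option.
# The loop handles the case where several hosts list the same path; the original
# fed a multi-line value to dig and jq and failed.
grep -lF -- "$SEARCHTEXT" /tmp/nxc_hosted/nxc_spider_plus/*.json | while IFS= read -r JSONFILE; do
  # Result files are named <host>.json: drop the directory and that suffix only
  # (the old sed pattern '.json' had an unescaped dot and was applied globally).
  SERVER_IP=${JSONFILE##*/}
  SERVER_IP=${SERVER_IP%.json}
  HOSTNAME=$(dig -x "$SERVER_IP" +short)
  # Exact key lookup: a share is reported only if it lists the path as typed.
  SHARE_NAME=$(jq --arg filepath "$SEARCHTEXT" -r 'to_entries[] | select(.value[$filepath]) | .key' "$JSONFILE")
  echo;echo
  echo "  [+] Server IP: $SERVER_IP ($HOSTNAME)"
  echo "  [+] Share Name: $SHARE_NAME"
  echo "  [+] Found File: $SEARCHTEXT"
done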

Display File Contents (Requires Auth)

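# Print the contents of one listed file through smbng (smbclient-ng).
# vared is a zsh builtin, so this snippet is zsh-only.
echo;echo
vared -p 'File Path: ' -c SEARCHTEXT

# grep -F: literal match; -l: result file names only. If several hosts list the
# path, the first one is used.
JSONFILE=$(grep -lF -- "$SEARCHTEXT" /tmp/nxc_hosted/nxc_spider_plus/*.json | head -n 1)
# Result files are named <host>.json: drop the directory and that suffix only.
SERVER_IP=${JSONFILE##*/}
SERVER_IP=${SERVER_IP%.json}
# head -n 1 keeps SHARE_NAME to a single line. A multi-line value would put
# extra lines, read as commands, into the startup script below.
SHARE_NAME=$(jq --arg filepath "$SEARCHTEXT" -r 'to_entries[] | select(.value[$filepath]) | .key' "$JSONFILE" | head -n 1)

if [ -z "$SHARE_NAME" ]; then
  echo "  [-] No share lists that exact path: $SEARCHTEXT" >&2
elif SMB_SCRIPT=$(mktemp); then
  # mktemp gives an unpredictable, owner-only file. The original appended (>>)
  # to a fixed name in /tmp, so a stale or pre-created file (or a symlink) at
  # that path would have contributed lines to the script smbng executes.
  cat > "$SMB_SCRIPT" << EOF
use $SHARE_NAME
cat $SEARCHTEXT
EOF

  smbng --host "$SERVER_IP" -u "$ADUSER" -d "$ADDOMAIN" --no-colors -N --startup-script "$SMB_SCRIPT"
  rm -f -- "$SMB_SCRIPT"
fi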

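The above requires smbng (smbclient-ng) to be installed. It can be installed with pipx: `pipx install git+https://github.com/p0dalirius/smbclient-ng.git`. That command installs whatever is on the repository's default branch at the time; to install a revision you have reviewed, append `@<tag-or-commit>` to the URL.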
