Saturday, 9 February 2013

Parsing Nmap smb-enum-shares Output

This is quick post about the Nmap smb-enum-shares script.

http://nmap.org/nsedoc/scripts/smb-enum-shares.html

I wanted to track down open shares on a /16 and was having some difficulty parsing the results. I did some googling but couldn't find any help. In the end a grep/awk one liner saved the day and that's what I'll be talking about.


Pew pew with nmap scripts

Before I delve into smb-enum-shares I wanted to big up one of my favourite posts about nmap scripts by Matt at AttackVector.org:

http://www.attackvector.org/favorite-nmap-nse-scripts/

He covers some of the most useful scripts http-enum, smb-check-vulns, smb-enum-users to name a few, and also looks at handling the output using some perl kungfu. The one script he missed out though was smb-enum-shares!


Your company and its shares

From a defensive perspective open shares are a pain in the ass. It can be difficult preventing users from creating shares, difficult to manage permissions and difficult to classify what information should/shouldn't be shared. Not to mention the risks of SMB and pass the hash.


Removing local admin rights, properly enforcing GPOs, using a host based firewall/ips or a document repository can help but there's always going to be some folks who slip by. This is where nmap and smb-enum-shares comes in. To find open shares just run the following:

nmap -T4 -v -oA myshares --script smb-enum-shares --script-args smbuser=pwndizzle,smbpass=mypassword -p445 192.168.1.1-255

Replacing the ip range and domain creds as necessary.

The nmap grepable format and xml format are usually easy to manipulate either on the command line or with Excel. However when you run the smb-enum-shares script the output isn't uniform and in my case I had such a large data set it was proving difficult to filter effectively.

Below is a demo output, notice the variety of data and the way it is spread over multiple lines:

Nmap scan report for 192.168.3.1
Host is up (0.0024s latency).
PORT    STATE  SERVICE
445/tcp closed microsoft-ds

Nmap scan report for server1.company.local (192.168.3.66)
Host is up (0.023s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Anonymous access: <none>
|     Current user ('pwndizzle') access: <none>
|   SecretShare
|     Anonymous access: <none>
|     Current user ('pwndizzle') access: READ/WRITE
|   C$
|     Anonymous access: <none>
|     Current user ('pwndizzle') access: <none>
|   IPC$
|     Anonymous access: READ <not a file share>
|_    Current user ('pwndizzle') access: READ <not a file share>


For two machines it's easy to understand. How about if you had 2000 machines? Not so easy :)



Bring on the Grep, Awk, Sed

My aim was to get a list of IP's and associated shares. No doubt there's a million and one ways to do this with different linux utilities, perl or python and the different nmap outputs. The simplest technique I could find was using a bit of awk/grep to parse the data from the basic nmap output file (.nmap):

cat sharescan.nmap|grep '|\|192'|awk '/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { line=$0 } /\|/ { $0 = line $0}1'|grep \||grep -v -E '(smb-enum-shares|access: <none>|ADMIN\$|C\$|IPC\$|U\$|access: READ)'|awk '{ sub(/Nmap scan report for /, ""); print }'
  • I first selected only the lines that contain an ip or a pipe character (lines with shares)
  • Then, as the share and ip are on different lines we select the ip column and copy it in front of the share lines.
  • We do some more grepping to remove unneeded nmap output and default shares.
  • And finally we perform a substitution to remove the starting text.

Here's the final output:


As either an attacker or defender you've now got yourself a clear list of shares that may contain sensitive information.

Regarding the one-liner, there are one or two points to note:
  • There are probably better ways to implement this! I'm no awk/sed master.
  • You'll need to change the "192" to fit your network.
  • By excluding shares we might actually exclude something we want to see.
  • When scanning you need to use valid AD credentials for the best results.
  • Although the nmap script output says READ,READ/WRITE, I didn't always find this was accurate. Often readable shares, well, weren't readable. However you may want to remove the "access: READ" exclusion as this also filters WRITE folders which can be pretty handy!

Although it hasn't been the focus of this post, the smb-enum-shares script can verily easily be used for network wide pass the hash and remote access testing. There's a great blog post about this by Zeknox here:



Final thoughts

Although often seen as an offensive tool, Nmap's ability to provide a quick view of your assets and running services make it an awesome tool for attackers and defenders alike.

Network wide scans are extremely quick, it's analyzing the results that actually takes some time. But with a little manipulation you can usually speed this process up. And when it comes to manipulation you can't get better than grep/awk/sed!

Also if anyone can come up with a simpler one liner let me know! ;)

Pwndizzle over and out

2 comments:

  1. Very nice. I'll add that command to my shortcuts.

    I don't know about simpler, but you can make your regular expression that looks for IP addresses more accurate by using the following:

    25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?

    Also, if you know the first octet you could use the following:

    192\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

    I've not tested it, but the following compression *might* work if you want to save the planet by using fewer characters:

    192(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}

    ReplyDelete
  2. I saw the big regexs on google but decided to go for the simplified version. (to keep the one liner at least vaguely readable!)

    However the regex you mentioned seems to work well. Another alternative I discovered was:

    cat test|awk --re-interval '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/'

    I also found I needed to include the re-interval flag for awk to process the interval expressions (curly brackets) correctly.

    ReplyDelete