Rewrite #6

Open: byt3bl33d3r wants to merge 5 commits into ShawnDEvans:master from byt3bl33d3r:rewrite_
Conversation

byt3bl33d3r

hey man,
I've been wanting to write something similar to smbmap for a long time, so I've been tweaking it the past day or so..
This is by no means finished, just wanted to submit this PR so you can kinda get a sense of the shape that it's taking.

So far there have been only a couple of major changes:

  • Whole script is now fully asynchronous (with some exceptions)
  • Added 'WMI' option for executing code using wmi
usage: smbmap.py [-h] [-u USERNAME] [-p PASSWORD] [-H HASH] [-d DOMAIN]
                 [-s SHARE] [-P {139,445}] [-t THREADS] [-S]
                 [-execm {wmi,smbexec}] [-x COMMAND]
                 target

SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]

positional arguments:
  target                The target range or CIDR identifier

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME           Username, if omitted null session assumed
  -p PASSWORD           Password
  -H HASH               NTLM hash
  -d DOMAIN             Domain name (default WORKGROUP)
  -s SHARE              Specify a share (default C$)
  -P {139,445}          SMB port (default 445)
  -t THREADS            Set how many concurrent threads to use
  -S                    List shares

Command Execution:
  Options for executing commands on the specified host

  -execm {wmi,smbexec}  Method to execute the command (default: smbexec)
  -x COMMAND            Execute a command

Usage examples

  • if you just specify a target, the script will act like the smb_version Metasploit module;
    by default it will use ten threads (you can use more with the -t option)
time sudo python smbmap.py 192.168.20.0/24         
[+] 192.168.20.13:445 is running Windows 5.1 (name:WINXPHAX) (domain:WINXPHAX)
[+] 192.168.20.30:445 is running Windows 5.1 (name:IE8WINXP) (domain:IE8WINXP)
[+] 192.168.20.90:445 is running Windows 6.1 Build 7601 (name:CRAAACK-PC) (domain:CRAAACK-PC)
[+] 192.168.20.130:445 is running Windows 6.3 Build 9600 (name:IE11WIN8_1) (domain:IE11WIN8_1)
[+] 192.168.20.135:445 is running Windows 6.1 Build 7601 (name:WINDOWS7HAX-PC) (domain:WINDOWS7HAX-PC)
sudo -E python2 smbmap.py 192.168.20.0/24  0.62s user 0.14s system 1% cpu 1:15.52 total

With 100 threads:

time sudo python smbmap.py -t 100 192.168.20.0/24
[+] 192.168.20.13:445 is running Windows 5.1 (name:WINXPHAX) (domain:WINXPHAX)
[+] 192.168.20.30:445 is running Windows 5.1 (name:IE8WINXP) (domain:IE8WINXP)
[+] 192.168.20.90:445 is running Windows 6.1 Build 7601 (name:CRAAACK-PC) (domain:CRAAACK-PC)
[+] 192.168.20.130:445 is running Windows 6.3 Build 9600 (name:IE11WIN8_1) (domain:IE11WIN8_1)
[+] 192.168.20.135:445 is running Windows 6.1 Build 7601 (name:WINDOWS7HAX-PC) (domain:WINDOWS7HAX-PC)
sudo -E python2 smbmap.py -t 100 192.168.20.0/24  0.34s user 0.09s system 4% cpu 9.297 total

A very notable difference :)

  • Command execution works the same way but you can now use the -execm switch if you want to execute the command using wmi:
sudo python smbmap.py -u winxphax -p crackmeumofo 192.168.20.0/24 -execm wmi -x 'net user'
[sudo] password for byt3bl33d3r: 
[+] 192.168.20.13:445 is running Windows 5.1 (name:WINXPHAX) (domain:WINXPHAX)

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant            
SUPPORT_388945a0         winxphax                 
The command completed with one or more errors.


[+] 192.168.20.30:445 is running Windows 5.1 (name:IE8WINXP) (domain:IE8WINXP)

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant            
IEUser                   SUPPORT_388945a0         winxphax                 
The command completed with one or more errors.


[+] 192.168.20.90:445 is running Windows 6.1 Build 7601 (name:CRAAACK-PC) (domain:CRAAACK-PC)
[-] 192.168.20.90:445 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[+] 192.168.20.130:445 is running Windows 6.3 Build 9600 (name:IE11WIN8_1) (domain:IE11WIN8_1)
[-] 192.168.20.130:445 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[+] 192.168.20.135:445 is running Windows 6.1 Build 7601 (name:WINDOWS7HAX-PC) (domain:WINDOWS7HAX-PC)
[-] 192.168.20.135:445 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

If you don't specify the execution method it will default to smbexec.
The reason for this is that wmiexec contains blocking calls so it can't be made asynchronous; smbexec, on the other hand, can, so I thought it was best to default to that.

I'm still working on re-implementing all of the other options such as file searching etc.

Let me know what you think!

Cheers

unknown and others added 5 commits April 28, 2015 16:49

  • … passed causing ip->name resolution to fail 100% of the time
  • Fixed bug in socket.getnameinfo() call
  • re-wrote the argument parsing, using argparse
  • Added wmi as a method for command execution
  • By default will act as the smb_version scanner in metasploit
@ShawnDEvans
Owner

Hey man!

Holy cow these changes are amazing! Threading was something I was planning on doing for a while now. I've never really done any work with threads though, and I knew that adding it would require some pretty major changes to the way in which the script executed. I'm currently engaged with a couple of clients at the moment, so I'll have to check this out in detail during some down time later in the week. Talk about some major changes though :) . I think this might warrant an entirely new branch for us to work with. I'm thrilled that someone with some actual coding skills took interest in this project. It started a little over a year ago using PySMB, and really took off once I made the jump to Impacket. Hopefully we can get the remaining functions (path listing, file search, auto download etc) integrated into this branch. It's such a crazy useful resource to have when you're doing internals. With the addition of threading, it will now be useful for account brute forcing (gotta love Season+Year password combos and a juicy null session on the DC). Thanks a ton for putting in the effort man!! I'm really looking forward to the final take on this iteration.

-Shawn

@ShawnDEvans
Owner

Hey Man,

One other question, I saw that you added CIDR notation support. This was something I was going to do (see my other project NetCider), but passed on because I hated how slow full TCP connection port scanning was in native Python. I think that all kind of changed now with your addition of multi-threading, but I was curious, is CIDR notation support a native library or just another handy library someone created? Thanks again for all the work, I'm kind of floored how quickly this tool is becoming more awesome.

-Shawn

On Sat, May 2, 2015 at 12:33 PM, byt3bl33d3r [email protected]
wrote:

Commit Summary

  • Fixed bug in socket.getnameinfo() call which had incorrect parameters passed causing ip->name resolution to fail 100% of the time
  • Merge pull request #2 from jadacyrus/master
  • Fixed shebang
  • Whole script is now asynchronous
  • fixed fingerprinting for windows > 8.1


@byt3bl33d3r
Author

@ShawnDEvans Glad you liked the changes ;)
The CIDR notation support comes from the netaddr package, which was developed by Google IIRC; unfortunately it isn't native.
Btw, I was also thinking of adding support for IP ranges (e.g. 192.168.0.1-10). Don't know if that would be redundant since it supports CIDR notation? Let me know what you think..
In the meantime, as soon as I push some updates to a project of my own I'll get to work re-adding all of the other features.. Plus I'll take a look at adding support for SMB brute forcing 👍
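Two things this thread leaves as prose are what the target argument should accept (CIDR now, a dash range such as 192.168.0.1-10 proposed here) and how the ten-thread default turns a 75-second sweep into a 9-second one. The block below is an added example, not the smbmap code from this pull request: it expands either target form with Python 3's standard-library ipaddress module (in place of the third-party netaddr package the PR uses) and then runs a caller-supplied probe over the hosts with a bounded thread pool, recording a failing probe as that host's result instead of aborting the sweep. The tcp_probe, reverse_name and scan names are this example's own, and the sample addresses are constructed.

```python
"""Target expansion plus bounded-concurrency probing.

Added example, not the smbmap code from this pull request. It assumes the
Python 3 standard-library `ipaddress` module in place of the third-party
`netaddr` package the PR uses, and it accepts the `192.168.0.1-10` style
range proposed in the thread alongside CIDR notation.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed


def expand_targets(spec):
    """Expand one target spec into an ordered list of IPv4 address strings.

    Accepted forms (all constructed for this example):
      10.0.0.5                     a single host
      10.0.0.0/24                  CIDR; network and broadcast are skipped
                                   unless the block is a /31 or /32
      192.168.0.1-10               dash range on the last octet
      192.168.0.254-192.168.1.1    dash range between two full addresses
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # hosts() drops network/broadcast; a /31 or /32 has no such addresses
        addrs = net if net.num_addresses <= 2 else net.hosts()
        return [str(a) for a in addrs]
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start = ipaddress.ip_address(start_s)
        if "." not in end_s:  # short form: only the last octet is given
            end_s = start_s.rsplit(".", 1)[0] + "." + end_s
        end = ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError("range end precedes range start: %s" % spec)
        return [str(ipaddress.ip_address(i)) for i in range(int(start), int(end) + 1)]
    return [str(ipaddress.ip_address(spec))]


def tcp_probe(host, port=445, timeout=2.0):
    """Return True when a TCP connect to host:port succeeds within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def reverse_name(host):
    """Reverse-resolve an IP with socket.getnameinfo(); None when no PTR exists.

    getnameinfo() takes a (host, port) tuple plus flags, the call shape the
    PR's first commit fixes.
    """
    try:
        return socket.getnameinfo((host, 0), socket.NI_NAMEREQD)[0]
    except socket.gaierror:
        return None


def scan(targets, probe=tcp_probe, threads=10):
    """Run `probe` over every target with at most `threads` calls in flight.

    Returns {host: result} in the input order. A probe that raises does not
    abort the sweep: the exception object is stored as that host's result.
    """
    results = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        futures = {pool.submit(probe, t): t for t in targets}
        for fut in as_completed(futures):
            host = futures[fut]
            try:
                results[host] = fut.result()
            except Exception as exc:  # a bug in the probe, not a closed port
                results[host] = exc
    return {t: results[t] for t in targets}


if __name__ == "__main__":
    import sys
    spec = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    threads = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    for host, up in scan(expand_targets(spec), threads=threads).items():
        print("[+]" if up is True else "[-]", host, reverse_name(host) or "")
```

Run as `python3 scan.py 192.168.20.0/24 100` to mirror the `-t 100` run above. The pool size is the real knob: with a 2-second connect timeout, ten workers bound a /24 of silent hosts at roughly 51 seconds and a hundred workers at about 6, which matches the shape of the timings posted earlier in this thread.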

@byt3bl33d3r
Author

@ShawnDEvans you can drop me an email anytime at [email protected] if you have any suggestions or questions

@ShawnDEvans
Owner

I'm all for adding an IP range parser to this thing, but probably once all the features are back up and running. I'm going to have a bit of free time today so I'll check out your commit and see if I can get anything else working on the threaded release.

One more thing I wanted to bounce off you. The current version has a distributed file content searching feature. It's stupid simple, and pretty slow (it uses findstr so maybe searching through 1gb/sec on the victim host), but it's a solid idea. Basically a findstr job is started, it gets a unique name, and the output is stored in the "temp" directory of the current user as the job name. Once SMBMap sends the command to the remote host, it periodically checks to see if the output file (jobname.txt) is still locked by the parent process (findstr). Once the lock is removed, the file is downloaded. I know PowerShell has Select-String, which from what I understand is pretty fast (even compared to grep). I'm considering changing around the findstr command to run "gci" to dump the dirs, and then fire off a "Select-String" process for each top level dir (omitting Windows) to improve performance. What are your thoughts on that approach, or any other method to improve the speed with which you can scan for regex patterns within files on a remote host? Take it easy man!

@NetworkLlama

I've been working with the @byt3bl33d3r code this week and have made some additional changes to improve the output, which has been coming out extremely scattered and difficult to read. I've also cut down the number of connections made against shares by slicing out bad logins, adding a filter (with flag) to not show NO ACCESS shares, and re-adding file read (with flag) since I often collect systems to scan from nmap. I'm also looking to add auto-mapping for discovered shares and cred sets to try in case one set fails.

However, I'm hesitant to create a pull request until you've accepted his code (or updated to whichever portion you're going to keep). That way, it reduces the amount of code that you need to review. If you'd rather I create the pull request, let me know.

@ShawnDEvans
Owner

Hey!

Thanks for your interest in contributing. I'm actually working on packing in all of the existing functionality into the "gevent" threaded release at the moment. I'm also pretty new to using 'git' on the command line, so I'm sure at some point I'll accidentally trash someone else's changes. That said, I'm hoping to have most of that wrapped up by tomorrow. Maybe hold off until then, and we can combine the enhanced output at that point? I'm pretty sure that all of the changes you made will still be present after everything is added back in. Again, many thanks for your interest in the project. I'm really looking forward to seeing where this tool goes with the help of the community on GitHub!

-Shawn

@NetworkLlama

Sure. I'm following the project, so I'll see updates. I'll just rework things from what you provide from tomorrow's update.

Small request: Can you add in a version number to make tracking a little easier?

@ShawnDEvans
Owner

Will add a version number too, any preference where it starts? Also, I got distracted by a client, so work on the threaded version is paused for the moment.

@NetworkLlama

NetworkLlama commented May 12, 2015 via email

@ShawnDEvans
Owner

I'll roll with subversions of the tagged release. I had to pause dev on the threaded version because I had so many issues crop up with the "stable" one. This happens literally every time I'm engaged with a client on-site (i.e on a network with lots of juicy SMB targets). That said, the changes to the non-threaded version will make their way into this fork (branch?) eventually, as 90% of the logic is the same. Baby steps.

@Lexus89

Lexus89 commented Mar 17, 2016

Nice pull request. Are this and the other pulls still going to be merged, or is it not under development anymore?

@tkisason

tkisason commented Dec 2, 2016

So, will this be merged or?

Sincerely,
Tonimir

@jayrod

jayrod commented Mar 6, 2022

It's 2022 now.. Still no merge on this?

@ShawnDEvans
Owner

ShawnDEvans commented Mar 6, 2022 via email

@jayrod

jayrod commented Mar 10, 2022

Ha, too long to still say I'm busy? I actually refactored the entire code base and threaded everything. It was awesome, literally 20 times faster.... I lost everything after a hard drive crash and that kick to the nuts demotivated me. I'll review the pull soon.


A kick to the nuts is a fair demotivator. I've incorporated a bunch of your code as a library; I'll PR it at some point.
