2017-12-11 16:44:27 +00:00
|
|
|
## Description
|
|
|
|
|
|
2018-02-24 19:31:52 +00:00
|
|
|
The `smb_enumshares` module, as would be expected, enumerates any SMB shares that are available on a remote system.
|
2017-12-11 16:44:27 +00:00
|
|
|
|
|
|
|
|
## Verification Steps
|
|
|
|
|
|
2017-12-11 16:49:15 +00:00
|
|
|
1. Do: ```use auxiliary/scanner/smb/smb_enumshares```
|
2017-12-11 16:44:27 +00:00
|
|
|
2. Do: ```set RHOSTS [IP]```
|
|
|
|
|
3. Do: ```set THREADS [number of threads]```
|
|
|
|
|
4. Do: ```run```
|
|
|
|
|
|
|
|
|
|
## Scenarios
|
|
|
|
|
|
2018-02-24 18:39:14 +00:00
|
|
|
### Uncredentialed
|
|
|
|
|
|
2017-12-11 16:44:27 +00:00
|
|
|
```
|
|
|
|
|
msf > use auxiliary/scanner/smb/smb_enumshares
|
|
|
|
|
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.1.150-165
|
|
|
|
|
RHOSTS => 192.168.1.150-165
|
|
|
|
|
msf auxiliary(smb_enumshares) > set THREADS 16
|
|
|
|
|
THREADS => 16
|
|
|
|
|
msf auxiliary(smb_enumshares) > run
|
|
|
|
|
|
|
|
|
|
[*] 192.168.1.154:139 print$ - Printer Drivers (DISK), tmp - oh noes! (DISK), opt - (DISK), IPC$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
|
|
|
|
|
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
|
|
|
|
Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
|
|
|
|
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
|
|
|
|
Error: 192.168.1.162 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
|
|
|
|
Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
|
|
|
|
Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
|
|
|
|
|
[*] Scanned 06 of 16 hosts (037% complete)
|
|
|
|
|
[*] Scanned 09 of 16 hosts (056% complete)
|
|
|
|
|
[*] Scanned 10 of 16 hosts (062% complete)
|
|
|
|
|
[*] Scanned 14 of 16 hosts (087% complete)
|
|
|
|
|
[*] Scanned 15 of 16 hosts (093% complete)
|
|
|
|
|
[*] Scanned 16 of 16 hosts (100% complete)
|
|
|
|
|
[*] Auxiliary module execution completed
|
|
|
|
|
msf auxiliary(smb_enumshares) >
|
|
|
|
|
```
|
|
|
|
|
|
2018-02-24 18:39:14 +00:00
|
|
|
### Credentialed
|
|
|
|
|
|
2018-02-24 19:31:52 +00:00
|
|
|
As you can see in the previous scan, access is denied to most of the systems that are probed.
|
2018-02-24 18:39:14 +00:00
|
|
|
Doing a Credentialed scan produces much different results.
|
2017-12-11 16:44:27 +00:00
|
|
|
|
|
|
|
|
```
|
|
|
|
|
msf auxiliary(smb_enumshares) > set SMBPass s3cr3t
|
|
|
|
|
SMBPass => s3cr3t
|
|
|
|
|
msf auxiliary(smb_enumshares) > set SMBUser Administrator
|
|
|
|
|
SMBUser => Administrator
|
|
|
|
|
msf auxiliary(smb_enumshares) > run
|
|
|
|
|
|
|
|
|
|
[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
|
|
|
|
[*] 192.168.1.160:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
|
|
|
|
[*] 192.168.1.150:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
|
|
|
|
|
[*] Scanned 06 of 16 hosts (037% complete)
|
|
|
|
|
[*] Scanned 07 of 16 hosts (043% complete)
|
|
|
|
|
[*] Scanned 12 of 16 hosts (075% complete)
|
|
|
|
|
[*] Scanned 15 of 16 hosts (093% complete)
|
|
|
|
|
[*] Scanned 16 of 16 hosts (100% complete)
|
|
|
|
|
[*] Auxiliary module execution completed
|
|
|
|
|
msf auxiliary(smb_enumshares) >
|
|
|
|
|
```
|
