Enumerating SMB Shares With Smbscan: A Hands-on Guide

In the realm of network security and penetration testing, understanding and effectively enumerating SMB (Server Message Block) shares is a crucial task. SMB shares, if configured incorrectly, can leak sensitive information or be abused as hidden file storage. In large company networks, where complexity and size are significant, tools like smbscan and smbmap become indispensable for auditing SMB shares.

In this blog post, we’ll delve into the world of SMB enumeration, focusing on how to use smbscan to explore and enumerate SMB shares in a large company network. We’ll cover what SMB is, introduce smbscan, and walk you through practical examples of how to use it effectively.

What is SMB and Why Does it Matter?

SMB, or Server Message Block, is a network protocol used for sharing files, printers, and other resources between devices on a network. It’s widely employed in Windows environments, making it a crucial component of many corporate networks. SMB operates over TCP/IP, and its primary purpose is to enable efficient communication between networked computers. The ports most commonly used by SMB are 139 and 445.

Introducing smbscan

smbscan is a powerful and versatile command-line tool based on Impacket specifically for enumerating and interacting with SMB shares.

Here are some of the key features of smbscan:

  1. Share Enumeration: smbscan allows you to list all available shares on a target system, which can be especially useful in large corporate networks with numerous servers and shares.

  2. File and Directory Listing: You can use smbscan to browse shares and list the files and directories within them.

  3. File Download: smbscan enables you to download files from SMB shares, which can be helpful for gathering or exfiltrating information.

  4. Access Control Testing: You can check the permissions of files and directories within shares to identify potential security misconfigurations.

Practical Use Cases

Now, let’s explore some practical scenarios in which smbscan can be invaluable when enumerating SMB shares in a large company network.

Smbscan can help you identify hidden shares and their contents, providing insight into potentially overlooked security risks. To scan a single target as a guest, you can use the following command:

python smbscan.py 192.168.0.26

In most cases, simply connecting to a single host as a guest won’t do the trick. To scan a whole subnet with a valid domain user, you can use the following command:

python smbscan.py 192.168.0.0/24 -u admin -p secret -d Cortoso --max-depth 3

Please note that in this example I have passed the password as a parameter with the option -p. To avoid the password being logged in clear text, you should remove this option and have smbscan prompt you for the password. To reduce the workload I have also added the --max-depth 3 option, which limits the crawl depth to 3 levels. The parameter -d specifies the name of the domain.

When executed successfully, you will get a result like the following:

[2023-09-03 18:02:18 INFO] Scanning 192.168.0.35
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Connected as tester, Target OS: Windows 10.0 Build 19041
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Scanning \\roger\ADMIN$
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Error accessing ADMIN$
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Scanning \\roger\Backups
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Scanning \\roger\C$
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Error accessing C$
[2023-09-03 18:02:20 INFO] 192.168.0.35 (roger) Scanning \\roger\E$
[2023-09-03 18:02:20 INFO] 192.168.0.35 (roger) Error accessing E$
[2023-09-03 18:02:20 INFO] 192.168.0.35 (roger) Scanning \\roger\inetpub
[2023-09-03 18:02:24 CRITICAL] Suspicous file: \\roger\inetpub\.ssh\id_rsa.pub (Sat Sep 02 10:48:14 2023, 4809)
[2023-09-03 18:02:25 INFO] Scan completed

The output shows that smbscan has found an accessible share containing potentially sensitive information, in this case an SSH public key.
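On a large subnet the log quickly grows to thousands of lines, so it helps to reduce it to a per-host summary: which shares the scanning account could read, which were denied, and which files were flagged. The following parser is an added example written for this post, not part of smbscan; it is built only from the line shapes visible in the output above (the "[timestamp LEVEL] message" prefix, the "ip (hostname) ..." host prefix, the "Scanning \\host\share" and "Error accessing share" messages, and the "Suspicous file: path (mtime, size)" finding). The sample input is the twelve lines shown above, embedded as a constructed string; the triage rule that treats a readable ADMIN$ or C$ share as a sign of administrative rights is my addition.

```python
import re

# Line shape taken from the smbscan output above: "[YYYY-MM-DD HH:MM:SS LEVEL] message"
LOG_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Host-scoped messages: "192.168.0.35 (roger) Scanning \\roger\Backups"
HOST_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<host>[^)]+)\) (?P<text>.*)$")
CONNECT_RE = re.compile(r"^Connected as (?P<user>[^,]+), Target OS: (?P<os>.+)$")
SCAN_RE = re.compile(r"^Scanning \\\\[^\\]+\\(?P<share>.+)$")
DENIED_RE = re.compile(r"^Error accessing (?P<share>.+)$")
# The tool prints "Suspicous file" (sic); match the prefix loosely so either spelling works.
FINDING_RE = re.compile(
    r"^Suspic\w* file: (?P<path>\\\\(?P<host>[^\\]+)\\\S+) \((?P<mtime>[^,]+), (?P<size>\d+)\)$")

# Constructed sample: the twelve log lines shown in the post, verbatim.
SAMPLE_LOG = r"""
[2023-09-03 18:02:18 INFO] Scanning 192.168.0.35
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Connected as tester, Target OS: Windows 10.0 Build 19041
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Scanning \\roger\ADMIN$
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Error accessing ADMIN$
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Scanning \\roger\Backups
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Scanning \\roger\C$
[2023-09-03 18:02:19 INFO] 192.168.0.35 (roger) Error accessing C$
[2023-09-03 18:02:20 INFO] 192.168.0.35 (roger) Scanning \\roger\E$
[2023-09-03 18:02:20 INFO] 192.168.0.35 (roger) Error accessing E$
[2023-09-03 18:02:20 INFO] 192.168.0.35 (roger) Scanning \\roger\inetpub
[2023-09-03 18:02:24 CRITICAL] Suspicous file: \\roger\inetpub\.ssh\id_rsa.pub (Sat Sep 02 10:48:14 2023, 4809)
[2023-09-03 18:02:25 INFO] Scan completed
""".strip().splitlines()


def parse_smbscan_log(lines):
    """Summarise smbscan log lines into {ip: {hostname, user, os, accessible, denied, findings}}."""
    hosts = {}
    by_name = {}  # hostname (lower-case) -> ip; CRITICAL lines only carry the UNC host name

    def entry(ip):
        return hosts.setdefault(ip, {"hostname": None, "user": None, "os": None,
                                     "scanned": set(), "denied": set(), "findings": []})

    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        f = FINDING_RE.match(msg)
        if f:
            ip = by_name.get(f.group("host").lower())
            if ip is None:
                continue  # finding for a host we never saw a connect line for
            entry(ip)["findings"].append({"path": f.group("path"), "mtime": f.group("mtime"),
                                          "size": int(f.group("size")), "level": level})
            continue
        h = HOST_RE.match(msg)
        if not h:
            continue  # e.g. "Scanning 192.168.0.35" or "Scan completed"
        ip, host, text = h.group("ip"), h.group("host"), h.group("text")
        e = entry(ip)
        e["hostname"] = host
        by_name[host.lower()] = ip
        c = CONNECT_RE.match(text)
        if c:
            e["user"], e["os"] = c.group("user"), c.group("os")
            continue
        s = SCAN_RE.match(text)
        if s:
            e["scanned"].add(s.group("share"))
            continue
        d = DENIED_RE.match(text)
        if d:
            e["denied"].add(d.group("share"))

    # A share is accessible if it was scanned and no "Error accessing" line followed.
    return {ip: {"hostname": e["hostname"], "user": e["user"], "os": e["os"],
                 "accessible": sorted(e["scanned"] - e["denied"]),
                 "denied": sorted(e["denied"]),
                 "findings": e["findings"]}
            for ip, e in hosts.items()}


def triage(summary):
    """Review notes for the defender: readable administrative shares and flagged files."""
    notes = []
    for ip, e in summary.items():
        # Readable ADMIN$/C$-style shares mean the scanning account has administrative rights there.
        admin = [s for s in e["accessible"] if s.endswith("$") and s not in ("IPC$", "print$")]
        if admin:
            notes.append(f"{ip} ({e['hostname']}): '{e['user']}' can read admin share(s) "
                         f"{', '.join(admin)}; the account has administrative rights on this host")
        for f in e["findings"]:
            notes.append(f"{ip} ({e['hostname']}): {f['level']} {f['path']} "
                         f"({f['size']} bytes, {f['mtime']})")
    return notes


if __name__ == "__main__":
    for note in triage(parse_smbscan_log(SAMPLE_LOG)):
        print(note)
```

Feed it the real log with `parse_smbscan_log(open("smbscan.log"))` to get the same summary for every host in the scan; the denied list is just as useful as the accessible one, because a host where the test account can read ADMIN$ or C$ is a privilege finding in its own right.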

Other options I have found useful when testing smbscan are -t to run multiple threads in parallel, -f to provide a file with hosts to test, and --exclude-shares to exclude known-good shares such as IPC$ and print$. If you are hunting for specific files in a domain, passing a custom pattern file with the --patterns-file parameter can be worth a try.

By default, smbscan creates a single CSV file per scanned host. If you would rather work with one large CSV file, you can combine them as follows:

cat logs/smbscan-*.csv > smb_shares_combined.csv
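The cat one-liner is fine for a quick look, but it copies the header row of every per-host file into the combined file, so a spreadsheet or pandas import sees a "header" line repeated once per host. The following added example (written for this post, not part of the smbscan project) merges the files with Python's csv module instead: it keeps one header, checks that the other files carry the same header, preserves quoted fields that contain commas, and drops rows duplicated by re-runs. It assumes each per-host file starts with a header row; the column names in the constructed sample are an assumption as well, and the code does not depend on them.

```python
import csv
import glob
import io

# Constructed sample input standing in for three logs/smbscan-*.csv files.
# The column layout is assumed; smbscan's real CSV format may differ.
SAMPLE_CSVS = [
    r"""host,share,path,size,modified
192.168.0.35,Backups,\\roger\Backups\db.bak,1048576,2023-09-02 10:48:14
192.168.0.35,inetpub,\\roger\inetpub\.ssh\id_rsa.pub,4809,2023-09-02 10:48:14
""",
    # Second host; its last row duplicates one from the first file (e.g. a re-run).
    r"""host,share,path,size,modified
192.168.0.36,Public,"\\alice\Public\notes, old.txt",12,2023-08-01 09:00:00
192.168.0.35,inetpub,\\roger\inetpub\.ssh\id_rsa.pub,4809,2023-09-02 10:48:14
""",
    "",  # a host that produced no rows at all
]


def merge_csv_texts(texts, dedupe=True):
    """Merge CSV documents (as strings) that share a header into one CSV string.

    Only the first header is written; every later header must match it and is dropped.
    Rows go through csv.reader/csv.writer so quoted fields containing commas survive.
    """
    header = None
    seen = set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for text in texts:
        rows = list(csv.reader(io.StringIO(text)))
        if not rows:
            continue  # empty file
        if header is None:
            header = rows[0]
            writer.writerow(header)
        elif rows[0] != header:
            raise ValueError(f"header mismatch: {rows[0]!r} != {header!r}")
        for row in rows[1:]:
            if not row:
                continue  # blank line
            key = tuple(row)
            if dedupe and key in seen:
                continue
            seen.add(key)
            writer.writerow(row)
    return out.getvalue()


def rows_of(text):
    """Parse a CSV string back into a list of rows (used for checking the result)."""
    return list(csv.reader(io.StringIO(text)))


def merge_csv_files(pattern, dest):
    """Glob the per-host files (e.g. 'logs/smbscan-*.csv') and write the merged CSV to dest."""
    paths = sorted(glob.glob(pattern))
    texts = []
    for path in paths:
        with open(path, newline="", encoding="utf-8") as fh:
            texts.append(fh.read())
    with open(dest, "w", newline="", encoding="utf-8") as fh:
        fh.write(merge_csv_texts(texts))
    return len(paths)


if __name__ == "__main__":
    print(merge_csv_texts(SAMPLE_CSVS), end="")
```

On a real scan directory, `merge_csv_files("logs/smbscan-*.csv", "smb_shares_combined.csv")` replaces the cat command and returns the number of files merged; a ValueError on a header mismatch is deliberate, since silently merging files with different columns would corrupt the combined sheet.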

Alternatives to smbscan

There are many SMB enumeration tools available today. I have used the following with varying success.

  1. Nmap smb-enum-shares script: it comes with Nmap's default script set and enumerates shares whenever an open SMB port is discovered. While it is very straightforward, its biggest problem is the lack of proper support for newer SMB versions. When combing through large networks, I discovered several times that Nmap simply could not see shares when the hosts were using SMB 2 or SMB 3.

  2. smbmap: smbmap is a popular tool developed and maintained by ShawnDEvans, and it ships with Kali Linux. Over time smbmap has developed into a Swiss army knife for SMB operations. Among many other things, it allows you to download and upload files, check file permissions and establish shells. From comparing smbmap and smbscan side by side, I have noticed that smbscan runs much more reliably than smbmap. Especially when working in large domain settings, smbmap scans might break, as noted in several issues (see issue 72 and issue 66).

Conclusion

In the ever-evolving world of network security, understanding and effectively enumerating SMB shares is still essential for discovering possible data leaks due to overly open file permissions and storage of sensitive files on shares. Remember, while smbscan can provide security professionals with valuable insights, always use it responsibly and in accordance with ethical hacking guidelines and legal requirements.