Revisions
nullbind revised this gist
Aug 20, 2020 . 1 changed file with 0 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -92,7 +92,6 @@ function Get-SMBShareInventory [*] - 43 D$ [*] - 6 SYSVOL [*] ----------------------------------------------- #> [CmdletBinding()] -
nullbind revised this gist
Aug 20, 2020 . 1 changed file with 68 additions and 22 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,7 +19,7 @@ function Get-SMBShareInventory .EXAMPLE PS C:\temp\test> Get-SMBShareInventory -Threads 100 -OutputDirectory c:\temp\test --------------------------------------------------------------- | Get-SMBShareInventory v1.2.6 | --------------------------------------------------------------- | This function automates the following tasks: | | | @@ -126,8 +126,9 @@ function Get-SMBShareInventory Begin { $TheVersion = "v1.2.6" Write-Output " ---------------------------------------------------------------" Write-Output " | Get-SMBShareInventory $TheVersion |" Write-Output " ---------------------------------------------------------------" Write-Output " | This function automates the following tasks: |" Write-Output " | |" @@ -162,14 +163,20 @@ function Get-SMBShareInventory # Enumerate domain computers # ---------------------------------------------------------------------- # Set target domain $DCRecord = Get-LdapQuery -LdapFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" -DomainController $DomainController -Username $username -Password $Password | select -first 1 | select properties -expand properties [string]$DCHostname = $DCRecord.dnshostname [string]$DCCn = $DCRecord.cn [string]$TargetDomain = $DCHostname -replace ("$DCCn\.","") if($DCHostname) { Write-Output " [*] Successful connection to domain controller: $DCHostname" }else{ Write-Output " [*] There appears to have been an error connecting to the domain controller." Write-Output " [*] Aborting." break } # Status user Write-Output " [*] Performing LDAP query for computers associated with the $TargetDomain domain" 
@@ -222,12 +229,18 @@ function Get-SMBShareInventory # Status user $ComputerPingableCount = $ComputersPingable.count Write-Output " [*] - $ComputerPingableCount computers responded to ping requests." # Stop if no hosts are accessible If ($ComputerPingableCount -eq 0) { Write-Output " [*] - Aborting." break } # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Domain-Computers-Pingable.csv" $ComputersPingable | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Domain-Computers-Pingable.csv" # ---------------------------------------------------------------------- # Identify computers that have TCP 445 open and accessible # ---------------------------------------------------------------------- @@ -273,6 +286,14 @@ function Get-SMBShareInventory # Status user $Computers445OpenCount = $Computers445Open.count Write-Output " [*] - $Computers445OpenCount computers have TCP port 445 open." # Stop if no ports are accessible If ($Computers445OpenCount -eq 0) { Write-Output " [*] - Aborting." break } # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Domain-Computers-Open445.csv" @@ -296,6 +317,13 @@ function Get-SMBShareInventory # Status user $AllSMBSharesCount = $AllSMBShares.count Write-Output " [*] - $AllSMBSharesCount SMB shares were found." # Stop if no shares If ($AllSMBSharesCount -eq 0) { Write-Output " [*] - Aborting." break } # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-All.csv" 
@@ -348,13 +376,19 @@ function Get-SMBShareInventory # Status user $ShareACLsCount = $ShareACLs.count Write-Output " [*] - $ShareACLsCount share permissions were enumerated." # Stop if no shares ACLs were enumerated If ($ShareACLsCount -eq 0) { Write-Output " [*] - Aborting." break } # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-All-ACL.csv" $ShareACLs | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-All-ACL.csv" # ---------------------------------------------------------------------- # Get potentially excessive share permissions # ---------------------------------------------------------------------- @@ -371,7 +405,7 @@ function Get-SMBShareInventory if($line.ShareAccess -like "Yes"){ if(($line.ShareName -notlike "print$") -and ($line.ShareName -notlike "prnproc$") -and ($line.ShareName -notlike "*printer*")) { $line } @@ -387,8 +421,12 @@ function Get-SMBShareInventory Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive privileges were found across $ComputerWithExcessive systems." # Save results if($ExcessiveSharesCount -ne 0){ Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges.csv" $ExcessiveSharePrivs | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges.csv" }else{ break } # ---------------------------------------------------------------------- # Identify shares that provide write access 
@@ -410,9 +448,10 @@ function Get-SMBShareInventory Write-Output " [*] - $SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems." # Save results if($SharesWithWriteCount -ne 0){ Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges-Write.csv" $SharesWithWrite | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges-Write.csv" } # ---------------------------------------------------------------------- # Identify shares that are high risk @@ -422,7 +461,7 @@ function Get-SMBShareInventory $SharesHighRisk = $ExcessiveSharePrivs | Foreach { if(($_.ShareName -like 'c$') -or ($_.ShareName -like 'admin$') -or ($_.ShareName -like "*wwwroot*") -or ($_.ShareName -like "*inetpub*") -or ($_.ShareName -like 'c') -or ($_.ShareName -like 'c_share')) { $_ # out to file } @@ -434,8 +473,10 @@ function Get-SMBShareInventory Write-Output " [*] - $SharesHighRiskCount that are considered high risk across $ComputerwithHighRisk systems." # Save results if($SharesHighRiskCount -ne 0){ Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges-HighRisk.csv" $SharesHighRisk | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges-HighRisk.csv" } # ---------------------------------------------------------------------- # Identify common share names 
@@ -444,10 +485,15 @@ function Get-SMBShareInventory # Status user Write-Output " [*] Generating summary data" Write-Output " [*] Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Common-Names.csv" $CommonShareNames = $ExcessiveSharePrivs | Select-Object ComputerName,ShareName -Unique | Group-Object ShareName | Sort Count -Descending | select count,name | foreach{ if( ($_.name -ne 'SYSVOL') -and ($_.name -ne 'NETLOGON')) { $_ } } $CommonShareNames | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-Common-Names.csv" # Get percent of shared covered by top 5 # If very weighted this indicates if the shares are part of a deployment process, image, or app @@ -542,7 +588,7 @@ $HTMLReport1 = @" <ul> <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems.</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems. (c`$,admin`$,wwwroot)</li> <li>$Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names.<Br> -
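Review bot: The new abort paths after the pingable, port-445, share and ACL counts, and the `else{ break }` after the excessive-privilege export, use a bare `break` inside a function body, which PowerShell does not treat as a function-local exit: it walks up the call stack to the nearest enclosing loop in the caller and, finding none, terminates the calling script. A caller that wraps this function in a `foreach` over several domain controllers would have that loop cut short without any error. Each of those statements should be `return` (or `throw` if the caller is meant to see a terminating error), e.g. `Write-Output " [*] - Aborting."; return`. The enclosing Get-SMBShareInventory function starts before these hunks and its Process block continues outside them.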
nullbind revised this gist
Aug 20, 2020 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,7 +19,7 @@ function Get-SMBShareInventory .EXAMPLE PS C:\temp\test> Get-SMBShareInventory -Threads 100 -OutputDirectory c:\temp\test --------------------------------------------------------------- | Get-SMBShareInventory v1.2.3 | --------------------------------------------------------------- | This function automates the following tasks: | | | @@ -127,7 +127,7 @@ function Get-SMBShareInventory Begin { Write-Output " ---------------------------------------------------------------" Write-Output " | Get-SMBShareInventory v1.2.3 |" Write-Output " ---------------------------------------------------------------" Write-Output " | This function automates the following tasks: |" Write-Output " | |" @@ -429,7 +429,7 @@ function Get-SMBShareInventory } # Status user $SharesHighRiskCount = $SharesHighRisk | Select-Object SharePath -Unique | Measure-Object | select count -ExpandProperty count $ComputerwithHighRisk = $SharesHighRisk | Select-Object ComputerName -Unique | Measure-Object | select count -ExpandProperty count Write-Output " [*] - $SharesHighRiskCount that are considered high risk across $ComputerwithHighRisk systems." -
nullbind revised this gist
Aug 20, 2020 . 1 changed file with 33 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,8 +2,7 @@ # Function: Get-SMBShareInventory #-------------------------------------- # Author: Scott Sutherland, 2020 NetSPI # References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Get-SMBShareInventory { @@ -15,10 +14,12 @@ function Get-SMBShareInventory Number of concurrent tasks to run at once. .PARAMETER Output Directory File path where all csv and html report will be exported. .EXAMPLE PS C:\temp\test> Get-SMBShareInventory -Threads 100 -OutputDirectory c:\temp\test -DomainController 10.1.1.1 -Username user -Password password .EXAMPLE PS C:\temp\test> Get-SMBShareInventory -Threads 100 -OutputDirectory c:\temp\test --------------------------------------------------------------- | Get-SMBShareInventory v1.2.2 | --------------------------------------------------------------- | This function automates the following tasks: | | | 
@@ -96,6 +97,23 @@ function Get-SMBShareInventory #> [CmdletBinding()] Param( [Parameter(Mandatory = $false, HelpMessage = 'Domain user to authenticate with domain\user. For computer lookup.')] [string]$Username, [Parameter(Mandatory = $false, HelpMessage = 'Domain password to authenticate with domain\user. For computer lookup.')] [string]$Password, [Parameter(Mandatory = $false, HelpMessage = 'Credentials to use when connecting to a Domain Controller. For computer lookup.')] [System.Management.Automation.PSCredential] [System.Management.Automation.Credential()]$Credential = [System.Management.Automation.PSCredential]::Empty, [Parameter(Mandatory = $false, HelpMessage = 'Domain controller for Domain and Site that you want to query against. For computer lookup.')] [string]$DomainController, [Parameter(Mandatory = $false, HelpMessage = 'Number of threads to process at once.')] [int]$Threads = 100, @@ -109,7 +127,7 @@ function Get-SMBShareInventory Begin { Write-Output " ---------------------------------------------------------------" Write-Output " | Get-SMBShareInventory v1.2.2 |" Write-Output " ---------------------------------------------------------------" Write-Output " | This function automates the following tasks: |" Write-Output " | |" 
@@ -145,13 +163,19 @@ function Get-SMBShareInventory # ---------------------------------------------------------------------- # Determine current computer's domain #$TargetDomain = $env:USERDNSDOMAIN $DCRecord = Get-LdapQuery -LdapFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" -DomainController $DomainController -Username $username -Password $Password | select -first 1 | select properties -expand properties [string]$DCHostname = $DCRecord.dnshostname [string]$DCCn = $DCRecord.cn [string]$TargetDomain = $DCHostname -replace ("$DCCn\.","") # Status user Write-Output " [*] Performing LDAP query for computers associated with the $TargetDomain domain" # Get domain computers $DomainComputersRecord = Get-LdapQuery -LdapFilter "(objectCategory=Computer)" -DomainController $DomainController -Username $username -Password $Password $DomainComputers = $DomainComputersRecord | foreach{ @@ -518,7 +542,7 @@ $HTMLReport1 = @" <ul> <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems."</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems. (c`$,admin`$,wwwroot)</li> <li>$Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names.<Br> @@ -669,7 +693,7 @@ function Get-LdapQuery } Process { try { # Return object -
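Review bot: The new `[string]$Password` parameter takes the domain password in clear text and the only calls shown, `Get-LdapQuery ... -Username $username -Password $Password`, forward it that way, while the `$Credential` parameter added alongside it is never read in these hunks; a password given on the command line as in the `.EXAMPLE` ends up in PSReadLine history, transcripts and script-block logs. Prefer the PSCredential and derive the legacy values from it only where Get-LdapQuery needs them, e.g. `if ($Credential -ne [System.Management.Automation.PSCredential]::Empty) { $Username = $Credential.UserName; $Password = $Credential.GetNetworkCredential().Password }` placed before the first Get-LdapQuery call. Whether Get-LdapQuery itself accepts `-Credential` cannot be seen here; its parameter block is outside the hunk. Separately, the help entry `.PARAMETER Output Directory` will not bind to the `OutputDirectory` parameter because of the space in the name.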
nullbind revised this gist
Aug 20, 2020 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,7 +18,7 @@ function Get-SMBShareInventory .EXAMPLE PS C:\temp\test> Get-SMBShareInventory -Threads 100 -OutputDirectory c:\temp\test --------------------------------------------------------------- | Get-SMBShareInventory v1.2.1 | --------------------------------------------------------------- | This function automates the following tasks: | | | @@ -477,7 +477,7 @@ function Get-SMBShareInventory Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems." Write-Output " [*] - $SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems." Write-Output " [*] - $SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems." Write-Output " [*] - $Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names." Write-Output " [*] - The 5 most common share names are:" $CommonShareNamesTop5 | foreach { @@ -518,7 +518,7 @@ $HTMLReport1 = @" <ul> <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems.</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems. (c`$,admin`$,wwwroot)</li> <li>$Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names.<Br> -
nullbind revised this gist
Aug 18, 2020 . 1 changed file with 7 additions and 6 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,7 +3,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2020 NetSPI # References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. # TODO: Add alternative domain support. function Get-SMBShareInventory { @@ -442,11 +442,12 @@ function Get-SMBShareInventory # Get count of all accessible shares $AllAccessibleSharesCount = $ExcessiveSharePrivs | Select-Object ComputerName,ShareName -Unique | measure | select count -ExpandProperty count # Get percent $DupDec = $Top5ShareCountTotal / $AllAccessibleSharesCount $DupPercent = $DupDec.tostring("P") Write-Output " [*] - $Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names." # ---------------------------------------------------------------------- # Display final summary @@ -519,8 +520,8 @@ $HTMLReport1 = @" <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems."</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems. (c`$,admin`$,wwwroot)</li> <li>$Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names.<Br> The 5 most common share names are:<br> <ul> "@ -
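Review bot: `$DupDec = $Top5ShareCountTotal / $AllAccessibleSharesCount` divides by a count that is zero whenever no excessive share permissions were found, and PowerShell reports `Attempted to divide by zero.` for that; the statement fails, `$DupDec` stays unset, the following `$DupDec.tostring("P")` errors as well, and the summary's percent comes out blank (or the run aborts if the caller has `$ErrorActionPreference = 'Stop'`). Guard it, e.g. `$DupDec = if ($AllAccessibleSharesCount -gt 0) { $Top5ShareCountTotal / $AllAccessibleSharesCount } else { 0 }`, so a clean environment reports 0.00 % instead of an error. Get-SMBShareInventory's Process block continues outside this hunk.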
nullbind revised this gist
Aug 18, 2020 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -476,7 +476,7 @@ function Get-SMBShareInventory Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems." Write-Output " [*] - $SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems." Write-Output " [*] - $SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems." Write-Output " [*] - $CommonShareNamesCount share names were discovered with more than 5 instances" Write-Output " [*] - The 5 most common share names are:" $CommonShareNamesTop5 | foreach { @@ -508,7 +508,7 @@ $HTMLReport1 = @" <H3>Computer Summary</H3> <ul> <li>$ComputerCount domain computers found.</li> <li>$ComputerPingableCount domain computers responded to ping.</li> <li>$Computers445OpenCount domain computers had TCP port 445 accessible.</li> </ul> @@ -520,7 +520,7 @@ $HTMLReport1 = @" <li>$ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems."</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems.</li> <li>$CommonShareNamesCount share names were discovered with more than 5 instances. <Br> The 5 most common share names are:<br> <ul> "@ -
nullbind revised this gist
Aug 18, 2020 . 1 changed file with 13 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,6 +3,8 @@ #-------------------------------------- # Author: Scott Sutherland, 2020 NetSPI # References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. # TODO: Add alternative domain support. function Get-SMBShareInventory { <# @@ -354,6 +356,8 @@ function Get-SMBShareInventory } # Status user $ExcessiveShares = $ExcessiveSharePrivs | Select-Object ComputerName,ShareName -unique $ExcessiveSharesCount = $ExcessiveShares.count $ExcessiveSharePrivsCount = $ExcessiveSharePrivs.count $ComputerWithExcessive = $ExcessiveSharePrivs | Select-Object ComputerName -Unique | Measure-Object | select count -ExpandProperty count Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive privileges were found across $ComputerWithExcessive systems." @@ -469,7 +473,7 @@ function Get-SMBShareInventory Write-Output " [*] " Write-Output " [*] Share Summary" Write-Output " [*] - $AllSMBSharesCount shares were found." Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems." Write-Output " [*] - $SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems." Write-Output " [*] - $SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems." Write-Output " [*] - $CommonShareNamesCount sharenames were discovered with more than 5 instances" 
@@ -492,27 +496,28 @@ $HTMLReport1 = @" </HEAD> <BODY> <H1>SMB Share Inventory Summary Report</H1> <strong>Domain:</strong>$TargetDomain<Br> <H3>Scan Time</H3> <ul> <li>Start Time: $StartTime</li> <li>End Time: $EndTime</li> <li>Run Time: $RunTime</li> </ul> <H3>Computer Summary</H3> <ul> <li>$ComputerCount domain computers found</li> <li>$ComputerPingableCount domain computers responded to ping.</li> <li>$Computers445OpenCount domain computers had TCP port 445 accessible.</li> </ul> <H3>Share Summary</H3> <ul> <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially excessive ACLs on $ExcessiveSharesCount shares across $ComputerWithExcessive systems."</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems.</li> <li>$CommonShareNamesCount sharenames were discovered with more than 5 instances. <Br> -
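Review bot: The rebuilt Share Summary list carries a stray double quote in `...across $ComputerWithExcessive systems."</li>`, so that bullet renders as `systems."` in the report; drop the quote to match the other `<li>` lines. The first Computer Summary bullet, `<li>$ComputerCount domain computers found</li>`, also lacks the trailing period the rest of the list uses. The `$HTMLReport1` here-string is opened before this hunk and closed after it.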
nullbind revised this gist
Aug 18, 2020 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -512,9 +512,9 @@ $HTMLReport1 = @" <ul> <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially excessive privileges were found across $ComputerWithExcessive systems.</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems.</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems.</li> <li>$CommonShareNamesCount sharenames were discovered with more than 5 instances. <Br> The 5 most common share names are:<br> <ul> -
nullbind renamed this gist
Aug 18, 2020 . 1 changed file with 204 additions and 34 deletions.There are no files selected for viewing
@@ -1,30 +1,113 @@ #-------------------------------------- # Function: Get-SMBShareInventory #-------------------------------------- # Author: Scott Sutherland, 2020 NetSPI # References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Get-SMBShareInventory { <# .SYNOPSIS This function can be used to inventory to SMB shares on the current Active Directory domain and identify potentially high risk exposures. It will automatically generate csv files and html summary report. .PARAMETER Threads Number of concurrent tasks to run at once. .PARAMETER Output Directory File path where all csv and html report will be exported. .EXAMPLE PS C:\temp\test> Get-SMBShareInventory -Threads 100 -OutputDirectory c:\temp\test --------------------------------------------------------------- | Get-SMBShareInventory v1.2 | --------------------------------------------------------------- | This function automates the following tasks: | | | | o Determine current computer's domain | | o Enumerate domain computers | | o Filter for computers that respond to ping reqeusts | | o Filter for computers that have TCP 445 open and accessible | | o Enumerate SMB shares | | o Enumerate SMB share permissions | | o Identify shares with potentially excessive privielges | | o Identify shares that provide write access | | o Identify shares thare are high risk | | o Identify common share names with more that 5 instances | | | --------------------------------------------------------------- | Note: This can take hours to run in large environments. 
| --------------------------------------------------------------- [*] Start time: 08/18/2020 10:16:35 [*] All results will be written to the directory c:\temp\test [*] Performing LDAP query for computers associated with the my.test.domain.com domain [*] - 10358 computers found [*] - Saving results to c:\temp\test\my.test.domain.com-Domain-Computers.csv [*] Pinging 10358 computers [*] - 5018 computers responded to ping requests. [*] - Saving results to c:\temp\test\my.test.domain.com-Domain-Computers-Pingable.csv [*] Checking if TCP Port 445 is open on 5018 computers [*] - 4900 computers have TCP port 445 open. [*] - Saving results to c:\temp\test\my.test.domain.com-Domain-Computers-Open445.csv [*] Getting a list of SMB shares from 4900 computers [*] - 10866 SMB shares were found. [*] - Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-All.csv [*] Getting share permissions from 10866 SMB shares [*] - 13399 share permissions were enumerated. [*] - Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-All-ACL.csv [*] Identifying potentially excessive share permissions [*] - 930 potentially excessive privileges were found across 170 systems. [*] - Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-Excessive-Privileges.csv [*] - 131 shares can be written to across 87 systems. [*] - Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-Excessive-Privileges-Write.csv [*] - 378 that are considered high risk across 75 systems. 
[*] - Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-Excessive-Privileges-HighRisk.csv [*] Generating summary data [*] Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-Common-Names.csv [*] - 274 of 325 ( %)shares are have more than 5 duplicates [*] Results written to c:\temp\test [*] [*] ----------------------------------------------- [*] Get-ShareInventory Summary Report [*] ----------------------------------------------- [*] Domain: my.test.domain.com [*] Start time: 08/18/2020 10:16:35 [*] End time: 08/18/2020 11:36:22 [*] Run time: 01:19:47.0152660 [*] [*] Computer Summary [*] - 10358 domain computers found. [*] - 5018 domain computers responded to ping. [*] - 4900 domain computers had TCP port 445 accessible. [*] [*] Share Summary [*] - 10866 shares were found. [*] - 930 potentially excessive privileges were found across 170 systems. [*] - 131 shares can be written to across 87 systems. [*] - 378 shares are considered high risk across 75 systems. [*] - 41 sharenames were discovered with more than 5 instances [*] - The 5 most common share names are: [*] - 75 Users [*] - 75 C$ [*] - 75 ADMIN$ [*] - 43 D$ [*] - 6 SYSVOL [*] ----------------------------------------------- [*] Saving results to c:\temp\test\my.test.domain.com-Shares-Inventory-Common-Names.csv #> [CmdletBinding()] Param( [Parameter(Mandatory = $false, HelpMessage = 'Number of threads to process at once.')] [int]$Threads = 100, [Parameter(Mandatory = $true, HelpMessage = 'Directory to output files to.')] [string]$OutputDirectory ) Begin { Write-Output " ---------------------------------------------------------------" Write-Output " | Get-SMBShareInventory v1.2 |" Write-Output " ---------------------------------------------------------------" Write-Output " | This function automates the following tasks: |" Write-Output " | |" 
@@ -272,7 +355,8 @@ function Get-SMBShareInventory # Status user $ExcessiveSharePrivsCount = $ExcessiveSharePrivs.count $ComputerWithExcessive = $ExcessiveSharePrivs | Select-Object ComputerName -Unique | Measure-Object | select count -ExpandProperty count Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive privileges were found across $ComputerWithExcessive systems." # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges.csv" @@ -291,10 +375,11 @@ function Get-SMBShareInventory $_ # out to file } } # Status user $SharesWithWriteCount = $SharesWithWrite | Select-Object SharePath -Unique | Measure-Object | select count -ExpandProperty count $ComputerWithWriteCount = $SharesWithWrite | Select-Object ComputerName -Unique | Measure-Object | select count -ExpandProperty count Write-Output " [*] - $SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems." # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges-Write.csv" @@ -317,7 +402,8 @@ function Get-SMBShareInventory # Status user $SharesHighRiskCount = $SharesHighRisk.count $ComputerwithHighRisk = $SharesHighRisk | Select-Object ComputerName -Unique | Measure-Object | select count -ExpandProperty count Write-Output " [*] - $SharesHighRiskCount that are considered high risk across $ComputerwithHighRisk systems." # Save results Write-Output " [*] - Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Excessive-Privileges-HighRisk.csv" 
@@ -330,20 +416,33 @@ function Get-SMBShareInventory # Status user Write-Output " [*] Generating summary data" Write-Output " [*] Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Common-Names.csv" $CommonShareNames = $ExcessiveSharePrivs | Select-Object ComputerName,ShareName -Unique | Group-Object ShareName | Sort Count -Descending | select count,name $CommonShareNames | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-Common-Names.csv" # Get percent of shared covered by top 5 # If very weighted this indicates if the shares are part of a deployment process, image, or app # Get top five share name $CommonShareNamesCount = $CommonShareNames.count $CommonShareNamesTop5 = $CommonShareNames | Select-Object count,name -First 5 # Get count of share name if in the top 5 $Top5ShareCountTotal = 0 $CommonShareNamesTop5 | foreach{ [int]$TopCount = $_.Count $Top5ShareCountTotal = $Top5ShareCountTotal + $TopCount } # Get count of all accessible shares $AllAccessibleSharesCount = $ExcessiveSharePrivs | Select-Object ComputerName,ShareName -Unique | measure | select count -ExpandProperty count # Get percent # $Top5ShareCountTotal / $AllAccessibleSharesCount Write-Output " [*] - $Top5ShareCountTotal of $AllAccessibleSharesCount ( %)shares are have more than 5 duplicates" # ---------------------------------------------------------------------- # Display final summary 
@@ -364,22 +463,93 @@ function Get-SMBShareInventory Write-Output " [*] Run time: $RunTime" Write-Output " [*] " Write-Output " [*] Computer Summary" Write-Output " [*] - $ComputerCount domain computers found." Write-Output " [*] - $ComputerPingableCount domain computers responded to ping." Write-Output " [*] - $Computers445OpenCount domain computers had TCP port 445 accessible." Write-Output " [*] " Write-Output " [*] Share Summary" Write-Output " [*] - $AllSMBSharesCount shares were found." Write-Output " [*] - $ExcessiveSharePrivsCount potentially excessive privileges were found across $ComputerWithExcessive systems." Write-Output " [*] - $SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems." Write-Output " [*] - $SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems." Write-Output " [*] - $CommonShareNamesCount sharenames were discovered with more than 5 instances" Write-Output " [*] - The 5 most common share names are:" $CommonShareNamesTop5 | foreach { $ShareCount = $_.count $ShareName = $_.name Write-Output " [*] - $ShareCount $ShareName" } Write-Output " [*] -----------------------------------------------" # ---------------------------------------------------------------------- # Display final summary - HTML # ---------------------------------------------------------------------- $HTMLReport1 = @" <HTML> <HEAD> </HEAD> <BODY> <H1>SMB Share Inventory Summary Report</H1> <H3>Scan Time</H3> <strong>Domain:</strong>$TargetDomain<Br> <strong>Start Time:</strong>$StartTime<Br> <strong>End Time:</strong>$EndTime<Br> <strong>Run Time:</strong>$RunTime<Br> <H3>Computer Summary</H3> <ul> <li>$ComputerCount domain computers found</li> <li>$ComputerPingableCount domain computers responded to ping.</li> <li>$Computers445OpenCount domain computers had TCP port 445 accessible.</li> </ul> <H3>Share Summary</H3> <ul> <li>$AllSMBSharesCount shares were found.</li> <li>$ExcessiveSharePrivsCount potentially 
excessive privileges were found across $ComputerWithExcessive systems."</li> <li>$SharesWithWriteCount shares can be written to across $ComputerWithWriteCount systems."</li> <li>$SharesHighRiskCount shares are considered high risk across $ComputerwithHighRisk systems."</li> <li>$CommonShareNamesCount sharenames were discovered with more than 5 instances. <Br> The 5 most common share names are:<br> <ul> "@ $HTMLReport2 = $CommonShareNamesTop5 | foreach { $ShareCount = $_.count $ShareName = $_.name Write-Output "<li>$ShareCount $ShareName</li>" } $HTMLReport3 = @" </ul> </li> </ul> </BODY> </HTML> "@ $HTMLReport = $HTMLReport1 + $HTMLReport2 + $HTMLReport3 Write-Output " [*] Saving results to $OutputDirectory\$TargetDomain-Shares-Inventory-Common-Names.csv" $HTMLReport | Out-File "$OutputDirectory\$TargetDomain-Share-Intentory-Summary-Report.html" # ---------------------------------------------------------------------- # Find high risk file names by keyword # ---------------------------------------------------------------------- # Pending # ---------------------------------------------------------------------- # Find high risk file names by extension # ---------------------------------------------------------------------- # Pending } } -
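Review bot: `Write-Output "<li>$ShareCount $ShareName</li>"` in the `$HTMLReport2` loop, and `<strong>Domain:</strong>$TargetDomain` above it, interpolate values into the HTML report with no encoding; the share names come from `$ExcessiveSharePrivs`, which appears to be built from the share listings returned by the enumerated hosts, so a machine that publishes a share named with `<script>` or `<img onerror=...>` markup gets it executed when the assessor opens the summary in a browser. Encode on output, e.g. `$ShareName = [System.Net.WebUtility]::HtmlEncode([string]$_.name)` and use an encoded copy of `$TargetDomain` in the header. The status line before `Out-File` claims it is saving `...-Shares-Inventory-Common-Names.csv` while the file written is `...-Share-Intentory-Summary-Report.html` (note the misspelling), and the `( %)` in the duplicates message is a placeholder because the percent computation is still commented out. Where `$ExcessiveSharePrivs` is populated is outside these hunks, as is the start of Get-SMBShareInventory.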
nullbind created this gist
Aug 15, 2020 .There are no files selected for viewing