Skip to content

Commit

Permalink
Release 3.0
Browse files Browse the repository at this point in the history
  • Loading branch information
@p0dalirius
p0dalirius committed Apr 17, 2023
1 parent 954ac30 commit 092f657
Show file tree
Hide file tree
Showing 6 changed files with 118 additions and 62 deletions.
Binary file modified .github/example.png
100755 → 100644
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
24 changes: 12 additions & 12 deletions FindUncommonShares.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
import traceback
import xlsxwriter

VERSION = "2.6"
VERSION = "3.0"

COMMON_SHARES = [
"C$",
Expand Down Expand Up @@ -246,7 +246,7 @@ def export_xlsx(options, results):


def export_sqlite(options, results):
print("[>] Exporting results to %s ..." % options.export_sqlite, end="")
print("[>] Exporting results to %s ... " % options.export_sqlite, end="")
sys.stdout.flush()
basepath = os.path.dirname(options.export_sqlite)
filename = os.path.basename(options.export_sqlite)
Expand All @@ -259,17 +259,18 @@ def export_sqlite(options, results):

conn = sqlite3.connect(path_to_file)
cursor = conn.cursor()
cursor.execute("CREATE TABLE IF NOT EXISTS shares(fqdn VARCHAR(255), ip VARCHAR(255), shi1_netname VARCHAR(255), shi1_remark VARCHAR(255), shi1_type INTEGER);")
cursor.execute("CREATE TABLE IF NOT EXISTS shares(fqdn VARCHAR(255), ip VARCHAR(255), shi1_netname VARCHAR(255), shi1_remark VARCHAR(255), shi1_type INTEGER, hidden INTEGER);")
for computername in results.keys():
for share in results[computername]:
cursor.execute("INSERT INTO shares VALUES (?, ?, ?, ?, ?)", (
share["computer"]["fqdn"],
share["computer"]["ip"],
share["share"]["name"],
share["share"]["comment"],
share["share"]["type"]["stype_value"]
cursor.execute("INSERT INTO shares VALUES (?, ?, ?, ?, ?, ?)", (
share["computer"]["fqdn"],
share["computer"]["ip"],
share["share"]["name"],
share["share"]["comment"],
share["share"]["type"]["stype_value"],
share["share"]["hidden"]
)
)
)
conn.commit()
conn.close()
print("done.")
Expand Down Expand Up @@ -394,6 +395,7 @@ def print_results(options, sharename, address, sharecomment, access_rights):

str_access_readable, str_colored_access_readable = "", ""
str_access_writable, str_colored_access_writable = "", ""
str_access, str_colored_access = "", ""
if options.check_user_access:
if access_rights["readable"] == True:
str_access_readable = "READ"
Expand All @@ -413,8 +415,6 @@ def print_results(options, sharename, address, sharecomment, access_rights):
elif access_rights["readable"] == True and access_rights["writable"] == False:
str_access = "access: %s" % str_access_readable
str_colored_access = "access: %s" % str_colored_access_readable
else:
str_access, str_colored_access = "", ""

# Specific use cases
do_print_results = False
Expand Down
80 changes: 46 additions & 34 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,30 +21,52 @@
- [x] Export results in SQLITE3 with IP, name, comment, flags and UNC path with `--export-sqlite <file.db>`.
- [x] Iterate on LDAP result pages to get every computer of the domain, no matter the size.

## Quick win commands

+ List all shares where your current user has WRITE access:
```
./FindUncommonShares.py -u user -p 'Podalirius123!' -d DOMAIN --dc-ip 192.168.1.71 --writable
```

+ Export list of shares in the domain to an Excel file for the client:
```
./FindUncommonShares.py -u user -p 'Podalirius123!' -d DOMAIN --dc-ip 192.168.1.71 --export-xlsx ./examples/results.xlsx
```

+ List all shares with access rights for your current user:
```
./FindUncommonShares.py -u user -p 'Podalirius123!' -d DOMAIN --dc-ip 192.168.1.71 --check-user-access
```

## Usage

```
$ ./FindUncommonShares.py -h
FindUncommonShares v2.6 - by @podalirius_
FindUncommonShares v3.0 - by @podalirius_
usage: FindUncommonShares.py [-h] [-v] [--use-ldaps] [-q] [--debug] [-no-colors] [-t THREADS] [-l LDAP_QUERY] [-ns NAMESERVER] [-I] [-i IGNORED_SHARES] [-s ACCEPTED_SHARES] [--export-xlsx EXPORT_XLSX] [--export-json EXPORT_JSON]
[--export-sqlite EXPORT_SQLITE] --dc-ip ip address [-d DOMAIN] [-u USER] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]
usage: FindUncommonShares.py [-h] [-v] [--use-ldaps] [-q] [--debug] [-no-colors] [-t THREADS] [-l LDAP_QUERY] [-ns NAMESERVER]
[--check-user-access] [--readable] [--writable] [-I] [-i IGNORED_SHARES] [-s ACCEPTED_SHARES]
[--export-xlsx EXPORT_XLSX] [--export-json EXPORT_JSON] [--export-sqlite EXPORT_SQLITE] --dc-ip ip
address [-d DOMAIN] [-u USER] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key] [-k]
Find uncommon SMB shares on remote machines.
options:
-h, --help show this help message and exit
-v, --verbose Verbose mode. (default: False)
--use-ldaps Use LDAPS instead of LDAP
-v, --verbose Verbose mode. (default: False).
--use-ldaps Use LDAPS instead of LDAP.
-q, --quiet Show no information at all.
--debug Debug mode. (default: False)
-no-colors Disables colored output mode
--debug Debug mode. (default: False).
-no-colors Disables colored output mode.
-t THREADS, --threads THREADS
Number of threads (default: 20)
Number of threads (default: 20).
-l LDAP_QUERY, --ldap-query LDAP_QUERY
LDAP query to use to extract computers from the domain.
-ns NAMESERVER, --nameserver NAMESERVER
IP of the DNS server to use, instead of the --dc-ip.
--check-user-access Check if current user can access the share.
--readable Only list shares that current user has READ access to.
--writable Only list shares that current user has WRITE access to.
-I, --ignore-hidden-shares
Ignores hidden shares (shares ending with $)
-i IGNORED_SHARES, --ignore-share IGNORED_SHARES
Expand All @@ -61,7 +83,8 @@ Output files:
Output SQLITE3 file to store the results in.
Authentication & connection:
--dc-ip ip address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
--dc-ip ip address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the
domain part (FQDN) specified in the identity parameter
-d DOMAIN, --domain DOMAIN
(FQDN) domain to authenticate to
-u USER, --user USER user to authenticate with
Expand All @@ -73,46 +96,35 @@ Credentials:
-H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
NT/LM hashes, format is LMhash:NThash
--aes-key hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
```

## Examples :

```
$ ./FindUncommonShares.py -u 'user1' -d 'LAB.local' -p 'P@ssw0rd!' --dc-ip 192.168.2.1
FindUncommonShares v2.5 - by @podalirius_
[>] Extracting all computers ...
[+] Found 2 computers.
[>] Enumerating shares ...
[>] Found 'Users' on 'DC01.LAB.local'
[>] Found 'WeirdShare' on 'DC01.LAB.local' (comment: 'Test comment')
[>] Found 'AnotherShare' on 'PC01.LAB.local'
[>] Found 'Users' on 'PC01.LAB.local
$
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If
valid credentials cannot be found, it will use the ones specified in the command line
```

## Exported results

Each JSON entry looks like this:

```json
{
"computer": {
"fqdn": "DC01.LAB.local",
"ip": "192.168.1.1"
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "ADMIN$",
"comment": "Remote Admin",
"name": "IPC$",
"comment": "Remote IPC",
"hidden": true,
"uncpath": "\\\\192.168.1.46\\ADMIN$\\",
"uncpath": "\\\\192.168.1.71\\IPC$\\",
"type": {
"stype_value": 2147483648,
"stype_value": 2147483651,
"stype_flags": [
"STYPE_DISKTREE",
"STYPE_IPC",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": true,
"writable": false
}
}
}
Expand Down
76 changes: 60 additions & 16 deletions examples/results.json
View file
Original file line number Diff line number Diff line change
@@ -1,99 +1,143 @@
{
"DC2016.COERCE.local": [
"TDC01.DOMAIN.local": [
{
"computer": {
"fqdn": "DC2016.COERCE.local",
"ip": "192.168.1.46"
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "ADMIN$",
"comment": "Remote Admin",
"hidden": true,
"uncpath": "\\\\192.168.1.46\\ADMIN$\\",
"uncpath": "\\\\192.168.1.71\\ADMIN$\\",
"type": {
"stype_value": 2147483648,
"stype_flags": [
"STYPE_DISKTREE",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": false,
"writable": false
}
}
},
{
"computer": {
"fqdn": "DC2016.COERCE.local",
"ip": "192.168.1.46"
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "C$",
"comment": "Default share",
"hidden": true,
"uncpath": "\\\\192.168.1.46\\C$\\",
"uncpath": "\\\\192.168.1.71\\C$\\",
"type": {
"stype_value": 2147483648,
"stype_flags": [
"STYPE_DISKTREE",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": false,
"writable": false
}
}
},
{
"computer": {
"fqdn": "DC2016.COERCE.local",
"ip": "192.168.1.46"
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "IPC$",
"comment": "Remote IPC",
"hidden": true,
"uncpath": "\\\\192.168.1.46\\IPC$\\",
"uncpath": "\\\\192.168.1.71\\IPC$\\",
"type": {
"stype_value": 2147483651,
"stype_flags": [
"STYPE_IPC",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": true,
"writable": false
}
}
},
{
"computer": {
"fqdn": "DC2016.COERCE.local",
"ip": "192.168.1.46"
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "NETLOGON",
"comment": "Logon server share ",
"hidden": false,
"uncpath": "\\\\192.168.1.46\\NETLOGON\\",
"uncpath": "\\\\192.168.1.71\\NETLOGON\\",
"type": {
"stype_value": 0,
"stype_flags": [
"STYPE_DISKTREE",
"STYPE_SPECIAL",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": true,
"writable": false
}
}
},
{
"computer": {
"fqdn": "DC2016.COERCE.local",
"ip": "192.168.1.46"
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "SYSVOL",
"comment": "Logon server share ",
"hidden": false,
"uncpath": "\\\\192.168.1.46\\SYSVOL\\",
"uncpath": "\\\\192.168.1.71\\SYSVOL\\",
"type": {
"stype_value": 0,
"stype_flags": [
"STYPE_DISKTREE",
"STYPE_SPECIAL",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": true,
"writable": false
}
}
},
{
"computer": {
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "Users",
"comment": "",
"hidden": false,
"uncpath": "\\\\192.168.1.71\\Users\\",
"type": {
"stype_value": 0,
"stype_flags": [
"STYPE_DISKTREE",
"STYPE_SPECIAL",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": true,
"writable": false
}
}
}
Expand Down
Binary file modified examples/results.sqlite3
100755 → 100644
View file
Binary file not shown.
Binary file modified examples/results.xlsx
View file
Binary file not shown.

0 comments on commit 092f657

Please sign in to comment.