
[SeeRM:#1233] - Upgrade smb_enumshares to show directories & files #2094

Merged
merged 9 commits into from
Jul 11, 2013

Conversation

wchen-r7
Contributor

[SeeRM:#1233] - This is an upgrade based on ringt's code in PR #2017. As a pentester, it's useful to obtain additional information such as device type, access rights, folders, and files, etc. when doing a share enumeration. I have also enhanced exception handling to avoid shutting errors up, which is better for debugging purposes.

Module has been tested on Win XP and Windows Server 2003.

[SeeRM:rapid7#1233] - This is an upgrade based on ringt's code in PR rapid7#2017.
As a pentester, it's useful to obtain additional information such as
device type, access rights, folders, and files, etc when doing a share
enumeration.  I have also enhanced exception handling to avoid shutting
errors up, which is better for debugging purposes.
@wchen-r7
Contributor Author

Useful information on how to set up an SMB share on Win XP/Vista... requires some manual config:
http://networking.nitecruzr.net/2005/06/file-sharing-under-windows-xp.html#Activate

@mubix
Contributor

mubix commented Jul 11, 2013

Target is a Windows 7 SP1 x86 domain attached english install:

master:

msf auxiliary(smb_enumshares) > show options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOSTS     172.16.10.7      yes       The target address range or CIDR identifier
   SMBDomain  projectmentor    no        The Windows domain to use for authentication
   SMBPass    ASDqwe123        no        The password for the specified username
   SMBUser    jdoe             no        The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

msf auxiliary(smb_enumshares) > run

[*] 172.16.10.7:445 ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK), IPC$ - Remote IPC (IPC)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This pull request:

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   RHOSTS           172.16.10.7      yes       The target address range or CIDR identifier
   SHOW_SHARE       false            yes       Show all the folders and files
   SMBDomain        projectmentor    no        The Windows domain to use for authentication
   SMBPass          ASDqwe123        no        The password for the specified username
   SMBUser          jdoe             no        The username to authenticate as
   THREADS          1                yes       The number of concurrent threads
   USE_SRVSVC_ONLY  false            yes       List shares only with SRVSVC

msf auxiliary(smb_enumshares) > run

[!] Options modified: RPORT=139, SMBDirect=false
[-] Login Failed: The server refused our NetBIOS session request
[!] Options modified: RPORT=445, SMBDirect=true
[-] The server responded with error: STATUS_NOT_SUPPORTED (Command=37 WordCount=0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Not sure why it's not working, looking into that, but a couple of things:

  1. "SHOW_SHARE" is a bit of a confusing variable name (kinda the point of the module is to "show shares"); just a suggestion, but maybe LS_SHARE or DIR_SHARE, or DIRLIST.

  2. I am fully in the camp of more output == better, but the "Options Modified" one happens every single time, so I would suggest that either a vprint be put on some of the error messages and VERBOSE default to true, or DEBUG or whatever. The first thing I tried when I saw the module hit pull was to try it against a /24 range, and I have roughly 1000 lines of output from 255 hosts (most of which aren't live IPs).

@wchen-r7
Contributor Author

Login failure? Interesting. Both modules do a connect() and then smb_login()... that's where it fails? The difference is when LoginError is raised, the original one will do a next right away. The new one will make sure to do a disconnect, and then move on to the next port. I'll have to set up a Win 7 box and test this tomorrow.

@wchen-r7
Contributor Author

OK, problem fixed. So it's probably normal to see the LoginError, but the original one will switch to srvsvc_netshareenum, which is how it gets shares on Win 7. The fix is to add back that same behavior.

@jvazquez-r7
Contributor

Processing!

@jvazquez-r7
Contributor

Running a weird test against Win 7 SP1 (no domain, just shared a folder) I get this result:

msf auxiliary(smb_enumshares) > set rhosts 192.168.172.147
rhosts => 192.168.172.147
msf auxiliary(smb_enumshares) > run

[-] Login Failed: The server refused our NetBIOS session request
[-] Error: '192.168.172.147' 'NoMethodError' 'undefined method `[]' for nil:NilClass'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The backtrace associated with the exception:

[-] Error: '192.168.172.147' 'NoMethodError' 'undefined method `[]' for nil:NilClass'
[-] "/Users/juan/Projects/metasploit-framework/modules/auxiliary/scanner/smb/smb_enumshares.rb:190:in `lanman_netshareenum'"
[-] "/Users/juan/Projects/metasploit-framework/modules/auxiliary/scanner/smb/smb_enumshares.rb:354:in `block in run_host'"
[-] "/Users/juan/Projects/metasploit-framework/modules/auxiliary/scanner/smb/smb_enumshares.rb:344:in `each'"
[-] "/Users/juan/Projects/metasploit-framework/modules/auxiliary/scanner/smb/smb_enumshares.rb:344:in `run_host'"
[-] "/Users/juan/Projects/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:94:in `block in run'"
[-] "/Users/juan/Projects/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `call'"
[-] "/Users/juan/Projects/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'"

@wchen-r7
Contributor Author

OK... nil res... hmmm.

@wchen-r7
Contributor Author

OK, I'm done committing stuff. Let's go back to testing again.

@todb-r7

todb-r7 commented Jul 11, 2013

Incidentally, correct syntax on the commit message is

[SeeRM #1233]

with or without brackets, and definitely without the colon. That's why your commit didn't show up on Redmine.

@wchen-r7
Contributor Author

I typically do that with FixRM too and it works when the PR is pushed, like this:
http://dev.metasploit.com/redmine/issues/8134

@jvazquez-r7
Contributor

On Windows 7 SP1, after switching on all the public access settings xD, I get this (just set rhosts and run). Notice the error: "[-] Login Failed: The server refused our NetBIOS session request"

msf auxiliary(smb_enumshares) > set RHOSTS 192.168.172.147
RHOSTS => 192.168.172.147
msf auxiliary(smb_enumshares) > run

[-] Login Failed: The server refused our NetBIOS session request
[*] 192.168.172.147:445 - Windows 7 Professional 7601 Service Pack (Build 1) (Unknown)
[*] 192.168.172.147:445 - ADMIN$ - Remote Admin (DS), C$ - Default share (DS), IPC$ - Remote IPC (I), test -  (DS), Users -  (DS)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

When using smb_enumshares from master, no error arises (maybe because it was hidden?):

msf > use auxiliary/scanner/smb/smb_enumshares 
msf auxiliary(smb_enumshares) > set rhosts 192.168.172.147
rhosts => 192.168.172.147
msf auxiliary(smb_enumshares) > run

[*] 192.168.172.147:445 ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK), IPC$ - Remote IPC (IPC), test -  (DISK), Users -  (DISK)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > 

Sorry for the lack of details, just doing dumb testing.... let me know if you want me to share any information about my test.

@wchen-r7
Contributor Author

Juan, the original one actually hits a LoginError too. However, instead of telling you about it, it quietly runs "next", that's why you're not seeing it. By default, it'll probably always try twice on Win 7 because port 139 will always refuse your session request.
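The control flow discussed in this thread (a refused NetBIOS session on 139 raising LoginError, the original module quietly doing `next`, the new one reporting the error and disconnecting before trying 445, the fallback to srvsvc_netshareenum, and the nil result that produced the NoMethodError in the backtrace above), as an added stand-alone model. This is example code, not the smb_enumshares module's own code; FakeSmb, its behaviour table and enum_shares are constructed here and are not Metasploit APIs.

```ruby
# Added illustration (not the smb_enumshares module's own code): a small
# stand-alone model of the per-port enumeration loop discussed in this
# thread. FakeSmb, its behaviour table and enum_shares are constructed
# for the example; they are not Metasploit APIs.
class LoginError < StandardError; end

# Hypothetical stand-in for the SMB client. What each port does is injected
# so the loop can be exercised offline.
class FakeSmb
  attr_reader :log

  # behaviour: { port => { login: :ok | :refuse, lanman: Array|nil, srvsvc: Array } }
  def initialize(behaviour)
    @behaviour = behaviour
    @log = []
  end

  def connect(port)
    @port = port
    @log << "connect:#{port}"
  end

  def disconnect
    @log << "disconnect:#{@port}"
  end

  # Port 139 on Win 7 refuses the NetBIOS session; that surfaces as LoginError.
  def smb_login
    if @behaviour[@port][:login] == :refuse
      raise LoginError, 'The server refused our NetBIOS session request'
    end
  end

  # Returns nil where the LANMAN path yields no usable response (the nil that
  # produced the "undefined method `[]' for nil:NilClass" in the backtrace).
  def lanman_netshareenum
    @behaviour[@port][:lanman]
  end

  def srvsvc_netshareenum
    @behaviour[@port][:srvsvc] || []
  end
end

# Try each port in turn; report login failures instead of silently skipping
# them, always disconnect before moving on, guard against a nil LANMAN result
# by falling back to SRVSVC, and stop at the first port that yields shares.
def enum_shares(client, ports, use_srvsvc_only: false)
  report = { shares: {}, errors: [] }
  ports.each do |port|
    begin
      client.connect(port)
      client.smb_login
      shares = use_srvsvc_only ? nil : client.lanman_netshareenum
      shares = client.srvsvc_netshareenum if shares.nil? || shares.empty?
      report[:shares][port] = shares
      return report unless shares.empty?
    rescue LoginError => e
      report[:errors] << "#{port} - Login Failed: #{e.message}"
    rescue StandardError => e
      report[:errors] << "#{port} - Error: #{e.class} #{e.message}"
    ensure
      client.disconnect
    end
  end
  report
end
```

With a Win 7 behaviour table (139 refusing, 445 answering only via SRVSVC) the report carries one login failure plus the 445 shares, which is the output shape Juan saw; with an XP table (139 answering via LANMAN) 445 is never contacted.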

@wchen-r7
Contributor Author

Just finished running against my test network with some Win XPs, Vista, Win 7 and Win2k3. Didn't hit errors. Also tried multiple threads and USE_SRVSVC_ONLY, all worked fine.

@jvazquez-r7
Contributor

Test on Windows XP SP3, guest access allowed:

msf > use auxiliary/scanner/smb/smb_enumshares 
msf auxiliary(smb_enumshares) > show options

Module options (auxiliary/scanner/smb/smb_enumshares):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DIR_SHARE        false            yes       Show all the folders and files
   RHOSTS                            yes       The target address range or CIDR identifier
   SMBDomain        WORKGROUP        no        The Windows domain to use for authentication
   SMBPass                           no        The password for the specified username
   SMBUser                           no        The username to authenticate as
   THREADS          1                yes       The number of concurrent threads
   USE_SRVSVC_ONLY  false            yes       List shares only with SRVSVC

msf auxiliary(smb_enumshares) > set RHOSTS 192.168.172.244
RHOSTS => 192.168.172.244
msf auxiliary(smb_enumshares) > run

[*] 192.168.172.244:139 - Windows XP Service Pack 3 (English)
[*] 192.168.172.244:139 - IPC$ - Remote IPC (IPC), test -  (DISK), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > set DIR_SHARE true
DIR_SHARE => true
msf auxiliary(smb_enumshares) > run

[*] 192.168.172.244:139 - Windows XP Service Pack 3 (English)
[*] 192.168.172.244:139 - IPC$ - Remote IPC (IPC), test -  (DISK), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
[+] 192.168.172.244:139 \\JUAN-C0DE875735\JUAN-C0DE875735\test (DISK) Readable
==========================================================================

 Type  Name  Created              Accessed             Written              Changed              Size
 ----  ----  -------              --------             -------              -------              ----
 ARC   msf   07-11-2013 13:07:29  07-11-2013 13:07:29  07-11-2013 13:07:29  07-11-2013 13:07:32  0

[+] test info saved in: /Users/juan/.msf4/loot/20130711181016_default_192.168.172.244_smb.shares_111763.bin
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > 

Test on Windows 7 SP1, guest access allowed:

msf auxiliary(smb_enumshares) > run

[-] 192.168.172.147:139 - Login Failed: The server refused our NetBIOS session request
[*] 192.168.172.147:445 - Windows 7 Professional 7601 Service Pack (Build 1) (Unknown)
[*] 192.168.172.147:445 - ADMIN$ - Remote Admin (DS), C$ - Default share (DS), IPC$ - Remote IPC (I), test -  (DS), Users -  (DS)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Test on Windows 2003 SP2, Spanish, domain, sharing file names with Spanish characters:

  1. No guest access allowed
msf auxiliary(smb_enumshares) > set rhosts 192.168.172.155
rhosts => 192.168.172.155
msf auxiliary(smb_enumshares) > run

[*] 192.168.172.155:139 - Windows 2003 Service Pack 2 (Unknown)
[*] 192.168.172.155:139 - No shares collected
[*] 192.168.172.155:445 - Windows 2003 Service Pack 2 (Unknown)
[*] 192.168.172.155:445 - No shares collected
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

  2. Bad domain credentials provided:
msf auxiliary(smb_enumshares) > set SMBDomain SMALLBUSINESS
SMBDomain => SMALLBUSINESS
msf auxiliary(smb_enumshares) > set SMBUser juan
SMBUser => juan
msf auxiliary(smb_enumshares) > set SMBPass juan
SMBPass => juan
msf auxiliary(smb_enumshares) > run

[-] 192.168.172.155:139 - Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[-] 192.168.172.155:445 - Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Scanned 1 of 1 hosts (100% complete)

  3. Good domain credentials provided, getting the extra information:
msf auxiliary(smb_enumshares) > set SMBUser Administrador
SMBUser => Administrador
msf auxiliary(smb_enumshares) > run

[*] 192.168.172.155:139 - Windows 2003 Service Pack 2 (Unknown)
[*] 192.168.172.155:139 - C$ - Recurso predeterminado (DISK), test -  (DISK), IPC$ - IPC remota (IPC), ADMIN$ - Admin remota (DISK), SYSVOL - Recurso compartido del servidor de inicio de sesi?n  (DISK), NETLOGON - Recurso compartido del servidor de inicio de sesi?n  (DISK), test???? -  (DISK), ???????????? -  (DISK)
[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\C$ (DISK) Readable Writable
===============================================================================

 Type     Name                    Created              Accessed             Written              Changed              Size
 ----     ----                    -------              --------             -------              -------              ----
 ARC      AUTOEXEC.BAT            07-11-2013 18:15:22  07-11-2013 18:15:22  07-11-2013 18:15:22  07-11-2013 18:26:32  0
 ARC      CONFIG.SYS              07-11-2013 18:15:22  07-11-2013 18:15:22  07-11-2013 18:15:22  07-11-2013 18:26:32  0
 DIR      Documents and Settings  07-11-2013 13:11:28  07-11-2013 18:17:14  07-11-2013 18:17:14  07-11-2013 18:17:14  0
 DIR      ????????????            07-11-2013 18:30:51  07-11-2013 18:31:27  07-11-2013 18:31:27  07-11-2013 18:31:27  0
 DIR      wmpub                   07-11-2013 18:15:30  07-11-2013 18:26:33  07-11-2013 18:15:30  07-11-2013 18:15:30  0
 DIR      test????                07-11-2013 18:30:24  07-11-2013 18:30:47  07-11-2013 18:30:47  07-11-2013 18:30:47  0
 DIR      WINDOWS                 07-11-2013 13:10:18  07-11-2013 18:29:38  07-11-2013 18:29:36  07-11-2013 18:29:36  0
 DIR      test                    07-11-2013 18:30:11  07-11-2013 18:30:11  07-11-2013 18:30:11  07-11-2013 18:30:13  0
 Unknown  Archivos de programa    07-11-2013 13:11:48  07-11-2013 18:26:32  07-11-2013 18:17:30  07-11-2013 18:17:30  0

[+] C$ info saved in: /Users/juan/.msf4/loot/20130711183307_default_192.168.172.155_smb.shares_497562.bin
[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\test (DISK) Readable
========================================================================

 Type  Name  Created  Accessed  Written  Changed  Size
 ----  ----  -------  --------  -------  -------  ----

[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\ADMIN$ (DISK) Readable Writable
===================================================================================

 Type     Name                               Created              Accessed             Written              Changed              Size
 ----     ----                               -------              --------             -------              -------              ----
 ARC      0.log                              07-11-2013 18:17:13  07-11-2013 18:28:12  07-11-2013 18:28:12  07-11-2013 18:28:12  0
 ARC      A pescar.bmp                       07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  20480
 ARC      Abanicos.bmp                       07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  28672
 ARC      WMSysPr9.prx                       07-11-2013 18:15:18  07-11-2013 18:15:18  07-11-2013 18:15:18  07-11-2013 18:26:32  319488
 ARC      wmsetup.log                        07-11-2013 18:15:13  07-11-2013 18:17:24  07-11-2013 18:17:24  07-11-2013 18:26:32  4096
 ARC      wmprfESP.prx                       12-06-2005 08:00:00  07-11-2013 13:11:03  12-06-2005 08:00:00  07-11-2013 18:26:32  36864
 ARC      adfs.msp                           02-17-2007 18:21:08  07-11-2013 13:10:28  02-17-2007 18:21:08  07-11-2013 18:26:32  1011712
 ARC      winhlp32.exe                       02-17-2007 00:46:02  07-11-2013 18:16:12  02-17-2007 00:46:02  07-11-2013 18:26:32  290816
 ARC      winhelp.exe                        12-06-2005 08:00:00  07-11-2013 18:16:12  12-06-2005 08:00:00  07-11-2013 18:26:32  262144
 ARC      aspnetocm.log                      07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  4096
 ARC      Azteca.bmp                         07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  12288
 ARC      certocm.log                        07-11-2013 13:11:50  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  8192
 ARC      clock.avi                          12-06-2005 08:00:00  07-11-2013 13:11:03  12-06-2005 08:00:00  07-11-2013 18:26:32  86016
 ARC      WindowsUpdate.log                  07-11-2013 18:14:51  07-11-2013 18:32:54  07-11-2013 18:32:54  07-11-2013 18:32:54  8192
 ARC      cmsetacl.log                       07-11-2013 18:13:07  07-11-2013 18:13:07  07-11-2013 18:13:07  07-11-2013 18:26:32  200
 ARC      comsetup.log                       07-11-2013 13:11:50  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  16384
 ARC      win.ini                            12-06-2005 08:00:00  07-11-2013 18:18:26  07-11-2013 18:15:21  07-11-2013 18:26:32  480
 ARC      vmmreg32.dll                       12-06-2005 08:00:00  07-11-2013 18:16:10  12-06-2005 08:00:00  07-11-2013 18:26:32  20480
 ARC      control.ini                        07-11-2013 18:15:22  07-11-2013 18:15:22  07-11-2013 18:15:22  07-11-2013 18:26:32  0
 ARC      Viento.bmp                         07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  69632
 ARC      vbaddin.ini                        07-11-2013 18:14:18  07-11-2013 18:14:18  07-11-2013 18:14:18  07-11-2013 18:26:32  40
 ARC      desktop.ini                        07-11-2013 18:14:46  07-11-2013 18:14:46  12-06-2005 08:00:00  07-11-2013 18:26:32  8
 ARC      DHCPUPG.LOG                        07-11-2013 18:25:44  07-11-2013 18:25:44  07-11-2013 18:25:44  07-11-2013 18:26:32  232
 ARC      dialer.exe                         02-17-2007 00:50:30  07-11-2013 18:15:39  02-17-2007 00:50:30  07-11-2013 18:26:32  61440
 ARC      vb.ini                             07-11-2013 18:14:18  07-11-2013 18:14:18  07-11-2013 18:14:18  07-11-2013 18:26:32  40
 ARC      DtcInstall.log                     07-11-2013 18:14:17  07-11-2013 18:14:17  07-11-2013 18:14:17  07-11-2013 18:26:32  4096
 ARC      explorer.exe                       02-17-2007 00:50:46  07-11-2013 18:32:52  02-17-2007 00:50:46  07-11-2013 18:32:53  1056768
 ARC      explorer.scf                       12-06-2005 08:00:00  07-11-2013 13:10:35  12-06-2005 08:00:00  07-11-2013 18:26:32  80
 ARC      FaxSetup.log                       07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  16384
 ARC      Grano de caf?.bmp                  07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  20480
 ARC      uddiweb.msp                        02-17-2007 18:35:00  07-11-2013 13:10:49  02-17-2007 18:35:00  07-11-2013 18:26:32  155648
 ARC      hh.exe                             02-17-2007 00:37:24  07-11-2013 18:22:29  02-17-2007 00:37:24  07-11-2013 18:26:32  12288
 ARC      iis6.log                           07-11-2013 13:11:50  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  61440
 ARC      uddisp.exe                         02-17-2007 00:38:30  07-11-2013 18:16:09  02-17-2007 00:38:30  07-11-2013 18:26:32  36864
 ARC      imsins.log                         07-11-2013 13:11:50  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  12288
 ARC      uddisetup.log                      07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  8192
 ARC      uddidb.msp                         02-17-2007 18:35:00  07-11-2013 13:10:49  02-17-2007 18:35:00  07-11-2013 18:26:32  28672
 ARC      Lazo azul 16.bmp                   07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  4096
 ARC      LicenOc.log                        07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  4096
 ARC      uddiadm.msp                        02-17-2007 18:35:00  07-11-2013 13:10:49  02-17-2007 18:35:00  07-11-2013 18:26:32  61440
 ARC      mib.bin                            12-06-2005 08:00:00  07-11-2013 13:10:41  12-06-2005 08:00:00  07-11-2013 18:26:32  49152
 ARC      twunk_32.exe                       02-17-2007 00:38:28  07-11-2013 18:15:33  02-17-2007 00:38:28  07-11-2013 18:26:32  28672
 ARC      twunk_16.exe                       12-06-2005 08:00:00  07-11-2013 18:15:33  12-06-2005 08:00:00  07-11-2013 18:26:32  53248
 ARC      twain_32.dll                       02-17-2007 00:47:44  07-11-2013 18:16:09  02-17-2007 00:47:44  07-11-2013 18:26:32  53248
 ARC      msdfmap.ini                        12-06-2005 08:00:00  07-11-2013 13:10:42  12-06-2005 08:00:00  07-11-2013 18:26:32  4096
 ARC      msmqinst.log                       07-11-2013 13:11:50  07-11-2013 13:11:50  07-11-2013 13:11:50  07-11-2013 18:26:32  4096
 ARC      twain.dll                          12-06-2005 08:00:00  07-11-2013 18:16:09  12-06-2005 08:00:00  07-11-2013 18:26:32  98304
 ARC      netfxocm.log                       07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  16384
 ARC      NETLOGON.CHG                       07-11-2013 18:27:31  07-11-2013 18:29:38  07-11-2013 18:29:38  07-11-2013 18:29:38  65536
 ARC      NOTEPAD.EXE                        07-11-2013 13:11:45  07-11-2013 18:22:27  02-17-2007 00:49:14  07-11-2013 18:26:32  69632
 ARC      tsoc.log                           07-11-2013 13:11:50  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  12288
 ARC      ntdtcsetup.log                     07-11-2013 13:11:50  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  12288
 ARC      Rododendro.bmp                     07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  20480
 ARC      ocgen.log                          07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  20480
 ARC      ODBCINST.INI                       07-11-2013 13:11:48  07-11-2013 18:15:12  07-11-2013 18:15:12  07-11-2013 18:26:32  8192
 ARC      OEWABLog.txt                       07-11-2013 18:15:12  07-11-2013 18:17:23  07-11-2013 18:17:23  07-11-2013 18:26:32  4096
 ARC      system.ini                         12-06-2005 08:00:00  07-11-2013 18:18:26  07-11-2013 13:11:47  07-11-2013 18:26:32  232
 ARC      setuplog.txt                       07-11-2013 13:11:29  07-11-2013 18:16:30  07-11-2013 18:16:30  07-11-2013 18:26:32  733184
 ARC      PFRO.log                           07-11-2013 18:16:45  07-11-2013 18:16:45  07-11-2013 18:16:45  07-11-2013 18:26:32  4096
 ARC      Plumas.bmp                         07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  20480
 ARC      Pompas.bmp                         07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  69632
 ARC      pop3oc.log                         07-11-2013 13:11:50  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  4096
 ARC      setuperr.log                       07-11-2013 13:11:31  07-11-2013 13:11:31  07-11-2013 13:11:31  07-11-2013 18:26:32  0
 ARC      setupapi.log                       07-11-2013 13:11:31  07-11-2013 18:26:36  07-11-2013 18:26:36  07-11-2013 18:26:36  290816
 ARC      regedit.exe                        02-17-2007 18:33:02  07-11-2013 18:16:01  02-17-2007 18:33:02  07-11-2013 18:26:32  155648
 ARC      setupact.log                       07-11-2013 13:11:31  07-11-2013 18:17:44  07-11-2013 18:17:44  07-11-2013 18:26:32  176128
 ARC      regopt.log                         07-11-2013 13:11:46  07-11-2013 13:11:47  07-11-2013 13:11:47  07-11-2013 18:26:32  4096
 ARC      sessmgr.setup.log                  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:14:40  07-11-2013 18:26:32  4096
 ARC      Santa Fe.bmp                       07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  69632
 ARC      Roca verde.bmp                     07-11-2013 18:14:08  07-11-2013 18:14:08  12-06-2005 08:00:00  07-11-2013 18:26:32  28672
 ARC      _default.pif                       12-06-2005 08:00:00  07-11-2013 13:10:28  12-06-2005 08:00:00  07-11-2013 18:26:32  712
 DIR      Resources                          07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      SchCache                           07-11-2013 18:29:36  07-11-2013 18:29:36  07-11-2013 18:29:36  07-11-2013 18:29:36  0
 DIR      security                           07-11-2013 13:10:18  07-11-2013 18:28:19  07-11-2013 18:28:19  07-11-2013 18:28:19  0
 DIR      repair                             07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 18:15:27  07-11-2013 18:15:27  0
 DIR      system32                           07-11-2013 13:10:18  07-11-2013 18:32:02  07-11-2013 18:32:02  07-11-2013 18:32:02  0
 DIR      ADAM                               07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      addins                             07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      ADFS                               07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      WinSxS                             07-11-2013 13:10:18  07-11-2013 18:26:33  07-11-2013 18:17:26  07-11-2013 18:17:26  0
 DIR      Application Compatibility Scripts  07-11-2013 18:14:07  07-11-2013 18:26:32  07-11-2013 18:14:07  07-11-2013 18:14:07  0
 DIR      AppPatch                           07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:42  07-11-2013 13:10:42  0
 DIR      Registration                       07-11-2013 18:14:18  07-11-2013 18:28:12  07-11-2013 18:28:12  07-11-2013 18:28:12  0
 DIR      Provisioning                       07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      Cluster                            07-11-2013 18:14:04  07-11-2013 18:26:32  07-11-2013 18:14:08  07-11-2013 18:14:08  0
 DIR      PCHealth                           07-11-2013 18:14:43  07-11-2013 18:26:32  07-11-2013 18:14:43  07-11-2013 18:14:43  0
 DIR      SoftwareDistribution               07-11-2013 18:17:06  07-11-2013 18:17:58  07-11-2013 18:17:58  07-11-2013 18:17:58  0
 DIR      srchasst                           07-11-2013 18:14:44  07-11-2013 18:14:48  07-11-2013 18:14:48  07-11-2013 18:14:48  0
 DIR      system                             07-11-2013 13:10:18  07-11-2013 18:15:12  07-11-2013 13:11:45  07-11-2013 13:11:45  0
 DIR      Config                             07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      ntfrs                              07-11-2013 18:26:24  07-11-2013 18:28:00  07-11-2013 18:26:24  07-11-2013 18:26:24  0
 DIR      sysvol                             07-11-2013 18:26:17  07-11-2013 18:26:33  07-11-2013 18:26:22  07-11-2013 18:26:22  0
 DIR      TAPI                               07-11-2013 13:10:18  07-11-2013 18:26:33  07-11-2013 13:11:49  07-11-2013 13:11:49  0
 DIR      Temp                               07-11-2013 13:10:18  07-11-2013 18:28:00  07-11-2013 18:28:00  07-11-2013 18:28:00  0
 DIR      ntds                               07-11-2013 18:26:17  07-11-2013 18:28:12  07-11-2013 18:27:58  07-11-2013 18:27:58  0
 DIR      Connection Wizard                  07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      twain_32                           07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:57  07-11-2013 13:10:57  0
 DIR      msapps                             07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      msagent                            07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:42  07-11-2013 13:10:42  0
 DIR      Microsoft.NET                      07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 18:14:05  07-11-2013 18:14:05  0
 DIR      Media                              07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:11:02  07-11-2013 13:11:02  0
 DIR      java                               07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      inf                                07-11-2013 13:10:18  07-11-2013 18:26:30  07-11-2013 18:17:46  07-11-2013 18:17:46  0
 DIR      ime                                07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 18:15:30  07-11-2013 18:15:30  0
 DIR      Help                               07-11-2013 13:10:18  07-11-2013 18:14:45  07-11-2013 18:14:45  07-11-2013 18:14:45  0
 DIR      Driver Cache                       07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 DIR      Debug                              07-11-2013 13:10:18  07-11-2013 18:29:39  07-11-2013 18:29:39  07-11-2013 18:29:39  0
 DIR      Cursors                            07-11-2013 13:10:18  07-11-2013 18:14:09  07-11-2013 18:14:09  07-11-2013 18:14:09  0
 DIR      mui                                07-11-2013 13:10:18  07-11-2013 18:26:32  07-11-2013 13:10:18  07-11-2013 13:10:18  0
 Unknown  Web                                07-11-2013 13:10:18  07-11-2013 18:26:33  07-11-2013 18:14:54  07-11-2013 18:14:54  0
 Unknown  Offline Web Pages                  07-11-2013 18:14:54  07-11-2013 18:14:54  07-11-2013 18:14:54  07-11-2013 18:14:54  0
 Unknown  WindowsShell.Manifest              07-11-2013 18:14:52  07-11-2013 18:26:08  07-11-2013 18:14:52  07-11-2013 18:26:32  4096
 Unknown  Prefetch                           07-11-2013 18:16:48  07-11-2013 18:26:32  07-11-2013 18:21:09  07-11-2013 18:27:31  0
 Unknown  SET8.tmp                           07-11-2013 13:11:40  07-11-2013 13:11:40  02-17-2007 18:28:20  07-11-2013 18:26:32  16384
 Unknown  SET7.tmp                           07-11-2013 13:11:40  07-11-2013 13:11:40  02-17-2007 18:28:14  07-11-2013 18:26:32  16384
 Unknown  SET4.tmp                           07-11-2013 13:11:40  07-11-2013 13:11:40  02-17-2007 18:32:08  07-11-2013 18:26:32  1110016
 Unknown  SET3.tmp                           07-11-2013 13:11:39  07-11-2013 13:11:40  02-17-2007 18:39:24  07-11-2013 18:26:32  1318912
 Unknown  SET13.tmp                          07-11-2013 13:11:40  07-11-2013 13:11:40  02-17-2007 18:31:02  07-11-2013 18:26:32  77824
 Unknown  SET12.tmp                          07-11-2013 13:11:40  07-11-2013 13:11:40  02-17-2007 18:33:26  07-11-2013 18:26:32  32768
 Unknown  SET11.tmp                          07-11-2013 13:11:40  07-11-2013 13:11:40  02-17-2007 18:35:00  07-11-2013 18:26:32  114688

[+] ADMIN$ info saved in: /Users/juan/.msf4/loot/20130711183307_default_192.168.172.155_smb.shares_832385.bin
[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\SYSVOL (DISK) Readable Writable
===================================================================================

 Type     Name                 Created              Accessed             Written              Changed              Size
 ----     ----                 -------              --------             -------              -------              ----
 Unknown  smallbusiness.local  07-11-2013 18:26:22  07-11-2013 18:26:22  07-11-2013 18:26:22  07-11-2013 18:26:22  0

[+] SYSVOL info saved in: /Users/juan/.msf4/loot/20130711183307_default_192.168.172.155_smb.shares_236496.bin
[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\NETLOGON (DISK) Readable Writable
=====================================================================================

 Type  Name  Created  Accessed  Written  Changed  Size
 ----  ----  -------  --------  -------  -------  ----

[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\test???? (DISK) Readable
============================================================================

 Type  Name       Created              Accessed             Written              Changed              Size
 ----  ----       -------              --------             -------              -------              ----
 ARC   test1.txt  07-11-2013 18:30:45  07-11-2013 18:30:45  07-11-2013 18:30:45  07-11-2013 18:30:47  0

[+] test???? info saved in: /Users/juan/.msf4/loot/20130711183307_default_192.168.172.155_smb.shares_005356.bin
[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\???????????? (DISK) Readable
================================================================================

 Type  Name                     Created              Accessed             Written              Changed              Size
 ----  ----                     -------              --------             -------              -------              ----
 ARC   test3??asdf?fs??sfd???  07-11-2013 18:31:21  07-11-2013 18:31:21  07-11-2013 18:31:21  07-11-2013 18:31:27  0

[+] ???????????? info saved in: /Users/juan/.msf4/loot/20130711183307_default_192.168.172.155_smb.shares_106422.bin

and the same, but with basic information:

msf auxiliary(smb_enumshares) > set DIR_SHARE false
DIR_SHARE => false
msf auxiliary(smb_enumshares) > run

[*] 192.168.172.155:139 - Windows 2003 Service Pack 2 (Unknown)
[*] 192.168.172.155:139 - C$ - Recurso predeterminado (DISK), test -  (DISK), IPC$ - IPC remota (IPC), ADMIN$ - Admin remota (DISK), SYSVOL - Recurso compartido del servidor de inicio de sesi?n  (DISK), NETLOGON - Recurso compartido del servidor de inicio de sesi?n  (DISK), test???? -  (DISK), ???????????? -  (DISK)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Looks good to me, since there have not been other complaints, landing!

jvazquez-r7 pushed a commit that referenced this pull request Jul 11, 2013
@jvazquez-r7 jvazquez-r7 merged commit 279787d into rapid7:master Jul 11, 2013
@mubix
Contributor

mubix commented Jul 12, 2013

So this is supposed to only work < Vista even with good authentication?

@jvazquez-r7
Contributor

I guess it should also work >Vista, shouldn't it?

@wchen-r7
Contributor Author

Starting with Win 7, when the module sends a netshareenum request, Win 7 will throw a STATUS_NOT_SUPPORTED (0xC00000BB) back to you. So the module falls back to SRVSVC to at least get basic info like what shares it has, comments, etc. With bad authentication, you won't get any info except for a STATUS_LOGON_FAILURE error.

@mubix
Contributor

mubix commented Jul 13, 2013

All I'm saying is that this:

nmap 192.168.100.115 --script=smb-enum-shares --script-args=smbuser=Administrator,smbpass=ASDqwe123

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-13 10:31 EDT
Nmap scan report for 192.168.100.115
Host is up (0.00042s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1028/tcp open  unknown
1030/tcp open  iad1
1033/tcp open  netinfo
5357/tcp open  wsdapi

Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Users: 0, Max: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user ('Administrator') access: READ/WRITE
|   C$
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user ('Administrator') access: READ/WRITE
|   IPC$
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Users: 2, Max: <unlimited>
|     Path: 
|     Anonymous access: READ <not a file share>
|     Current user ('Administrator') access: READ <not a file share>
|   Users
|     Type: STYPE_DISKTREE
|     Comment: Blah
|     Users: 0, Max: 1
|     Path: C:\Users
|     Anonymous access: <none>
|     Current user ('Administrator') access: READ/WRITE
|   p2exe
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 1, Max: <unlimited>
|     Path: C:\p2exe
|     Anonymous access: <none>
|     Current user ('Administrator') access: READ/WRITE
|   temp
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0, Max: <unlimited>
|     Path: C:\temp
|     Anonymous access: <none>
|_    Current user ('Administrator') access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 2.00 seconds

(with the READ/WRITE status) is incredibly more useful and succinct for me than a listing of files only on "old" systems. Ultimately, if I just had:

[*] 192.168.172.155:139 - C$ - Recurso predeterminado (DISK), test -  (DISK), IPC$ - IPC remota (IPC), ADMIN$ - Admin remota (DISK), SYSVOL - Recurso compartido del servidor de inicio de sesi?n  (DISK), NETLOGON - Recurso compartido del servidor de inicio de sesi?n  (DISK), test???? -  (DISK), ???????????? -  (DISK)
[+] 192.168.172.155:139 \\SMALLBUSINESS\JUAN-F76164AFE0\C$ (DISK) Readable Writable

That second line makes me happy.
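One way to turn the nmap smb-enum-shares records quoted above into the per-share access summary mubix is asking for, as an added example that is not code from the PR, from Metasploit or from nmap; the sample is constructed from the quoted output, with an invented "Public" share added to exercise the anonymous-access case:

```ruby
# Added example (not PR, Metasploit or nmap code): parse nmap smb-enum-shares
# records and summarise access. Sample is constructed; "Public" is invented.
NMAP_SAMPLE = <<~OUT
  | smb-enum-shares:
  |   ADMIN$
  |     Type: STYPE_DISKTREE_HIDDEN
  |     Path: C:\\Windows
  |     Anonymous access: <none>
  |     Current user ('Administrator') access: READ/WRITE
  |   IPC$
  |     Type: STYPE_IPC_HIDDEN
  |     Anonymous access: READ <not a file share>
  |     Current user ('Administrator') access: READ <not a file share>
  |   Public
  |     Type: STYPE_DISKTREE
  |     Anonymous access: READ
  |_    Current user ('Administrator') access: READ
OUT

FIELD_RE = /\A(Type|Comment|Users|Path|Anonymous access|Current user \('[^']*'\) access):\s*(.*)\z/

# One hash per share; "Current user ('x') access" is normalised to
# 'Current user access' so callers need not know the account name.
def parse_smb_enum_shares(text)
  shares = []
  text.each_line do |raw|
    line = raw.sub(/\A\|_?\s*/, '').rstrip      # strip nmap's "| " / "|_ " gutter
    next if line.empty? || line == 'smb-enum-shares:'
    if (m = FIELD_RE.match(line))
      key = m[1].start_with?('Current user') ? 'Current user access' : m[1]
      shares.last[key] = m[2] unless shares.empty?  # field before any share name
    else
      shares << { 'Name' => line }                # bare indented line = share name
    end
  end
  shares
end

# Disk shares only (nmap marks IPC$ "<not a file share>"): those an anonymous
# session can read, and those the authenticated user can write to.
def review_shares(shares)
  out = { 'anonymous_readable' => [], 'user_writable' => [] }
  shares.select { |s| s['Type'].to_s.start_with?('STYPE_DISKTREE') }.each do |s|
    out['anonymous_readable'] << s['Name'] unless s['Anonymous access'] == '<none>'
    out['user_writable'] << s['Name'] if s['Current user access'].to_s.include?('WRITE')
  end
  out
end

puts review_shares(parse_smb_enum_shares(NMAP_SAMPLE)).inspect
```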


4 participants