Wrapper around `net view` to use in internal penetration tests or for any other review of available files on SMB shares in a Windows domain. Enumerates files and folders in shares on all AD domain-joined computers and outputs 1 CSV file for each share found. The generated CSV files can then be reviewed to find sensitive files. It enumerates in parallel but isn't very fast.
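One way to do that review when auditing a domain for over-exposed data, as an added example that is not part of Invoke-SlowShareEnum: it reads the per-share listings (columns `FullName`, `Length`, `LastWriteTime`, `Attributes`, as in the example output further down) and flags file names that match a pattern list. The function name `Find-SseFlaggedEntry`, the pattern list and the sample listing are assumptions made for this example.

```powershell
# Added example, not part of Invoke-SlowShareEnum. Find-SseFlaggedEntry and the
# default patterns are hypothetical; adapt the patterns to your own data-handling policy.
function Find-SseFlaggedEntry {
    param(
        [Parameter(Mandatory)] [string] $OutDir,
        [string[]] $NamePattern = @('*password*', '*.kdbx', '*.pfx', '*.pem', 'unattend.xml', 'web.config')
    )
    # Per-share listings are the files without the "0_" prefix (log, computer list, share list).
    Get-ChildItem -LiteralPath $OutDir -Filter '*.txt' -File |
        Where-Object { $_.Name -notlike '0_*' } |
        ForEach-Object {
            $listing = $_.Name
            Import-Csv -LiteralPath $_.FullName |
                Where-Object { $_.Attributes -notmatch 'Directory' } |
                ForEach-Object {
                    # Match on the file name only, not on the whole UNC path.
                    $leaf = ($_.FullName -split '\\')[-1]
                    foreach ($p in $NamePattern) {
                        if ($leaf -like $p) {
                            [pscustomobject]@{
                                Listing  = $listing
                                Pattern  = $p
                                FullName = $_.FullName
                                Length   = $_.Length
                                LastWriteTime = $_.LastWriteTime
                            }
                            break   # report each file once, under the first matching pattern
                        }
                    }
                }
        }
}

# Constructed sample listing in the script's CSV layout (not real scan output).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'sseout_demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
"FullName","Length","LastWriteTime","Attributes"
"\\FS01\Dept\IT",,"7/8/2020 4:51:01 AM","Directory"
"\\FS01\Dept\IT\passwords_old.xlsx","18231","7/8/2020 4:51:05 AM","Archive"
"\\FS01\Dept\IT\vault.kdbx","4096","7/9/2020 9:12:44 AM","Archive"
"\\FS01\Dept\IT\minutes.docx","20480","7/9/2020 9:15:02 AM","Archive"
'@ | Set-Content -LiteralPath (Join-Path $demo 'FS01_Dept.txt')

Find-SseFlaggedEntry -OutDir $demo | Format-Table -AutoSize
```

Point `-OutDir` at the `sseout` folder on the desktop to run it over real results; the flagged paths are the ones to check for overly broad share or NTFS permissions.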
```
. .\Invoke-SlowShareEnum.ps1
Get-Help Invoke-SlowShareEnum -Detailed
NAME
Invoke-SlowShareEnum
SYNOPSIS
Enumerate files and folders in shares on all AD domain-joined computers, outputs in CSV format, 1 file for each share.
SYNTAX
Invoke-SlowShareEnum [[-ComputerFile] <FileInfo>] [[-SharesFile] <FileInfo>] [[-StartFrom] <String>] [[-JobCount] <Int32>] [<CommonParameters>]
DESCRIPTION
Creates folder `sseout` on current users desktop which will contain:
- Log inside `sseout\0_share_enum_log.txt` on user's desktop (appends to file)
- Found AD computers into `sseout\0_domain_computers.txt` (overwrites the file)
- Found AD shares into `sseout\0_domain_shares.txt` (overwrites the file)
- All files and folders accessible by current user in separate files for each share UNC path, e.g. \\server1\share3 will create `sseout\server1_share3.txt` (overwrites the files)
PARAMETERS
-ComputerFile <FileInfo>
Optional path to file containing one host per line to scan for available shares
-SharesFile <FileInfo>
Optional path to file containing one UNC share path per line to scan for available files
-StartFrom <String>
Optional UNC share path that allows to start enumeration from specific share in the shares list
-JobCount <Int32>
Optional number of jobs to run share enun/file listing with, default is 2
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Invoke-SlowShareEnum
```
Example output for one of the generated CSV files:

```
Get-Content C:\Users\testuser\Desktop\sseout\DC01_Users.txt
"FullName","Length","LastWriteTime","Attributes"
"\\DC01\Users\Administrator",,"6/10/2019 12:24:49 PM","Directory"
"\\DC01\Users\Administrator\Documents",,"7/8/2020 4:51:01 AM","ReadOnly, Directory"
"\\DC01\Users\Administrator\Documents\adminfolder",,"7/8/2020 4:51:05 AM","Directory"
"\\DC01\Users\Administrator\Documents\adminfolder\New Text Document.txt","0","7/8/2020 4:51:05 AM","Archive"
```
This script is nothing new; there are others like it, e.g.:
- Snaffler in C#
- ShareAudit.ps1 in PowerShell
- `Invoke-FileFinder` and others from PowerView in PowerShell
- smbspider in Python
- smbmap in Python
- `Spider_plus` module from CrackMapExec in Python
- nullinux in Python
- smb-enumerate-shares in Node.js
- SharpShares in C#, enumerates shares only
- SharpShares by mitchmoser in C#, enumerates shares only
- shareenum in C
- Plunder 2 in Ruby
- SoftPerfect Network Scanner commercial tool with GUI
- MAN-SPIDER in Python, searches for files by extension and also content
- SMBSR in Python, get list of computers from AD, detect shares, match by patterns
- SMBeagle in C#, also detects weak ACLs, supports export to CSV or Elasticsearch
- FindUncommonShares in Python, only finds shares, multithreaded
- Everything: freeware for Win, GUI/CLI
- searchmonkey: for all 3 OSes
- PowerHuntShares: in PowerShell. Rather than files and their content, this tool reviews ACLs
- smbcrawler in Python to crawl given shares and list/download interesting files
- SuperSharpShares in C# to find which shares you have access to and what kind of access
- ???
Paid:
- Copernic Desktop Search: for Windows, GUI, OCR, content indexing
- DocFetcher Pro: all 3 OSes, GUI, content indexing
- FileLocator Pro/Agent Ransack: for Windows, GUI, compressed file search
- Recoll: all 3 OSes, GUI
- UltraSearch Professional: for Windows, GUI
- PowerGREP: for Windows, GUI