SmbCrawler is no-nonsense tool that takes credentials and a list of hosts and 'crawls' (or 'spiders') through those shares. Features:
- takes host names, IP addresses, IP ranges, or an nmap xml file as input
- checks permissions (check for 'write' permissions is opt-in, because it requires creating an empty directory on the share)
- crawling depth is customizable
- outputs results in machine-readable formats or as an interactive HTML report
- pass-the-hash support
- auto-download interesting files
- report potential secrets
- threaded
- pausable
- interactively skip single shares and hosts
If you require instructions on how to install a Python package, I recommend
you make sure you have pipx
installed and run pipx install smbcrawler.
When building the package from source, the pdftotext dependency will be
compiled during the installation, which requires the poppler C++ headers. On
Debian-based systems like Kali or Ubuntu, they can be installed with apt install libpoppler-cpp-dev.
Adding shell completion is highly recommended. As a Python app using the
click library, you can add tab completion to bash, zsh and fish using the usual
mechanism.
Run it like this (10 threads, maximum depth 5):
$ smbcrawler crawl -i hosts.txt -u pen.tester -p iluvb0b -d contoso.local -t 10 -D 5
SmbCrawler has undergone a major overhaul. The most significant changes are:
- We cleaned up the CLI and introduced a "profile" mechanism to steer the behavior of the crawler
- The output is now a sqlite database instead of scattered JSON files
- Permissions are now reported more granularly
The old CLI arguments regarding "interesting files", "boring shares" and so on was clunky and confusing. Instead we now use "profiles; see below for details.
Also, I realized I basically reinvented relational databases, except did so very poorly, so why not use sqlite directly? The sqlite approach enables us to produce a nice interactive HTML report with good performance. You can still export results in various formats if you need to use the data in some tool pipeline.
The old way SmbCrawler reported permissions sometimes wasn't very useful. For example, it's not uncommon that you have read permissions in the root directory of the share, but all sub directories are protected, e.g. for user profiles. SmbCrawler will now report how deep it was able to read the directory tree of a share and whether it maxed out or could have gone deeper if you had supplied a higher value for the maximum depth argument.
If you prefer the old version, it's still available on PyPI and installable
with pipx install smbcrawler==0.2.0, for example.
During run time, you can use the following keys:
p: pause the crawler and skip single hosts or shares<space>: print the current progresss: print a more detailed status update
For more information, run smbcrawler -h.
Even in medium sized networks, SmbCrawler will find tons of data. The challenge is to reduce false positives.
It's important to realize that permissions can apply on the service level and on the file system level. The remote SMB service may allow you to authenticate and your user account may have read permissions in principle, but it could lack these permissions on the file system.
SmbCrawler will report if you have permissions to:
- authenticate against a target as guest and list shares
- authenticate against a target with the user creds
- access a share as guest
- access a share with the user creds
- create a directory in the share's root directory
- the deepest directory level of a share that could be accessed (limited by the
--depthargument)
Because it is non-trivial to check permissions of SMB shares without
attempting the action in question, SmbCrawler will attempt to create a
directory on each share. Its name is smbcrawler_DELETEME_<8 random characters>
and will be deleted immediately, but be aware anyway.
Warning
Sometimes you have the permission to create directories, but not to delete them, so you will leave an empty directory there.
To decide what to do with certain shares, files or directories, SmbCrawler has a feature called "profiles". Take a look at the default profile.
Profiles are loaded from files with the *.yml extension from these
locations:
- The build-in default profile
$XDG_DATA_HOME/smbcrawler/(~/.local/share/smbcrawlerby default)- The current working directory
- The extra directory defined by
--extra-profile-file - The extra files defined by
--extra-profile-file
Profiles from each location override previous definitions.
Let's look at each section, which is always a list of dictionaries. Each of the keys of the dictionary is an arbitrary label and each of the values is again a dictionary with different properties.
comment: A helpful string describing this profileregex: A regular expression that defines which files this profile applies to. The last regex that matches is the one that counts.regex_flags: An array of flags which will be passed to the regexmatchfunctionhigh_value(default:false): If a file is "high value", its presence will be reported, but it will not necessarily be downloaded (think virtual hard drives - important, but too large to download automatically)download(default:true): Iftrue, the first 200KiBi will be downloaded (or the entire file ifhigh_value=true) and parsed for secrets
comment,regex,regex_flags: Same as abovehigh_value: its presence will be reported and crawl depth changed to infinitycrawl_depth: Crawl this share or directory up to a different depth than what is defined by the--depthargument
comment,regex_flags: Same as aboveregex: A regular expression matching the secret. The secret itself can be a named group with the namesecret.
It makes sense to first run SmbCrawler with crawling depth 0 to get an idea of
what you're dealing with. In this first run, you can enable the write check
with -w:
$ smbcrawler -C permissions_check.crwl crawl -D0 -t10 -w \
-i <INPUT FILE> -u <USER> -d <DOMAIN> -p <PASSWORD>
Afterwards, you can identify interesting and boring shares for your next run
or several runs. Some shares like SYSVOL and NETLOGON appear many times,
so you should set the crawl depth to zero on your next run and pick one host
to scan these duplicate shares in a third run. Here is an example:
$ smbcrawler -C dc_only.crwl crawl -D -1 <DC IP> \
-u <USER> -d <DOMAIN> -p <PASSWORD>
$ smbcrawler -C full.crwl crawl -D5 -t10 -i <NEW INPUT FILE> \
-u <USER> -d <DOMAIN> -p <PASSWORD> \
--extra-profile-file skip_sysvol.yml
Here, skip_sysvol.yml would be:
shares:
sysvol:
comment: "Skip sysvol and netlogon share"
regex: 'SYSVOL|NETLOGON'
crawl_depth: 0Feel free to include other shares here which you may think are not worth crawling.
The raw data is contained in an SQLite database and a directory (output.crwl and
output.crwl.d by default). The directory contains two more directories: one with
the downloaded files unique-ified by the hash content and a directory
mirroring all shares with symlinks pointing to the content files. The latter
is good for grepping through all downloaded files.
The data can be transformed to various formats. You can also simply access
the database with sqlitebrowser, for example. Or you can output JSON and
use jq to mangle the data.
If you want to display all shares that you were able to read beyond the root directory in a LaTeX table, for instance, use this query:
SELECT target_id || " & " || name || " & " || remark || " \\"
FROM share
WHERE read_level > 0
ORDER BY target_id, nameThere is also an experimental HTML output feature. It may not be entirely useful yet for large amounts of data.
If you notice a lot of false positives or false negatives in the reported secrets, please help out and let me know. Community input is important when trying to improve automatic detection. Best case scenario: provide a pull request with changes to the default profile file.
Adrian Vollmer, SySS GmbH
MIT License; see LICENSE for details.