auxiliary/scanner/smb/smb_enumshares.md

vishalkg · vishalkg · commit 25235c8ca5dd · 2017-12-11T11:44:27.000-05:00
diff --git a/documentation/modules/auxiliary/scanner/smb/smb_enumshares.md b/documentation/modules/auxiliary/scanner/smb/smb_enumshares.md
@@ -0,0 +1,77 @@
+## Description
+
+The smb_enumshares module, as would be expected, enumerates any SMB shares that are available on a remote system.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/smb/smb2```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+**Running the scanner**
+```
+msf > use auxiliary/scanner/smb/smb_enumshares
+msf auxiliary(smb_enumshares) > show options
+
+Module options (auxiliary/scanner/smb/smb_enumshares):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   LogSpider        3                no        0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt) (Accepted: 0, 1, 2, 3)
+   MaxDepth         999              yes       Max number of subdirectories to spider
+   RHOSTS                            yes       The target address range or CIDR identifier
+   SMBDomain        .                no        The Windows domain to use for authentication
+   SMBPass                           no        The password for the specified username
+   SMBUser                           no        The username to authenticate as
+   ShowFiles        false            yes       Show detailed information when spidering
+   SpiderProfiles   true             no        Spider only user profiles when share = C$
+   SpiderShares     false            no        Spider shares recursively
+   THREADS          1                yes       The number of concurrent threads
+   USE_SRVSVC_ONLY  false            yes       List shares only with SRVSVC
+
+msf auxiliary(smb_enumshares) > set RHOSTS 192.168.1.150-165
+RHOSTS => 192.168.1.150-165
+msf auxiliary(smb_enumshares) > set THREADS 16
+THREADS => 16
+msf auxiliary(smb_enumshares) > run
+
+[*] 192.168.1.154:139 print$ - Printer Drivers (DISK), tmp - oh noes! (DISK), opt -  (DISK), IPC$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC), ADMIN$ - IPC Service (metasploitable server (Samba 3.0.20-Debian)) (IPC)
+Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
+Error: 192.168.1.160 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
+[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
+Error: 192.168.1.162 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
+Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
+Error: 192.168.1.150 Rex::Proto::SMB::Exceptions::ErrorCode The server responded with error: STATUS_ACCESS_DENIED (Command=37 WordCount=0)
+[*] Scanned 06 of 16 hosts (037% complete)
+[*] Scanned 09 of 16 hosts (056% complete)
+[*] Scanned 10 of 16 hosts (062% complete)
+[*] Scanned 14 of 16 hosts (087% complete)
+[*] Scanned 15 of 16 hosts (093% complete)
+[*] Scanned 16 of 16 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(smb_enumshares) >
+```
+
+As you can see, since this is an un-credentialed scan, access is denied a most of the systems that are probed. Passing user credentials to the scanner will produce much different results.
+
+```
+msf auxiliary(smb_enumshares) > set SMBPass s3cr3t
+SMBPass => s3cr3t
+msf auxiliary(smb_enumshares) > set SMBUser Administrator
+SMBUser => Administrator
+msf auxiliary(smb_enumshares) > run
+
+[*] 192.168.1.161:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
+[*] 192.168.1.160:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
+[*] 192.168.1.150:139 IPC$ - Remote IPC (IPC), ADMIN$ - Remote Admin (DISK), C$ - Default share (DISK)
+[*] Scanned 06 of 16 hosts (037% complete)
+[*] Scanned 07 of 16 hosts (043% complete)
+[*] Scanned 12 of 16 hosts (075% complete)
+[*] Scanned 15 of 16 hosts (093% complete)
+[*] Scanned 16 of 16 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(smb_enumshares) >
+```
