smb-enum-shares
Script type: hostrule
Categories: discovery, intrusive
Script download URL: http://nmap.org/svn/scripts/smb-enum-shares.nse
Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.
Finding open shares is useful to a penetration tester because there may be private files shared, or, if it's writable, it could be a good place to drop a Trojan or to infect a file that's already there. Knowing where the share is could make those kinds of tests more useful, except that determining where the share is requires administrative privileges already.
Running NetShareEnumAll will work anonymously against Windows 2000, and requires a user-level account on any other Windows version. Calling NetShareGetInfo requires an administrator account on all versions of Windows up to 2003, as well as Windows Vista and Windows 7, if UAC is turned down.
Even if NetShareEnumAll is restricted, attempting to connect to a share will always reveal its existence. So, if NetShareEnumAll fails, a pre-generated list of shares, based on a large test network, is used. If any of those succeed, they are recorded.
After a list of shares is found, the script attempts to connect to each of them anonymously, which divides them into "anonymous", for shares that the NULL user can connect to, or "restricted", for shares that require a user account.
Usage
nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>
Host script results:
| smb-enum-shares:
| | ADMIN$
| | | Type: STYPE_DISKTREE_HIDDEN
| | | Comment: Remote Admin
| | | Users: 0, Max: <unlimited>
| | | Path: C:\WINNT
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ/WRITE
| | C$
| | | Type: STYPE_DISKTREE_HIDDEN
| | | Comment: Default share
| | | Users: 0, Max: <unlimited>
| | | Path: C:\
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ
| | IPC$
| | | Type: STYPE_IPC_HIDDEN
| | | Comment: Remote IPC
| | | Users: 1, Max: <unlimited>
| | | Path:
| | | Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
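The script's output splits shares into those the NULL user can reach and those that need an account, which is exactly what a defender wants to triage across a scan. The following is an added example, not part of the Nmap script or its documentation: it parses the output format shown above and rates anonymous file shares, treating writable ones as the highest risk. The sample output is constructed to mirror the block above, with a hypothetical "Public" share added to exercise the anonymous-writable case.

```python
# Added example: parse smb-enum-shares output and flag anonymous shares.
# Not part of Nmap; SAMPLE is constructed (the "Public" share is hypothetical).
SAMPLE = """\
Host script results:
| smb-enum-shares:
| | ADMIN$
| | | Type: STYPE_DISKTREE_HIDDEN
| | | Path: C:\\WINNT
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ/WRITE
| | Public
| | | Type: STYPE_DISKTREE
| | | Path: C:\\Shares\\Public
| | | Anonymous access: READ/WRITE
| | |_ Current user ('administrator') access: READ/WRITE
| | IPC$
| | | Type: STYPE_IPC_HIDDEN
| | | Path:
| | | Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
"""

def parse_shares(output):
    """Return {share_name: {field: value}}; '<none>' becomes None."""
    shares, current = {}, None
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").rstrip()   # drop the tree-drawing prefix
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:                          # no colon: a share name line
            current, shares[key] = key, {}
        elif current is not None:            # skips the two header lines
            if key.startswith("Current user"):
                key = "Current user access"  # normalise away the account name
            shares[current][key] = None if value == "<none>" else value
    return shares

def risk_findings(shares):
    """Split shares as the script does ('anonymous' if the NULL user can
    connect, else 'restricted') and rate anonymous file shares by access."""
    findings = []
    for name, info in shares.items():
        anon = info.get("Anonymous access")
        access = "restricted" if anon is None else "anonymous"
        severity = "info"
        if anon and "<not a file share>" not in anon:
            severity = "high" if "WRITE" in anon else "medium"
        findings.append((name, access, severity))
    return findings
```

IPC$ is reported as anonymous but stays at "info" because the script marks it as not a file share.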
Author: Ron Bowes
License: compiled by VER007, http://www.ver007.com