Scanning SMB Shares with SMBLS

In Carve’s internal engagement service line, we simulate an attacker on a corporate network, which is usually Windows-based. We use a variety of tools to gather information, but we were frustrated by the reliability, performance and logging of the tools for scanning SMB shares, so we wrote a small Impacket-based tool as a replacement.

The main use case is as follows: you have credentials for a user account and a list of hosts, and you want to find out which SMB shares are accessible to that account on each host. You might be surprised at how many shares there are on a normal corporate network. For pentesters, scanning them lets us find shares that contain secrets that shouldn’t be exposed. Is there a Users share with everyone’s files? Does a workstation have its C: drive accidentally exposed? Does someone in IT have a share with documentation and credentials for all admin accounts?

Scanning hosts with the SMB protocol can expose a bunch of other useful information too, like…
