fortra/impacket

[feature request] Invoke-ShareFinder equivalent in impacket

CaledoniaProject opened this issue · 7 comments

Is anyone interested in creating an equivalent of this Invoke-ShareFinder script? Looks quite useful to me.

P.S.: please consider adding a Feature Request option to your bug report template.

@CaledoniaProject I just implemented it: https://github.com/p0dalirius/FindUncommonShares

Best regards,
Podalirius

@p0dalirius Hi there!

Invoke-ShareFinder is capable of finding all shares in a domain, but FindUncommonShares targets a specific computer only.

Invoke-ShareFinder first launches an LDAP query to find all computers, then enumerates all the shares on the target computers. Can you add this logic?

@CaledoniaProject Yes I can :) I'll add this in the next days :)

@CaledoniaProject It's done now :)

Environment:

  1. Linux CentOS 7 with Python 3.6 and impacket installed with pip (not GitHub)
  2. Windows 2016 DC (10.10.10.20)
  3. Windows 2016 Exchange (10.10.10.21)
  4. Windows 2016 SRV1 (10.10.10.22)
  5. Windows 2016 SRV2 (10.10.10.23), TESTNET\lowpriv is in local administrator group

On Linux it got stuck, and no result was available:

[root@XXX FindUncommonShares-main]# time python3 FindUncommonShares.py --dc-ip 10.10.10.20 -u lowpriv -p XXX -d testnet.com -debug
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.6/site-packages/impacket
[>] Extracting all computers ...
[+] Found 4 computers.
[>] Enumerating shares ...

real	4m1.491s
user	0m0.573s
sys	0m0.148s

On Windows the result is instantly available:

PS C:\Users\lowpriv\Desktop> Invoke-ShareFinder
\\Exchange.testnet.com\address  -
\\Exchange.testnet.com\ADMIN$   - Remote Admin
\\Exchange.testnet.com\C$       - Default share
\\Exchange.testnet.com\IPC$     - Remote IPC
\\SRV1.testnet.com\ADMIN$       - Remote Admin
\\SRV1.testnet.com\C$   - Default share
\\SRV1.testnet.com\CertEnroll   - Active Directory Certificate Services share
\\SRV1.testnet.com\IPC$         - Remote IPC
\\SRV1.testnet.com\share        -
\\DC-01.testnet.com\ADMIN$      - Remote Admin
\\DC-01.testnet.com\C$  - Default share
\\DC-01.testnet.com\IPC$        - Remote IPC
\\DC-01.testnet.com\NETLOGON    - Logon server share
\\DC-01.testnet.com\SYSVOL      - Logon server share
\\SRV2.testnet.com\ADMIN$       - Remote Admin
\\SRV2.testnet.com\C$   - Default share
\\SRV2.testnet.com\IPC$         - Remote IPC
PS C:\Users\lowpriv\Desktop>
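As an added example (not code from this issue, from impacket or from FindUncommonShares), the following Python snippet post-processes Invoke-ShareFinder-style output like the listing above and separates Windows default shares from the uncommon ones an administrator would want to review; the default-share set and the sample lines are my own assumptions, modelled on the hosts and shares shown in the thread.

```python
import re
from collections import defaultdict

# Shares that Windows or an AD/ADCS role creates by default (assumed set);
# anything else is "uncommon" and worth an access-control review.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "CERTENROLL", "PRINT$"}

# One line of Invoke-ShareFinder output: UNC path, a dash, optional comment.
# The whitespace between fields varies (tabs vs spaces), so match loosely.
_LINE = re.compile(r"^\\\\(?P<host>[^\\\s]+)\\(?P<share>[^\s]+)\s+-\s*(?P<comment>.*)$")

def parse_sharefinder(text):
    """Return {host: [(share, comment), ...]} from Invoke-ShareFinder-style output.
    Lines that do not match (prompts, blanks) are skipped; hosts are lower-cased."""
    hosts = defaultdict(list)
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        hosts[m["host"].lower()].append((m["share"], m["comment"].strip()))
    return dict(hosts)

def uncommon_shares(parsed, defaults=DEFAULT_SHARES):
    """Return {host: [share, ...]} keeping only shares not in the default set.
    The comparison is case-insensitive because SMB share names are."""
    out = {}
    for host, shares in parsed.items():
        extra = [s for s, _ in shares if s.upper() not in defaults]
        if extra:
            out[host] = extra
    return out

# Constructed sample, modelled on the listing in the issue; note the empty
# comment after "address" and "share", and the tab before one of the dashes.
SAMPLE = """PS C:\\Users\\lowpriv\\Desktop> Invoke-ShareFinder
\\\\Exchange.testnet.com\\address  -
\\\\Exchange.testnet.com\\ADMIN$   - Remote Admin
\\\\SRV1.testnet.com\\C$\t- Default share
\\\\SRV1.testnet.com\\CertEnroll   - Active Directory Certificate Services share
\\\\SRV1.testnet.com\\share        -
\\\\DC-01.testnet.com\\SYSVOL      - Logon server share
"""

if __name__ == "__main__":
    for host, shares in sorted(uncommon_shares(parse_sharefinder(SAMPLE)).items()):
        print(f"{host}: {', '.join(shares)}")
```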

@CaledoniaProject you can open an issue in my project if you want.

I think it was a DNS issue in your case. My latest commit should solve the problem since I perform DNS lookups directly from the domain controller in the script.

I confirm this issue is resolved, I will report further problems in your repo instead, thanks p0dalirius!