Backing up data is important. Anyone who has ever lost data would agree. There is also a golden rule: “There are two kinds of people in this world—those who back up their data and those who will.”

Be smart and start doing this before you lose your data. I currently use Fedora (since

Introduction to EscapeTwo

This write-up will explore the “EscapeTwo” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “EscapeTwo” machine from Hack The Box by achieving the following objectives:

User Flag:

The attacker explored the target machine’s network services and exploited weak access controls. Initial scans identified open ports, including SMB, enabling access to shared folders. By reviewing these files, the attacker discovered a password and identified a user account (Ryan) with elevated permissions. Using these permissions, the attacker connected remotely to the system and retrieved the user flag with a simple command.

Root Flag:

First, the attacker escalated privileges by exploiting an Active Directory misconfiguration. Next, using the Ryan account, they employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control in hand, the attacker then acquired a special certificate, subsequently authenticated as an administrator, and finally retrieved the root flag with a command.

Enumerating the EscapeTWO Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.51

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/escapetwo]
└──╼ $nmap -sC -sV -oA initial -Pn 10.10.11.51
Nmap scan report for 10.10.11.51
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-16 14:15:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.

1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-16T04:02:09
|_Not valid after:  2055-05-16T04:02:09
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.

Analysis:

• 53/tcp (domain): Simple DNS Plus server running, likely handling DNS requests.
• 88/tcp (kerberos-sec): Kerberos authentication service active, indicates Active Directory environment.
• 135/tcp (msrpc): Microsoft RPC service, used for remote procedure calls on Windows.
• 139/tcp (netbios-ssn): NetBIOS session service, Windows file and printer sharing over SMBv1.
• 389/tcp (ldap): LDAP service for Active Directory directory services (non-SSL).
• 445/tcp (microsoft-ds): SMB service used for Windows file sharing and Active Directory.
• 464/tcp (kpasswd5): Kerberos password change service.
• 593/tcp (ncacn_http): Microsoft RPC over HTTP, potentially used for remote management.
• 636/tcp (ssl/ldap): Secure LDAP (LDAPS) for encrypted directory access.
• 1433/tcp (ms-sql-s): Microsoft SQL Server 2019 instance accessible, possibly exploitable.
• 3268/tcp (ldap): Global Catalog LDAP for Active Directory, supports forest-wide queries.
• 3269/tcp (ssl/ldap): Secure Global Catalog LDAP over SSL.
  

Exploitation

Samba Exploration:

If successful, it then attempts to find other user accounts by brute-forcing their ID numbers, thereby helping to identify valid users for further testing.

The output is then filtered using grep SidTypeUser Only the entries that correspond to actual user accounts will be displayed, excluding groups or system accounts. This helps the tester quickly identify valid user accounts on the target machine for further analysis or access attempts.v

It connects to the target machine at the IP address 10.10.11.51 with the smbclient tool, a command-line utility similar to an FTP client but designed for accessing SMB shares.

This list shows shared folders on a computer that others on the network can access, like shared drawers in an office.

• Accounting Department: Likely holds financial or work files for the accounting team.
• ADMIN$ and C$: Hidden folders for IT admins to manage the system remotely.
• IPC$: A system tool for communication between devices, not a regular folder.
• NETLOGON and SYSVOL: Support user login and access control in the network.
• Users: Contains personal folders for different computer users.

The folder contains two Excel files: accounting_2024.xlsx and accounts.xlsx.

Transferring both files to our computer

We discovered a password stored within an XML file.

It looks much cleaner when using the Python command.

SQL enumeration on EscapeTwo machine

Since the Nmap results indicated that the MSSQL service is open, and the default MSSQL user (sa) Typically has the highest level of administrative privileges, so it’s worth attempting to use it. In this case, we try to enable and use the xp_cmdshell feature for further exploitation.

Let’s proceed with executing MSSQL commands.

Let’s initiate our listener.

The operation was successful, so we proceeded to enable xp_cmdshell and execute the shell command through it to confirm execution.

We established a reverse shell connection.

The SQL Server 2019 installation was found.

Begin by enumerating the local files, where you will find a configuration file located at C:\SQL2019\ExpressAdv_ENU.

Another password was found in the configuration file named sql-Configuration.INI.

Discovered several potential usernames.

SMB access was obtained as the user Ryan, which can be used for enumeration with BloodHound.

Bloodhound enumeration on escapetwo machine

We will gather additional information using BloodHound.

Once the collection was complete, I imported them into BloodHound. That’s when I found the ryan with CA_SVC account — one I could change the owner of.

Let’s examine Oscar’s connection.

We can see that Ryan has the WriteOwner permission on the CA_SVC account.

Using NXC, we were able to discover credentials that work with WinRM

We can read the user flag by typing “type user.txt’ command

Escalate to Root Privileges Access

Privilege Escalation:

We attempted to use the owneredit.py Script to change the object ownership, but the operation failed due to an unspecified issue.

The script executed successfully after setting PYTHONPATH=… For instance, assigning ownership of an administrator account to a user like Ryan would mean he could modify settings or permissions that are normally reserved for administrators. Moreover, this change could increase Ryan’s control over the system. Therefore, it is important to carefully manage account ownership to prevent unauthorized access.

This command is used in dacledit.py to grant the user Ryan full control (FullControl) permissions over the ca_svc account. It authenticates to the domain sequel.htb using Ryan’s credentials. The -action 'write' flag specifies that a permission change is being made.

This command allows the user Ryan to quietly gain access as another account, ca_svc, by taking advantage of a weakness in how the network handles certificates.

It uses a special code (hash) instead of a password to access the account and looks for any vulnerable settings, then shows the results on the screen.

This command uses Certipy to request a special security certificate from the network’s main server (dc01.sequel.htb) using a template named DunderMifflinAuthentication.

This command requests a certificate from the sequel-DC01-CA on the domain controller DC01.sequel.htb. It uses the ca_svc account’s NT hash for authentication and asks for a certificate based on the DunderMifflinAuthentication template.

This command uses Certipy to authenticate to the domain controller at IP 10.10.11.51 using the certificate file administrator.pfx.

We read the root flag by typing the “type root.txt” command

The post Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

PowerHuntShares is design to automatically inventory, analyze, and report excessive privilege assigned to SMB shares on Active Directory domain joined computers.
It is intented to help IAM and other blue teams gain a better understand of their SMB Share attack surface and provides data insights to help naturally group related share to help stream line remediation efforts at scale.

It supports functionality to:

• Authenticate using the current user context, a credential, or clear text user/password.
• Discover accessible systems associated with an Active Directory domain automatically. It will also filter Active Directory computers based on available open ports.
• Target a single computer, list of computers, or discovered Active Directory computers (default).
• Collect SMB share ACL information from target computers using PowerShell.
• Analyze collected Share ACL data.
• Report summary reports and excessive privilege details in HTML and CSV file formats.

Excessive SMB share ACLs are a systemic problem and an attack surface that all organizations struggle with. The goal of this project is to provide a proof concept that will work towards building a better share collection and data insight engine that can help inform and priorititize remediation efforts.

Bonus Features:

• Generate directory listing dump for configurable depth
• Search for file types across discovered shares

I've also put together a short presentation outlining some of the common misconfigurations and strategies for prioritizing remediation here: https://www.slideshare.net/nullbind/into-the-abyss-evaluating-active-directory-smb-shares-on-scale-secure360-251762721

Vocabulary

PowerHuntShares will inventory SMB share ACLs configured with "excessive privileges" and highlight "high risk" ACLs. Below is how those are defined in this context.

Excessive Privileges
Excessive read and write share permissions have been defined as any network share ACL containing an explicit ACE (Access Control Entry) for the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups. All provide domain users access to the affected shares due to privilege inheritance issues. Note there is a parameter that allow operators to add their own target groups.
Below is some additional background:

• Everyone is a direct reference that applies to both unauthenticated and authenticated users. Typically only a null session is required to access those resources.
• BUILTIN\Users contains Authenticated Users
• Authenticated Users contains Domain Users on domain joined systems. That's why Domain Users can access a share when the share permissions have been assigned to "BUILTIN\Users".
• Domain Users is a direct reference
• Domain Users can also create up to 10 computer accounts by default that get placed in the Domain Computers group
• Domain Users that have local administrative access to a domain joined computer can also impersonate the computer account.

Please Note: Share permissions can be overruled by NTFS permissions. Also, be aware that testing excluded share names containing the following keywords:

print$, prnproc$, printer, netlogon,and sysvol

High Risk Shares
In the context of this report, high risk shares have been defined as shares that provide unauthorized remote access to a system or application. By default, that includes the shares

 wwwroot, inetpub, c$, and admin$   

Setup Commands

Below is a list of commands that can be used to load PowerHuntShares into your current PowerShell session. Please note that one of these will have to be run each time you run PowerShell is run. It is not persistent.

# Bypass execution policy restrictions
Set-ExecutionPolicy -Scope Process Bypass

# Import module that exists in the current directory
Import-Module .\PowerHuntShares.psm1

or

# Reduce SSL operating level to support connection to github
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[Net.ServicePointManager]::SecurityProtocol =[Net.SecurityProtocolType]::Tls12

# Download and load PowerHuntShares.psm1 into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerHuntShares/main/PowerHuntShares.psm1")

Example Commands

Important Note: All commands should be run as an unprivileged domain user.

.EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test 

.EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user

.EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test  -HostList c:\temp\hosts.txt      

.EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
PS C:\temp\test> Import-Module Invoke-HuntSMBShares.ps1
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -Run   SpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user 

===============================================================
PowerHuntShares
===============================================================
 This function automates the following tasks:     

 o Determine current computer's domain
 o Enumerate domain computers        
 o Filter for computers that respond to ping reqeusts          
 o Filter for computers that have TCP 445 open and accessible  
 o Enumerate SMB shares 
 o Enumerate SMB share permissions   
 o Identify shares with potentially excessive privielges       
 o Identify shares that provide reads & write access           
 o Identify shares thare are high risk
 o Identify common share owners, names, & directory listings   
 o Generate creation, last written, & last accessed timelines
 o Generate html summary report and detailed csv files            

 Note: This can take hours to run in large environments.       
---------------------------------------------------------------
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---------------------------------------------------------------
SHARE DISCOVERY      
---------------------------------------------------------------
[*][03/01/2021 09:35] Scan Start
[*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
[*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
[*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
[*][03/01/2021 09:35] - 245 computers found
[*][03/01/2021 09:35] Pinging 245 computers
[*][03/01/2021 09:35] - 55 computers responded to ping requests.
[*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
[*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
   [*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
[*][03/01/2021 09:36] - 217 SMB shares were found.
[*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
[*][03/01/2021 09:37] - 374 share permissions were enumerated.
[*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
[*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
[*][03/01/2021 09:37] - 563 files and folders were enumerated.
[*][03/01/2021 09:37] Identifying potentially excessive share permissions
[*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
[*][03/01/2021 09:37] Scan Complete
---------------------------------------------------------------
SHARE ANALYSIS      
---------------------------------------------------------------
[*][03/01/2021 09:37] Analysis Start
[*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
[*][03/01/2021 09:37] - 1 shares can    be written to across 1 systems.
[*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
[*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
[*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
[*][03/01/2021 09:37] - Identified top 5 share groups.
[*][03/01/2021 09:37] - Identified top 5 share names.
[*][03/01/2021 09:37] - Identified shares created in last 90 days.
[*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
[*][03/01/2021 09:37] - Identified shares modified in last 90 days.
[*][03/01/2021 09:37] Analysis Complete
---------------------------------------------------------------
SHARE REPORT SUMMARY      
---------------------------------------------------------------
[*][03/01/2021 09:37] Domain: demo.local
[*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
[*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
[*][03/01/2021 09:37] R   un time: 00:02:23.2759086
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] COMPUTER SUMMARY
[*][03/01/2021 09:37] - 245 domain computers found.
[*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
[*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
[*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] SHARE SUMMARY
[*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
[*][03/01/2021 09:37]   because 49 systems had open ports a   nd there are typically two default shares.
[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] SHARE ACL SUMMARY
[*][03/01/2021 09:37] - 374 ACLs were found.
[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) ACLs we   re found that are associated with HIGH RISK share names.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] - The 5 most common share names are:
[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
[*][03/01/2021 09:37]   - 4 backup
[*][03/01/2021 09:37]   - 2 ssms
[*][03/01/2021 09:37]   - 1 test2
[*][03/01/2021 09:37]   - 1 test1
[*][03/01/2021 09:37]   - 1 users
[*] -----------------------------------------------

HTML Report Examples

Credits

Author
Scott Sutherland (@_nullbind)

Open-Source Code Used
These individuals wrote open source code that was used as part of this project. A big thank you goes out them and their work!

License
BSD 3-Clause

Todos

Pending Fixes/Bugs

• Update code to avoid defender
• Fix file listing formating on data insight pages
• IPv6 addresses dont show up in subnets summary
• ACLs associated with Builtin\Users sometimes shows up as LocalSystem under undefined conditions, and as a result, doesnt show up in the Excessive Privileges export. - Thanks Sam!

Pending Features

• Add ability to specify additional groups to target
• Add directory listing to insights page.
• Add ability to grab system OS information for data insights.
• Add visualization: Visual squares with coloring mapped to share volume density by subnet or ip?.
• Add file type search. (half coded) + add to data insights. Don't forget things like *.aws, *.azure *.gcp directories that store cloud credentials.
• Add file content search.
• Add DontExcludePrintShares option
• Add auto targeting of groups that contain a large % of the user population; over 70% (make configurable). Add as option.
• Add configuration fid: netlogon and sysvol you may get access denied when using windows 10 unless the setting below is configured. Automat a check for this, and attempt to modify if privs are at correct level. gpedit.msc, go to Computer -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths, enable the policy and click "Show" button. Enter your server name (* for all servers) into "Value name" and enter the folowing text "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" wihtout quotes into the "Value" field.
• Add an interesting shares based on names to data insights. example: sql, backup, password, etc.
• Add active sessions data to help identify potential owners/users of share.
• Pull spns and computer description/spn account descriptions to help identify owner/business unit.
• Create bloodhound import file / edge (highrisk share)
• Research to identify additional high risk share names based on common technology
• Add better support for IPv6
• Dynamic identification of spikes in high risk share creation/common groupings, need to better summarize supporting detail beyond just the timeline. For each of the data insights, add average number of shares created for insight grouping by year/month (for folder hash / name etc), and the increase the month/year it spikes. (attempt to provide some historical context); maybe even list the most common non default directories being used by each of those. Potentially adding "first seen date" as well.
• add showing share permissions (along with the already displayed NTFS permissions) and resultant access (most restrictive wins)

Continue readingLazySysAdmin – Vulnhub walkthrough

Continue readingdigital world.local: Vengeance Walkthrough – OSCP Way

Vulnhub Koptrix Level 1 (OSCP like machines) writeup is here for those looking to root this machine. CTFs are fun and great learning, today we are solving a very simple CTF called Koptrix Level 1, the machine can be downloaded from – This Link. As I saw the machine to be beginner level and part […]

The post Vulnhub Koptrix 1 Writeup [OSCP Like machines] appeared first on Ethical Hacking Tutorials.

TryHackMe has been awsome platform for learning Hacking/Security from the very basics. In Network Service room we have the usual culprits telnet, smb, ftp. Lets understand and solve the SMB part Network Service Room Link – https://tryhackme.com/room/networkservicesTask Associated to SMB – Task 2  Understanding SMBTask 3  Enumerating SMBTask 4  Exploiting SMB Task 3 We would use enum4linux and […]

The post TryHackMe – Network Services Walkthrough appeared first on Ethical Hacking Tutorials.

Server Message Block (SMB), also known as Common Internet File System (CIFS), is a network protocol mainly used for providing shared access to files, printers, serial ports and miscellaneous communications between nodes on a network.

Versions of Windows SMB
CIFS: The old

PowerHuntShares is design to automatically inventory, analyze, and report excessive privilege assigned to SMB shares on Active Directory domain joined computers.
It is intented to help IAM and other blue teams gain a better understand of their SMB Share attack surface and provides data insights to help naturally group related share to help stream line remediation efforts at scale.

It supports functionality to:

• Authenticate using the current user context, a credential, or clear text user/password.
• Discover accessible systems associated with an Active Directory domain automatically. It will also filter Active Directory computers based on available open ports.
• Target a single computer, list of computers, or discovered Active Directory computers (default).
• Collect SMB share ACL information from target computers using PowerShell.
• Analyze collected Share ACL data.
• Report summary reports and excessive privilege details in HTML and CSV file formats.

Excessive SMB share ACLs are a systemic problem and an attack surface that all organizations struggle with. The goal of this project is to provide a proof concept that will work towards building a better share collection and data insight engine that can help inform and priorititize remediation efforts.

Bonus Features:

• Generate directory listing dump for configurable depth
• Search for file types across discovered shares

I've also put together a short presentation outlining some of the common misconfigurations and strategies for prioritizing remediation here: https://www.slideshare.net/nullbind/into-the-abyss-evaluating-active-directory-smb-shares-on-scale-secure360-251762721

Vocabulary

PowerHuntShares will inventory SMB share ACLs configured with "excessive privileges" and highlight "high risk" ACLs. Below is how those are defined in this context.

Excessive Privileges
Excessive read and write share permissions have been defined as any network share ACL containing an explicit ACE (Access Control Entry) for the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups. All provide domain users access to the affected shares due to privilege inheritance issues. Note there is a parameter that allow operators to add their own target groups.
Below is some additional background:

• Everyone is a direct reference that applies to both unauthenticated and authenticated users. Typically only a null session is required to access those resources.
• BUILTIN\Users contains Authenticated Users
• Authenticated Users contains Domain Users on domain joined systems. That's why Domain Users can access a share when the share permissions have been assigned to "BUILTIN\Users".
• Domain Users is a direct reference
• Domain Users can also create up to 10 computer accounts by default that get placed in the Domain Computers group
• Domain Users that have local administrative access to a domain joined computer can also impersonate the computer account.

Please Note: Share permissions can be overruled by NTFS permissions. Also, be aware that testing excluded share names containing the following keywords:

print$, prnproc$, printer, netlogon,and sysvol

High Risk Shares
In the context of this report, high risk shares have been defined as shares that provide unauthorized remote access to a system or application. By default, that includes the shares

 wwwroot, inetpub, c$, and admin$   

Setup Commands

Below is a list of commands that can be used to load PowerHuntShares into your current PowerShell session. Please note that one of these will have to be run each time you run PowerShell is run. It is not persistent.

# Bypass execution policy restrictions
Set-ExecutionPolicy -Scope Process Bypass

# Import module that exists in the current directory
Import-Module .\PowerHuntShares.psm1

or

# Reduce SSL operating level to support connection to github
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[Net.ServicePointManager]::SecurityProtocol =[Net.SecurityProtocolType]::Tls12

# Download and load PowerHuntShares.psm1 into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerHuntShares/main/PowerHuntShares.psm1")

Example Commands

Important Note: All commands should be run as an unprivileged domain user.

.EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test 

.EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user

.EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test  -HostList c:\temp\hosts.txt      

.EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
PS C:\temp\test> Import-Module Invoke-HuntSMBShares.ps1
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -Run   SpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user 

===============================================================
PowerHuntShares
===============================================================
 This function automates the following tasks:     

 o Determine current computer's domain
 o Enumerate domain computers        
 o Filter for computers that respond to ping reqeusts          
 o Filter for computers that have TCP 445 open and accessible  
 o Enumerate SMB shares 
 o Enumerate SMB share permissions   
 o Identify shares with potentially excessive privielges       
 o Identify shares that provide reads & write access           
 o Identify shares thare are high risk
 o Identify common share owners, names, & directory listings   
 o Generate creation, last written, & last accessed timelines
 o Generate html summary report and detailed csv files            

 Note: This can take hours to run in large environments.       
---------------------------------------------------------------
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---------------------------------------------------------------
SHARE DISCOVERY      
---------------------------------------------------------------
[*][03/01/2021 09:35] Scan Start
[*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
[*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
[*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
[*][03/01/2021 09:35] - 245 computers found
[*][03/01/2021 09:35] Pinging 245 computers
[*][03/01/2021 09:35] - 55 computers responded to ping requests.
[*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
[*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
   [*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
[*][03/01/2021 09:36] - 217 SMB shares were found.
[*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
[*][03/01/2021 09:37] - 374 share permissions were enumerated.
[*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
[*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
[*][03/01/2021 09:37] - 563 files and folders were enumerated.
[*][03/01/2021 09:37] Identifying potentially excessive share permissions
[*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
[*][03/01/2021 09:37] Scan Complete
---------------------------------------------------------------
SHARE ANALYSIS      
---------------------------------------------------------------
[*][03/01/2021 09:37] Analysis Start
[*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
[*][03/01/2021 09:37] - 1 shares can    be written to across 1 systems.
[*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
[*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
[*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
[*][03/01/2021 09:37] - Identified top 5 share groups.
[*][03/01/2021 09:37] - Identified top 5 share names.
[*][03/01/2021 09:37] - Identified shares created in last 90 days.
[*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
[*][03/01/2021 09:37] - Identified shares modified in last 90 days.
[*][03/01/2021 09:37] Analysis Complete
---------------------------------------------------------------
SHARE REPORT SUMMARY      
---------------------------------------------------------------
[*][03/01/2021 09:37] Domain: demo.local
[*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
[*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
[*][03/01/2021 09:37] R   un time: 00:02:23.2759086
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] COMPUTER SUMMARY
[*][03/01/2021 09:37] - 245 domain computers found.
[*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
[*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
[*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] SHARE SUMMARY
[*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
[*][03/01/2021 09:37]   because 49 systems had open ports a   nd there are typically two default shares.
[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] SHARE ACL SUMMARY
[*][03/01/2021 09:37] - 374 ACLs were found.
[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) ACLs we   re found that are associated with HIGH RISK share names.
[*][03/01/2021 09:37] 
[*][03/01/2021 09:37] - The 5 most common share names are:
[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
[*][03/01/2021 09:37]   - 4 backup
[*][03/01/2021 09:37]   - 2 ssms
[*][03/01/2021 09:37]   - 1 test2
[*][03/01/2021 09:37]   - 1 test1
[*][03/01/2021 09:37]   - 1 users
[*] -----------------------------------------------

HTML Report Examples

Credits

Author
Scott Sutherland (@_nullbind)

Open-Source Code Used
These individuals wrote open source code that was used as part of this project. A big thank you goes out them and their work!

License
BSD 3-Clause

Todos

Pending Fixes/Bugs

• Update code to avoid defender
• Fix file listing formating on data insight pages
• IPv6 addresses dont show up in subnets summary
• ACLs associated with Builtin\Users sometimes shows up as LocalSystem under undefined conditions, and as a result, doesnt show up in the Excessive Privileges export. - Thanks Sam!

Pending Features

• Add ability to specify additional groups to target
• Add directory listing to insights page.
• Add ability to grab system OS information for data insights.
• Add visualization: Visual squares with coloring mapped to share volume density by subnet or ip?.
• Add file type search. (half coded) + add to data insights. Don't forget things like *.aws, *.azure *.gcp directories that store cloud credentials.
• Add file content search.
• Add DontExcludePrintShares option
• Add auto targeting of groups that contain a large % of the user population; over 70% (make configurable). Add as option.
• Add configuration fid: netlogon and sysvol you may get access denied when using windows 10 unless the setting below is configured. Automat a check for this, and attempt to modify if privs are at correct level. gpedit.msc, go to Computer -> Administrative Templates -> Network -> Network Provider -> Hardened UNC Paths, enable the policy and click "Show" button. Enter your server name (* for all servers) into "Value name" and enter the folowing text "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" wihtout quotes into the "Value" field.
• Add an interesting shares based on names to data insights. example: sql, backup, password, etc.
• Add active sessions data to help identify potential owners/users of share.
• Pull spns and computer description/spn account descriptions to help identify owner/business unit.
• Create bloodhound import file / edge (highrisk share)
• Research to identify additional high risk share names based on common technology
• Add better support for IPv6
• Dynamic identification of spikes in high risk share creation/common groupings, need to better summarize supporting detail beyond just the timeline. For each of the data insights, add average number of shares created for insight grouping by year/month (for folder hash / name etc), and the increase the month/year it spikes. (attempt to provide some historical context); maybe even list the most common non default directories being used by each of those. Potentially adding "first seen date" as well.
• add showing share permissions (along with the already displayed NTFS permissions) and resultant access (most restrictive wins)