-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathwsmb
More file actions
executable file
·441 lines (415 loc) · 20.1 KB
/
wsmb
File metadata and controls
executable file
·441 lines (415 loc) · 20.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
#!/bin/bash
#Nmap Full Vuln Scan
Rand=$(( ( RANDOM % 3 ) + 1 ))
if [ "$Rand" == "1" ]; then
cat << "EndOfMessage"
█ █░ ▄▄▄ ██▓ ▓█████▄ ▒█████
▓█░ █ ░█░▒████▄ ▓██▒ ▒██▀ ██▌▒██▒ ██▒
▒█░ █ ░█ ▒██ ▀█▄ ▒██░ ░██ █▌▒██░ ██▒
░█░ █ ░█ ░██▄▄▄▄██ ▒██░ ░▓█▄ ▌▒██ ██░
░░██▒██▓ ▓█ ▓██▒░██████▒░▒████▓ ░ ████▓▒░
░ ▓░▒ ▒ ▒▒ ▓▒█░░ ▒░▓ ░ ▒▒▓ ▒ ░ ▒░▒░▒░
▒ ░ ░ ▒ ▒▒ ░░ ░ ▒ ░ ░ ▒ ▒ ░ ▒ ▒░
░ ░ ░ ▒ ░ ░ ░ ░ ░ ░ ░ ░ ▒
░ ░ ░ ░ ░ ░ ░ ░
██████ ███▄ ▄███▓ ▄▄▄▄ ░
▒██ ▒ ▓██▒▀█▀ ██▒▓█████▄
░ ▓██▄ ▓██ ▓██░▒██▒ ▄██
▒ ██▒▒██ ▒██ ▒██░█▀
▒██████▒▒▒██▒ ░██▒░▓█ ▀█▓
▒ ▒▓▒ ▒ ░░ ▒░ ░ ░░▒▓███▀▒
░ ░▒ ░ ░░ ░ ░▒░▒ ░
░ ░ ░ ░ ░ ░ ░
░ ░ ░
░
[*] Running wsmb!
EndOfMessage
elif [ "$Rand" == "2" ]; then
cat << "EndOfMessage"
██╗ ██╗ █████╗ ██╗ ██████╗ ██████╗
██║ ██║██╔══██╗██║ ██╔══██╗██╔═══██╗
██║ █╗ ██║███████║██║ ██║ ██║██║ ██║
██║███╗██║██╔══██║██║ ██║ ██║██║ ██║
╚███╔███╔╝██║ ██║███████╗██████╔╝╚██████╔╝
╚══╝╚══╝ ╚═╝ ╚═╝╚══════╝╚═════╝ ╚═════╝
███████╗███╗ ███╗██████╗
██╔════╝████╗ ████║██╔══██╗
███████╗██╔████╔██║██████╔╝
╚════██║██║╚██╔╝██║██╔══██╗
███████║██║ ╚═╝ ██║██████╔╝
╚══════╝╚═╝ ╚═╝╚═════╝
[*] Running wsmb!
EndOfMessage
elif [ "$Rand" == "3" ]; then
cat << "EndOfMessage"
▄▄▌ ▐ ▄▌ ▄▄▄· ▄▄▌ ·▄▄▄▄
██· █▌▐█▐█ ▀█ ██• ██▪ ██▪
██▪▐█▐▐▌▄█▀▀█ ██▪ ▐█· ▐█▌▄█▀▄
▐█▌██▐█▌▐█ ▪▐▌▐█▌▐▌██. ██▐█▌.▐▌
▀▀▀▀ ▀▪ ▀ ▀ .▀▀▀ ▀▀▀▀▀• ▀█▄▀▪
.▄▄ · • ▌ ▄ ·. ▄▄▄▄·
▐█ ▀. ·██ ▐███▪▐█ ▀█▪
▄▀▀▀█▄▐█ ▌▐▌▐█·▐█▀▀█▄
▐█▄▪▐███ ██▌▐█▌██▄▪▐█
▀▀▀▀ ▀▀ █▪▀▀▀·▀▀▀▀
[*] Running wsmb!
EndOfMessage
fi
#First part checks to make sure we have a host or any variable given. If not, help options are displayed
if [ -z "$1" ]; then
echo "[*] SMB Scanning Tool"
echo "[*] Checks SMB for openings, no options scans against NSE scripts for vulns."
echo "[*] Usage: wsmb <target> [options]"
echo "options:"
echo "-h, --help Show Brief Help"
echo "-l List SMB NSE Scripts"
echo "-n Include NBTScan"
echo "-e Include Enum4Linux Scan"
echo "-map Enumerate with smbmap"
echo "-sh or -sh='Share' List and login to an SMB Share"
echo "-s Run a full subnet SMB Scan without Banner Grabbing"
echo "-qs Run a quick SMB Scan"
echo "-sb Run a full subnet SMB Scan with Banner Grabbing (slow scan)"
echo "-c Run scan and empty directory"
echo "-cx Empty dir without scan"
echo "-brute Brute force SMB"
echo "-i Do a full intensive scan of SMB on the machine"
echo "-v Verbose output"
echo "-vv Increase verbosity"
echo "--update Updates WSMB"
echo "--version Displays current wsmb Version and checks for updates"
exit 0
fi
#setting global variables
ABSOLUTE_PATH=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/$(basename "${BASH_SOURCE[0]}")
VERSION=3.0.3
###########################
####Setting up functions[*]
# Use `$echoLog` everywhere you print verbose logging messages to console
# By default, it is disabled and will be enabled with the `-v` or `--verbose` flags
declare echoLog='silentEcho'
function silentEcho() {
:
}
#Locates smb nse scripts on your pc
loc () {
#$echoLog "[+verbose] finding nmap/scripts/smb "
locate nmap/scripts/smb | cut -d"/" -f6 | grep "vuln" | cut -d"." -f1 | sort -r
}
#here we do a check to see if the directory this script makes already exists.
direxist () {
$echoLog "[+verbose] Checking to see if directory exists for creation."
if [ ! -d ~/Desktop/$host-SMBScan/NSE ]; then
$echoLog "[+verbose] mkdir ~/Desktop/$host-SMBScan"
mkdir ~/Desktop/$host-SMBScan
$echoLog "[+verbose] ~/Desktop/$host-SMBScan/NSE"
mkdir ~/Desktop/$host-SMBScan/NSE
fi
}
cleandirexist () {
if [ -d ~/Desktop/$host-SMBScan ]; then
echo "[*] Cleaning Directory"
rm -rf ~/Desktop/$host-SMBScan/* &
else
echo "[*] Directory Does Not Exist!"
fi
}
snapshot () {
read -p "<Take a Screenshot of window (Takes SS of terminal, enlarge to capture whole terminal)?> : y/N: " CONDITION;
if [ "$CONDITION" == "y" ] || [ "$CONDITION" == "Y" ]; then
gnome-screenshot --window -f ~/Desktop/$host-SMBScan/$1.jpg
fi
}
dependencychecks () {
$echoLog "[+verbose] Checking if $2 is installed."
if [ ! -f "$1" ]; then
read -p "< [$2] Not installed, required for full functionality. Install now?> Y/n: " CONDITION;
if [ "$CONDITION" == "Y" ] || [ "$CONDITION" == "y" ] || [ -z "$CONDITION" ]; then
sudo apt-get install "$2" -y
else
echo "[*] Must install $2 to continue."
exit 0
fi
fi
}
checkarg () {
if [ "$1" == "$2" ]; then
echo "[*] $3"
exit 0
fi
}
checkonlyarg () {
if [ -z "$4" ] || [ "$4" == "-v" ] && [ "$1" == "$2" ]; then
:
else
echo "[*] $3"
exit 0
fi
}
checkupdate () {
$echoLog "[+verbose] Checking github for version updates."
git=$(curl --silent https://github.com/waldo-irc/SMBScan/blob/master/wsmb | grep 'VERSION=' | cut -d">" -f2 | cut -d"<" -f1 | cut -d"=" -f 2)
if [ "$git" == "$VERSION" ]; then
echo "[*] Current version is latest."
else
echo "[****] Update Available"
echo "[****] Version update from $VERSION to $git"
echo "[****] Read Changelog for more info. https://github.com/waldo-irc/SMBScan/blob/master/README.md"
update="1"
fi
}
####End Functions[*]
####################
#store our final octet for final naming into $host
$echoLog "[+verbose] Grepping Host for foldername creation."
if [[ $1 == *[/]* ]]; then
hostl=$(echo $1 | cut -d"." -f4 | cut -d"/" -f2)
host="sub$hostl"
elif echo "$1" | grep '[0-9]' >/dev/null; then
host=$(echo $1 | cut -d"." -f4)
elif echo "$1" | grep '*' >/dev/null; then
host="SubScan"
else
host=$1
fi
#These arguments need to run very first as they must run alone.
for arg; do
case $arg in
-l) checkonlyarg "$1" "-l" "Error, -l must be the only argument" "$2" ;;
-i) checkonlyarg "$2" "-i" "Error, -i cannot be run with anything else." "$3" ;;
--update) checkonlyarg "$1" "--update" "Error, --update cannot be run with anything else." "$2" ;;
esac
done
#These arguments need to run next.
for arg; do
case $arg in
-v) checkarg $1 -v "Error, must specify a target"
echoLog='echo'; ;;
-vv) checkarg $1 -vv "Error, must specify a target"
set -x;;
-c) checkarg $1 -c "Error, must specifiy which directory to clear with target name Ex: wsmb 192.168.1.25 -c"
cleandirexist;;
-cx) checkarg $1 -cx "Error, must specifiy which directory to clear with target name Ex: wsmb 192.168.1.25 -cx"
if [ "$3" ]; then
echo "[!!!] No other arguments can be used with '-cx'."
exit 0
else
cleandirexist
fi
exit 0;;
esac
done
#update Locate DB
$echoLog "[+verbose] Running updatedb."
updatedb
#checking for dependencies. There are lines like these at the beggining of any argument that requires such a dependency.
dependencychecks /usr/bin/nmap nmap
#Here we set up our options and arguments
for arg in "$@"; do
case $arg in
-v) echo "[/*\]"
$echoLog "[+verbose] Running in Verbose Mode" ;;
-i) echo "[*] Running Intensive Scan Against Target"
dependencychecks /usr/bin/enum4linux enum4linux
dependencychecks /usr/bin/nbtscan nbtscan
dependencychecks /usr/bin/smbclient smbclient
direxist
checkarg $1 -i "Error, must specify a target"
$echoLog "[+verbose] Running NBTScan"
nbtscan $1 > ~/Desktop/$host-SMBScan/nbtscan.txt &
$echoLog "[+verbose] Enumerating Shares"
smbclient -L $1 -N > ~/Desktop/$host-SMBScan/shares.txt
grep -i "disk" ~/Desktop/$host-SMBScan/shares.txt
wait
$echoLog "[+verbose] Running Enum4Linux (this scan takes the longest)"
enum4linux $1 > ~/Desktop/$host-SMBScan/enum4linux.txt &
wait
grep -i os= ~/Desktop/$host-SMBScan/enum4linux.txt
wait ;;
-l) echo "[*] Following SMB NSE scripts are available on your computer: "
$echoLog "[+verbose] Running Locate on nmap/scripts"
loc
echo "[*] End"
exit 0;;
-n) echo "[*] Running NBTScan Against Target"
dependencychecks /usr/bin/nbtscan nbtscan
direxist
checkarg $1 -n "Error, must specify a target"
$echoLog "[+verbose] Running NBTScans"
nbtscan $1 > ~/Desktop/$host-SMBScan/nbtscan.txt &
wait ;;
-map) echo "[*] Mapping Shares with SMBMap"
dependencychecks /usr/bin/smbmap smbmap
checkarg $1 -map "Error, must specify a target Ex: wsmb 192.168.1.25 -map"
smbmap -H $1
exit 0;;
-e) echo "[*] Running Enum4Linux Against Target - This could take a while."
dependencychecks /usr/bin/enum4linux enum4linux
direxist
checkarg $1 -e "Error, must specify a target"
enum4linux $1 > ~/Desktop/$host-SMBScan/enum4linux.txt &
wait
grep -i os= ~/Desktop/$host-SMBScan/enum4linux.txt ;;
-c) echo "[/*\]";;
-sb) echo "[*] Checking for All SMB Servers in subnet with banner grabbing (slower scan):"
checkarg $1 -sb "Error! Must be used with a target IP, Scanner will search for ALL IPS in subnet range of target Ex: wsmb 192.168.25.1 -sb"
echo "[*]Open SMB Servers" > ~/Desktop/SMBScan.txt
for a in $(seq 0 254); do
b=$(echo $1 | cut -d"." -f1,2,3)
c=$(nmap -p139,445 $b.$a --open | grep "for" | cut -d" " -f5,6)
$echoLog "[*] Scanning $b.$a"
if [ -z "$c" ]; then
:
else
d=$(nmap -p139,445 -sV $b.$a --open | grep "139/tcp" | cut -d' ' -f5,6 )
e=$(host $c | cut -d" " -f5)
echo "$c $e [+$d]" >> ~/Desktop/SMBScan.txt
echo "$c $e [+$d]"
fi
done
echo "[*]End" >> ~/Desktop/SMBScan.txt
exit 0;;
-s) echo "[*] Checking for All SMB Servers in subnet:"
checkarg $1 -s "Error! Must be used with a target IP, Scanner will search for ALL IPS in subnet range of target Ex: wsmb 192.168.25.1 -s"
echo "[*]Open SMB Servers" > ~/Desktop/SMBScan.txt
for a in $(seq 0 254); do
b=$(echo $1 | cut -d"." -f1,2,3)
c=$(nmap -p139,445 $b.$a --open | grep "for" | cut -d" " -f5,6)
$echoLog "[*] Scanning $b.$a"
if [ -z "$c" ]; then
:
else
d=$(host $c | cut -d" " -f5)
echo "$c $d" >> ~/Desktop/SMBScan.txt
echo "$c $d"
fi
done
echo "[*]End" >> ~/Desktop/SMBScan.txt
exit 0;;
-qs) echo "[*] Checking for SMB Servers:"
checkarg $1 -qs "Error! Must be used with a target IP, Scanner will search for ALL IPS in subnet range of target Ex: wsmb 192.168.25.* -qs"
a=$(echo $1 | cut -d"." -f4 | cut -d"/" -f1)
if [[ "$a" != "*" ]] && [[ "$a" != "0" ]]; then
smb=$(nmap -p139,445 $1 --open | grep "for" | cut -d" " -f5,6)
echo "$smb [+OPEN]"
else
smb=$(nmap -p139,445 $1 --open | grep "for" | cut -d" " -f5,6)
echo "$smb"
echo "[*]Scan Finished"
fi
exit 0;;
-sh=*|-sh) echo "[*] Listing SMB Shares"
dependencychecks /usr/bin/smbclient smbclient
checkarg $1 -sh "Error! Must be used with a target host or IP! Usage: wsmb <host> -sh"
$echoLog "[+verbose] Running SMBClient to check shares."
SHARE="${arg#*=}"
if [ -z "$SHARE" ] || [ "$SHARE" == "-sh" ]; then
smbclient -L $1 -N
read -p "[*] Would you like to access smb share? (Y/n): " answer;
else
answer=Y
fi
if [ "$answer" == y ] || [ "$answer" == Y ] || [ -z "$answer" ]; then
if [ -z "$SHARE" ] || [ "$SHARE" == "-sh" ]; then
read -p "[*] Choose an SMB share to access: " smb;
else
smb="$SHARE"
fi
read -p "[*] Choose a user to login with (leave blank for anon): " user;
read -p "[*] Enter user password (leave blank for anon): " pass;
smbclient //"$1"/"$smb" -U "$user"%"$pass"
else
exit
fi
shift
exit 0;;
-brute) echo "[*] Running SMB Brute Force Attack"
dependencychecks /usr/bin/acccheck acccheck
direxist
checkarg $1 -brute "Error! Must specify a target EX: wsmb 192.168.5.5 -brute"
$echoLog "[+verbose] Checking to see if directory exists for creation."
read -p "[->] Enter a user to brute force or a .txt file: " BRUTEUSER;
read -p "[->] Enter a password to brute force with or a .txt file: " BRUTEPASS;
CHECK1=$(echo $BRUTEUSER | cut -d'.' -f2)
CHECK2=$(echo $BRUTEPASS | cut -d'.' -f2)
$echoLog "[+verbose] Checking to see if any files are .txt or not for brute forcing"
if [ "$CHECK1" == "txt" ]; then
u="U"
elif [ "$CHECK1" != "txt" ]; then
u="u"
elif [ "$CHECK2" == "txt" ]; then
p="P"
elif [ "$CHECK2" != "txt" ]; then
p="p"
fi
$echoLog "[+verbose] Running acccheck using creds user:$BRUTEUSER pass:$BRUTEPASS"
acccheck -t $1 -$p $BRUTEPASS -$u $BRUTEUSER
snapshot "smbbrute"
exit 0;;
--update) echo "[*] wsmb Version $VERSION"
echo "[*] Updating WSMB"
checkupdate
echo "$git Git Version"
echo "$VERSION Installed Version"
#Uncomment below for debugging
#echo "$ABSOLUTE_PATH"
if [ "$update" != "1" ]; then
exit 0;
else
echo "[*] Needs an update!"
read -p "[*] Update script? Y/n: " CONDITION;
if [ "$CONDITION" == "Y" ] || [ "$CONDITION" == "y" ] || [ -z "$CONDITION" ]; then
git clone https://github.com/waldo-irc/SMBScan.git
echo "[*] Installing to $ABSOLUTE_PATH"
mv SMBScan/wsmb $ABSOLUTE_PATH
echo "[*] Cleaning up"
wait
rm -R SMBScan
echo "[*] Installed Version updated to $git"
else
echo "[*] Exiting, not updating from $VERSION"
fi
fi
exit 0;;
--version) checkupdate
echo "[*] Version $VERSION"
echo "[*] Exiting"
exit 0;;
-*) $echoLog "[+verbose] Running Help Menu"
echo "[*] SMB Scanning Tool"
echo "[*] Checks SMB for openings, no options scans against NSE scripts for vulns."
echo "[*] Usage: wsmb <domain name> -options"
echo "options:"
echo "-h, --help show brief help"
echo "-l list SMB NSE Scripts"
echo "-n Include NBTScan"
echo "-e Include Enum4Linux Scan"
echo "-map Enumerate with smbmap"
echo "-sh or -sh='Share' List and login to an SMB Share"
echo "-s Run a full subnet SMB Scan without Banner Grabbing"
echo "-qs Run a quick SMB Scan"
echo "-sb Run a full subnet SMB Scan with Banner Grabbing (slow scan)"
echo "-c Run scan and empty directory"
echo "-cx Empty dir without scan"
echo "-brute Brute force SMB"
echo "-i Do a full intensive scan of SMB on the machine"
echo "-v Verbose output"
echo "-vv Increase verbosity"
echo "--update Updates WSMB"
echo "--version Displays current wsmb Version and checks for updates"
exit 0;;
*) dir=$arg ;; #This line is required to pass the target when given. Gives anything given as an argument without a slash and passes it through to be used for the program.
esac
done
direxist
$echoLog "[+verbose] Running NMap NSE Scripts against target [<-]"
#Finally, we take the IP here and run it against every SMB NSE Vuln script found on your host machine and output it into a file in our folder and grep to see if we found a vuln
for a in $(loc); do
nmap -p139,445 -script $a $1 --open > ~/Desktop/$host-SMBScan/NSE/$a.txt &
$echoLog "[*] Running $a"
wait
if grep -q "VULNERABLE" ~/Desktop/$host-SMBScan/NSE/$a.txt; then
echo "[!!] $1 Seems Vulnerable to $a!"
fi
done
echo "[*] Executed Successfully! Check folder in ~/Desktop/$host-SMBScan for results"