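#!/bin/bash
# smb_enum.sh — drive nmap's SMB NSE scripts over a list of hosts.
#
# Usage: smb_enum.sh [hostfile]
#   Hosts (one per line) are read from the file given as $1, or from stdin
#   when no readable file is given. Every artifact is written under $outdir.

glob_pids=""          # pid list handed to the final longwait
hosts=""              # newline-separated host list
all=                  # non-empty skips every confirm() prompt
outdir="smb.out"      # output directory for all scan artifacts

# NOTE: `exit` here does not terminate nmap jobs already running in the
# background; they are orphaned and keep scanning.
trap 'echo "Exited!"; exit 1' SIGINT SIGTERM

echo "Started SMB enumeration"
echo "Reading in hosts... (press Ctrl+D to skip or pass a file via \$1)"
if [ -f "$1" ]; then
  hosts=$(<"$1")
else
  hosts=$(cat)
fi

# Count non-blank lines; `wc -l` would report 1 for an empty list.
num_hosts=$(printf '%s\n' "$hosts" | grep -c .)
echo "$num_hosts hosts..."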
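#######################################
# Ask a single-keypress yes/no question.
# Arguments: $1 - question text
# Outputs:   the prompt, then the chosen letter, on stdout
# Returns:   1 for n/N; 0 for y/Y and for ANY other key or EOF — the
#            default answer is yes, so a stray keypress proceeds.
#######################################
confirm() {
  local message="$1"
  local choice
  printf '> %s (y/n) ' "$message"
  # -r keeps a typed backslash literal; -s stops the raw key echoing.
  read -r -s -n 1 choice
  case "$choice" in
    y|Y) echo "Y"; return 0 ;;
    n|N) echo "N"; return 1 ;;
    *)   return 0 ;;
  esac
}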
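#######################################
# Run a command once per line of a list, all in parallel, then wait.
# Arguments: $1 - command or function name to run
#            $2 - newline-separated items; each non-blank line becomes
#                 the single argument of one invocation
# Outputs:   whatever the spawned jobs print, then longwait's progress lines
#######################################
fastrun() {
  local runme="$1"
  local items="$2"
  local lpids=""
  local item
  # Feed the list through a here-string instead of `echo | while`: a
  # pipeline runs the loop in a subshell, which discards lpids and turns
  # the later wait into a no-op on an empty list.
  while IFS= read -r item; do
    [ -n "$item" ] || continue
    ("$runme" "$item") &
    lpids+="$! "
  done <<<"$items"
  # longwait takes the pid list as one string argument.
  longwait "$lpids"
}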
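#######################################
# Wait for each background pid and report its exit status.
# Arguments: pids, either as one whitespace-separated string or as
#            separate arguments (both call styles exist in this script)
# Outputs:   one progress line per pid on stdout
#######################################
longwait() {
  local waitpids="$*"
  local pid status
  # shellcheck disable=SC2086 — intentional word-split of the pid list
  for pid in $waitpids; do
    printf 'waiting for nmap process %s...' "$pid"
    wait "$pid"
    # Capture at once: testing `$?` inside `[ ]` would overwrite it with
    # the test's own status before the message is printed.
    status=$?
    if [ "$status" -eq 0 ]; then
      echo 'done.'
    else
      echo "(FAILED - Job $pid exited with a status of $status)"
    fi
  done
}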
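# read -p "Out directory (default: $default_outdir): " outdir || outdir=$default_outdir:
# Create the output directory on first run; quoted so a path with spaces
# does not split, -p so a concurrent or repeated run is harmless.
if [ ! -d "$outdir" ]; then
  mkdir -p -- "$outdir"
fi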
#######################################
# Run nmap's smb-os-discovery script against one host.
# Globals:   outdir (read)
# Arguments: $1 - target host
# Outputs:   nmap's normal output on stdout; grepable output in
#            $outdir/<host>.smb_discovery
# Returns:   nmap's exit status
#######################################
smb_discovery() {
  local target="$1"
  local grepable_out="$outdir/$target.smb_discovery"
  nmap -n --script smb-os-discovery.nse -p 137-139,U:445 "$target" -oG "$grepable_out"
}
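if [ -n "$all" ] || confirm "Do SMB discovery?"; then
  echo "SMB discovery started..."
  fastrun smb_discovery "$hosts" | tee "$outdir/smb_discovery"
  echo "Extracting windows hosts to $outdir/windows_hosts..."
  # Keep grepable lines mentioning Windows/Microsoft (-h drops the filename
  # prefix grep adds for multiple inputs), then take field 2 of
  # "Host: <ip> ..." into a sorted, de-duplicated host list. The second
  # case-insensitive grep of the original was redundant, and its input
  # path was hard-coded to smb.out instead of $outdir.
  grep -Eih "Windows|Microsoft" -- "$outdir"/*.smb_discovery > "$outdir/windows_results"
  cut -d ' ' -f 2 "$outdir/windows_results" | sort -uV > "$outdir/windows_hosts"
  echo "done."
fi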
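#######################################
# Run one NSE script against one host and keep a copy of the output.
# Globals:   outdir (read; must be exported when this function is run
#            from a child bash via `export -f`)
# Arguments: $1 - NSE script name
#            $2 - target host
# Outputs:   nmap output on stdout and in $outdir/<script>.<host>.exploit
# Returns:   nmap's exit status (not tee's)
#######################################
exploit_check() {
  local script="$1"
  local target="$2"
  nmap -n --script "$script" -p 137-139,U:445 "$target" | tee "$outdir/$script.$target.exploit"
  # Without pipefail `$?` is tee's status; report nmap's instead.
  return "${PIPESTATUS[0]}"
}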
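if [ -n "$all" ] || confirm "Check for windows exploits?"; then
  echo "Checking $outdir/windows_hosts for vulns with NSE..."
  # exploit_check runs inside `bash -c` children spawned by xargs; both the
  # function and outdir must be exported, otherwise the children see an
  # empty $outdir and try to write their copies under "/".
  export -f exploit_check
  export outdir
  # Select the SMB-related scripts from nmap's script directory, skipping
  # the brute-force and flood ones, without parsing `ls` output.
  for script_path in /usr/share/nmap/scripts/*smb*; do
    [ -e "$script_path" ] || continue
    script=${script_path##*/}
    case "$script" in
      *brute*|*flood*) continue ;;
    esac
    xargs -P 255 -n 1 bash -c 'exploit_check "$@"' _ "$script" < "$outdir/windows_hosts" | tee -a "$outdir/exploit_scan_results"
  done
  # Summarise: within each block of lines preceding a "vuln" hit, print the
  # host from the "Nmap scan report for <host>" line and the vuln lines.
  grep -v 'failed' "$outdir/exploit_scan_results" | grep -v 'ERROR' | grep -B 15 vuln | (
    while read -r string; do
      if [[ $string == *"scan report for"* ]]; then
        # Quoted so an unquoted echo cannot glob-expand a '*' in the line.
        printf '%s\n' "$string" | cut -d' ' -f 5
      fi
      if [[ $string == *"vuln"* ]]; then
        printf '%s\n' "$string"
      fi
    done
  ) | tee -a "$outdir/exploits"
  # Per-host copies are named <script>.<host>.exploit (see exploit_check).
  echo "done. Results in $outdir/exploits and $outdir/<script>.<host>.exploit"
fi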
#echo "Running (smbvulns.out/exploits)"
#echo "Checking for usable exploits... ($outdir/exploits)"
#echo
#cat smb.vulns.out | grep -v 'ERROR' | grep -v 'false' | grep vuln -B 15 | ( while read string; do if [[ == *"scan report for"* ]]; then echo | cut -d' ' -f 5; fi; if [[ == *"vuln"* ]]; then echo ; fi; done; ) 
#
#cat recon/smb.vulns.out | grep "^10" | xargs -n 1 enum4linux -a | tee enum.out
# Final barrier. Nothing in this script appends to glob_pids, so this is
# currently a no-op; it stays so a later step can register background pids.
longwait "$glob_pids"
printf 'Scan complete. Check %s for more information\n' "$outdir"
exit 0