nessuscmd Tip: Finding Open SMB File Shares

Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I've found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:

# ./nessuscmd -U -p139,445 -V -i 10396 192.168.1.0/24

The flags used in this command perform the following functions:

nessuscmd option   Description
-U                 Disable safe checks
-p139,445          Limit the scan to TCP ports 139 and 445
-V                 Force nessuscmd to print the full plugin output
-i 10396           Run only the named plugin (in this case plugin ID 10396, "SMB shares access")

Two points worth keeping in mind: -U lets plugins that can disrupt a service run, so restricting the scan to a single non-intrusive plugin on ports 139 and 445, as above, is what keeps the footprint small; and since no credentials are supplied, any share reported is one that was reachable without a valid account.

This will result in the following output:

+ Results found on 192.168.10.230 :
- Port netbios-ssn (139/tcp) is open
- Port microsoft-ds (445/tcp) is open
[!] Plugin ID 10396
|
| Synopsis :
|
| It is possible to access a network share.
|
| Description :
|
| The remote has one or many Windows shares that can be accessed
| through the network with the given credentials.
| Depending on the share rights, it may allow an attacker to
| read/write confidential data.
|
| Solution :
|
| To restrict access under Windows, open the explorer, do a right
| click on each shares, go to the 'sharing' tab, and click on
| 'permissions'.
|
| Risk factor :
|
| High / CVSS Base Score : 7.5
| (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
|
| Plugin output :
|
| The following shares can be accessed as nessus6804946061421403042121321621 :
|
| - backup  - (readable,writable)
|   + Content of this share :
| ..
| CreditApplication_Fax.pdf
| Payroll_2009.xls
| Invoice10001.doc

Note the account name in the plugin output: nessuscmd was given no credentials, so the "backup" share, and the payroll and credit application documents in it, were reachable under an arbitrary, unauthenticated username, and the share is writable as well as readable. This is a great script to run on a regular basis, or in an ad-hoc fashion, to keep tabs on which file shares are exposed in your environment and what information is available through them. Nessus ProfessionalFeed subscribers can also perform a sensitive data audit of files and documents located on Windows computers: Tenable offers multiple audit policies which scan files for credit card numbers, adult media, financial spreadsheets and much more.
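To make the recurring run above useful without reading the full -V dump by hand, here is a small POSIX shell wrapper, added as an example and not part of the original post or of Nessus itself. It parses nessuscmd -V output into one tab-separated line per share (host, share name, permissions, flag) and filters to the writable ones, which are the ones to fix first. The scan_smb_shares function wraps the exact command from the post; the SAMPLE text is constructed for an offline run and follows the output shape shown above, with a second host and a share name containing a space invented to exercise the parser.

```shell
#!/bin/sh
# Added example: summarize nessuscmd plugin 10396 output. Not Tenable code.

# Run the scan from the post against a target range and summarize it.
# Assumes nessuscmd is on PATH and you have the privileges it needs.
# Usage: scan_smb_shares 192.168.1.0/24
scan_smb_shares() {
    nessuscmd -U -p139,445 -V -i 10396 "$1" | summarize_shares
}

# Read nessuscmd -V output on stdin; print "host<TAB>share<TAB>perms<TAB>flag"
# for every share plugin 10396 reports. Share names may contain spaces, so the
# share line is split on the literal " - (" that precedes the permission list.
summarize_shares() {
    awk '
        # "+ Results found on 192.168.10.230 :" starts a new host block
        $1 == "+" && $2 == "Results" && $3 == "found" { host = $5; next }
        # "| - backup  - (readable,writable)" is a share line
        substr($0, 1, 4) == "| - " && index($0, " - (") > 0 {
            line  = substr($0, 5)                 # drop the "| - " prefix
            n     = index(line, " - (")
            name  = substr(line, 1, n - 1)
            sub(/ +$/, "", name)                  # trim padding after the name
            perms = substr(line, n + 4)           # text after " - ("
            sub(/\)[ \t]*$/, "", perms)           # drop the closing parenthesis
            flag  = (perms ~ /writable/) ? "WRITABLE" : "ok"
            printf "%s\t%s\t%s\t%s\n", host, name, perms, flag
        }
    '
}

# Keep only shares an anonymous caller can write to.
writable_shares() {
    summarize_shares | awk -F '\t' '$4 == "WRITABLE"'
}

# Constructed sample of nessuscmd -V output (shape taken from the post; the
# second host and the "Public Docs" share are invented for this example).
SAMPLE='+ Results found on 192.168.10.230 :
- Port netbios-ssn (139/tcp) is open
- Port microsoft-ds (445/tcp) is open
[!] Plugin ID 10396
|
| Plugin output :
|
| The following shares can be accessed as nessus123 :
|
| - backup  - (readable,writable)
|   + Content of this share :
| ..
| CreditApplication_Fax.pdf
| Payroll_2009.xls
|
| - Public Docs  - (readable)
|   + Content of this share :
| ..
| handbook.pdf
+ Results found on 192.168.10.231 :
- Port microsoft-ds (445/tcp) is open
[!] Plugin ID 10396
|
| Plugin output :
|
| The following shares can be accessed as nessus456 :
|
| - share$  - (writable)
'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_shares
```

In a cron job, pipe the scan through writable_shares and mail or ticket whatever comes out; diffing the summarize_shares output against the previous run shows new shares the moment they appear.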