The script FindUncommonShares.py is a Python equivalent of PowerView's Invoke-ShareFinder.ps1 allowing to quickly find uncommon shares in vast Windows Active Directory Domains.
- Only requires a low privileges domain user account.
- Automatically gets the list of all computers from the domain controller's LDAP.
- Ignore the hidden shares (ending with
$) with--ignore-hidden-shares. - Multithreaded connections to discover SMB shares.
- Export results in JSON with IP, name, comment, flags and UNC path with
--export-json <file.json>. - Export results in XLSX with IP, name, comment, flags and UNC path with
--export-xlsx <file.xlsx>. - Export results in SQLITE3 with IP, name, comment, flags and UNC path with
--export-sqlite <file.db>. - Iterate on LDAP result pages to get every computer of the domain, no matter the size.
-
List all shares where your current user has WRITE access:
./FindUncommonShares.py -au user -ap 'Podalirius123!' -ad DOMAIN --auth-dc-ip 192.168.1.71 --writable -
Export list of shares in the domain to an Excel file for the client:
./FindUncommonShares.py -au user -ap 'Podalirius123!' -ad DOMAIN --auth-dc-ip 192.168.1.71 --export-xlsx ./examples/results.xlsx -
List all shares with access rights for your current user:
./FindUncommonShares.py -au user -ap 'Podalirius123!' -ad DOMAIN --auth-dc-ip 192.168.1.71 --check-user-access
$ ./FindUncommonShares.py -h
FindUncommonShares v3.2 - by @podalirius_
usage: FindUncommonShares.py [-h] [-v] [-q] [--debug] [-no-colors] [-t THREADS] [-ns NAMESERVER] [-tf TARGETS_FILE] [-tt TARGET] [-tu TARGET_URL]
[-tU TARGETS_URLS_FILE] [-tp TARGET_PORTS] [-ad AUTH_DOMAIN] [-ai AUTH_DC_IP] [-au AUTH_USER] [--ldaps] [--no-ldap] [--subnets]
[-tl TARGET_LDAP_QUERY] [--no-pass | -ap AUTH_PASSWORD | -ah AUTH_HASHES | --aes-key hex key] [-k] [--kdcHost AUTH_KDCHOST]
[--check-user-access] [--readable] [--writable] [-iH] [-iP] [-i IGNORED_SHARES] [-s ACCEPTED_SHARES] [--export-xlsx EXPORT_XLSX]
[--export-json EXPORT_JSON] [--export-sqlite EXPORT_SQLITE]
Find uncommon SMB shares on remote machines.
options:
-h, --help show this help message and exit
-v, --verbose Verbose mode. (default: False).
-q, --quiet Show no information at all.
--debug Debug mode. (default: False).
-no-colors Disables colored output mode.
-t THREADS, --threads THREADS
Number of threads (default: 20).
-ns NAMESERVER, --nameserver NAMESERVER
IP of the DNS server to use, instead of the --dc-ip.
Targets:
-tf TARGETS_FILE, --targets-file TARGETS_FILE
Path to file containing a line by line list of targets.
-tt TARGET, --target TARGET
Target IP, FQDN or CIDR.
-tu TARGET_URL, --target-url TARGET_URL
Target URL to the tomcat manager.
-tU TARGETS_URLS_FILE, --targets-urls-file TARGETS_URLS_FILE
Path to file containing a line by line list of target URLs.
-tp TARGET_PORTS, --target-ports TARGET_PORTS
Target ports to scan top search for Apache Tomcat servers.
-ad AUTH_DOMAIN, --auth-domain AUTH_DOMAIN
Windows domain to authenticate to.
-ai AUTH_DC_IP, --auth-dc-ip AUTH_DC_IP
IP of the domain controller.
-au AUTH_USER, --auth-user AUTH_USER
Username of the domain account.
--ldaps Use LDAPS (default: False)
--no-ldap Do not perform LDAP queries.
--subnets Get all subnets from the domain and use them as targets (default: False)
-tl TARGET_LDAP_QUERY, --target-ldap-query TARGET_LDAP_QUERY
LDAP query to use to extract computers from the domain.
Credentials:
--no-pass Don't ask for password (useful for -k)
-ap AUTH_PASSWORD, --auth-password AUTH_PASSWORD
Password of the domain account.
-ah AUTH_HASHES, --auth-hashes AUTH_HASHES
LM:NT hashes to pass the hash for this user.
--aes-key hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot
be found, it will use the ones specified in the command line
--kdcHost AUTH_KDCHOST
IP of the domain controller.
Shares:
--check-user-access Check if current user can access the share.
--readable Only list shares that current user has READ access to.
--writable Only list shares that current user has WRITE access to.
-iH, --ignore-hidden-shares
Ignores hidden shares (shares ending with $)
-iP, --ignore-print-queues
Ignores print queues (shares of STYPE_PRINTQ)
-i IGNORED_SHARES, --ignore-share IGNORED_SHARES
Specify shares to ignore explicitly. (e.g., --ignore-share "C$" --ignore-share "Backup")
-s ACCEPTED_SHARES, --show-share ACCEPTED_SHARES
Specify shares to show explicitly. (e.g., --show-share "C$" --show-share "Backup")
Output files:
--export-xlsx EXPORT_XLSX
Output XLSX file to store the results in.
--export-json EXPORT_JSON
Output JSON file to store the results in.
--export-sqlite EXPORT_SQLITE
Output SQLITE3 file to store the results in.
Each JSON entry looks like this:
{
"computer": {
"fqdn": "TDC01.DOMAIN.local",
"ip": "192.168.1.71"
},
"share": {
"name": "IPC$",
"comment": "Remote IPC",
"hidden": true,
"uncpath": "\\\\192.168.1.71\\IPC$\\",
"type": {
"stype_value": 2147483651,
"stype_flags": [
"STYPE_IPC",
"STYPE_TEMPORARY"
]
},
"access_rights": {
"readable": true,
"writable": false
}
}
}- Feature suggested in impacket issue #1176 by @CaledoniaProject
