Enumerating/Listing Shares on Amazon FSX shares does not work?

[Script-Nomad]

Configuration

impacket version: 0.11.0.dev Python version: 3.12.4 Target OS: Amazon FSX Share (not sure)

So this is a bit of a weird one. I'm working on simulating a ransomware attack on a clients' FSX share by accessing the FSX via impacket's SMBConnection class and adding my own functionality to it.

The SMBConnection class has a self.listShares() function that yields a nmbSharesEnum response containing share information.

The problem is that when I try this on an Amazon FSX, it doesn't list all of the shares, and I'm not sure why. This seems to likely be due to an underlying bug in the dcev5 structs for Impacket, which may not account for an edge-case for identifying shares on an Amazon FSX.

I'm certain the permissions I'm using to authenticate to the shares is good, and I can see the shares listed in Windows Explorer when I access them via smb:\mytarget.example.com\, but I do not see them listed with the SMBConnection.listShares() method.

Note: I tested this against a Linux Samba server and a windows SMB share, and both worked fine. No problems listing all my shares.

Any ideas?

Here is the relevant code that I used to overload SMBConnection and try this out. The plan is to submit this code to a PR request for Impacket to make it trivial to do SMB Share scanning on a network, if that gives you guys any incentive to check this out.

Thanks.

#!/usr/bin/env python3

import logging
import os
import stat

from getpass import getpass

import smbclient

from impacket import version as impacket_version
from impacket.smbconnection import SMBConnection
from impacket.dcerpc.v5 import samr, transport, srvs
from impacket.dcerpc.v5.dtypes import NULL
from impacket.examples import utils
from impacket.examples import smbclient as imp_smbclient

log = logging.Logger("fsxecutioner")

# Create a file handler
file_handler = logging.FileHandler("fsxecutioner.log")
stream_handler = logging.StreamHandler(sys.stdout)
log.addHandler(stream_handler)

# Create a formatter and add it to the handler
formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
file_handler.setFormatter(formatter)

# Add the handler to the logger
log.addHandler(file_handler)

# Set the log level
log.setLevel(logging.INFO)

class SMBConnection(SMBConnection):
    def __init__(self, remote_name, target_ip, port=445):
        self._shares = []
        super().__init__(remote_name, target_ip, sess_port=port)

    def print_shares(self):
        log.info("Shares:\n")
        for s in self.listShares():
            log.info("[+] " + s["shi1_netname"][:-1])
            if log.level == logging.DEBUG:
                print(type(s))
                attrs = vars(s)
                print(', '.join("%s: %s" % item for item in attrs.items()))

    def scan_shares(self):
        """enumerates all shares on the server and adds them to the shares list"""
        log.debug(f"[.] Listing Shares on {self.getRemoteName()}")
        shares = self.listShares()

        for share in shares:
            share_name = share["shi1_netname"][:-1]
            share_path = os.path.join(self.getRemoteName(), share_name)
            log.debug(f"[.] Share: {share_name} -> {share_path}")

            try:
                self.add_share(
                    SMBShare(share_name, share_path, connection=self, recurse=False)
                )

            except Exception as e:
                log.error(f"Error adding share: {share_name} -> {share_path}")
                log.debug(f"{e}")

[Script-Nomad]

I went and repeated the process of connecting to the share via smbclient.py and got the same result. Interestingly enough, if I explicitly attach to a valid share, I can connect to it and parse it just fine.

Something within the def SMBConnection.listShare() method simply isn't finding and listing all of the shares available.

Seems like a legitimate bug, but it only appears to affect Amazon FSX shares. Don't know what's unique about them but this is a brain teaser. 😂