punk-security / smbeagle

SMBeagle - Fileshare auditing tool.
Apache License 2.0

Files in the root of the shared folder are not being included in scans #54

Closed rgorme closed 2 years ago

rgorme commented 2 years ago

Hi,

I've come across the following, that I think is a bug. If I create a share on a Windows server (tested on 2019 and 2022) and place a file in the root of the folder being shared, it is not included in a scan. Tried with both visible and hidden shares, no difference in the results.

A folder in the root of the shared folder is being included in the scan as a child directory.

/Rasmus

SimonGurney commented 2 years ago

Thanks for raising @rgorme, let me see if I can locally reproduce

rgorme commented 2 years ago

Oh - I forgot to mention that the share is not included in the scan when a file only exists in the root of the shared folder

SimonGurney commented 2 years ago

Hi,

I've tried to reproduce this but can't. I have created a share with only one file in it, and no subfolders, and the file is detected fine and stored in the CSV.

SHARE> ---> FILE.txt

Could it be the permissions on the file are preventing SMBeagle from seeing it?

SimonGurney commented 2 years ago

Could you capture the output with the -v flag?

       / __ \__  ______  / /__/ ___/___  _______  _______(_) /___  __
      / /_/ / / / / __ \/ //_/\__ \/ _ \/ ___/ / / / ___/ / __/ / / /
     / ____/ /_/ / / / / ,<  ___/ /  __/ /__/ /_/ / /  / / /_/ /_/ /
    /_/    \__,_/_/ /_/_/|_|/____/\___/\___/\__,_/_/  /_/\__/\__, /
                                           PRESENTS         /____/

                         -- SMBeagle v2.1.0 --

1. Skipping network discovery due to -D switch...
2. Skipping filtering as network discovery disabled...
3. Processing manual networks and addresses...
  added network '192.168.8.0/24'
4. Probing hosts and scanning networks for SMB port 445...
  scanning is complete and we have 2 hosts with reachable SMB services
    reachable hosts:
      192.168.8.9
      192.168.8.10
5. Probing SMB services for accessible shares...
  probing is complete and we have 1 hosts with accessible shares
    reachabled hosts with accessible SMB shares:
      192.168.8.9
    accessible SMB shares:
      \\192.168.8.9\admin$\
      \\192.168.8.9\c$\
      \\192.168.8.9\test\
6. Enumerating accessible shares, this can be slow...
6a. Enumerating all subdirectories for known paths
  Enumerating all subdirectories for '\\192.168.8.9\admin$\'
  Enumerating all subdirectories for '\\192.168.8.9\c$\'
  Enumerating all subdirectories for '\\192.168.8.9\test\'
6b. Splitting large directories to optimise caching and to batch output
6c. Enumerating files in directories
Found 0 child directories and 0 files in '\\192.168.8.9\admin$\'
Found 0 child directories and 0 files in '\\192.168.8.9\c$\'
Found 0 child directories and 1 files in '\\192.168.8.9\test\'
  file enumeration complete, 1 files identified
7. Completing the writes to CSV or elasticsearch (or both)
 -- AUDIT COMPLETE --

rgorme commented 2 years ago

Output from a run with the following command line is shown below.

.\SMBeagle.exe -c C:\Temp\SMBeagle\shares.csv -D -h 10.x.x.x -verbose; Import-Csv -Path "C:\Temp\SMBeagle\shares.csv" -Delimiter ","

The content of the folder shared as both the Testing and Testing$ shares is a plain text file called test.txt. As the same user running the command, I can read and edit the file using both shares.

    ____              __   _____                      _ __
   / __ \__  ______  / /__/ ___/___  _______  _______(_) /___  __
  / /_/ / / / / __ \/ //_/\__ \/ _ \/ ___/ / / / ___/ / __/ / / /
 / ____/ /_/ / / / / ,<  ___/ /  __/ /__/ /_/ / /  / / /_/ /_/ /
/_/    \__,_/_/ /_/_/|_|/____/\___/\___/\__,_/_/  /_/\__/\__, /
                                       PRESENTS         /____/

                     -- SMBeagle v2.1.0 --
1. Skipping network discovery due to -D switch...
2. Skipping filtering as network discovery disabled...
3. Processing manual networks and addresses...
  added host '10.x.x.x'
4. Probing hosts and scanning networks for SMB port 445...
  scanning is complete and we have 1 hosts with reachable SMB services
    reachable hosts:
      10.x.x.x
5. Probing SMB services for accessible shares...
  probing is complete and we have 1 hosts with accessible shares
    reachabled hosts with accessible SMB shares:
      10.x.x.x
    accessible SMB shares:
      \10.x.x.x\admin$\
      \10.x.x.x\c$\
      \10.x.x.x\h$\
      \10.x.x.x\ipc$\
      \10.x.x.x\testing\
      \10.x.x.x\testing$\
6. Enumerating accessible shares, this can be slow...
6a. Enumerating all subdirectories for known paths
  Enumerating all subdirectories for '\10.x.x.x\admin$\'
  Enumerating all subdirectories for '\10.x.x.x\c$\'
  Enumerating all subdirectories for '\10.x.x.x\h$\'
  Enumerating all subdirectories for '\10.x.x.x\ipc$\'
  Enumerating all subdirectories for '\10.x.x.x\testing\'
  Enumerating all subdirectories for '\10.x.x.x\testing$\'
6b. Splitting large directories to optimise caching and to batch output
6c. Enumerating files in directories
Found 0 child directories and 0 files in '\10.x.x.x\admin$\'
Found 0 child directories and 0 files in '\10.x.x.x\c$\'
Found 0 child directories and 0 files in '\10.x.x.x\h$\'
Found 0 child directories and 0 files in '\10.x.x.x\ipc$\'
Found 0 child directories and 0 files in '\10.x.x.x\testing\'
Found 0 child directories and 0 files in '\10.x.x.x\testing$\'
  file enumeration complete, 0 files identified
7. Completing the writes to CSV or elasticsearch (or both)
 -- AUDIT COMPLETE --

SimonGurney commented 2 years ago

Thanks for the output. I'm still trying to reproduce here.

Could you try providing the username and password with -u and -p (and -d for domain if you need it)? This switches to a different module for SMB enumeration.

I'll try and reproduce what you are seeing with the Windows native SMB support you are using.

SimonGurney commented 2 years ago

Okay, I've reproduced this now and will dig into it. It does look to only apply on the Windows native scans, so providing a -u and -p should help for now :)

rgorme commented 2 years ago

Great :-) I will give it a try using -u and -p.

SimonGurney commented 2 years ago

Hi, this should now be fixed in the latest release.

Can you test? No -u/-p needed.

https://github.com/punk-security/SMBeagle/releases/tag/2.2.1

SimonGurney commented 2 years ago

Hey @rgorme, can we close this out?

rgorme commented 2 years ago

Hi,

I'm only able to test on Friday this week. I will get back to you.

Rasmus

rgorme commented 2 years ago

Hi @SimonGurney,

I've just tested and it works perfectly! Thx a lot :-)

Rasmus
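
A coverage check for the failure mode reported in this thread, where a share is listed as accessible yet nothing under it is enumerated, so an audit silently under-reports. This is an added example, not code from the thread or from SMBeagle; the function names, the sample log and the default ignore list are assumptions, and it only catches shares with zero entries overall.

```python
import re

# Line formats are those of the SMBeagle v2.1.0 verbose output quoted in the thread.
FOUND_RE = re.compile(r"Found (\d+) child directories and (\d+) files in '([^']+)'")
SHARES_HEADER = "accessible SMB shares:"

# Constructed sample log (documentation address, made-up share names).
SAMPLE = r"""
5. Probing SMB services for accessible shares...
    reachabled hosts with accessible SMB shares:
      192.0.2.10
    accessible SMB shares:
      \\192.0.2.10\c$\
      \\192.0.2.10\finance\
      \\192.0.2.10\testing\
6c. Enumerating files in directories
Found 0 child directories and 0 files in '\\192.0.2.10\c$\'
Found 2 child directories and 5 files in '\\192.0.2.10\finance\'
Found 0 child directories and 0 files in '\\192.0.2.10\testing\'
"""

def accessible_shares(log):
    """Share roots listed, one per line, under the 'accessible SMB shares:' header."""
    shares, in_list = [], False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped == SHARES_HEADER:
            in_list = True
        elif in_list and stripped.startswith("\\"):
            shares.append(stripped)
        elif in_list:
            break  # first non-path line ends the list
    return shares

def suspicious_shares(log, ignore=("admin$", "c$")):
    """Accessible shares with no directory or file enumerated anywhere below them.

    The default ignore list is an assumption: these administrative shares also
    report 0/0 in the working run quoted in the thread.
    """
    totals = {p.lower(): int(d) + int(f) for d, f, p in FOUND_RE.findall(log)}
    flagged = []
    for share in accessible_shares(log):
        name = share.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if name in ignore:
            continue
        if sum(n for p, n in totals.items() if p.startswith(share.lower())) == 0:
            flagged.append(share)  # verify by hand: truly empty, ACLs, or a scan gap
    return flagged

if __name__ == "__main__":
    print(suspicious_shares(SAMPLE))
```

A flagged share is a prompt to browse it manually or rerun with -u and -p, not proof of a bug, since an empty share or restrictive permissions produce the same counts.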