Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unexplained behavior #1

Open
init5-SF opened this issue Jan 21, 2025 · 4 comments
Open

Unexplained behavior #1

init5-SF opened this issue Jan 21, 2025 · 4 comments
Assignees
@dcollaoa

Comments

@init5-SF
Copy link

hey, thanks for the great tool.

I tested the tool in my home lab, worked great.
tested it again on HTB Academy and it acted different, check the below output:

smbmap and netexec are showing normal results, smbspider for some reason can't find readable shares.
Not sure if that means anything, but I am pivoting to 172.16.5.5 through Ligolo tunnel (which should be transparent to all tools)

python smbspider.py --ip 172.16.5.5 --username 'htb-student' --domain INLANEFREIGHT.LOCAL --password 'Academy_student_AD!' --tree-interactive                                        1 ⨯


   ▄▄▄▄▄   █▀▄▀█ ███      ▄▄▄▄▄   █ ▄▄  ▄█ ██▄   ▄███▄   █▄▄▄▄ 
  █     ▀▄ █ █ █ █  █    █     ▀▄ █   █ ██ █  █  █▀   ▀  █  ▄▀ 
▄  ▀▀▀▀▄   █ ▄ █ █ ▀ ▄ ▄  ▀▀▀▀▄   █▀▀▀  ██ █   █ ██▄▄    █▀▀▌  
 ▀▄▄▄▄▀    █   █ █  ▄▀  ▀▄▄▄▄▀    █     ▐█ █  █  █▄   ▄▀ █  █  
              █  ███               █     ▐ ███▀  ▀███▀     █   
             ▀                      ▀                     ▀   v1.3 | @3ky_sec 

Connecting to SMB server...
Connected successfully on attempt 1.
Connected successfully.
No share specified. Enumerating accessible shares...
No accessible shares found with read permissions.
Closing SMB connection.
Closed local SQLite database connection.
Summary saved to download_summary.json.
                                                                                                                                                                                             
┌──(root ⚡️kali)-[/opt/smbspider]
└─# smbmap -H 172.16.5.5 -u htb-student -p 'Academy_student_AD!'                                                                                                                         1 ⨯

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - [email protected]
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 172.16.5.5:445	Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	Department Shares                                 	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	SYSVOL                                            	READ ONLY	Logon server share 
	User Shares                                       	READ ONLY	
	ZZZ_archive                                       	READ ONLY	
[*] Closed 1 connections 

┌──(root ⚡️kali)-[/opt/smbspider]
└─# netexec smb 172.16.5.5 -u htb-student -p 'Academy_student_AD!' --shares                                                                                                              1 ⨯
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\htb-student:Academy_student_AD! 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Enumerated shares
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Share           Permissions     Remark
SMB         172.16.5.5      445    ACADEMY-EA-DC01  -----           -----------     ------
SMB         172.16.5.5      445    ACADEMY-EA-DC01  ADMIN$                          Remote Admin
SMB         172.16.5.5      445    ACADEMY-EA-DC01  C$                              Default share
SMB         172.16.5.5      445    ACADEMY-EA-DC01  Department Shares READ            
SMB         172.16.5.5      445    ACADEMY-EA-DC01  IPC$            READ            Remote IPC
SMB         172.16.5.5      445    ACADEMY-EA-DC01  NETLOGON        READ            Logon server share 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  SYSVOL          READ            Logon server share 
SMB         172.16.5.5      445    ACADEMY-EA-DC01  User Shares     READ            
SMB         172.16.5.5      445    ACADEMY-EA-DC01  ZZZ_archive     READ
@dcollaoa dcollaoa self-assigned this Jan 21, 2025
@dcollaoa
Copy link
Owner

Hey there! The issue stems from how the tool determines “read permissions” for each share. Right now, it tries listPath(share_name, "/") on the share root and, if that fails (e.g. “Access Denied”), it assumes no read access at all. However, some shares block listing their root folder yet still allow reading subfolders. So we end up marking a share as “not readable” even though you can actually read inside certain directories.

By adding a fallback to listPath(share_name, "") or handling the “Access Denied” error more gracefully, the tool won’t prematurely conclude there’s no read access just because the root listing fails.

I would like to test this closely, can you contact me on Discord?

@dcollaoa
Copy link
Owner

Hey again! I released v1.4 fixing the way how the tool determines "read permissiones", so if you can try it again it will be helpful for me. Thanks again :)

@init5-SF
Copy link
Author

Hello, thanks for the quick update!
I did a git pull and used the latest version, unfortunately I'm still getting the same error.
Give me your discord alias, I can contact you there if you want to perform more testing.

Image

@dcollaoa
Copy link
Owner

Oh! my discord is on the ASCII_ART (@3ky_sec). Add me and we can take a look together, thanks for the feedback again!

@dcollaoa dcollaoa reopened this Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dcollaoa dcollaoa

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@init5-SF @dcollaoa