
Hello everybody, thank you for coming to listen to me. I'm going to present an open source tool that my little company, Punk Security, has made, called SMBeagle, and I'm going to talk you through what it is, how it works, and hopefully give you a live demo. So, hang on a second, let's see if this clicker is working. No, it's not. Brilliant. All right, there we go.

So what are we going to cover? We're going to cover off what the problem was that we identified, what our approach was, how SMBeagle works, give you a little demo, and then show you what we're thinking of doing in the future with it as well, because we built this to be a community tool and we've already had some feedback from the community. So anything that you see that you don't like, or you think could be enhanced, let us know and we'll add it to our backlog and get it fixed.

So who am I? My name's Daniel Oates-Lee, I'm a co-founder at Punk Security. I've been in IT for over 25 years, specializing in cyber security for the last 15. I put Terraformer down there because I work in the DevOps and the DevSecOps space, so I like automating as much as possible with cyber security. I'm a very big believer in Terraform, I love writing stuff in Terraform and Ansible and automating systems, so that's the reason why I put that down. The other co-director is Simon Gurney. He's probably one of the master brains behind SMBeagle, which is why I put his slide up today. He can't be with us today, but he is an absolute geek, and if you want to reach out to either of us afterwards and give us your feedback about what you think about SMBeagle, then that would be awesome. Thanks.

So what was the problem that we identified? Well, during the pandemic we had a lot of clients that were hit with ransomware attacks, and we were trying to identify why people were getting hit with ransomware when we've got so much protection out there already. So we started writing a list of things which I'm pretty sure everybody will be quite familiar with. One of the main reasons that we found that people were getting hit with ransomware is because of undocumented IT services and technical debt: network file shares that they weren't aware of, or shadow IT systems that had been stood up. Their backup systems were failing because nobody had tested that the restores were working. They'd got poor network segmentation, so when they were getting hit with ransomware it was propagating across the networks. Phishing attacks were also a primary reason, and endpoint security on either the servers or the users' devices was extremely poor. There were a couple of instances where we'd seen ransomware running in front of some very large AV vendors, and when we went to go and test their configuration we actually managed to run Metasploit in front of Trend Micro because they'd tuned it down that much; they'd effectively made it useless.

So what was our approach? Well, we had a quick think about this and we thought, well, we can definitely help out with undocumented IT systems, because what we thought was we would build a system to help IT companies understand where their SMB services were, where the files are being stored, what permissions users have. So that would help with IT services and technical debt. It would also help identify their poor backup facilities, because we're going to be identifying where the company's data is, how it's being stored, who's accessing it, and give the ability for the IT teams to be able to test actually restoring some of the stuff. We ruled out the next two because, let's be fair, SMB scanning is not going to help with either of those, but it would help identify if users were overly permissive.

Now I'm going to cover off, because this isn't just a blue team tool any longer, it's now also a red team's tool, and I'll cover that off in a minute. The reason why I say it's going to be a red team's tool: we also were looking at how we would be able to affect some of the server configurations, and if we were identifying open file shares that were using the Everyone group, or the NTFS permissions weren't set correctly and they weren't thinking about these kinds of things, it was going to help enhance being able to reduce that ability for ransomware to just run right across the company's networks. So I'm going to quickly cover off why I think this is also a red teamer's tool, because not only for the blue team, yes, it's identifying where your SMB shares are, but for the red teams, and they've used this extensively (I've got a member in the crowd already who's used it on a red team exercise), it gives the red team the ability to find those IT shares and be able to quickly see where the PowerShell scripts are, where the INI files are, if there's any hidden IT shares that we can go and drop a piece of malicious software into, or how many IT people put passwords in configuration files. So we'll quickly be able to identify where those are.

So how does SMBeagle work? It's important to state this at the beginning: SMBeagle is run by a low privileged user on an endpoint. There are no admin permissions, there is no elevation. We've also put a lot of effort into making sure that SMBeagle has been digitally signed, because we don't want a security tool being run on an endpoint that's triggering things like Microsoft SmartScreen. So when you download it and you run it, it's digitally signed and it's all been authenticated. We've got a proper pipeline, so you can go in and have a look and see what it looks like. But it runs as a low privileged user on their endpoint. So you pick a user out in the company, you run SMBeagle on their machine. In this instance I've got it running on a client connected on a VPN, but it could also be on the LAN.

What it'll do is, first of all, it will have a look at the current network connections that that user is currently using: where the domain controllers are, whether they're connected to an application server, what subnets they're connected to, those kinds of information. It'll also have a look at the local interfaces and see if you're on a VPN, if you're attached to two networks at the same time, and it will start generating this list of subnets that it can go off and scan. You can also specify (we need to change this slide, because we don't use "whitelist" and "blacklist" anymore, so we'll change that to allow and block list for the next presentation), so you can also specify networks that you want to include and networks that you don't want to include, and what that'll do is it'll give SMBeagle all the subnets to go off and have a little look at.

What it'll then do is it'll test connectivity to each of those IP addresses inside those network subnets, and it will specifically look on Microsoft-DS, TCP port 445, for any open SMB shares. If it finds it, it will then add that IP address to a list of IPs to actually go and scan for SMB shares once it's finished scanning everything. So it's almost like it's doing a very quick nmap of those network ranges that you've just identified. It will then connect to every single one of those IP addresses and it will have a look and see if there's any SMB shares on there. It will pull back hidden shares and open shares as well. It will then connect to every single one of those shares as that low privileged user, and it will then record all the files and folders, it will record whether the user can read, write or delete, and it will pull back things like creation and last modified time as well. Now that information is important, because we're going to use that for some of the red teaming stuff later on. It will then do that for every single SMB share that it can find, and it will then output that either directly into Elastic (and we built a nice Kibana dashboard to be able to visualize that) or it'll dump it into a CSV file, so then you can go pivoting around it.

Now that's quite handy for the blue team, to understand, if you're a user that's in finance, why are you able to access something in HR? But it's also really helpful for a red team who's run it as a low privileged user, to find those hidden IT file shares and then to go and look directly at the installs, the VBS scripts, the INI files, PS1 files, any Python files, Terraform scripts, stuff like that.

So we've also got SMBeagle running on Windows. It's also been ported onto Linux, so you can run it from Kali Linux if you really wanted to. We've also put it onto an ARM platform as well, so you can run this on a Raspberry Pi or any kind of ARM system that you want, and we've also ported it into a Docker image. So if you didn't want to have the executable on your actual machine or somewhere else, then you could just pull it down as a Docker image and just run it natively.

So hopefully I'm going to run a little demo now. This demo has been built up in Azure. We're going to connect in using this Windows 11 box here, and we're going to see that there's a domain controller here inside this auth subnet (I think these subnets have actually been reversed), but we're going to see that there's a domain controller there, it's running some corporate file shares, and then we're going to connect to this Linux server over here which is running a WordPress site, and hopefully we're going to find the hidden IT share.

So, demo time. We've connected in as a low privileged user, and this user is Bob Smith. If we have a quick look, we can see that he's got the usual things that you would have inside a normal corporate network: you've got a user's profile area, you've got a couple of IT shares, different department directories, and we're connected to the WordPress site. If we go and have a quick look in the command line, we should see that we're not connected to any other kind of network connections or anything like that. So let's go into Downloads. SMBeagle can be downloaded from GitHub in a zip format, and when you extract it you get SMBeagle and then the relevant path, and SMBeagle. I'm just going to run through some of these switches. Obviously we've got the top little ASCII art there for ourselves. As you come down, you've got a couple of easy, quick examples here of how to use SMBeagle. You've got the first one here which is showing how to be able to output the format in a CSV file, then you quickly output it in Elastic, and you can also do it in Elastic and CSV if you wanted to (we'll probably do that today), and it's got some other ones as well. So we've built quite a bit of functionality into this, and we've got some more enhancements on the way.

So the first, the most important ones in my view, are -c and -e, which are the CSV and the Elastic, but also the capital -L, because if you don't run that it will run an enumeration against itself, against the machine that you're actually on, to see if you've got any network file shares. You may well want to do that, because which user doesn't create network file shares to share their music with their friends in the same departments? I don't know many that would do that. But we've also got this -E here, so if you want to exclude hidden network shares like C$, ADMIN$, D$, those kinds of things, you might not want to enumerate all of those hidden file shares, especially if you're running it as a low privileged user; there's no need. You might want to do that as a privileged user. Then you've also got -d, -u and -p, which are for the domain credentials; that's primarily for the Linux user. SMBeagle was written in .NET Core so we can port it between any of the different platforms, which is the reason why we've got it running across multiple different platforms.

So if I just clear that screen, we'll just have a quick look at SMBeagle working. So I'm just going to create a quick output.csv. We'll also port this to the corporate Elastic stack as well, which is running on app1. We're going to exclude the local shares, and we're also going to exclude the hidden network shares, because I want to run this... Yes? Yeah, by all means, sorry, my apologies. Font, is that better? Yeah, a bit more. No, that's fine. Oh, I think that's gone a little bit too big, hasn't it? Is that perfect? Actually, all right, fair enough, I'll leave it at that then, no problem. So we'll get this to run and then we'll go back through. What we'll do is we'll start... there you go, it's now completed running the network scans.

But if we have a quick look at this, it's outputting the information initially of all of the different subnets that it can actually see, and also some private IP address information. It's then gone through and it's discovered these are the network ranges that we want to scan, so if we have a look up here we can see it's going to scan these /24 networks. It's then done a network probe and it's found that two hosts on these networks have actually got SMB running on them, and these are the two here. So that 172... 1.4 here, that's the domain controller, and this .0.4, we weren't currently connected to that one, so we'll take a quick look at it. It's then identified all of the SMB shares that are currently running on there. So underneath .0.4 we can see we've got a software share and we've got a terraform share, so that might be quite interesting for the red teams to go and have a look at, and for the blue team, why a normal standard user's got access to that. We can also see, running on the domain controller, we can see SYSVOL, NETLOGON, we can see the departments' company file share and the users' file share area. SMBeagle's then gone through and enumerated all of those files and then outputted the information for us.

I've had a few people from the community telling me that they've run this on quite large networks and they've left it running for three or four days and there hasn't been any issues. So if you think, oh well, my company's network's too big, I'm not going to be able to run this: yeah, you will absolutely be able to run it, just leave it running for a couple of days.

So if we have a quick look inside the CSV file to start with. For the people in the back, I do apologize, I'll just get this zoomed in a little bit. So what it's doing first of all is it's grabbing the name of the file, then the host that it's identified that file on, the file extension, the user that was able to access it, the hostname that it was accessed from, the UNC, creation time, last time, read, write, delete, directory, base directory, type and then the base itself. The reason that we put the username and the hostname in there is so then you can run this as multiple different users from different points of the network to see whether there's anything new that can be found. I mean, it's really useful, the CSV, but where it comes into its own is when we get it into Elastic.

So if we just change that to anywhere in the last year, we can see that we've got the same information here as we did. It's not very easy to read; see if I can try and collapse that. Yep, brilliant. Anybody know how to use Elastic? If only we had Elastic in today. So we can see a couple of things down here that are relatively interesting. We can see the base UNC, we can see that it was an SMB file share that was found, we can see the file directories and what have you, and the user: the same information, basically, as in the CSV spreadsheet. What we've also done is we've also got it to create indices on a daily basis, so then you can run this over a period of time. So you might want to run it every quarter; you could run it every quarter and see whether there's any new directories that have been created over a period of time. You can carve the data however you see fit, but for our instance what we've done is we've built you a nice, simple little dashboard which basically just tells you how many unique UNCs were identified, where these file shares were, all the different file types and what have you. And then as a red teamer what we could do is we could say, right, well, we're interested in having a look at these VBS files, and we can go straight down here and we can see where those VBS files are. So then as a pen tester you could go and have a read through them, see what they're doing, see if there's any passwords in there, if there's any sensitive information that'll help you enumerate other parts of the network.

However, we might also want to say, let's have a look at... so you can also drill into these individual network shares themselves. So we can see that there's a company's network share there, there's also a terraform one here, so I don't know, maybe somebody's made a mistake and left something in the Minecraft Terraform script that they've got written there. Yeah, so basically it's just a nice, easy way of being able to show what's going on across the network and whether the user can read, write or delete. So one of the questions might be, as a blue team, why has a standard user got read, write and delete permissions to the terraform directory? So that's SMBeagle in a nutshell. I'm just going to skip over those because we've already covered those.

So what are the things that we're currently doing at the moment? We've got a large list of things that are currently up on our GitHub, and one of those things that we want to try and enhance is the ability for red teams to be able to identify certain file types, so then they can scan through those text files and use a regex so they can pull out things like passwords automatically rather than having to go and read them themselves. Maybe we might put that into a separate thread. Another thing we've also been asked is to extract the full NTFS permissions, so then we might be able to link in somehow to BloodHound: so you might identify that there's a certain group, and if you're a member of that group, well, what file shares do you get access to using that group? We've also been asked to import things like the local DNS cache as well as the netstat stuff, because you may well have connected to a DNS service that you might not be connected to anymore, and that will give us a wider range of things. But again, it's really down to the community to figure out what you guys want us to be able to develop for you.

Yeah, so it's still to be continued, and I'm really sorry, but I seem to have shortchanged everybody. I've been a little nervous this morning, since it's the first time I've spoken in about six months, and I've rattled through that a little bit quicker. But I'm happy to take any questions that anybody has.

[Audience question, inaudible] Yep, no, it will work with anonymous users as well, so you don't need to provide any credentials, and then you can identify any open file shares that are open to everyone. So the question was, does it work without any credentials? Yes, it would absolutely work without any credentials.

[Audience question, inaudible] Yep, not currently, but that is a very good point, that's something that I will get added on. So the question was, will it work if you were to provide SMBeagle with a file hash, right, NTLM? Yeah, NTLM rather than an actual username and password. Hadn't thought of that, but yes, it most certainly should be.
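The talk describes the CSV that SMBeagle writes (file name, host, extension, user, source hostname, UNC, creation and last-modified time, read/write/delete flags, directory, base directory, type, base) and the blue-team questions it should answer: why can a finance user reach an HR directory, and why does a standard user have write and delete rights on a terraform share. The script below is an added example, written for this page and not part of SMBeagle or Punk Security's code, that triages a CSV of that shape. The column names, the sample rows and the hosts (192.0.2.0/24 documentation range) are all constructed assumptions modelled on the fields listed in the talk; SMBeagle's real header may differ, so adjust the names to match an actual export.

```python
"""Triage a CSV in the shape the talk describes, from a blue-team stance:
which scripts and config files can a standard user modify, how permissive
is each share, which writable files are stale, and which department
directories the user can reach outside their own.

Added example, not SMBeagle's own code. Column names and rows are
constructed assumptions based on the fields listed in the talk."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Backslashes are doubled for Python, so each
# UNC reads as \\host\share\path once parsed. Hosts use 192.0.2.0/24.
SAMPLE_CSV = """\
name,host,extension,username,hostname,unc,creationtime,lastmodified,readable,writeable,deletable,directory,basedirectory,type,base
deploy.ps1,192.0.2.4,ps1,bob.smith,WIN11-BOB,\\\\192.0.2.4\\software\\scripts\\deploy.ps1,2021-03-01T10:00:00,2021-03-02T09:30:00,True,True,True,scripts,software,file,\\\\192.0.2.4\\software
main.tf,192.0.2.4,tf,bob.smith,WIN11-BOB,\\\\192.0.2.4\\terraform\\main.tf,2021-04-10T08:00:00,2021-04-11T08:00:00,True,True,False,.,terraform,file,\\\\192.0.2.4\\terraform
settings.ini,192.0.2.4,ini,bob.smith,WIN11-BOB,\\\\192.0.2.4\\software\\app\\settings.ini,2020-01-15T12:00:00,2020-01-15T12:00:00,True,False,False,app,software,file,\\\\192.0.2.4\\software
budget.xlsx,192.0.2.10,xlsx,bob.smith,WIN11-BOB,\\\\192.0.2.10\\departments\\finance\\budget.xlsx,2021-05-01T09:00:00,2021-05-02T09:00:00,True,True,True,finance,departments,file,\\\\192.0.2.10\\departments
logon.vbs,192.0.2.10,vbs,bob.smith,WIN11-BOB,\\\\192.0.2.10\\NETLOGON\\logon.vbs,2019-06-01T09:00:00,2019-06-01T09:00:00,True,False,False,.,NETLOGON,file,\\\\192.0.2.10\\NETLOGON
"""

# Extensions the talk calls out as interesting (scripts and configuration).
RISKY_EXTENSIONS = {"ps1", "vbs", "bat", "cmd", "ini", "tf", "py", "config"}


def parse_rows(text):
    """Parse the CSV into dicts, turning the permission flags into booleans."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for flag in ("readable", "writeable", "deletable"):
            row[flag] = row[flag].strip().lower() == "true"
    return rows


def risky_writes(rows, extensions=RISKY_EXTENSIONS):
    """Scripts/config files the scanning user can modify or delete.
    A writable logon or deploy script on a share is the kind of finding
    the talk says a blue team should question first."""
    return [r for r in rows
            if (r["writeable"] or r["deletable"])
            and r["extension"].lower() in extensions]


def share_summary(rows):
    """Per-share (base UNC) counts: files seen, writable, deletable."""
    summary = defaultdict(lambda: {"files": 0, "writeable": 0, "deletable": 0})
    for r in rows:
        s = summary[r["base"]]
        s["files"] += 1
        s["writeable"] += int(r["writeable"])
        s["deletable"] += int(r["deletable"])
    return dict(summary)


def stale_writable(rows, as_of, max_age_days=365):
    """UNCs of writable files not modified for more than max_age_days before
    as_of (ISO date string): the technical-debt candidates the talk mentions,
    using the last-modified time the scan records."""
    cutoff = datetime.fromisoformat(as_of)
    return [r["unc"] for r in rows
            if r["writeable"]
            and (cutoff - datetime.fromisoformat(r["lastmodified"])).days > max_age_days]


def cross_department_access(rows, user_department):
    """UNCs under a department directory other than the user's own share,
    i.e. the 'why can finance see HR' question from the talk."""
    return [r["unc"] for r in rows
            if r["basedirectory"] == "departments"
            and r["directory"] != user_department]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for r in risky_writes(rows):
        print("writable script/config:", r["unc"])
    for base, s in share_summary(rows).items():
        print(base, s)
    print("stale writable:", stale_writable(rows, "2022-04-01"))
    print("outside own department:", cross_department_access(rows, "it"))
```

Run it as-is to see the sample triage; for a real export, read the file into `parse_rows` instead of `SAMPLE_CSV` and rename the keys to whatever header the tool actually writes. The four views are deliberately independent so each can become a scheduled check on the daily Elastic indices the talk describes (e.g. alert when a new writable `.ps1` appears on any share).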