
PowerHuntShares: An Analysis and Auditing Tool for Active Directory Domain Security

Author: FB客服 (FreeBuf column)
Published 2023-02-10 17:10:44

About PowerHuntShares

PowerHuntShares is an analysis and auditing tool for Active Directory domain security. It is essentially a PowerShell script that helps researchers inventory, analyze and report on excessive permissions configured on the SMB shares of computers joined to an Active Directory domain. With it, IAM and red-team researchers can better understand the attack surface that SMB shares expose and obtain security data insights that help enterprises and organizations manage large-scale group shares more securely.

Features

The current version of PowerHuntShares supports the following:

1. Authenticate with the current user context, a credential object, or a clear-text username/password;
2. Automatically discover accessible systems associated with the Active Directory domain, filtering the domain's computers by whether the required port is open;
3. Target a single computer, a list of computers, or (by default) the discovered Active Directory computers;
4. Collect SMB share ACL information from the target computers using PowerShell;
5. Analyze the collected share ACL data;
6. Generate detailed excessive-permission reports in HTML and CSV format.

Over-assigned ACLs on SMB shares are a systemic problem and an attack surface that every enterprise and organization struggles with. The goal of this project is to address that problem by building a better share-collection and data-insight engine, so that researchers can better understand the security posture of an Active Directory domain.
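The core check behind items 4 and 5 above (collect share ACEs, then flag the ones that grant broad principals access) can be illustrated with a short PowerShell function. The following is an added example, not code from PowerHuntShares; it uses the built-in `Get-SmbShare` / `Get-SmbShareAccess` cmdlets for live collection, and the list of "broad" principals, the `DEMO\` domain prefix and the sample ACEs are assumptions constructed for the illustration.

```powershell
# Added example (not PowerHuntShares code): classify share ACEs that grant access to
# broad principals, the class of finding the tool reports as "potentially excessive".

# Principals that effectively mean "every domain user". The DEMO\ NetBIOS prefix is an
# assumption; substitute your own domain name.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'DEMO\Domain Users',
    'DEMO\Domain Computers'
)
# Default administrative shares are expected on every host and are not reported.
$DefaultShares = @('ADMIN$', 'C$', 'IPC$', 'PRINT$')

function Test-ExcessiveShareAce {
    # Returns a finding object for one ACE, or nothing if the ACE is not excessive.
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $AccessControlType,   # Allow / Deny
        [Parameter(Mandatory)] [string] $AccessRight          # Read / Change / Full
    )
    if ($DefaultShares -contains $ShareName)      { return }
    if ($AccessControlType -ne 'Allow')           { return }
    if ($BroadPrincipals -notcontains $AccountName) { return }

    # Change and Full both allow writing; Read is reported at lower severity.
    $severity = if ($AccessRight -in @('Change', 'Full')) { 'Write' } else { 'Read' }
    [pscustomobject]@{
        Share     = $ShareName
        Principal = $AccountName
        Right     = $AccessRight
        Severity  = $severity
    }
}

function Get-ExcessiveShareAcl {
    # Live enumeration of one host over CIM; requires the SmbShare cmdlets on the target
    # and a caller allowed to query share permissions.
    param([Parameter(Mandatory)] [string] $ComputerName)
    $cim = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        Get-SmbShare -CimSession $cim | ForEach-Object {
            Get-SmbShareAccess -Name $_.Name -CimSession $cim | ForEach-Object {
                Test-ExcessiveShareAce -ShareName $_.Name -AccountName $_.AccountName `
                    -AccessControlType "$($_.AccessControlType)" -AccessRight "$($_.AccessRight)"
            }
        }
    } finally {
        Remove-CimSession $cim
    }
}

# Constructed sample ACEs (not real data) so the rule can be exercised offline.
$SampleAces = @(
    @{ Share = 'backup'; Account = 'DEMO\Domain Users';                Type = 'Allow'; Right = 'Change' },
    @{ Share = 'backup'; Account = 'DEMO\Backup Operators';            Type = 'Allow'; Right = 'Full'   },
    @{ Share = 'users';  Account = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Right = 'Read'   },
    @{ Share = 'C$';     Account = 'BUILTIN\Administrators';           Type = 'Allow'; Right = 'Full'   },
    @{ Share = 'test1';  Account = 'Everyone';                         Type = 'Deny';  Right = 'Full'   }
)
$SampleAces | ForEach-Object {
    Test-ExcessiveShareAce -ShareName $_.Share -AccountName $_.Account `
        -AccessControlType $_.Type -AccessRight $_.Right
} | Format-Table -AutoSize
```

Only the `backup` share (Domain Users with Change) and the `users` share (Authenticated Users with Read) are reported: the Backup Operators entry is not a broad principal, `C$` is a default share, and the Everyone entry is a Deny ACE. For a live host, `Get-ExcessiveShareAcl -ComputerName <host>` feeds real ACEs through the same rule.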

Download

Researchers can clone the project's source code with the following command:

git clone https://github.com/NetSPI/PowerHuntShares.git

Setup

The commands below load PowerHuntShares into the current PowerShell session. Note that one of them must be run every time PowerShell is started; the change is not persistent:

# Bypass the execution policy for this process only
Set-ExecutionPolicy -Scope Process Bypass

# Import the module from the current directory
Import-Module .\PowerHuntShares.psm1

# Disable certificate validation for this session and force TLS 1.2 so the download from GitHub succeeds
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download PowerHuntShares.psm1 and import it directly into memory
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerHuntShares/main/PowerHuntShares.psm1")

Usage Examples

Note: all of the tool's commands should be run as an unprivileged domain user.

.EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test

.EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credential domain\user

.EXAMPLE 3: Run from a domain computer as the current user, with the target hosts read from a file, one per line.
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -HostList c:\temp\hosts.txt

.EXAMPLE 4: Run from a non-domain computer using credentials. Performs Active Directory computer discovery by default.
C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
PS C:\temp\test> Import-Module PowerHuntShares.psm1
PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user

===============================================================
PowerHuntShares
===============================================================
 This function automates the following tasks:

 o Determine current computer's domain
 o Enumerate domain computers
 o Filter for computers that respond to ping reqeusts
 o Filter for computers that have TCP 445 open and accessible
 o Enumerate SMB shares
 o Enumerate SMB share permissions
 o Identify shares with potentially excessive privielges
 o Identify shares that provide reads & write access
 o Identify shares thare are high risk
 o Identify common share owners, names, & directory listings
 o Generate creation, last written, & last accessed timelines
 o Generate html summary report and detailed csv files

 Note: This can take hours to run in large environments.
---------------------------------------------------------------
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---------------------------------------------------------------
SHARE DISCOVERY
---------------------------------------------------------------
[*][03/01/2021 09:35] Scan Start
[*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
[*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
[*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
[*][03/01/2021 09:35] - 245 computers found
[*][03/01/2021 09:35] Pinging 245 computers
[*][03/01/2021 09:35] - 55 computers responded to ping requests.
[*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
[*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
[*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
[*][03/01/2021 09:36] - 217 SMB shares were found.
[*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
[*][03/01/2021 09:37] - 374 share permissions were enumerated.
[*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
[*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
[*][03/01/2021 09:37] - 563 files and folders were enumerated.
[*][03/01/2021 09:37] Identifying potentially excessive share permissions
[*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
[*][03/01/2021 09:37] Scan Complete
---------------------------------------------------------------
SHARE ANALYSIS
---------------------------------------------------------------
[*][03/01/2021 09:37] Analysis Start
[*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
[*][03/01/2021 09:37] - 1 shares can be written to across 1 systems.
[*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
[*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
[*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
[*][03/01/2021 09:37] - Identified top 5 share groups.
[*][03/01/2021 09:37] - Identified top 5 share names.
[*][03/01/2021 09:37] - Identified shares created in last 90 days.
[*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
[*][03/01/2021 09:37] - Identified shares modified in last 90 days.
[*][03/01/2021 09:37] Analysis Complete
---------------------------------------------------------------
SHARE REPORT SUMMARY
---------------------------------------------------------------
[*][03/01/2021 09:37] Domain: demo.local
[*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
[*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
[*][03/01/2021 09:37] Run time: 00:02:23.2759086
[*][03/01/2021 09:37]
[*][03/01/2021 09:37] COMPUTER SUMMARY
[*][03/01/2021 09:37] - 245 domain computers found.
[*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
[*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
[*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
[*][03/01/2021 09:37]
[*][03/01/2021 09:37] SHARE SUMMARY
[*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
[*][03/01/2021 09:37]   because 49 systems had open ports and there are typically two default shares.
[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
[*][03/01/2021 09:37]
[*][03/01/2021 09:37] SHARE ACL SUMMARY
[*][03/01/2021 09:37] - 374 ACLs were found.
[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
[*][03/01/2021 09:37] - 0 (0.00%) ACLs were found that are associated with HIGH RISK share names.
[*][03/01/2021 09:37]
[*][03/01/2021 09:37] - The 5 most common share names are:
[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
[*][03/01/2021 09:37]   - 4 backup
[*][03/01/2021 09:37]   - 2 ssms
[*][03/01/2021 09:37]   - 1 test2
[*][03/01/2021 09:37]   - 1 test1
[*][03/01/2021 09:37]   - 1 users
[*] ----------------------------------------------
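The SHARE DISCOVERY section of the output above shows the host-discovery funnel the tool applies before touching any share: LDAP query for domain computers, ping filter, then a TCP 445 check. The following added example (not PowerHuntShares code) reproduces that funnel as a stand-alone PowerShell script for auditing your own domain. It assumes the script runs on a domain-joined host, uses only built-in ADSI and .NET classes (no RSAT module), and the function names and the optional `$LdapPath` parameter are constructed for this illustration.

```powershell
# Added example (not PowerHuntShares code): the LDAP -> ping -> TCP 445 discovery
# funnel shown in the tool's output, implemented with built-in classes only.

function Get-DomainComputerNames {
    # Returns the DNS host names of enabled computer objects in the current domain.
    # $LdapPath is an assumption for pinning a specific DC, e.g. 'LDAP://dc1.demo.local';
    # leave it empty to use the default domain of the current session.
    param([string] $LdapPath = '')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($LdapPath) { $searcher.SearchRoot = [adsi]$LdapPath }
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; bit 2 = ACCOUNTDISABLE.
    $searcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000          # paged search so large domains are not truncated
    $null = $searcher.PropertiesToLoad.Add('dNSHostName')
    $searcher.FindAll() |
        ForEach-Object { $_.Properties['dnshostname'] } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Test-TcpPort {
    # Bounded TCP connect check; a plain TcpClient connect can block for tens of seconds.
    param([string] $ComputerName, [int] $Port = 445, [int] $TimeoutMs = 1000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-ShareHostDiscovery {
    # Applies the two filters in the same order as the tool and returns the funnel counts
    # plus the list of hosts worth querying for shares.
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    $alive = @($ComputerName | Where-Object {
        Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
    })
    $smb = @($alive | Where-Object { Test-TcpPort -ComputerName $_ -Port 445 })
    [pscustomobject]@{
        Total      = $ComputerName.Count
        Pingable   = $alive.Count
        Smb445Open = $smb.Count
        Targets    = $smb
    }
}

# Usage: only attempt the LDAP query when the session is actually domain-joined.
if ($env:USERDNSDOMAIN) {
    $computers = Get-DomainComputerNames
    $funnel    = Invoke-ShareHostDiscovery -ComputerName $computers
    $funnel | Select-Object Total, Pingable, Smb445Open | Format-List
}
```

`$funnel.Targets` is the equivalent of the "49 computers have TCP port 445 open" set in the sample output and is the input a share-enumeration step would consume; the ping filter is kept because the tool applies it, but hosts that block ICMP and still expose 445 will be missed by it, which is worth remembering when the pingable count looks low.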

Sample HTML Report

License

This project is developed and released under the BSD 3-Clause open-source license.

Project Link

PowerHuntShares:https://github.com/NetSPI/PowerHuntShares

References

https://www.netspi.com/blog/technical/network-penetration-testing/network-share-permissions-powerhuntshares/
https://www.youtube.com/watch?v=TtwyQchCz6E
https://www.slideshare.net/nullbind/into-the-abyss-evaluating-active-directory-smb-shares-on-scale-secure360-251762721

Originally published 2023-01-26 by the FreeBuf WeChat public account and syndicated via the Tencent Cloud community.
