From bd7c8fe3b634facc2c69b6a6bf36219b857dff59 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Wed, 31 Jul 2024 11:38:03 -0500
Subject: [PATCH] Update Analyze-HuntSMBShares.ps1

Added exports on share names page. Updated a few table styles.
---
 Scripts/Analyze-HuntSMBShares.ps1 | 219 +++++++++++++++---------------
 1 file changed, 112 insertions(+), 107 deletions(-)

diff --git a/Scripts/Analyze-HuntSMBShares.ps1 b/Scripts/Analyze-HuntSMBShares.ps1
index a14f9e3..23d4122 100644
--- a/Scripts/Analyze-HuntSMBShares.ps1
+++ b/Scripts/Analyze-HuntSMBShares.ps1
@@ -5,7 +5,7 @@
 #--------------------------------------
 # Author: Scott Sutherland, 2024 NetSPI
 # License: 3-clause BSD
-# Version: v1.40
+# Version: v1.45
 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
 function Analyze-HuntSMBShares
 {
@@ -1821,18 +1821,10 @@ function Analyze-HuntSMBShares -
-
+
$ThisFileList
-
- - - $ComputerBarF - - - $ShareBarF - + $AclBarF @@ -1899,12 +1891,11 @@ function Analyze-HuntSMBShares $MyFdListBr = $MyFdList -replace "`n", "
" $ThisFileDirList = @" - $fdcount - -
-
+ + +
+ $MyFdListBr -
"@ $ThisFileDirList @@ -2780,6 +2771,13 @@ function Analyze-HuntSMBShares If($ShareNameRiskScore -lt .80){ $RiskLevel = "$ShareNameRiskScoreP Medium"} If($ShareNameRiskScore -lt .50){ $RiskLevel = "$ShareNameRiskScoreP Low"} #> + + # ---------------------------------------------------------------------- + # Build UNC Path Lists + # ---------------------------------------------------------------------- + $GetRowUncPathsRaw = $ExcessiveSharePrivs | where ShareName -EQ "$ShareName" | Select SharePath -Unique + $GetRowUncPathsCount = $GetRowUncPathsRaw | measure | select count -ExpandProperty count + $GetRowUncPaths = $GetRowUncPathsRaw | ForEach-Object { $ASDF = $_.SharePath; "$ASDF
" } | Out-String # ---------------------------------------------------------------------- # Build Share Name Summary Page Rows @@ -2787,8 +2785,13 @@ function Analyze-HuntSMBShares # Build Rows $ThisRow = @" - - $ShareCount + + +
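Review bot: The added `$GetRowUncPaths` line writes `$_.SharePath` into the report markup as-is, so any character in a collected path that is meaningful to HTML would be interpreted by the browser that opens the report instead of being shown as text. The value comes from scan results rather than from the script, so it is safer to encode it where the list is built, `ForEach-Object { [System.Net.WebUtility]::HtmlEncode($_.SharePath) }`, and then append the separator the line already adds. Whether the other interpolated lists in the report need the same treatment cannot be judged from this hunk. `$ASDF` is a throwaway name; using the encoded value directly removes the need for it.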
+ $GetRowUncPaths +
-
+
Risk Summary
@@ -2874,10 +2877,10 @@ function Analyze-HuntSMBShares + "@ $ThisRow @@ -3182,8 +3175,10 @@ $NewHtmlReport = @" .content { max-height: 0; + --max-width: 0; overflow: hidden; transition: max-height 0.2s ease-out; + transition: max-width 0.2s ease-out; } .tabs{ @@ -3757,7 +3752,7 @@ $NewHtmlReport = @" margin-top: 5px; margin-right: 5px; margin-bottom: 5px; - width: 90% + --width: 90% } .filelistparent { @@ -3770,7 +3765,7 @@ $NewHtmlReport = @" margin-top: 5px; margin-right: 5px; margin-bottom: 5px; - width: 90% + --width: 90% } .tablecolinfo { @@ -4314,7 +4309,7 @@ input[type="checkbox"]:checked::before { - + @@ -4349,10 +4344,8 @@ input[type="checkbox"]:checked::before {
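Review bot: In `.content`, the added `transition: max-width 0.2s ease-out;` replaces the `transition: max-height 0.2s ease-out;` declared just above it, because the later declaration of the same property wins, so the height animation is lost. A single `transition: max-height 0.2s ease-out, max-width 0.2s ease-out;` keeps both. The added `--max-width: 0;` declares a custom property that nothing visible here reads, so it has no effect on layout; the same pattern is used to switch off `width: 90%` in the hunks at -3757 and -3770. If the intent is to disable those rules, deleting the line or wrapping it in a `/* */` comment states that more clearly.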
- -
- -
+ Interesting File Names Found +


@@ -4361,7 +4354,7 @@ input[type="checkbox"]:checked::before {
($InterestingFilesAllFilesCountU unique file names)
-
+ @@ -4369,19 +4362,15 @@ input[type="checkbox"]:checked::before {
- + File Name Category Distribution
-
-
@@ -4625,42 +4614,34 @@ input[type="checkbox"]:checked::before {

Exposure Summary

Below is a summary of number of share ACLs by risk level and a summary of file name counts that may contain passwords, sensitive data, or result in remote code execution. Click the titles for more detail.

-
- + @@ -5167,7 +5148,8 @@ This section contains a list of the most common SMB share names. In some cases, -
Loading...
+
Loading...
+

-
+
- + @@ -2894,68 +2897,68 @@ function Analyze-HuntSMBShares File Name Metrics
Final Weighted Score: : $FinalSimilarityScorePFinal Score: : $FinalSimilarityScoreP
File Name Coverage: $SimularityFileCoverageScoreP
- + - + - + - + - + - + - + - + - + - +
1 File FG Coverage  10%: $SimularityFileCoverage10FG Coverage  10%: $SimularityFileCoverage10
1 File FG Coverage  20%: $SimularityFileCoverage20FG Coverage  20%: $SimularityFileCoverage20
1 File FG Coverage  30%: $SimularityFileCoverage30FG Coverage  30%: $SimularityFileCoverage30
1 File FG Coverage  40%: $SimularityFileCoverage40FG Coverage  40%: $SimularityFileCoverage40
1 File FG Coverage  51%: $SimularityFileCoverage50FG Coverage  51%: $SimularityFileCoverage50
1 File FG Coverage  60%: $SimularityFileCoverage60FG Coverage  60%: $SimularityFileCoverage60
1 File FG Coverage  70%: $SimularityFileCoverage70FG Coverage  70%: $SimularityFileCoverage70
1 File FG Coverage  80%: $SimularityFileCoverage80FG Coverage  80%: $SimularityFileCoverage80
1 File FG Coverage  90%: $SimularityFileCoverage90FG Coverage  90%: $SimularityFileCoverage90
1 File FG Coverage 100%: $SimularityFileCoverage100FG Coverage 100%: $SimularityFileCoverage100


Folder Group Metrics
- + - + - + - + - + - + - + - + - + - +
1 FG Covers  10% of shares: $SimularityFolderGroupCoverage101 FG  10%/shares: $SimularityFolderGroupCoverage10
1 FG Covers  20% of shares: $SimularityFolderGroupCoverage201 FG  20%/shares: $SimularityFolderGroupCoverage20
1 FG Covers  30% of shares: $SimularityFolderGroupCoverage301 FG  30%/shares: $SimularityFolderGroupCoverage30
1 FG Covers  40% of shares: $SimularityFolderGroupCoverage401 FG  40%/shares: $SimularityFolderGroupCoverage40
1 FG Covers  51% of shares: $SimularityFolderGroupCoverage501 FG  51%/shares: $SimularityFolderGroupCoverage50
1 FG Covers  60% of shares: $SimularityFolderGroupCoverage601 FG  60%/shares: $SimularityFolderGroupCoverage60
1 FG Covers  70% of shares: $SimularityFolderGroupCoverage701 FG  70%/shares: $SimularityFolderGroupCoverage70
1 FG Covers  80% of shares: $SimularityFolderGroupCoverage801 FG  80%/shares: $SimularityFolderGroupCoverage80
1 FG Covers  90% of shares: $SimularityFolderGroupCoverage901 FG  90%/shares: $SimularityFolderGroupCoverage90
1 FG Covers 100% of shares: $SimularityFolderGroupCoverage1001 FG 100%/shares: $SimularityFolderGroupCoverage100
@@ -2990,49 +2993,39 @@ function Analyze-HuntSMBShares
- -
-
+ +
$ShareFolderGroupList -
-
-
- +
+
$SimularityFileCommonListTop
-
-
-
- +
-
-
- +
+
$ShareRowInterestingFileListSecrets
-
+
-
-
- +
+
$ShareRowInterestingFileListData
-
-
-
@@ -5214,7 +5196,7 @@ This section contains a list of the most common SMB share names. In some cases, iTHD/4Hv7s1i9NTblIwDvS+2PbHOBDYBVoN2/4+tu3WCeB/Bq60jr/WBOY+SW90tPARMLQNXFx3NHkPuNwBRp50yZAcyU9TKBaB9zP6pjwwfAv0r7m9tfdx+gBkqavlG+DgEIiUKHvd49193b39e6bd3w/VdnLO67/jCAAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0 SU1FB+gHDA40BpbiKy8AAAEjSURBVBjTXZAxS4JhFIWfe5XqA6NIBSvK1pak2tqjvb8Q/oUImgPnqL/R7tbYVPCtUb46iKYoSUGK3tvQK0hnu889HO49Uq1eyOXVtRby+Q1VrSBSBpaBMRDMLG2GMLi/uzV5fXvPFIvFHRE5A0qAAVMgCyjQNbN6v99vyfBzVFTVc2ArprWAHrAJbANLQNts9qCqWom JAB/u9uzuPXd/AjqRl1T1QIEyIBGuiuiJiJwCGeArcgHZy8Zn5loHcsBL5IWF3bLGOxf1DUxEZP+feazgAfAF+OOOAGuxDQB396BmloJ3F8w5EXbjOXN1zCzVZggDM68D7dhxEttJ/mZvu1u92QyDzGw25fDoeJQkK0FExiAKTIAhkJrZY2g0urXajf0CiVl4icFa+XEAAAAASUVORK5CYII=" />Interesting Files
are filenames that
may be sensitive.
- + @@ -5298,16 +5280,14 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
Loading...

-
+
- - + + - - - + @@ -5871,6 +5851,7 @@ const ChartDashboardRiskOptions = { const ChartDashboardRisk = new ApexCharts(document.querySelector("#ChartDashboardRisk"), ChartDashboardRiskOptions); ChartDashboardRisk.render(); + // -------------------------- // Function to support collapsing and expanding sections // -------------------------- @@ -5882,10 +5863,18 @@ for (i = 0; i < coll.length; i++) { this.classList.toggle("active"); var content = this.nextElementSibling; if (content.style.maxHeight){ + content.style.maxHeight = null; + + // Adjust width + content.style.width = 0; + } else { content.style.Height = content.scrollHeight + "px"; content.style.maxHeight = "100%"; + + // Adjust width + content.style.width = "auto"; } }); } @@ -5893,9 +5882,10 @@ for (i = 0; i < coll.length; i++) { function toggleDiv(TargetObjectId) { var content = document.getElementById(TargetObjectId); if (content.style.display === "none") { - content.style.display = "block"; + content.style.display = "block"; } else { - content.style.display = "none"; + content.style.display = "none"; + content.style.width = 0; } } @@ -5975,7 +5965,7 @@ const chartOptions = { }, plotOptions: { bar: { - borderRadius: 4, + borderRadius: 0, horizontal: false, colors: { ranges: [{ 
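Review bot: `toggleDiv` now sets `content.style.width = 0` when hiding, but the show branch only sets `display` back to `"block"`, so after one hide/show cycle the element keeps an inline width of 0. Either reset it in the show branch with `content.style.width = "";`, or drop the width assignment, since `display = "none"` already takes the element out of layout. The collapsible handler in the hunk at -5882 does pair its `width = 0` with `width = "auto"`, so only this function is affected.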
@@ -6239,24 +6229,38 @@ applyFiltersAndSort('InterestingFileTable', 'filterInputIF', 'filterCounterIF', // CSV export function function extractAndDownloadCSV(tableId, columnIndex) { - const regex = /\\\\[^\s\\]+\\[^\s\\]+\\[^\s\\]+/g; // UNC path regex + // Regex to match \\server\share, \\server\share folder, and \\server\share\file.ext formats, allowing spaces + const regex = /\\\\[^\\\s]+\\[^\\]+(?:\\[^\\]*)*/g; const uncPaths = []; - // Loop through each filtered row - currentFilteredRows.forEach(row => { + // Get the table element by ID + const table = document.getElementById(tableId); + + // Determine rows to process: filtered rows or all rows if no filter is applied + const rowsToProcess = currentFilteredRows.length > 0 ? currentFilteredRows : Array.from(table.rows); + + // Loop through each row to process + rowsToProcess.forEach(row => { const cells = row.getElementsByTagName('td'); if (cells[columnIndex]) { - const cellValue = cells[columnIndex].innerText; - const matches = cellValue.match(regex); - if (matches) { - uncPaths.push(...matches); + // Get the div with class 'content' inside the cell + const contentDiv = cells[columnIndex].querySelector('.content'); + if (contentDiv) { + const cellValue = contentDiv.innerText; + const matches = cellValue.match(regex); + if (matches) { + uncPaths.push(...matches); + } } } }); + // Remove empty or whitespace-only entries + const cleanUncPaths = uncPaths.map(path => path.trim()).filter(path => path.length > 0); + // Generate CSV content let csvContent = 'data:text/csv;charset=utf-8,'; - csvContent += uncPaths.join('\n'); + csvContent += cleanUncPaths.join('\n'); // Create a link to download the CSV file const encodedUri = encodeURI(csvContent); @@ -6291,6 +6295,7 @@ function extractAndDownloadCSV(tableId, columnIndex) { "@ $NewHtmlReport | Out-File "$OutputDirectory\Summary-Report-$TargetDomain.html" +$Time = Get-Date -UFormat "%m/%d/%Y %R" Write-Output " [*][$Time] - Done." Write-Output "" Write-Output ""
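Review bot: `rowsToProcess` falls back to `Array.from(table.rows)` whenever `currentFilteredRows` is empty, which cannot tell "no filter applied" from "filter matched nothing", so a search with zero hits exports every row. `currentFilteredRows` is defined outside the hunk and may also hold rows from a table other than `tableId`, which is worth confirming. The new pattern's `[^\\]+` and `[^\\]*` classes accept line breaks, so consecutive paths in one cell can come back as a single match; excluding them, `/\\\\[^\\\s]+\\[^\\\r\n]+(?:\\[^\\\r\n]*)*/g`, keeps one path per entry. A one-line comment above the function saying that only cells containing a `.content` div are exported would also help the next reader.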
Unique Share Name CountAffected Share CountUnique Share NamesShare Count File Group File CountAffected ComputersAffected SharesAffected ACLsAffected ACLs