From f599e2cbe8f1b62f8d7078cd576c41e6fa8be4f6 Mon Sep 17 00:00:00 2001
From: Scott Sutherland <nullbind@users.noreply.github.com>
Date: Tue, 5 Apr 2022 20:52:08 -0500
Subject: [PATCH] Update README.md

---
 README.md | 224 +++++++++++++++++++++++++++---------------------------
 1 file changed, 112 insertions(+), 112 deletions(-)

diff --git a/README.md b/README.md
index 52e1b3d..051f9b7 100644
--- a/README.md
+++ b/README.md
@@ -14,121 +14,121 @@ Excessive SMB share ACLs are a systemic problem and an attack surface that all o
 
 # Example Commands
 <pre>
-           .EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
-            PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test 
+.EXAMPLE 1: Run from a domain computer. Performs Active Directory computer discovery by default.
+PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test 
 
-           .EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
-            PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user
-            
-           .EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
-            PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test  -HostList c:\temp\hosts.txt      
-           
-           .EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
-            C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
-            PS C:\temp\test> Import-Module Invoke-HuntSMBShares.ps1
-            PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user 
+.EXAMPLE 2: Run from a domain computer with alternative domain credentials. Performs Active Directory computer discovery by default.
+PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test -Credentials domain\user
 
-             ---------------------------------------------------------------
-             INVOKE-HUNTSMBSHARES                                        
-             ---------------------------------------------------------------
-              This function automates the following tasks:                  
-                                                                
-              o Determine current computer's domain                         
-              o Enumerate domain computers                                  
-              o Filter for computers that respond to ping reqeusts          
-              o Filter for computers that have TCP 445 open and accessible  
-              o Enumerate SMB shares                                        
-              o Enumerate SMB share permissions                             
-              o Identify shares with potentially excessive privielges       
-              o Identify shares that provide reads & write access           
-              o Identify shares thare are high risk                         
-              o Identify common share owners, names, & directory listings   
-              o Generate last written & last accessed timelines             
-              o Generate html summary report and detailed csv files         
+.EXAMPLE 3: Run from a domain computer as current user. Target hosts in a file. One per line.
+PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\temp\test  -HostList c:\temp\hosts.txt      
 
-              Note: This can take hours to run in large environments.       
-             ---------------------------------------------------------------
-             |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-             ---------------------------------------------------------------
-             SHARE DISCOVERY      
-             ---------------------------------------------------------------
-             [*][03/01/2021 09:35] Scan Start
-             [*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
-             [*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
-             [*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
-             [*][03/01/2021 09:35] - 245 computers found
-             [*][03/01/2021 09:35] Pinging 245 computers
-             [*][03/01/2021 09:35] - 55 computers responded to ping requests.
-             [*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
-             [*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
-             [*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
-             [*][03/01/2021 09:36] - 217 SMB shares were found.
-             [*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
-             [*][03/01/2021 09:37] - 374 share permissions were enumerated.
-             [*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
-             [*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
-             [*][03/01/2021 09:37] - 563 files and folders were enumerated.
-             [*][03/01/2021 09:37] Identifying potentially excessive share permissions
-             [*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
-             [*][03/01/2021 09:37] Scan Complete
-             ---------------------------------------------------------------
-             SHARE ANALYSIS      
-             ---------------------------------------------------------------
-             [*][03/01/2021 09:37] Analysis Start
-             [*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
-             [*][03/01/2021 09:37] - 1 shares can be written to across 1 systems.
-             [*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
-             [*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
-             [*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
-             [*][03/01/2021 09:37] - Identified top 5 share groups.
-             [*][03/01/2021 09:37] - Identified top 5 share names.
-             [*][03/01/2021 09:37] - Identified shares created in last 90 days.
-             [*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
-             [*][03/01/2021 09:37] - Identified shares modified in last 90 days.
-             [*][03/01/2021 09:37] Analysis Complete
-             ---------------------------------------------------------------
-             SHARE REPORT SUMMARY      
-             ---------------------------------------------------------------
-             [*][03/01/2021 09:37] Domain: demo.local
-             [*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
-             [*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
-             [*][03/01/2021 09:37] Run time: 00:02:23.2759086
-             [*][03/01/2021 09:37] 
-             [*][03/01/2021 09:37] COMPUTER SUMMARY
-             [*][03/01/2021 09:37] - 245 domain computers found.
-             [*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
-             [*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
-             [*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
-             [*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
-             [*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
-             [*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
-             [*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
-             [*][03/01/2021 09:37] 
-             [*][03/01/2021 09:37] SHARE SUMMARY
-             [*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
-             [*][03/01/2021 09:37]   because 49 systems had open ports and there are typically two default shares.
-             [*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
-             [*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
-             [*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
-             [*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
-             [*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
-             [*][03/01/2021 09:37] 
-             [*][03/01/2021 09:37] SHARE ACL SUMMARY
-             [*][03/01/2021 09:37] - 374 ACLs were found.
-             [*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
-             [*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
-             [*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
-             [*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
-             [*][03/01/2021 09:37] - 0 (0.00%) ACLs were found that are associated with HIGH RISK share names.
-             [*][03/01/2021 09:37] 
-             [*][03/01/2021 09:37] - The 5 most common share names are:
-             [*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
-             [*][03/01/2021 09:37]   - 4 backup
-             [*][03/01/2021 09:37]   - 2 ssms
-             [*][03/01/2021 09:37]   - 1 test2
-             [*][03/01/2021 09:37]   - 1 test1
-             [*][03/01/2021 09:37]   - 1 users
-             [*] -----------------------------------------------
+.EXAMPLE 4: Run from a non-domain computer with credential. Performs Active Directory computer discovery by default.
+C:\temp\test> runas /netonly /user:domain\user PowerShell.exe
+PS C:\temp\test> Import-Module Invoke-HuntSMBShares.ps1
+PS C:\temp\test> Invoke-HuntSMBShares -Threads 100 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Credential domain\user 
+
+---------------------------------------------------------------
+INVOKE-HUNTSMBSHARES 
+---------------------------------------------------------------
+ This function automates the following tasks:     
+
+ o Determine current computer's domain
+ o Enumerate domain computers        
+ o Filter for computers that respond to ping reqeusts          
+ o Filter for computers that have TCP 445 open and accessible  
+ o Enumerate SMB shares 
+ o Enumerate SMB share permissions   
+ o Identify shares with potentially excessive privielges       
+ o Identify shares that provide reads & write access           
+ o Identify shares thare are high risk
+ o Identify common share owners, names, & directory listings   
+ o Generate last written & last accessed timelines
+ o Generate html summary report and detailed csv files         
+
+ Note: This can take hours to run in large environments.       
+---------------------------------------------------------------
+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+---------------------------------------------------------------
+SHARE DISCOVERY      
+---------------------------------------------------------------
+[*][03/01/2021 09:35] Scan Start
+[*][03/01/2021 09:35] Output Directory: c:\temp\smbshares\SmbShareHunt-03012021093504
+[*][03/01/2021 09:35] Successful connection to domain controller: dc1.demo.local
+[*][03/01/2021 09:35] Performing LDAP query for computers associated with the demo.local domain
+[*][03/01/2021 09:35] - 245 computers found
+[*][03/01/2021 09:35] Pinging 245 computers
+[*][03/01/2021 09:35] - 55 computers responded to ping requests.
+[*][03/01/2021 09:35] Checking if TCP Port 445 is open on 55 computers
+[*][03/01/2021 09:36] - 49 computers have TCP port 445 open.
+[*][03/01/2021 09:36] Getting a list of SMB shares from 49 computers
+[*][03/01/2021 09:36] - 217 SMB shares were found.
+[*][03/01/2021 09:36] Getting share permissions from 217 SMB shares
+[*][03/01/2021 09:37] - 374 share permissions were enumerated.
+[*][03/01/2021 09:37] Getting directory listings from 33 SMB shares
+[*][03/01/2021 09:37] - Targeting up to 3 nested directory levels
+[*][03/01/2021 09:37] - 563 files and folders were enumerated.
+[*][03/01/2021 09:37] Identifying potentially excessive share permissions
+[*][03/01/2021 09:37] - 33 potentially excessive privileges were found across 12 systems..
+[*][03/01/2021 09:37] Scan Complete
+---------------------------------------------------------------
+SHARE ANALYSIS      
+---------------------------------------------------------------
+[*][03/01/2021 09:37] Analysis Start
+[*][03/01/2021 09:37] - 14 shares can be read across 12 systems.
+[*][03/01/2021 09:37] - 1 shares can be written to across 1 systems.
+[*][03/01/2021 09:37] - 46 shares are considered non-default across 32 systems.
+[*][03/01/2021 09:37] - 0 shares are considered high risk across 0 systems
+[*][03/01/2021 09:37] - Identified top 5 owners of excessive shares.
+[*][03/01/2021 09:37] - Identified top 5 share groups.
+[*][03/01/2021 09:37] - Identified top 5 share names.
+[*][03/01/2021 09:37] - Identified shares created in last 90 days.
+[*][03/01/2021 09:37] - Identified shares accessed in last 90 days.
+[*][03/01/2021 09:37] - Identified shares modified in last 90 days.
+[*][03/01/2021 09:37] Analysis Complete
+---------------------------------------------------------------
+SHARE REPORT SUMMARY      
+---------------------------------------------------------------
+[*][03/01/2021 09:37] Domain: demo.local
+[*][03/01/2021 09:37] Start time: 03/01/2021 09:35:04
+[*][03/01/2021 09:37] End time: 03/01/2021 09:37:27
+[*][03/01/2021 09:37] Run time: 00:02:23.2759086
+[*][03/01/2021 09:37] 
+[*][03/01/2021 09:37] COMPUTER SUMMARY
+[*][03/01/2021 09:37] - 245 domain computers found.
+[*][03/01/2021 09:37] - 55 (22.45%) domain computers responded to ping.
+[*][03/01/2021 09:37] - 49 (20.00%) domain computers had TCP port 445 accessible.
+[*][03/01/2021 09:37] - 32 (13.06%) domain computers had shares that were non-default.
+[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares with potentially excessive privileges.
+[*][03/01/2021 09:37] - 12 (4.90%) domain computers had shares that allowed READ access.
+[*][03/01/2021 09:37] - 1 (0.41%) domain computers had shares that allowed WRITE access.
+[*][03/01/2021 09:37] - 0 (0.00%) domain computers had shares that are HIGH RISK.
+[*][03/01/2021 09:37] 
+[*][03/01/2021 09:37] SHARE SUMMARY
+[*][03/01/2021 09:37] - 217 shares were found. We expect a minimum of 98 shares
+[*][03/01/2021 09:37]   because 49 systems had open ports and there are typically two default shares.
+[*][03/01/2021 09:37] - 46 (21.20%) shares across 32 systems were non-default.
+[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems are configured with 33 potentially excessive ACLs.
+[*][03/01/2021 09:37] - 14 (6.45%) shares across 12 systems allowed READ access.
+[*][03/01/2021 09:37] - 1 (0.46%) shares across 1 systems allowed WRITE access.
+[*][03/01/2021 09:37] - 0 (0.00%) shares across 0 systems are considered HIGH RISK.
+[*][03/01/2021 09:37] 
+[*][03/01/2021 09:37] SHARE ACL SUMMARY
+[*][03/01/2021 09:37] - 374 ACLs were found.
+[*][03/01/2021 09:37] - 374 (100.00%) ACLs were associated with non-default shares.
+[*][03/01/2021 09:37] - 33 (8.82%) ACLs were found to be potentially excessive.
+[*][03/01/2021 09:37] - 32 (8.56%) ACLs were found that allowed READ access.
+[*][03/01/2021 09:37] - 1 (0.27%) ACLs were found that allowed WRITE access.
+[*][03/01/2021 09:37] - 0 (0.00%) ACLs were found that are associated with HIGH RISK share names.
+[*][03/01/2021 09:37] 
+[*][03/01/2021 09:37] - The 5 most common share names are:
+[*][03/01/2021 09:37] - 9 of 14 (64.29%) discovered shares are associated with the top 5 share names.
+[*][03/01/2021 09:37]   - 4 backup
+[*][03/01/2021 09:37]   - 2 ssms
+[*][03/01/2021 09:37]   - 1 test2
+[*][03/01/2021 09:37]   - 1 test1
+[*][03/01/2021 09:37]   - 1 users
+[*] -----------------------------------------------
 
 </pre>