
Microsoft Windows SMB Shares Access

🗓️ 09 May 2000 00:00:00 | Reported by: Tenable | Type: nessus | 🔗 www.tenable.com | 👁 641 Views

Remote Windows shares can be accessed, leading to potential data exposure risks.

Code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration phase: when `description` is set, the plugin only declares its
# metadata, dependencies and required ports, then exits (the exit(0) below runs
# before any of the SMB code further down in the file).
if (description)
{
 script_id(10396);
 script_version("1.83");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/10/04");

 script_name(english:"Microsoft Windows SMB Shares Access");
 # NOTE(review): the summary mentions "up to 100" shares, but no such cap is
 # visible in the share-probing loop of this file -- confirm where (or whether)
 # the limit is enforced.
 script_summary(english:"List of up to 100 remotely accessible shares");

 script_set_attribute(attribute:"synopsis", value:"It is possible to access a network share.");
 script_set_attribute(attribute:"description", value:
"The remote has one or more Windows shares that can be accessed through
the network with the given credentials.

Depending on the share rights, it may allow an attacker to read /
write confidential data.");
 # The solution text covers share-level permissions only.
 script_set_attribute(attribute:"solution", value:
"To restrict access under Windows, open Explorer, do a right click on
each share, go to the 'sharing' tab, and click on 'permissions'.");
 # Declared with no risk rating. The runtime code below reports through
 # security_note() or stores the report in the KB; it never raises a
 # higher-severity finding itself.
 script_set_attribute(attribute:"risk_factor", value:"None");

 script_set_attribute(attribute:"plugin_publication_date", value:"2000/05/09");

 script_set_attribute(attribute:"plugin_type", value:"combined");
 script_end_attributes();

 # Information-gathering category.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2000-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"Windows");

 # Plugins that must run first. The runtime code reads KB items such as
 # SMB/shares, SMB/ValidUsers/<n>/Login, SMB/AdminName and SMB/LocalAdminName;
 # presumably these dependencies populate them -- verify against each plugin.
 script_dependencies("netbios_name_get.nasl",
         "smb_login.nasl", "smb_enum_shares.nasl",
         "smb_login_as_users.nasl", "smb_sid2user.nasl",
         "smb_sid2localuser.nasl", "smb_samr_user_enum.nasl");
 # SMB over NetBIOS session service (139) or direct TCP (445).
 script_require_ports(139, 445);
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("smb_func.inc");


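#
# accessible_share(share)
#
# Connects to <share> and checks whether its root directory can be opened
# for reading and/or for writing with the credentials currently in use.
#
# Returns:
#   FALSE  - the share could not be connected to, or its root could be opened
#            neither for reading nor for writing.
#   string - " - (readable)", " - (writable)" or " - (readable,writable)",
#            followed, when the share is readable and entries were returned,
#            by a listing of names found in the share root.
#
# Notes for whoever consumes the result:
#   * "writable" means that opening the root directory with GENERIC_WRITE
#     succeeded; this function never writes anything to the share.
#   * The listing is capped by checking strlen(files) < 1000 before each
#     fetch, so it can end slightly above 1000 characters.
#   * The listing carries real file and directory names from the target, so
#     the resulting report can itself contain sensitive names.
#
function accessible_share (share)
{
  local_var ret, handle, readable, writeable, access, files;

  ret = NetUseAdd (share:share);
  if (ret != 1)
    return FALSE;

  # Read probe: open the share root (empty path) as a directory.
  readable = 0;
  handle = CreateFile (file:"", desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_DIRECTORY,
                       share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
  if ( ! isnull (handle) )
  {
    readable = 1;
    CloseFile (handle:handle);
  }

  # Write probe: same open, asking for GENERIC_WRITE. Nothing is written.
  writeable = 0;
  handle = CreateFile (file:"", desired_access:GENERIC_WRITE, file_attributes:FILE_ATTRIBUTE_DIRECTORY,
                       share_mode:FILE_SHARE_READ | FILE_SHARE_WRITE, create_disposition:OPEN_EXISTING);
  if ( ! isnull (handle) )
  {
    writeable = 1;
    CloseFile (handle:handle);
  }

  # We only care about shares that we have read and/or write perms for
  if (readable == 0 && writeable == 0)
  {
    # Release the share connection exactly as the success path below does;
    # previously this early return left the connection from NetUseAdd open.
    NetUseDel (close:FALSE);
    return FALSE;
  }

  # Access mode -> string
  access = " - (";
  if (readable == 1)
    access += "readable";
  if (writeable == 1)
  {
    if (readable == 1)
      access += ",";
    access += "writable";
  }
  access += ")";

  if (readable == 1)
  {
    files = NULL;

    # The entry returned by FindFirstFile itself is not appended; only the
    # entries returned by the following FindNextFile calls are.
    # NOTE(review): presumably that first entry is "." -- confirm.
    handle = FindFirstFile (pattern:"\*");
    while (!isnull(handle) && (strlen (files) < 1000))
    {
      handle = FindNextFile (handle:handle);
      if (!isnull(handle))
        files += handle[1] + '\n';
    }
  }

  # Drop the share connection; close:FALSE is passed so that the caller can
  # keep probing further shares afterwards.
  NetUseDel (close:FALSE);

  if ( ! isnull(files) )
    access += '\n  + Content of this share :\n' + files;

  return access;
}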


#
# Here we go
#


# Transport and credentials come from the knowledge base.
port  = kb_smb_transport();
login = kb_smb_login();
pass  = kb_smb_password();

# With no login configured the first pass runs with an empty user name,
# and authentication failures are not reported for the session.
if (empty_or_null(login))
{
  login = "";
  report_auth_failure = FALSE;
}
else
  report_auth_failure = TRUE;

if (empty_or_null(pass))
  pass = "";

dom = kb_smb_domain();

# Open the SMB session; audit() is called if either step fails.
if (!smb_session_init(report_access_trouble:FALSE, report_auth_failure:report_auth_failure))
  audit(AUDIT_FN_FAIL, 'smb_session_init');

r = NetUseAdd(login:login, password:pass, domain:dom);
if (r != 1)
  audit(AUDIT_FN_FAIL, "NetUseAdd");

# Index of the credential set in use; also used to build KB key names below.
count = 1;

# Shares recorded in the KB, flattened into a plain list.
shares = get_kb_list("SMB/shares");
if (isnull(shares))
  shares = make_list();
shares = make_list(shares);

# Well-known share names are probed even when they were not recorded in the
# KB. The comparison is case-sensitive, so a name recorded in a different
# case is not treated as already present.
default_shares = make_list("WINNT$", "C$", "D$", "ADMIN$", "ROOT");
missing_shares = make_list();

foreach candidate (default_shares)
{
  already_listed = FALSE;
  foreach known_share (shares)
  {
    if (known_share == candidate)
    {
      already_listed = TRUE;
      break;
    }
  }

  if (!already_listed)
    missing_shares = make_list(missing_shares, candidate);
}

shares = make_list(shares, missing_shares);


# NOTE(review): `run` is assigned here but not read anywhere in this file.
run = 1;


# One iteration per credential set. The first pass uses the session opened
# above; each later pass logs in with the next SMB/ValidUsers/<count> entry.
# The loop is only left through the exit() / audit() calls inside it.
while(1)
{
  vuln = "";
  accs = "";

  # Probe every candidate share except IPC$ and PRINT$ (compared in lower case).
  foreach share (shares)
  {
    lshare = tolower(share);
    if (lshare != "ipc$" && lshare != "print$")
    {
      accs = accessible_share(share:share);
      if(accs)
      {
        # accs holds the access mode and, for readable shares, a listing of
        # names from the share root -- so `vuln` (and the report built from
        # it) can contain real file names from the target.
        vuln += "- " + share + " " + accs + '\n';
        set_kb_item(name:"SMB/accessible_share", value:share);
      }
    }
  }

  # No close:FALSE here, unlike inside accessible_share().
  # NOTE(review): presumably this ends the whole session for the current
  # credentials -- confirm against smb_func.inc.
  NetUseDel ();

  if(strlen(vuln) > 0)
  {
    # Per-credential-set summary: pgrep keeps only the lines starting with "-",
    # i.e. the per-share summary lines (a listed file name that itself begins
    # with "-" would be kept too).
    kb_item = "SMB/accessible_shares/" + count;
    set_kb_item(name:kb_item, value:pgrep(pattern:"^-", string:vuln));

    # not considered a hole in agent/NSX mode
    if(get_kb_item("nessus/product/local"))
    {
      hole = 0;
      t = NULL;
    }
    else
    {
      if(!strlen(login))t = "using a NULL session ";
      else t = "as " + login;

      # Default: treat the access as a finding (hole = 1). With an empty login
      # (NULL session) the block below is skipped and hole stays 1.
      hole = 1;
      if (strlen(login))
      {
        admin = get_kb_item("SMB/AdminName");
        local = get_kb_item("SMB/LocalAdminName");

        # Downgrade to informational when no administrator name is known, or
        # when a known administrator name appears inside the login (substring
        # test, not equality), or when ADMIN$ is among the accessible shares.
        if (strlen(admin) == 0 && strlen(local) == 0) hole = 0;
        else if (
         (strlen(admin) && admin >< login) ||
         (strlen(local) && local >< login) ||
         ("ADMIN$" >< vuln)
        ) hole = 0;
      }
    }


    rep = '\nThe following shares can be accessed ' + t + ' :\n\n'
        + vuln;

    if ( hole )
    {
      # Not reported from here: the text and port are stored in the KB.
      # NOTE(review): presumably another plugin reads /tmp/10396/* and raises
      # the finding -- confirm which one.
      set_kb_item(name: "/tmp/10396/report", value: rep);
      set_kb_item(name: "/tmp/10396/port", value: port);
    }
    else
    {
      security_note(port:port, extra:rep);
    }
  }

  # Stop after this pass when SMB/any_login is set in the KB.
  if(get_kb_item("SMB/any_login"))exit(0);

  # Next credential set: login and password are read from the KB under the
  # current count; the script ends when both come back empty.
  a = "SMB/ValidUsers/" + count + "/Login";
  b = "/tmp/SMB/ValidUsers/" + count + "/Password";
  login = string(get_kb_item(a));
  pass  = string(get_kb_item(b));
  count = count + 1;
  if(!strlen(login) && !strlen(pass))exit(0);

  # report_auth_failure still holds the value chosen for the first login.
  if(! smb_session_init(report_access_trouble:FALSE, report_auth_failure:report_auth_failure))
    audit(AUDIT_FN_FAIL, "smb_session_init");

  r = NetUseAdd(login:login, password:pass, domain:dom);
  # A failed login with a later credential set ends the script with status 1,
  # without an audit message.
  if ( r != 1 ) exit(1);
}

# NOTE(review): not reached -- the while(1) loop above has no break.
NetUseDel();


04 Oct 2021 00:00 (Current)
5.6 (Medium risk)
Vulners AI Score: 5.6
641