Patrik KarlssonNMAP:SNMP-WIN32-SHARES.NSEsnmp-win32-shares NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Attempts to enumerate Windows Shares through SNMP.
Script Arguments
creds.[service], creds.global
See the documentation for the creds library.
snmp.version
See the documentation for the snmp library.
Example Usage
nmap -sU -p 161 --script=snmp-win32-shares <target>
Script Output
| snmp-win32-shares:
| SYSVOL: C:\WINDOWS\sysvol\sysvol
| NETLOGON: C:\WINDOWS\sysvol\sysvol\inspectit-labb.local\SCRIPTS
|_ Webapps: C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\ROOT
Requires
local nmap = require "nmap"
local shortport = require "shortport"
local snmp = require "snmp"
local stdnse = require "stdnse"
description = [[
Attempts to enumerate Windows Shares through SNMP.
]]
---
-- @usage
-- nmap -sU -p 161 --script=snmp-win32-shares <target>
-- @output
-- | snmp-win32-shares:
-- | SYSVOL: C:\WINDOWS\sysvol\sysvol
-- | NETLOGON: C:\WINDOWS\sysvol\sysvol\inspectit-labb.local\SCRIPTS
-- |_ Webapps: C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\ROOT
--
-- @xmloutput
-- <elem key="SYSVOL">C:\WINDOWS\sysvol\sysvol</elem>
-- <elem key="NETLOGON">C:\WINDOWS\sysvol\sysvol\inspectit-labb.local\SCRIPTS</elem>
-- <elem key="Webapps">C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\ROOT</elem>
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
dependencies = {"snmp-brute"}
-- Version 0.3
-- Created 01/15/2010 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 01/19/2010 - v0.2 - fixed loop that would occur if a mib did not exist
-- Revised 04/11/2010 - v0.3 - moved snmp_walk to snmp library <[email protected]>
portrule = shortport.port_or_service(161, "snmp", "udp", {"open", "open|filtered"})
--- Gets a value for the specified oid
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @param oid string containing the object id for which the value should be extracted
-- @return value of relevant type or nil if oid was not found
local function get_value_from_table( tbl, oid )
for _, v in ipairs( tbl ) do
if v.oid == oid then
return v.value
end
end
return nil
end
--- Processes the table and creates the script output
--
-- @param tbl table containing <code>oid</code> and <code>value</code>
-- @return an output table with (sharename, path) pairs
local function process_answer( tbl )
local share_name = "1.3.6.1.4.1.77.1.2.27.1.1"
local share_path = "1.3.6.1.4.1.77.1.2.27.1.2"
local new_tbl = stdnse.output_table()
for _, v in ipairs( tbl ) do
if ( v.oid:match("^" .. share_name) ) then
local objid = v.oid:gsub( "^" .. share_name, share_path)
local path = get_value_from_table( tbl, objid )
new_tbl[v.value] = path
end
end
return new_tbl
end
action = function(host, port)
local data, snmpoid = nil, "1.3.6.1.4.1.77.1.2.27"
local shares = {}
local status
local snmpHelper = snmp.Helper:new(host, port)
snmpHelper:connect()
status, shares = snmpHelper:walk( snmpoid )
if (not(status)) or ( shares == nil ) or ( #shares == 0 ) then
return
end
shares = process_answer( shares )
nmap.set_port_state(host, port, "open")
return shares
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%