nessuscmd Tip: Finding Open SMB File Shares
Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I've found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:
# ./nessuscmd -U -p139,445 -V -i 10396 192.168.1.0/24
The flags used in this command perform the following functions:
| nessuscmd Option | Description |
| -U | Disable safe checks |
| -p139,445 | Limit the scan to TCP ports 139 and 445 |
| -V | Force nessuscmd to print the full plugin output |
| -i 10396 | Define the plugin ID (In this case plugin id 10396, "SMB shares access") |
This will result in the following output:
+ Results found on 192.168.10.230 : - Port netbios-ssn (139/tcp) is open - Port microsoft-ds (445/tcp) is open [!] Plugin ID 10396 | | Synopsis : | | It is possible to access a network share. | | Description : | | The remote has one or many Windows shares that can be accessed | through the network with the given credentials. | Depending on the share rights, it may allow an attacker to | read/write confidential data. | | Solution : | | To restrict access under Windows, open the explorer, do a right | click on each shares, go to the 'sharing' tab, and click on | 'permissions'. | | Risk factor : | | High / CVSS Base Score : 7.5 | (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) | | Plugin output : | | The following shares can be accessed as nessus6804946061421403042121321 | 621 : | | - backup - (readable,writable) | + Content of this share : | .. | CreditApplication_Fax.pdf | Payroll_2009.xls | Invoice10001.doc
This is a great script to run on a regular basis, or in an ad-hoc fashion, to keep tabs on what file shares are exposed in your environment and what information is available. Nessus ProfessionalFeed subscribers can also perform a sensitive data audit of files and documents located on Windows computers. Tenable offers mulitple audit polices which scan files for credit cards, adult media, financial spread sheets and much more.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
CVE-2024-7593: Ivanti Virtual Traffic Manager Authentication Bypass Vulnerability
August 14, 2024Ivanti released a patch for a critical severity authentication bypass vulnerability and a warning that exploit code is publicly available
Microsoft’s August 2024 Patch Tuesday Addresses 88 CVEs
August 13, 2024Microsoft addresses 88 CVEs with seven critical vulnerabilities and 10 zero-day vulnerabilities, six of which were exploited in the wild.
Compromising Microsoft's AI Healthcare Chatbot Service
August 13, 2024Tenable Research discovered multiple privilege-escalation issues in the Azure Health Bot Service via a server-side request forgery (SSRF), which allowed researchers access to cross-tenant resources.
- Nessus