SMB Scanner


Recently, I was asked to test all SMB-enabled devices on a fairly large network to find any hosts that still supported SMBv1. This was about a month before Nmap released their SMB version enumeration NSE. I quickly threw together a script using Impacket from CoreImpact. The initial script was about 10 lines including the imports; it was slow and only allowed for a single set of hardcoded input files. It was also single-threaded, so it was slow: at about 4 seconds per address, it took almost a full day to complete each iteration. Testing a patch program using this was untenable.

As we’re huge fans of code re-use, I wrapped the script in my tried and true threading modules, re-learned argparse and created a functional Python program to only negotiate SMBv1 connections to a host. By only performing SMBv1 negotiation and not even including the options to enumerate others, I didn’t duplicate the functionality from Nmap and don’t have to worry about false positives.

This script will generate a large number of ARP requests during testing; this is per RFC when connecting to port 139. If stealth is important, reduce the threads using the -t option. Happy hunting and enjoy scanning for SMBv1.

We have added the repo to our GitHub. It requires netaddr, pycrypto and impacket.
Install with:
 pip install pycrypto
 pip install impacket
 pip install netaddr
python [*options]
usage: smbv1 scanner [-h] [-i INPUT [INPUT ...] | -f FILE] [-t THREADS]
                     [-o OUTPUT] [-v]

******* * * * * * * * Check SMB for Version 1 Support * * * * * * * *******

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT [INPUT ...], --input INPUT [INPUT ...]
                        IP Address in CIDR Notation
  -f FILE, --file FILE  file containing list of IPs to check
  -t THREADS, --threads THREADS
                        Number of Threads
  -o OUTPUT, --output OUTPUT
                        Output File Name
  -v, --version         show program's version number and exit

******* * * * * * * * * * * * * * * * * * * * * * * * * *******
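
The SMBv1-only negotiation and threading described in this post, as an added example that is not the author's script. It assumes the Python standard library in place of Impacket and netaddr and direct TCP on port 445 rather than 139; all function names are hypothetical.

```python
import ipaddress
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

DIALECT = b"\x02NT LM 0.12\x00"  # the only dialect offered, so only SMBv1 can match

def build_negotiate() -> bytes:
    """SMB_COM_NEGOTIATE (0x72) request, framed for direct TCP on port 445."""
    header = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0x18, 0xC801,
                         0, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    body = struct.pack("<BH", 0, len(DIALECT)) + DIALECT  # WordCount=0, ByteCount
    msg = header + body
    return struct.pack(">I", len(msg)) + msg  # leading 0x00 byte = session message

def smb1_supported(resp: bytes) -> bool:
    """True only if the reply is an SMBv1 negotiate response that chose our dialect."""
    if len(resp) < 35 or resp[:4] != b"\xffSMB" or resp[4] != 0x72:
        return False  # short read, SMB2+ magic (\xfeSMB) or a different command
    status = struct.unpack_from("<I", resp, 5)[0]
    dialect_index = struct.unpack_from("<H", resp, 33)[0]
    # 0xFFFF means the server rejected every dialect we offered
    return status == 0 and resp[32] >= 1 and dialect_index != 0xFFFF

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed the connection")
        buf += chunk
    return buf

def check_host(ip: str, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((ip, 445), timeout=timeout) as s:
            s.sendall(build_negotiate())
            length = int.from_bytes(recv_exact(s, 4)[1:], "big")
            return smb1_supported(recv_exact(s, min(length, 512)))
    except (OSError, EOFError):
        return False  # closed, filtered, reset or timed out: no SMBv1 answer

def scan(cidrs, threads: int = 10):
    """Return the addresses in the given CIDR blocks that accept SMBv1."""
    hosts = [str(h) for c in cidrs for h in ipaddress.ip_network(c, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return [h for h, ok in zip(hosts, pool.map(check_host, hosts)) if ok]
```

A host that has SMBv1 disabled either closes the connection or answers with dialect index 0xFFFF, and both cases are reported as not supported.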

This PowerShell script, written by our friend Rafael Montoya, will allow you to scan open shares based on a list you provide or a subnet you enter. It will process hostnames or IP addresses and attempt to connect to the shares on a machine using WMI to make the connection.

It calls Get-WMIObject with the class Win32_ConnectionShare, and it can be modified to list more properties. The properties currently listed are PSComputerName, Name, Path and Description.

For use with subnets and CIDR notation, GET-IPRange will currently list out the IP addresses in the subnet that was entered. For a /24 it will list out all 254 usable addresses and scan those IPs for an SMB share.

The framework is basically a simple interface to interact with both of these functions; it will ask you to provide a CIDR or file and, depending on which one you pick, it will run the proper command to get the shares. The script writes the results to a separate file that you have to specify; it appends to that file and only writes shares that it finds.

All the code you need is here: GitHub