It’s rare during a penetration test that I actually exploit a vulnerability to gain more information. Newcomers to my field will often use the term “network security”. I don’t care about the network; have the network for all I care. What I’m more concerned about is the information inside the network. The better way to describe it is “information security”. When performing penetration tests one has to keep that in mind: yeah, it’s fun to exploit some user that’s running an old version of war-ftp, but if that user doesn’t yield sensitive information then, to some extent, who cares.
I often see that professional penetration testers will highlight an open Windows share that can be read or written to by everyone. They will often highlight other shares that are accessible by a large group such as Authenticated Users. I don’t want to scoff at these types of open shares, as they should be investigated by the business owner that created them. The main thing to consider is what information lies within those open shares. Open shares are usually created for a reason: so that users can easily share information. This is not bad unless the information in those shares is secret / classified material. To check for this possible sensitive information one would have to search all the files and folders in that share. Now you can use the cute little dog search feature inside of Windows Explorer to look for this information, but using that your hands are somewhat tied. The search feature inside Windows Explorer actually does a nice job, but if you want to automate the process to look at multiple shares and search for multiple terms then you’re out of luck.
Because of this I wanted to script something that would automate the process. PowerShell could have been an option, but because I’m already familiar with Python I stuck to what I know. This means that in order to run the script you’ll have to have Python installed on Windows. I could have written the script to work in Linux, but that would have meant using cifs to map drives, which seemed like more of a headache than just using Python on Windows.
You’ll need to open up a Windows command prompt to run the script, and it’s a good idea to add Python to the Windows path. The script takes two arguments. The first argument is the file containing all the shares that you want to search. The second argument is the file that contains all the terms you want to search for. So to run the script you would issue a command similar to below, where searchShares.py is the name of the Python script.
Your shares.txt file should look similar to below.
\\three\four\five
\\six\seven\eight\nine
Your searchTerms.txt file should look similar to below.
password
username
In the example above the term “secret” will be recursively searched in all three shares. Then “password” will be recursively searched in all three shares, and so on. The script will output any file, file name, or folder name that matches any of the search terms. Currently the script reads each file in binary format, which means that if it comes across a Word document (such as document.doc) it doesn’t open / read the file like Microsoft Word would. The current script reads each line of the binary file looking for your search term. Reading a text file as binary seems to work fine, but reading Microsoft Office documents as binary has different results. One thing I’ve noticed in my testing is that generally speaking it does just fine searching through a *.doc file but has trouble searching through a *.docx file. Binary searching is not ideal but it’s my current solution. Python has the capability to open Microsoft Office documents in a more native format, but for my first go round I haven’t implemented that solution.
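The *.docx trouble comes from the format itself: a .docx file is a zip archive of compressed XML, so the text rarely appears literally in the raw bytes. The following is an added example, not part of the original script, that searches the decompressed XML using only the standard library; the function names and the sample document are constructed for illustration.

```python
import io
import re
import zipfile

W_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'

def make_sample_docx():
    """Constructed sample: a minimal .docx-style archive built in memory.
    The word "password" is split across two runs, as Word often stores it."""
    body = ('<w:p><w:r><w:t>Server notes for the team</w:t></w:r></w:p>'
            '<w:p><w:r><w:t>The admin pass</w:t></w:r>'
            '<w:r><w:t>word is kept here</w:t></w:r></w:p>')
    xml = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as archive:
        archive.writestr('word/document.xml', xml)
    return buf.getvalue()

def raw_search(data, term):
    """The script's current approach: look for the term in the raw bytes."""
    return re.search(re.escape(term).encode(), data, re.IGNORECASE) is not None

def docx_search(data, term):
    """Decompress the archive and search the visible text of each XML part."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                if not name.endswith('.xml'):
                    continue
                xml = archive.read(name).decode('utf-8', errors='replace')
                text = re.sub(r'<[^>]+>', '', xml)  # drop tags so split runs rejoin
                if pattern.search(text):
                    return True
    except zipfile.BadZipFile:
        # Not a zip container (renamed or truncated file): fall back to raw bytes.
        return raw_search(data, term)
    return False

if __name__ == '__main__':
    sample = make_sample_docx()
    print('raw bytes  :', raw_search(sample, 'password'))
    print('unzipped   :', docx_search(sample, 'password'))
```

The same approach applies to .xlsx and .pptx files, which use the same zip-of-XML container with different part names.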
Once you run the script you will see output similar to below.
Walking directory \\192.168.99.184\test
Found \\192.168.99.184\testtest.txt
Found \\192.168.99.184\testTravisAltmanResume.doc
Found \\192.168.99.184\test\onewordDoc1.docx
Found \\192.168.99.184\test\one\twopasswords.txt
Found \\192.168.99.184\test\one\two\threewordDoc2.docx
Searching file \\192.168.99.184\test\test.txt for term secret
Searching file \\192.168.99.184\test\TravisAltmanResume.doc for term secret
Searching file \\192.168.99.184\test\one\wordDoc1.docx for term secret
Searching file \\192.168.99.184\test\one\two\passwords.txt for term secret
Searching file \\192.168.99.184\test\one\two\three\wordDoc2.docx for term secret
Searching file \\192.168.99.184\test\test.txt for term password
Searching file \\192.168.99.184\test\TravisAltmanResume.doc for term password
Searching file \\192.168.99.184\test\one\wordDoc1.docx for term password
Searching file \\192.168.99.184\test\one\two\passwords.txt for term password
Searching file \\192.168.99.184\test\one\two\three\wordDoc2.docx for term password
Searching file \\192.168.99.184\test\test.txt for term username
Searching file \\192.168.99.184\test\TravisAltmanResume.doc for term username
Searching file \\192.168.99.184\test\one\wordDoc1.docx for term username
Searching file \\192.168.99.184\test\one\two\passwords.txt for term username
Searching file \\192.168.99.184\test\one\two\three\wordDoc2.docx for term username
This output on the command prompt is given as a verbose message so that you know what’s going on with the script. The output on the command prompt will not tell you if it found a search term. The results of your search are placed in a text file called output.txt located in the current directory. The content of output.txt should look similar to the following.
\\192.168.99.184\test\one\two\passwords.txt
=== Files matching search criteria ===
found secret in file \\192.168.99.184\test\one\two\passwords.txt
found password in file \\192.168.99.184\test\one\two\passwords.txt
So you can see that it matches the file name as well as the contents of the file. One thing to keep in mind is that this script can take a while to run. There are two factors that control how fast it runs: 1) speed of the network and 2) size (GB, MB, etc.) of the share. It works best when your network is local and not in another city. The biggest factor is going to be the size of the share. Running this script on a major file share that is, say, 800 GB in size will take a very long time. Keep in mind you can specify specific directories, so instead of searching in the root share such as \\share\one maybe it’s a better idea to search in \\share\one\two\three. So keep these factors in mind when running the script. Below is the script; simply cut and paste it into your text editor of choice and save it as searchShares.py
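import os
import sys
import re

# Usage (Python 3): searchShares.py <file listing shares> <file listing search terms>
# Results are appended to output.txt in the current directory.
output = open('output.txt', 'a')
output.write('\n')

# Walk every share and remember the full path of each file found.
fileList = []
shareList = open(sys.argv[1])
eachShare = shareList.readlines()
shareList.close()
for shares in eachShare:
    path = shares.rstrip('\r\n')
    print('\nWalking directory ' + path + '\n')
    for root, subFolders, files in os.walk(path):
        #print('Indexing ' + root + '\n')
        for file in files:
            fileList.append(os.path.join(root, file))
            print('Found ' + root + file)

keywords = open(sys.argv[2])
searchTerm = keywords.readlines()
keywords.close()

# Pass 1: report any path (folder or file name) that contains a search term.
output.write('=== Directories or file names matching search criteria ===\n')
for term in searchTerm:
    strip = term.rstrip('\r\n')
    matching = [s for s in fileList if strip in s]
    for item in matching:
        output.write('\n' + item)

# Pass 2: read each file as binary and report the files whose contents match.
output.write('\n\n=== Files matching search criteria ===\n\n')
for term in searchTerm:
    strip = term.rstrip('\r\n')
    # The term is used as a regular expression; files are read as bytes.
    pattern = re.compile(strip.encode(), re.IGNORECASE)
    for item in fileList:
        print('Searching file ' + item + ' for term ' + strip)
        try:
            with open(item, 'rb') as searchFile:
                for line in searchFile:
                    if pattern.search(line):
                        output.write('found ' + strip + ' in file ' + item + '\n')
                        break
        except OSError as err:
            # Unreadable file (access denied, locked, removed): note it and keep going.
            print('Skipping ' + item + ': ' + str(err))
output.close()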
Let me know if this works / doesn’t work and also let me know if you have any suggestions on how to make it better. One thing I might do in the future is to limit the types of files it searches to say only .txt, .doc, .xls, etc. Happy hunting for information on shares.
8 replies on “Search windows open shares with python”
Hi,
Have you tried with paths exceeding 255 characters ?
I have experienced access problems (with my actual tool “hyena”) when checking team’s shares (\\server\department\group\team) which are mounted on t:\ because this way permits to exceed 255 characters.
By the way nice script !
Dnucna,
I haven’t experienced a path of more than 255 characters. I would think that the script could handle it but I haven’t verified.
Hi
Interesting blog.
Can you explain a bit about what an open share is and how your script ties to it?
I am in the learning phase ( I find it interesting to go read blogs and find out things I don’t know before.)
I tried googling for understanding what an open share is, and what exactly are we doing here, but was unable to tie your blog up with things that I found.
Any good explanations please?
Sylar,
Sure, by open share I mean an open shared folder in windows. In windows you can right click on any folder and share the contents of that folder. Most people when sharing the contents of that folder share it with everyone. This means that they share the contents of that folder with very low permissions. Meaning that almost anyone on the network (and possibly the internet) can view the contents of that folder. My script was intended to search through known open shares, meaning your organization has setup shared folders intentionally to share knowledge throughout the organization. My script would already be aware of these shared folders and search for key terms in those shared folders. By allowing almost anyone and everyone read and write permissions to these shared folders has the potential for secret information to be in one of these shared folders. I wrote the script to allow anyone in an organization to search their open shares for information that shouldn’t be shared. Hopefully that answers your question, if not let me know. Cheers.
Yes. It does for the most part. Thanks mate 🙂
Just one more question, as you said that script would be aware of these shared folders (and from your blog, that is coming from the shares.txt)
Is there a method to find out openly shared folders instead of “already knowing” them?
Because, usually one would not be aware of all existing openly shared folders otherwise. (given the number of users connected to the network is high.)
Ah..never mind. Just read your new blog entry. Answers my question. Thanks again mate 🙂
Sylar,
The sysinternals tools are a great resource. There are plenty of great tools in that suite but for dealing with shares and permissions I like shareEnum to find open shares and accesschk to get granular permissions on those shares. Let me know if that helps
I didn’t get time to do a deep investigation. But I did download shareEnum and accesschk and gave them a swirl.
They seem to do a good job.
Thanks a lot mate. Much appreciated. 🙂