diff --git a/javascript/network/smb/smb-anonymous-access.yaml b/javascript/network/smb/smb-anonymous-access.yaml
new file mode 100644
index 00000000000..e06a3d76577
--- /dev/null
+++ b/javascript/network/smb/smb-anonymous-access.yaml
@@ -0,0 +1,39 @@
+id: smb-anonymous-access
+
+info:
+ name: SMB Anonymous Access Detection
+ author: pussycat0x
+ severity: high
+ description: |
+ Detects anonymous access to SMB shares on a remote server.
+ reference:
+ - https://wadcoms.github.io/wadcoms/SMBClient-List-Shares-Anonymous/
+ metadata:
+ verified: true
+ shodan-query: "port:445"
+ tags: js,network,smb,enum,misconfig
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = m.SMBClient();
+ var response = c.ListShares(Host,Port,User,Pass);
+ to_json(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+ User: " "
+ Pass: " "
+
+ matchers:
+ - type: dsl
+ dsl:
+ - success == true
+ - contains(response, "IPC$")
+ condition: and
+
+ extractors:
+ - type: json
+ json:
+ - '.[]'
\ No newline at end of file
diff --git a/javascript/network/smb/smb-shares.yaml b/javascript/network/smb/smb-shares.yaml
new file mode 100644
index 00000000000..6efcc33004b
--- /dev/null
+++ b/javascript/network/smb/smb-shares.yaml
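Review bot: In smb-anonymous-access.yaml the matcher pair `success == true` and `contains(response, "IPC$")` only shows that a share list came back for the credentials in `args`; it does not show that any share can be read, so `severity: high` and the description "anonymous access to SMB shares" overstate what a hit proves. I would reword the description to something like `Detects SMB servers that return their share list to a session opened with blank credentials.` and lower the severity unless a later step confirms read access. `User: " "` and `Pass: " "` are a single space rather than empty strings, which some servers may treat as a guest logon instead of a null session; if the space is deliberate, a comment next to it should say why. `Port: "445"` is hard-coded here and in the other three templates of this commit, so services on a non-default port are never checked.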
@@ -0,0 +1,32 @@
+id: smb-shares
+
+info:
+ name: SMB Shares - Enumeration
+ author: pussycat0x
+ severity: low
+ description: |
+ Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.
+ reference:
+ - https://nmap.org/nsedoc/scripts/smb-enum-shares.html
+ metadata:
+ verified: true
+ shodan-query: "port:445"
+ tags: js,network,smb,enum
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = m.SMBClient();
+ var response = c.ListShares(Host, Port, User, Pass);
+ to_json(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+ User: "test"
+ Pass: "test"
+
+ extractors:
+ - type: json
+ json:
+ - '.[]'
\ No newline at end of file
diff --git a/javascript/network/smb/smb-signing-not-required.yaml b/javascript/network/smb/smb-signing-not-required.yaml
new file mode 100644
index 00000000000..a65ec04dac5
--- /dev/null
+++ b/javascript/network/smb/smb-signing-not-required.yaml
@@ -0,0 +1,35 @@
+id: smb-signing-not-required
+
+info:
+ name: SMB Signing Not Required
+ author: pussycat0x
+ severity: medium
+ description: |
+ Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
+ reference:
+ - https://www.tenable.com/plugins/nessus/57608
+ - https://nmap.org/nsedoc/scripts/smb2-security-mode.html
+ metadata:
+ verified: true
+ shodan-query: "port:445"
+ tags: js,network,smb,enum
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = m.SMBClient();
+ var response = c.ListSMBv2Metadata(Host, Port, User, Pass);
+ to_json(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+ User: "test"
+ Pass: "test"
+
+ matchers:
+ - type: word
+ words:
+ - '"SigningEnabled": true'
+ - '"SigningRequired": false'
+ condition: and
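Review bot: In smb-shares.yaml the description is the nmap smb-enum-shares text (NetShareEnumAll, NetShareGetInfo, a fallback list of common share names), but the code in the hunk makes a single `c.ListShares(Host, Port, User, Pass)` call with the fixed credentials `test`/`test`, so a reader cannot tell what a result means. I would describe what the template actually does, for example `Lists the shares returned by ListShares when authenticating as test/test.`, and add a comment above `User: "test"` explaining why that account was chosen. There is no matcher here, whereas smb-anonymous-access.yaml checks `success == true`; adding the same check would presumably keep failed logons from producing output. Each run will likely leave a logon attempt for `test` in the target's security log, which is worth stating in the description for whoever triages those events.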
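Review bot: In smb-signing-not-required.yaml the word matcher requires both `'"SigningEnabled": true'` and `'"SigningRequired": false'`, so a server with signing turned off altogether, which also does not require signing, would not match. Matching on `'"SigningRequired": false'` alone covers both cases. The words also depend on the exact `": "` spacing of the `to_json` output, so a `dsl` matcher on the parsed field would be less brittle if the engine exposes it. `ListSMBv2Metadata` is passed `User` and `Pass` (`test`/`test`); if the call only needs host and port, as `ConnectSMBInfoMode` does in smb2-capabilities.yaml, those two args can be dropped so the check sends no credentials.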
diff --git a/javascript/network/smb/smb2-capabilities.yaml b/javascript/network/smb/smb2-capabilities.yaml
new file mode 100644
index 00000000000..f0ec19bf3a2
--- /dev/null
+++ b/javascript/network/smb/smb2-capabilities.yaml
@@ -0,0 +1,29 @@
+id: smb2-capabilities
+
+info:
+ name: smb2-capabilities - Enumeration
+ author: pussycat0x
+ severity: info
+ description: |
+ Attempts to list the supported capabilities in a SMBv2 server for each enabled dialect.
+ reference:
+ - https://nmap.org/nsedoc/scripts/smb2-capabilities.html
+ metadata:
+ shodan-query: "port:445"
+
+javascript:
+ - code: |
+ var m = require("nuclei/smb");
+ var c = m.SMBClient();
+ var response = c.ConnectSMBInfoMode(Host, Port);
+ to_json(response);
+
+ args:
+ Host: "{{Host}}"
+ Port: "445"
+
+ extractors:
+ - type: json
+ part: response
+ json:
+ - '.Capabilities | with_entries(select(.value == true)) | keys'
\ No newline at end of file
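Review bot: smb2-capabilities.yaml has no `tags:` line under `info`, while the other three templates in this commit carry one, so tag-based selection (for example by `smb`) would presumably skip it. Adding `tags: js,network,smb,enum` would bring it in line with its siblings. The extractor `.Capabilities | with_entries(select(.value == true)) | keys` assumes `Capabilities` is always an object; if the field can be missing from the response, `(.Capabilities // {})` in front of `with_entries` avoids a jq error. The file ends without a trailing newline, as do smb-anonymous-access.yaml and smb-shares.yaml.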