SMB -JS Templates

javascript/network/smb/smb-anonymous-access.yaml

@@ -0,0 +1,39 @@
+id: smb-anonymous-access
+
+info:
+  name: SMB Anonymous Access Detection
+  author: pussycat0x
+  severity: high
+  description: |
+    Detects anonymous access to SMB shares on a remote server.
+  reference:
+    - https://wadcoms.github.io/wadcoms/SMBClient-List-Shares-Anonymous/
+  metadata:
+    verified: true
+    shodan-query: "port:445"
+  tags: js,network,smb,enum,misconfig
+
+javascript:
+  - code: |
+      var m = require("nuclei/smb");
+      var c = m.SMBClient();
+      var response = c.ListShares(Host,Port,User,Pass);
+      to_json(response);
+
+    args:
+      Host: "{{Host}}"
+      Port: "445"
+      User: " "
+      Pass: " "
+
+    matchers:
+      - type: dsl
+        dsl:
+          - success == true
+          - contains(response, "IPC$")
+        condition: and
+
+    extractors:
+      - type: json
+        json:
+          - '.[]'

javascript/network/smb/smb-shares.yaml

@@ -0,0 +1,32 @@
+id: smb-shares
+
+info:
+  name: SMB Shares - Enumeration
+  author: pussycat0x
+  severity: low
+  description: |
+    Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.
+  reference:
+    - https://nmap.org/nsedoc/scripts/smb-enum-shares.html
+  metadata:
+    verified: true
+    shodan-query: "port:445"
+  tags: js,network,smb,enum
+
+javascript:
+  - code: |
+      var m = require("nuclei/smb");
+      var c = m.SMBClient();
+      var response = c.ListShares(Host, Port, User, Pass);
+      to_json(response);
+
+    args:
+      Host: "{{Host}}"
+      Port: "445"
+      User: "test"
+      Pass: "test"
+
+    extractors:
+      - type: json
+        json:
+          - '.[]'

javascript/network/smb/smb-signing-not-required.yaml

@@ -0,0 +1,35 @@
+id: smb-signing-not-required
+
+info:
+  name: SMB Signing Not Required
+  author: pussycat0x
+  severity: medium
+  description: |
+    Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
+  reference:
+    - https://www.tenable.com/plugins/nessus/57608
+    - https://nmap.org/nsedoc/scripts/smb2-security-mode.html
+  metadata:
+    verified: true
+    shodan-query: "port:445"
+  tags: js,network,smb,enum
+
+javascript:
+  - code: |
+      var m = require("nuclei/smb");
+      var c = m.SMBClient();
+      var response = c.ListSMBv2Metadata(Host, Port, User, Pass);
+      to_json(response);
+
+    args:
+      Host: "{{Host}}"
+      Port: "445"
+      User: "test"
+      Pass: "test"
+
+    matchers:
+      - type: word
+        words:
+          - '"SigningEnabled": true'
+          - '"SigningRequired": false'
+        condition: and

javascript/network/smb/smb2-capabilities.yaml

@@ -0,0 +1,29 @@
+id: smb2-capabilities
+
+info:
+  name: smb2-capabilities - Enumeration
+  author: pussycat0x
+  severity: info
+  description: |
+    Attempts to list the supported capabilities in a SMBv2 server for each enabled dialect.
+  reference:
+    - https://nmap.org/nsedoc/scripts/smb2-capabilities.html
+  metadata:
+    shodan-query: "port:445"
+
+javascript:
+  - code: |
+      var m = require("nuclei/smb");
+      var c = m.SMBClient();
+      var response = c.ConnectSMBInfoMode(Host, Port);
+      to_json(response);
+
+    args:
+      Host: "{{Host}}"
+      Port: "445"
+
+    extractors:
+      - type: json
+        part: response
+        json:
+          - '.Capabilities | with_entries(select(.value == true)) | keys'