The Wonderful World of SMB/AFP Shares

I was recently involved in a 3-Day Vulnerability Assessment where I had quite literally no idea where to start. I suppose that's to be expected when you're the new guy and thrown into something, but I honestly wasn't sure what to even look for. I fell onto my past knowledge and decided to just wreck anything Windows related (my previous job was a Windows-only environment). I got a few corporate IP-ranges, and I set off... I quite literally nmap'd anything in that corporate IP-range (woops...).

The Recurring Theme

Non-windows boxes had SSH open but locked down enough that I didn't care to dig further. Developers had random HTTP ports open but most were the default Apache page.

 That page mocked me for all 3 days of the event...

But of course, that has nothing to do with the post title, so that can't be why I'm writing this. Look at you, astute reader. Port 445 and 548 were the recurring theme, better yet, an intense nmap scan will even point out that it detected an SMB/AFP share with its associated permissions. How nice! As you can imagine, this was the beginning of the wild ride of internal incident reports and vulnerability findings.

Abusing Open SMB/AFP Shares

The next obvious question is the usual So What? Well, let's jump into some potential pivot tactics one can take with an open SMB/AFP share.

Placing malicious files onto an individual's machine

This should be obvious, but if you have write access to an SMB/AFP share, you can place files onto that person's or server's hard drive. Depending on what files are being shared, you can attempt to swap out binaries that are typically run by Windows/Mac OSX with a meterpreter payload, swap out common programs a user would run with a meterpreter payload, or place an innocuous file on their desktop. The last option would require some social engineering to get the user to run the payload but no doubt still possible.

DOS-ing via hard drive space consumption

Interested in truly ruining someone's day? Well, an open SMB/AFP share with write access gives you the opportunity to fill their hard drive with cat memes until they can't meme no more...

Sensitive information disclosure

Log files, hidden metadata files, and others are juicy even when the SMB/AFP share doesn't have write access. Make copies of any dotfiles or other log files and sift through them later. I'm not going to confirm that I obtained a private key during this exercise, but I will say that they are one of the things you find with this method.

It Gets Even Better

Now that you know a few things you can do with an open SMB/AFP share, let's talk about why this is even worth mentioning. I mean, aren't most SMB/AFP shares on your internal network? Why even worry? Well, glad you asked... Over 90% of the open SMB/AFP shares I found weren't on servers, they were on employee's personal laptops. This means when Jane Smith, employee of Acme Inc., takes their laptop to Starbucks on Sunday that same SMB/AFP share will be hanging out on the network. And we all know that no one at Starbucks is malicious...

The typical Starbucks WiFi user. Kind, fluffy, and obviously not out to steal your dataz.

Wrapping Up

SMB/AFP shares can expose sensitive internal information to the whole wide world when an employee decides to share a folder off their laptop. Also, those internal network shares are only an Ethernet connection away from being stolen as well, so always be sure to lock down open SMB/AFP shares on your internal network. And of course, writable SMB/AFP shares are the definition of asking to be pwned. Creating a system to monitor for file shares is a great mitigation strategy. Using Windows AD/Group Policy to not allow user's to create shares from their laptop is another strategy. General awareness that this is something worth monitoring is really the big takeaway here, so I hope you consider this in your next red team engagement. I'm hoping to put together a tool that allows for efficient scanning of SMB/AFP shares on your network and spewing out a list of open shares with associated permissions. Keep an eye out for that in the coming weeks.