Tenable Network Security


smbshell.nbin - An interactive SMB Shell

Description

smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks :
  • Navigate through the remote SMB shares and download files or obtain their version number
  • Read/Enumerate the remote registry over SMB
  • Query/Start/Stop/Pause remote services
  • Obtain an interactive shell (cmd.exe) on the remote host
This tool can be used by Windows administrators, security auditors and pen-testers to interact with a remote Windows system.

This tool does not exploit any vulnerability in Windows; it therefore requires a valid administrator login and password for the remote host.

Installation

smbshell is a pre-compiled NASL script, so you need to install Nessus 3 first.
To run smbshell, download it and run it through the 'nasl' command-line utility :
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, copy it to C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do (the path is quoted because of the space in "Program Files") :
C:\> "C:\Program Files\Tenable\Nessus\nasl.exe" -t TargetIP smbshell.nbin

Usage

smbshell contains the following modules :
  • ftp (file transfer)
      This module can be used to download arbitrary files from the remote host, as well as to gather their version (and other resource information).
      The following commands are recognized :
        dir                   List the remote files in the current working directory
        version 'filename'    Query version information about the remote file 'filename'
        pwd                   Display the current working directory
        cd 'dir'              Switch the working directory to 'dir'
        get 'filename'        Download the file 'filename' and save it on the local system
        put 'filename'        Upload the local file 'filename' to the remote working directory
        quit                  Quit the FTP sub-module
  • reg (registry)
      This module can be used to read the remote registry keys and their values, as well as to recursively walk a given registry hive.
      The following commands are recognized :
        enum_keys 'key'       Enumerate the subkeys of 'key'
        enum_values 'key'     Enumerate the values of 'key'
        renum 'key'           Recursively enumerate the values and subkeys of 'key'
        quit                  Quit this sub-module
  • users (User Management)
      This module can be used to obtain information about the users of the remote host.
      The following commands are recognized :
        list_members 'group'  List the members of 'group'
        user_info 'user'      Display information about 'user'
        quit                  Quit this sub-module
  • services (Service Management)
      This module can be used to obtain information about the remote services, as well as to start and stop them. The following commands are recognized :
        enum                  Enumerate services
        info 'service'        Display information about 'service'
        start 'service'       Start 'service'
        stop 'service'        Stop 'service'
        pause 'service'       Pause 'service'
        continue 'service'    Resume a paused 'service'
        quit                  Quit this sub-module
  • shell (secure interactive shell)
      This module gives you interactive access to the remote host through cmd.exe over port 445. The shell session is encrypted, so that the commands sent to the remote host cannot be read by anyone eavesdropping on the wire. This feature is considered experimental and it tampers with the remote host, since it uploads and executes a service there: the service installation is recorded on the host (the Service Control Manager logs it in the System event log), so use it only where that footprint is acceptable, and verify afterwards that the service is no longer present on the host.
      To start an interactive session, type "shell". To exit from it, type "exit". Any other command typed is sent directly to a remote instance of cmd.exe.
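Because the shell module authenticates over SMB with administrator credentials and then installs a service, its use leaves a recognisable pair of traces on the target: a network logon (Security event 4624, logon type 3) followed within seconds by a service installation (System event 7045) whose image path sits directly under a writable admin share root (ADMIN$ maps to %SystemRoot%, C$ to C:\). The check below is an added example written for this page, not code from smbshell or Tenable; it correlates the two over constructed log records, and the service name, image path and addresses in the sample are placeholders (the page does not document the names smbshell actually uses).

```python
"""Correlate network logons with service installations on a Windows host.

Added example, not part of smbshell.  The records below are constructed
sample events in a simplified form; in practice they would be parsed out
of the Security and System event logs.  Names and paths are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: dict


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    # network logon (type 3) as an administrator from a remote address
    Event(datetime(2007, 3, 1, 10, 0, 0), 4624,
          {"LogonType": "3", "IpAddress": "10.0.0.5", "TargetUserName": "Administrator"}),
    # seven seconds later a service appears whose binary was dropped into %SystemRoot%
    Event(datetime(2007, 3, 1, 10, 0, 7), 7045,
          {"ServiceName": "svc_a1b2", "ImagePath": "C:\\WINDOWS\\svc_a1b2.exe",
           "AccountName": "LocalSystem"}),
    # a legitimate vendor service installed into its own directory
    Event(datetime(2007, 3, 1, 12, 30, 0), 7045,
          {"ServiceName": "Backup Agent",
           "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\"",
           "AccountName": "LocalSystem"}),
    # an interactive (console) logon, not relevant to SMB activity
    Event(datetime(2007, 3, 1, 13, 0, 0), 4624,
          {"LogonType": "2", "IpAddress": "-", "TargetUserName": "alice"}),
]

# Directories a file lands in when it is written through the ADMIN$ or C$
# share root.  A service binary placed directly in one of them (no vendor
# subdirectory) is the pattern worth reviewing.
DROP_DIRS = ("c:\\windows\\", "c:\\winnt\\", "c:\\")


def is_dropped_path(image_path):
    """True if the executable in `image_path` sits directly in a share root."""
    p = image_path.strip('"').lower()
    # keep only the executable, dropping any arguments that follow it
    exe = p.split(".exe")[0] + ".exe" if ".exe" in p else p
    for d in DROP_DIRS:
        if exe.startswith(d) and "\\" not in exe[len(d):]:
            return True
    return False


def correlate(events, window=timedelta(minutes=5)):
    """Return (install_event, logon_event_or_None) for every 7045 whose image
    path looks dropped; the logon is the latest type-3 logon within `window`
    before the installation, or None if there was none."""
    logons = [e for e in events
              if e.event_id == 4624 and e.fields.get("LogonType") == "3"]
    hits = []
    for e in events:
        if e.event_id != 7045 or not is_dropped_path(e.fields["ImagePath"]):
            continue
        prior = [l for l in logons if timedelta(0) <= e.time - l.time <= window]
        hits.append((e, max(prior, key=lambda l: l.time) if prior else None))
    return hits


if __name__ == "__main__":
    for install, logon in correlate(SAMPLE_EVENTS):
        src = logon.fields["IpAddress"] if logon else "no preceding network logon"
        print(f"{install.time} service {install.fields['ServiceName']!r} "
              f"installed from {install.fields['ImagePath']} ({src})")
```

On a real host the same records come from the Security log (4624) and the System log (7045); the five-minute window is an assumption chosen to cover the time between the SMB logon and the service start, and should be tuned to the environment.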

Download

You can download smbshell 0.3 here

Feedback

You can send your feedback about smbshell to smbshell@nessus.org

Author

smbshell was written by Nicolas Pouvesle, from Tenable Network Security, Inc.