In my last post – When blogs don’t work – I was a little frustrated at there being no way for you to enumerate certain bits of information via RPCClient.
Shortly after creating that blog post, I had a notion for trying Wireshark. All SMB data requests run over the wire right? so why not try it.
As a test I ran wireshark with the filter “tcp.port==445” I then opened a file share on my PC and the packets started flooding in. A massive amount of information in a few seconds. This was great.
I right clicked on an entry “Create Response File: filename_of the file.something” and followed TCP stream. A whole load of mixed garbage appeared. You’d be foolish for closing this down without sifting through it.
I copied this into Notepad++ and started removing all the dots. This is cleaning up nicely. I started removing extra spaces with Find and Replace. Excellent! Some data that is readable. I must add that converting the output to ASCII before you copy it into Notepad++ helps.
You’d be surprised. I only accessed one file. All of a sudden I have more information from one capture file than anything I could glean from RPCClient.
- Server names
- Server default shares
- Server working directory shares
- Username of user who accessed the information
This is useful stuff.
Searching under the protocols “SMB & SMB2” pulls out a lot of data especially when pointed to the server IP collected from the first capture.
I’m sure there is other information in the capture file that would be of use. At this moment I’d have to investigate what is transferred over a network when network shares are accessed. I’m assuming at this point credentials would have to be shared due to file and folder permissions. However, I don’t think this would be as straightforward as collecting hashes.