
Month of PowerShell - Windows File Server Enumeration

In this Month of PowerShell article we look at several commands to interrogate Windows SMB servers as part of our incident response toolkit.

Authored by Joshua Wright

#monthofpowershell

A quick article today on using PowerShell to enumerate Windows file servers speaking Server Message Block (SMB), Microsoft's file and print sharing protocol (among many other things).

I'm working on updating my SEC504: Hacker Tools, Techniques, and Incident Response course to embrace PowerShell meaningfully, giving people a chance to learn how to use PowerShell and put it into practice for incident response. For Windows file server interrogation over SMB, we have the powerful [code]net.exe[/code] command, but I wanted to talk about the equivalent PowerShell commands as well.

I'm using server here to refer to the Windows server service, which can run on Windows workstation and Windows Server systems.

Here's a quick table of useful commands, both using PowerShell and using [code]net.exe[/code], for interrogating SMB servers:

Functionality                         PowerShell                                                    CMD Command
-------------                         ----------                                                    -----------
View Remote SMB shares                Get-WmiObject -Class win32_share -ComputerName serverip [1]   net view \\server
View Local SMB Shares                 Get-SMBShare                                                  net share
Connect SMB share                     New-SmbMapping -LocalPath X: -RemotePath \\server\sharename   net use \\server\sharename
View Inbound Connections              Get-SmbSession                                                net session
Drop Inbound Connections              Close-SmbSession                                              net session \\server /del
View Outbound SMB Mapped Connections  Get-SmbMapping                                                net use
Drop Outbound SMB Mapped Connections  Remove-SmbMapping -Force                                      net use * /del

NOTE: The value [code]server[/code] in these examples can be an SMB server IP address or hostname; replace it with your SMB server's IP address or hostname. Similarly, replace [code]sharename[/code] with the name of the target share on that server.

Let's take a look at an example of how we might use some of these commands. If you learn about unauthorized access to a file share on an SMB server, you can use [code]Get-SmbSession[/code] to identify inbound connections:

PS C:\Users\Sec504> $env:COMPUTERNAME
SEC504STUDENT
PS C:\> Get-SmbSession
SessionId    ClientComputerName ClientUserName       NumOpens
---------    ------------------ --------------       --------
549755813893 10.10.75.1         SEC504STUDENT\sec504 1

NOTE: Running [code]Get-SmbSession[/code] will require an administrative PowerShell session.

Here we see an inbound SMB connection from 10.10.75.1, logged in as the user sec504. We know this is local authentication (as opposed to domain authentication) because the local hostname (SEC504STUDENT) precedes the username in the ClientUserName column, where a domain name would appear for a domain logon.

This output is helpful, but it doesn't give us all of the detail we might like. We can display additional properties in the output of [code]Get-SmbSession[/code] to identify when the connection was established, how long the session has been idle, the SMB version in use, and more:

PS C:\> Get-SmbSession | Select-Object ClientComputerName, Dialect, SecondsExists, SecondsIdle
ClientComputerName Dialect SecondsExists SecondsIdle
------------------ ------- ------------- -----------
10.10.75.1         3.1.1            8147          84

Tip: Check out the Microsoft Get-SmbSession documentation for a list of all properties available and other useful examples.

If this were indeed an incident and you decided to initiate your incident response process, you would follow the steps in your incident response playbook. These might include changing the password of the identified user and disconnecting them from the server. Not a problem for PowerShell!

PS C:\> $Password = Read-Host -AsSecureString
***********
PS C:\> Set-Localuser -Name sec504 -Password $Password
PS C:\> Close-SmbSession -ClientComputerName 10.10.75.1 -Force
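The triage and containment steps above, wrapped into two reusable functions as an added example (this is not code from the article): one builds a session report that also derives the local-versus-domain authentication point made earlier, the other closes every session from a given client after saving what was observed. It assumes an administrative PowerShell session on the SMB server, and the idle threshold and evidence path are assumed defaults.

```powershell
# Added example, not from the original article. Requires an administrative
# PowerShell session on the Windows SMB server being examined.

function Get-SmbSessionReport {
    [CmdletBinding()]
    param(
        # Sessions idle at least this long are flagged (assumed threshold)
        [int]$IdleThresholdSeconds = 3600
    )
    Get-SmbSession | ForEach-Object {
        # ClientUserName is AUTHORITY\user; an authority equal to this
        # host's name means a local account, anything else a domain logon
        $authority = ($_.ClientUserName -split '\\', 2)[0]
        $scope = if ($authority -ieq $env:COMPUTERNAME) { 'Local' } else { 'Domain' }
        [pscustomobject]@{
            SessionId          = $_.SessionId
            ClientComputerName = $_.ClientComputerName
            ClientUserName     = $_.ClientUserName
            AuthScope          = $scope
            Dialect            = $_.Dialect
            NumOpens           = $_.NumOpens
            SecondsExists      = $_.SecondsExists
            SecondsIdle        = $_.SecondsIdle
            IdleFlag           = ($_.SecondsIdle -ge $IdleThresholdSeconds)
        }
    }
}

function Disconnect-SmbClient {
    # Closes all inbound sessions from one client, supports -WhatIf/-Confirm
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClientComputerName,
        # Where the pre-containment snapshot is written (assumed default)
        [string]$EvidencePath = "$env:TEMP\smb-sessions-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )
    $sessions = Get-SmbSessionReport | Where-Object ClientComputerName -eq $ClientComputerName
    if (-not $sessions) { Write-Warning "No SMB sessions from $ClientComputerName"; return }
    # Record what was seen before the sessions disappear
    $sessions | Export-Csv -Path $EvidencePath -NoTypeInformation
    foreach ($s in $sessions) {
        $target = "$ClientComputerName ($($s.ClientUserName), SessionId $($s.SessionId))"
        if ($PSCmdlet.ShouldProcess($target, 'Close SMB session')) {
            Close-SmbSession -SessionId $s.SessionId -Force
        }
    }
}

# Usage: Get-SmbSessionReport | Format-Table -AutoSize
#        Disconnect-SmbClient -ClientComputerName 10.10.75.1 -WhatIf
```

Run the containment function with -WhatIf first to confirm which sessions would be closed; the CSV snapshot gives you the timeline detail (Dialect, SecondsExists, SecondsIdle) for the incident record after the connection is gone.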

Naturally, PowerShell has powerful tools for interrogating and managing Windows SMB services. Using the built-in PowerShell help and remembering the Verb-Noun syntax makes these commands straightforward to remember, and they offer more flexibility as well!

[1] Viewing remote SMB shares really is best done using [code]net view \\server[/code]. The PowerShell [code]Get-WmiObject -Class win32_share[/code] command works, but only for Windows SMB servers, since it queries WMI on the remote host rather than speaking SMB. [code]net.exe[/code] is the superior option here.

-Joshua Wright



Joshua Wright is the author of SANS SEC504: Hacker Tools, Techniques, and Incident Handling, a faculty fellow for the SANS Institute, and a senior technical director at Counter Hack.
