Invoke-SMBScanner - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/network/smbscanner Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-SMBScanner
Module: powershell/situational_awareness/network/smbscanner
Source code [1]: empire/server/modules/powershell/situational_awareness/network/smbscanner.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/Invoke-SmbScanner.ps1
MITRE ATT&CK:
T1135, T1187
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The smbscanner module tests usernames/password combination across a number of machines.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the smbscanner module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the smbscanner module:
Agent
Agent to run module on.
Password
Password to test.
Usernames
Username(s) to use. Comma separated. Example: kclark,Administrator,sqlsvc.
Additional Module Options
This is a list of additional options that are supported by the smbscanner module:
ComputerName
Comma-separated hostnames to try username/password combinations against. Otherwise enumerate the domain for machines.
CredID
CredID from the store to use.
Domain
Domain to use. Defaults to local authentication.
NoPing
Switch. Don't ping hosts before enumeration.
Smbscanner Example Usage
Here's an example of how to use the smbscanner module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/smbscanner
Author @obscuresec
@harmj0y
@kevin
Background True
Comments https://gist.github.com/obscuresec/df5f652c7e7088e2412c
Description Tests usernames/password combination across a number of machines.
Language powershell
Name powershell/situational_awareness/network/smbscanner
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1135
http://attack.mitre.org/techniques/T1187
,Record Optionsw-------,----------,----------------------------------,
| Name | Value | Required | Description |
|--------------|-------|----------|----------------------------------|
| Agent | | True | Agent to run module on. |
|--------------|-------|----------|----------------------------------|
| ComputerName | | False | Comma-separated hostnames to try |
| | | | username/password combinations |
| | | | against. Otherwise enumerate the |
| | | | domain for machines. |
|--------------|-------|----------|----------------------------------|
| CredID | | False | CredID from the store to use. |
|--------------|-------|----------|----------------------------------|
| Domain | . | False | Domain to use. Defaults to local |
| | | | authentication |
|--------------|-------|----------|----------------------------------|
| NoPing | | False | Switch. Don't ping hosts before |
| | | | enumeration. |
|--------------|-------|----------|----------------------------------|
| Password | | True | Password to test. |
|--------------|-------|----------|----------------------------------|
| Usernames | | True | Username(s) to use. Comma |
| | | | separated. Example: |
| | | | kclark,Administrator,sqlsvc |
'--------------'-------'----------'----------------------------------'
(Empire: usemodule/powershell/situational_awareness/network/smbscanner) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/smbscanner) > set Password Password123
[*] Set Password to Password123
(Empire: usemodule/powershell/situational_awareness/network/smbscanner) > set Usernames value
[*] Set Usernames to value
(Empire: usemodule/powershell/situational_awareness/network/smbscanner) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/network/smbscanner.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/network/Invoke-SmbScanner.ps1
- https://gist.github.com/obscuresec/df5f652c7e7088e2412c
- http://attack.mitre.org/techniques/T1135
- http://attack.mitre.org/techniques/T1187
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/network/bloodhound3
- powershell/situational_awareness/network/arpscan
- powershell/situational_awareness/network/reverse_dns
- powershell/situational_awareness/network/get_sql_server_info
- powershell/situational_awareness/network/bloodhound
- powershell/situational_awareness/network/get_kerberos_service_ticket
- powershell/situational_awareness/network/portscan
- powershell/situational_awareness/network/get_sql_instance_domain
- powershell/situational_awareness/network/smblogin
- powershell/situational_awareness/network/smbautobrute
- powershell/situational_awareness/network/get_spn
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.