I’m sure this has been done many times before, but not by me. Many companies have Data Loss Prevention (DLP) tools that they can run on open file shares to check for specific file names or file types (and file contents too): for example, database backup files, private key file extensions, or file names like password.txt!
This is just a quick script to do a high-level file search on open shares on a network. It may be useful for smaller companies that don’t have the budget for DLP. I ran this as a regular user to see what normal users can see on the network.
If an attacker gets a foothold on a network, they might do something like this. Attackers have no need to use tools if passwords (and other sensitive info) are available on open file shares. Why would an attacker try to hack into a server if the password for it is listed on a file share somewhere?
I’m sure I missed some edge cases. My personal lab only has 5 machines in my Active Directory, so please don’t complain about the free code if it doesn’t work perfectly.
Initially I wrote this to use the new PowerShell 7 preview 3 parallel feature, but that would mean someone would have to install PowerShell 7 preview 3 and the .NET Core version it requires to use the code, so I just wrote it without using the new feature.
I’m using some initial search terms that immediately came to mind, but you can change the $SearchTerm line (highlighted below) to search for whatever file names you want. The highlighted line below lists the file names I’m searching for: in this case, SQL Server database backups, password files, config files that may contain passwords, and private key file extensions. Modify as you see fit. Lines 6 through 8 list the computers in AD.
The next bit of code is used to list the file shares on each computer. I’m just looping through each computer and seeing what shares might be accessible. I found the highlighted code I needed to list file shares here: (https://www.itprotoday.com/powershell/view-all-shares-remote-machine-powershell). I modified it slightly to not give output on access errors. Then I put the file path in UNC format (\\Computername\sharename) into a list.
Below, I’m just looping through each folder (checking if it is accessible) and recursively looking for the file names I specified in $SearchTerm. Please note, in the highlighted values below, I chose to explicitly exclude root folders in the file shares that contain “Windows”, “Program Files” and “Admin$”. Those folders slow down the script a lot. You can modify the exclusions if you like, but the script will be much slower.
Finally, I output the matching files and the open shares to C:\Temp\MatchingFiles.txt and C:\Temp\OpenFileShares.txt.
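The steps described above (list AD computers, list reachable shares as UNC paths, search them recursively, write two report files) can be sketched as a share audit like the one below. This is an added example, not the author's script: it assumes the RSAT ActiveDirectory module and CIM/WinRM access to the machines, and the function names and the patterns in $SearchTerm are illustrative choices.

```powershell
# Added example (not the author's script). Assumes the RSAT ActiveDirectory module
# and CIM/WinRM access to the machines; the patterns below are illustrative choices.
Import-Module ActiveDirectory

$SearchTerm   = '*.bak', '*password*', '*.config', '*.pfx', '*.pem', '*.key'
$ExcludeRoots = 'Windows', 'Program Files'      # root folders skipped for speed
$OutDir       = 'C:\Temp'

function Get-OpenShare {
    param([string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        # Access errors are silenced so unreachable machines are skipped quietly.
        $shares = Get-CimInstance -ClassName Win32_Share -ComputerName $computer -ErrorAction SilentlyContinue
        foreach ($share in $shares) {
            if ($share.Name -in 'ADMIN$', 'IPC$') { continue }
            $unc = "\\$computer\$($share.Name)"
            # Keep only shares the current (regular) user can actually open.
            if (Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue) { $unc }
        }
    }
}

function Find-SensitiveFile {
    param([string[]]$SharePath, [string[]]$Pattern, [string[]]$ExcludeRoot)
    foreach ($share in $SharePath) {
        $items = @(Get-ChildItem -LiteralPath $share -ErrorAction SilentlyContinue)
        $files = @($items | Where-Object { -not $_.PSIsContainer })
        foreach ($dir in ($items | Where-Object { $_.PSIsContainer })) {
            # Skip excluded folders only at the root of the share.
            if ($ExcludeRoot | Where-Object { $dir.Name -like "*$_*" }) { continue }
            $files += @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -ErrorAction SilentlyContinue)
        }
        foreach ($file in $files) {
            if ($Pattern | Where-Object { $file.Name -like $_ }) { $file.FullName }
        }
    }
}

$computers  = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
$openShares = @(Get-OpenShare -ComputerName $computers)
$hits       = @(Find-SensitiveFile -SharePath $openShares -Pattern $SearchTerm -ExcludeRoot $ExcludeRoots)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$openShares | Out-File (Join-Path $OutDir 'OpenFileShares.txt')
$hits       | Out-File (Join-Path $OutDir 'MatchingFiles.txt')
```

Every path in MatchingFiles.txt is readable by the account that ran the audit, so each hit is a candidate for tightening share permissions or relocating the file.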
Here is the output from my personal lab. I put a few files there intentionally for testing.
The output is stored in C:\Temp
The code is here:
I hope this is helpful to someone. Feel free to follow me on Twitter https://twitter.com/_markmo_
Don’t run this or any other code on systems you don’t have permission to run them on. Use at your own risk.