{"id":13840895,"url":"https://github.com/punk-security/smbeagle","last_synced_at":"2025-05-15T08:10:54.222Z","repository":{"id":37464716,"uuid":"372613297","full_name":"punk-security/smbeagle","owner":"punk-security","description":"SMBeagle - Fileshare auditing tool.","archived":false,"fork":false,"pushed_at":"2025-01-21T22:34:00.000Z","size":305,"stargazers_count":711,"open_issues_count":12,"forks_count":80,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-04-10T06:36:26.630Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/punk-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-31T19:46:57.000Z","updated_at":"2025-03-27T17:08:18.000Z","dependencies_parsed_at":"2025-01-15T15:11:53.217Z","dependency_job_id":"dc06dcf4-a6fc-4e6a-b040-0a54711693c9","html_url":"https://github.com/punk-security/smbeagle","commit_stats":{"total_commits":88,"total_committers":7,"mean_commits":"12.571428571428571","dds":"0.23863636363636365","last_synced_commit":"46992974dc82f1b1e4b5f1d54179029d750c0ab4"},"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2Fsmbeagle","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2Fsmbeagle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/punk-security%2Fsmbeagle/releases","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/punk-security%2Fsmbeagle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/punk-security","download_url":"https://codeload.github.com/punk-security/smbeagle/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254301432,"owners_count":22047904,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:59.057Z","updated_at":"2025-05-15T08:10:54.176Z","avatar_url":"https://github.com/punk-security.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://GitHub.com/punk-security/pwnspoof/graphs/commit-activity)\n[![Maintaner](https://img.shields.io/badge/maintainer-PunkSecurity-blue)](https://www.punksecurity.co.uk)\n[![Docker Pulls](https://img.shields.io/docker/pulls/punksecurity/smbeagle)](https://hub.docker.com/r/punksecurity/smbeagle)\n[![Lines of Code](https://sonarcloud.io/api/project_badges/measure?project=punk-security_smbeagle\u0026metric=ncloc)](https://sonarcloud.io/summary/new_code?id=punk-security_smbeagle)\n[![Bugs](https://sonarcloud.io/api/project_badges/measure?project=punk-security_smbeagle\u0026metric=bugs)](https://sonarcloud.io/summary/new_code?id=punk-security_smbeagle)\n[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=punk-security_smbeagle\u0026metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=punk-security_smbeagle)\n\n```\n    ____              __   _____  
                    _ __       \n   / __ \\__  ______  / /__/ ___/___  _______  _______(_) /___  __\n  / /_/ / / / / __ \\/ //_/\\__ \\/ _ \\/ ___/ / / / ___/ / __/ / / /\n / ____/ /_/ / / / / ,\u003c  ___/ /  __/ /__/ /_/ / /  / / /_/ /_/ / \n/_/    \\__,_/_/ /_/_/|_|/____/\\___/\\___/\\__,_/_/  /_/\\__/\\__, /  \n                        PRESENTS                        /____/   \n```                                                       \n    \n# SMBeagle\n\nSMBeagle is a cross-platform (SMB) fileshare auditing tool that hunts out all files it can see in the network \nand reports if the file can be read and/or written.  All these findings are streamed out to either\na CSV file or an elasticsearch host, or both!?  🚀\n\nWhen running on Windows, with no credentials provided, SMBeagle will make use of the win32 APIs for maximum speed, and integrated auth.\n\nWhen running on Linux, or when credentials are provided, we use the cross-platform file scanning through [SMBLibrary](https://github.com/TalAloni/SMBLibrary)\n\n## No more digital signing\n\nSMBeagle up to v3 was digitally signed, but v4 adds more offensive features. Namely, it will now look for and retrieve juicy looking files. Great for pentests, but not something we want to digitally sign!\n\nIf you want the original version, without the file grabbing features, use v3 which is digitally signed.\n\nIt has 2 awesome use cases:\n\n### Cast a spotlight on weak share permissions.\nBusinesses of all sizes often have file shares with awful file permissions.  \n\nLarge businesses have sprawling shares on file servers and it's not uncommon to find sensitive data with misconfigured permissions. \n\nSmall businesses often have a small NAS in the corner of the office with no restrictions at all!\n\nSMBeagle crawls these shares and lists out all the files it can read and write.  If it can read them, so can ransomware. 
\n    \n### Lateral movement and privilege escalation\nSMBeagle can provide penetration testers with the less obvious routes to escalate privileges and move laterally.\n\nBy outputting directly into elasticsearch, testers can quickly find readable scripts and writeable executables.\n\nFinding watering hole attacks and unprotected passwords never felt so easy! 🐱‍👤\n\n**To make it even easier, we've added the ```-g``` flag which will now fetch files back if they look interesting!**\n\nWhat looks interesting? Well by default we look for scripts and filenames with words like password in them.\n\n... You can provide your own regexes with the ```--file-pattern``` flag.\n\n## Kibana Dashboard\nPlease see [Kibana readme](Kibana/README.md) for detailed instructions on installing and using the Kibana dashboards which\nprovide management visuals and make data pivoting all the easier.\n\n## Installation\n\n### Docker\n* ```docker pull punksecurity/smbeagle```\n\n### Linux\n* Go to the latest release https://github.com/punk-security/smbeagle/releases/latest\n* Download the linux_amd64.zip or linux_arm64.zip\n* Unzip the download and run smbeagle from the terminal\n\n### Windows\n* Go to the latest release https://github.com/punk-security/smbeagle/releases/latest\n* Download the win_x64.zip (only 64bit is supported at the moment)\n* Unzip the download and run SMBeagle.exe from a command prompt or powershell terminal\n\n## Usage\n\nThe only mandatory parameter is to set an output, which should be either an elasticsearch host's IP address or a csv file.\n\nA good starting point is to enable fast mode and output to csv, but this CSV could get huge depending on how many files it finds.\n\n```\n./SMBeagle.exe -c out.csv -f\n```\n\n### Public IP scanning\n\nThe scanning of discovered public hosts and networks is disabled by default as SMBeagle discovers networks from netstat which \nincludes all current connections such as web browser sessions etc.\n\nTo scan a public network, declare 
it manually with something like `-n 1.0.0.1/32` or `-n 1.0.0.0/24`\n\n### Docker usage\nPunk security provides a linux docker image of SMBeagle.\n\nTo get findings out, you will need to mount a folder into the container and tell SMBeagle to save its output to that mount (or use elasticsearch)\n\nA good starter example is:\n\n`docker run -v \"$(pwd)/output:/tmp/output\" punksecurity/smbeagle -c /tmp/output/results.csv -n 10.10.10.0/24`\n\nNote that network discovery is disabled when running in docker, so make sure you pass the ranges that\nyou wish to scan with the `-n` command line switch, or hosts with the `-h` switch.\n\n### Full Usage\n\n```\nUSAGE:\nOutput to a CSV file:\n  SMBeagle -c out.csv\nOutput to elasticsearch (Preferred):\n  SMBeagle -e 127.0.0.1\nOutput to elasticsearch and CSV:\n  SMBeagle -c out.csv -e 127.0.0.1\nDisable network discovery and provide manual networks:\n  SMBeagle -D -e 127.0.0.1 -n 192.168.12.0./23 192.168.15.0/24\nDo not enumerate ACLs (FASTER):\n  SMBeagle -A -e 127.0.0.1\n\n  -c, --csv-file                     (Group: output) Output results to a CSV\n                                     file by providing filepath\n  -e, --elasticsearch-host           (Group: output) Output results to\n                                     elasticsearch by providing elasticsearch\n                                     hostname (default port is 9200 , but can be\n                                     overridden)\n  --elasticsearch-port               (Default: 9200) Define the elasticsearch\n                                     custom port if required\n  -f, --fast                         Enumerate only one files permissions per\n                                     directory\n  -l, --scan-local-shares            Scan the local shares on this machine\n  -D, --disable-network-discovery    Disable network discovery\n  -n, --network                      Manually add network to scan (multiple\n                                     accepted)\n  -N, 
--exclude-network              Exclude a network from scanning (multiple\n                                     accepted)\n  -h, --host                         Manually add host to scan\n  -H, --exclude-host                 Exclude a host from scanning\n  -q, --quiet                        Disable unneccessary output\n  -S, --exclude-share                Do not scan shares with this name (multiple\n                                     accepted)\n  -s, --share                        Only scan shares with this name (multiple\n                                     accepted)\n  --file-pattern                     Only fetch files matching these regexes\n                                     patterns\n  -g, --grab-files                   Grab files and store them locally\n  --loot                             (Default: loot) Path to store grabbed files\n  -E, --exclude-hidden-shares        Exclude shares ending in $\n  -v, --verbose                      Give more output\n  -m, --max-network-cidr-size        (Default: 20) Maximum network size to scan\n                                     for SMB Hosts\n  -A, --dont-enumerate-acls          (Default: false) Skip enumeration of file\n                                     ACLs\n  -d, --domain                       (Default: ) Domain for connecting to SMB\n  -u, --username                     Username for connecting to SMB - mandatory\n                                     on linux\n  -p, --password                     Password for connecting to SMB - mandatory\n                                     on linux\n  --help                             Display this help screen.\n  --version                          Display version information.\n\n```\n\n## Architecture\n\nSMBeagle does a lot of work, which is broken down into loosely coupled modules which hand off to each other.\nThis keeps the design simple and allows us to extend each module easily.\n\nIn summary it:\n\n* Looks at your local machine for network connections and adapters\n* 
Takes all those private adaptors and connections and builds a list of private network candidates\n* Scans those networks for TCP port 445\n* Scans all detected SMB servers for accessible shares\n* Inventories all those shares for files and checks Read, Write, Delete permissions\n\n![Schematic](Docs/schematic.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunk-security%2Fsmbeagle","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpunk-security%2Fsmbeagle","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpunk-security%2Fsmbeagle/lists"}