Plunder Documentation
2 Introduction
Plunder is a security assessment tool that I've written in response to frustrations I've experienced in conducting various types of technical engagements. It is useful for examining SMB-shares, which are very common in contemporary networks. The type of analysis that can be performed is fairly flexible, which makes this tool useful in different contexts. Some sample use-cases I've encountered that served as inspiration for this tool are listed below:
- Penetration tests – a penetration test is often accelerated the moment the tester obtains user credentials. Most places are good at killing open shares, but not so good at implementing sensible access controls for authenticated users. Plunder can be used to identify what resources are available when new credentials are obtained.
- Security assessments – when assessing the risk of an identifiable file share, Plunder can be useful to identify high-risk areas in large shared file systems. If there are hundreds of gigabytes of content, it is laborious to manually review them. Plunder is intended to increase the efficiency of this type of assessment.
- Audits – Plunder can easily be adapted to perform reviews of permissions structures on shared file systems, as well as assessing access to information given credentials of different privilege levels.

Sample output from Plunder execution
Plunder is written with an object-oriented plugin-style architecture. It should be relatively easy to adapt it to perform other tests on files encountered while spidering SMB file systems. The tool is still in its infancy, and I hope to see it become only more useful in the "real world" of security assessments.
3 Installation
Plunder is written in the Scala language, which targets the Java JVM. The benefits of using Scala are two-fold. One, it targets a multi-platform virtual machine, so that it works anywhere (I have tested on Linux, Windows, and Mac OS X systems). Two, it's not Java, so I can actually bear it (emotionally speaking).
Regarding installation and configuration, Plunder is very easy. Just download the JAR file and run as you would any other packaged Java program. Download links are here:
| Link | Version | Notes |
|---|---|---|
| multi-platform JAR archive | 1.0 | Initial version |
Plunder relies on the following libraries. No changes have been made to these libraries, and (as best as I know how), I've incorporated notice of the use of them in Plunder.
| Library | Web Site | License |
|---|---|---|
| JCIFS | http://jcifs.samba.org/ | LGPL |
| GNU getopt - Java port | http://urbanophile.com/arenn/hacking/download.html | LGPL |
I would run it as follows:
java -jar plunder-1.0.jar -u <user> -p <pass> -r smb://smb.example.com/
This will give you the result of the default plugin configuration (at the time of writing, this is just to enumerate accessible shares).
4 Usage
Plunder provides a variety of command line switches to aid in adapting its functionality to a specific use. Here is the usage statement from the current version:
--------------------------------------------------------------------------
Plunder version v1.0, Copyright (C) 2010 Josh Stone (josh@josho.org)
Plunder comes with ABSOLUTELY NO WARRANTY; it is licensed under the
GNU Public License (GPL), version 2
On the shoulders of giants (LGPL):
JCIFS: jcifs.samba.org
GNU getopt - Java port: urbanophile.com/arenn/hacking/download.html
http://www.gnu.org/licenses/lgpl-2.1.txt
--------------------------------------------------------------------------
usage: plunder -[dfhupqrP]
-c Write copy of config file to ~/.plunder.xml
-d domain Domain name for user account
-f file read IPs from file for URLs as smb://<path>/
-h display this help screen
-p pass Password for authentication (default prompts)
-q quiet - don't prompt to run scan
-r url smb://host/root URL to start scanning
-u user Username for authentication
-P <p1,p2,...> plugin group to use; options:
Plugins:
spider exts size shares names perms mirror
Example:
java -jar plunder-1.0.jar -u admin -P shares,names,size,exts -r smb://.../
Plunder will not run without receiving at least one SMB URL (the -r or -f flags). Other options will be set with defaults, such as a blank username and password. The following is a slightly more verbose treatment of the command line switches than is available in the usage statement:
- -d – This is the domain for the desired user credentials. By default this will be "WORKGROUP", which works in a non-domain environment, as well as for anonymous binding.
- -f – This indicates a file that will be read for a list of URLs to scan. This is useful if, for example, you have scanned a network for port 445 and want to check them all for accessible shares. The file should be formatted as indicated below:
  smb://1.1.1.1/share/
  smb://1.1.1.2/othershare/
  ...
  smb://1.1.1.n/finalshare/
- -p – This indicates the password that will be used for authentication. If not provided, Plunder will prompt for this value interactively.
- -r – This is the URL that will be scanned. More than one of these can be included on the command line, if desired. Each must include all components of the URL (e.g., smb://host/share/). Also note that shares and directories must have a trailing slash.
- -u – This is the username intended for authentication. If not included, it will not be prompted and will be assumed to be NULL ("").
- -P – This is a comma-separated list of plugins that should be used for traversal of the SMB filesystems scanned. These affect what directories are traversed and what actions are taken for each item found. I recommend thinking carefully about which ones are selected. By default, Plunder will only enumerate accessible shares. More invasive (and time-consuming) plugins are available, which are covered below in the "Plugins" section.
5 Configuration
Plunder includes a default configuration file in the downloadable JAR file. This is an XML document that encodes various settings for the various plugins. You may want to make changes to the config file to alter settings for your own use. Plunder supports maintaining your own local version of the config file, located at:
~/.plunder.xml
This file, if it exists, will override the packaged default config file. You can generate this file easily by passing the -c flag to plunder. This will cause it to write out a copy of plunder.xml in the location listed above for you to edit. E.g.:
$ java -jar plunder-1.0.jar -c
--------------------------------------------------------------------------
Plunder version v1.0, Copyright (C) 2010 Josh Stone (josh@josho.org)
Plunder comes with ABSOLUTELY NO WARRANTY; it is licensed under the
GNU Public License (GPL), version 2
On the shoulders of giants (LGPL):
JCIFS: jcifs.samba.org
GNU getopt - Java port: urbanophile.com/arenn/hacking/download.html
http://www.gnu.org/licenses/lgpl-2.1.txt
--------------------------------------------------------------------------
Writing config file to ~/.plunder.xml...
Exiting.
6 Plugins
Several plugins are provided, and it should be noted that new ones are easy to write. Any combination of these plugins can be configured for each run. Note that if any plugin decides to traverse a sub-directory, all other plugins will be passed items from that directory. Since each plugin performs a test unique from the others, you may find that you like certain combinations. Feedback is always appreciated with respect to issues encountered with these plugins and/or ideas for new plugins.
6.1 shares
The shares plugin identifies shares on the scanned systems. This can be very useful in a penetration test as you find more credentials or in an audit, if you want to verify that only authorized shares are configured.
6.2 spider
The spider plugin will print out all files and directories that are accessible at the scanned URLs. If you use this one for a large number of systems, it can be very helpful to redirect to a file and peruse separately. I have also found this useful in terms of retaining documentation of findings for preparing report materials after an engagement is complete.
6.3 exts
A lot of sensitive information can be identified only by looking for common file extensions. For example, XML documents, BAT files, or other interesting file types can yield credentials, confidential information, system configuration data, or other useful information. The exts module is configured with a list of high-risk extensions and will print out each "interesting" file identified.
Extensions that are considered interesting by this plugin can be configured in the config file. Each entry is the extension without the leading dot. These are actually converted to case-insensitive regular expressions (with a string-end ($) anchor appended), so you may be able to get creative here. E.g.:
. . .
<plugin name="exts">
<extensions>
<ext>bat</ext>
<ext>asp</ext>
<ext>aspx</ext>
<ext>php</ext>
<ext>vbs</ext>
<ext>c</ext>
<ext>xml</ext>
<ext>conf</ext>
<ext>config</ext>
<ext>sql</ext>
<ext>prn</ext>
</extensions>
</plugin>
. . .
6.4 size
Often, when presented with a list of home directories or exposed hard drives, very large files are interesting. For example, backups, ISO images, or databases will feature large files. You don't want to have to sift through a thousand little files to find the important things. This plugin will print out every file larger than 20 megabytes in size.
The minimum size to be considered interesting by this plugin is configured in the Plunder config file. The default is 20 megabytes, but can be changed in the following section of the XML file:
<plugin name="size">
<min>20</min>
</plugin>
The "min" object is the size, in megabytes, that serves as the cutoff point for identifying "big" files.
6.5 names
Certain filenames indicate high risk information contained within. For example, any file with passw in it is likely to be very interesting (such as users who commonly store a passwords.xls, or something similar, with all their plain-text passwords…). This plugin has a preconfigured list of risky strings to check for in filenames.
Substrings that are considered interesting by this plugin can be configured in the config file. Each entry is a regular expression. E.g.:
<plugin name="names">
<expr>(?i)passw</expr>
<expr>(?i)ssn</expr>
<expr>(?i)datab</expr>
<expr>(?i)loan</expr>
<expr>(?i)dump</expr>
<expr>(?i)shares</expr>
<expr>(?i)htaccess</expr>
</plugin>
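To make the matching rules of the exts, size and names sections concrete, here is an added example (not Plunder's own Scala code) that parses a constructed config fragment in the same shape and classifies a few constructed file entries the way the three plugins are described above. It assumes the exts pattern is built as a literal dot followed by the extension and the $ anchor; whether Plunder itself prepends the dot is not stated in the docs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config fragment, shaped like the plugin sections in ~/.plunder.xml.
CONFIG_XML = """<plunder>
  <plugin name="exts">
    <extensions><ext>bat</ext><ext>xml</ext><ext>sql</ext></extensions>
  </plugin>
  <plugin name="size"><min>20</min></plugin>
  <plugin name="names">
    <expr>(?i)passw</expr>
    <expr>(?i)dump</expr>
  </plugin>
</plunder>"""


def load_rules(xml_text):
    """Parse the three plugin sections into compiled matchers.

    exts entries become case-insensitive regexes anchored at string end
    (dot prepended here as an assumption); size <min> is in megabytes;
    names entries are used verbatim as regular expressions.
    """
    root = ET.fromstring(xml_text)
    ext_res = [re.compile(r"\." + e.text.strip() + "$", re.IGNORECASE)
               for e in root.findall("./plugin[@name='exts']/extensions/ext")]
    min_bytes = int(root.findtext("./plugin[@name='size']/min")) * 1024 * 1024
    name_res = [re.compile(x.text.strip())
                for x in root.findall("./plugin[@name='names']/expr")]
    return ext_res, min_bytes, name_res


def classify(path, size_bytes, rules):
    """Return the set of plugin names that would flag this file."""
    ext_res, min_bytes, name_res = rules
    hits = set()
    if any(r.search(path) for r in ext_res):
        hits.add("exts")
    if size_bytes > min_bytes:
        hits.add("size")
    if any(r.search(path) for r in name_res):
        hits.add("names")
    return hits


if __name__ == "__main__":
    rules = load_rules(CONFIG_XML)
    # Constructed sample entries: (path, size in bytes)
    for path, size in [("share/scripts/Login.BAT", 1024),
                       ("share/db/customers.sql", 50 * 1024 * 1024),
                       ("share/hr/Passwords.xls", 30000),
                       ("share/wombat", 5)]:
        print(path, sorted(classify(path, size, rules)))
```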
6.6 perms
For audit purposes, we often want to know what the permissions are in different areas. There are some great tools out there for getting permissions dumps (such as subinacl), but I included this plugin just to round everything out in one tool. This will print out the configured ACEs for each file and directory identified. Look for "Everyone" permissions or lots of individual user ACEs as indicators of bad permissions management.
6.7 mirror
This will create a local mirror of an SMB share. It can be annoying to copy down complex file shares, because errors pop up for each file you don't have access to, and especially file types or names that don't work on your client environment (e.g., Windows vs. Linux inconsistencies). This plugin just grabs everything it can and ignores errors. The mirror will be stored in the PlunderMirror directory.
Date: 2010-12-12 20:26:27 CST