Plunder Documentation

1 Introduction

Author: Josh Stone
Contact: josh@josho.org
Date: 2010-12-12
License: GPLv2

Plunder is a security assessment tool that I've written in response to frustrations I've experienced in conducting various types of technical engagements. It is useful for examining SMB shares, which are very common in contemporary networks. The type of analysis that can be performed is fairly flexible, which makes this tool useful in different contexts. Some sample use-cases I've encountered that served as inspiration for this tool are listed below:

Plunder is written with an object-oriented plugin-style architecture. It should be relatively easy to adapt it to perform other tests on files encountered while spidering SMB file systems. The tool is still in its infancy, and I hope to see it become only more useful in the "real world" of security assessments.

2 Installation

Plunder is written in the Scala language, which targets the Java JVM. The benefits of using Scala are two-fold. One, it targets a multi-platform virtual machine, so that it works anywhere (I have tested on Linux, Windows, and Mac OS X systems). Two, it's not Java, so I can actually bear it (emotionally speaking).

Installation and configuration are very easy: just download the JAR file and run it as you would any other packaged Java program. Download links are here:

Link                         Version   Notes
multi-platform JAR archive   1.5       Support more URL formats; settable timeout value
multi-platform JAR archive   1.4       Update with more plugins and pass-the-hash support
multi-platform JAR archive   1.0       Initial version

I would run it as follows:

 java -jar plunder-1.0.jar -u <user> -p <pass> -r smb://smb.example.com/

This will give you the result of the default plugin configuration (at the time of writing, this is just to enumerate accessible shares).

3 Usage

Plunder provides a variety of command line switches to aid in adapting its functionality to a specific use. Here is the usage statement from the current version:

 ------------------------------------------------------------------------
   Plunder version v1.0, Copyright (C) 2010 Josh Stone (josh@josho.org)
   Plunder comes with ABSOLUTELY NO WARRANTY; it is licensed under the
   GNU Public License (GPL), version 2
 ------------------------------------------------------------------------
 
   usage: plunder -[dfhupqrP]
 
     -d domain       Domain name for user account
     -f file         read IPs from file for URLs as smb://<path>/
     -h              display this help screen
     -p pass         Password for authentication (default prompts)
     -l <lmhash>     LM hash for pass-the-hash authentication
     -n <nthash>     NTLM hash for pass-the-hash authentication
     -q              quiet - don't prompt to run scan
     -H              use the pass-the-hash technique (password should be 'LMhash:NTLMhash')
     -P <p1,p2,...>  plugin group to use; options:
                      - spider
                      - exts
                      - size
                      - shares
                      - names
                      - perms
                      - mirror
                      - dirmap
                      - ls
                      - download
 
   Example:
 
     java -jar plunder-1.0.jar -u admin -P shares,names,size,exts -r smb://.../

Plunder will not run without receiving at least one SMB URL (the -r flag). Other options will be set with defaults, such as a blank username and password. The following is a slightly more verbose treatment of the command line switches than is available in the usage statement:

4 Plugins

Several plugins are provided, and it should be noted that new ones are easy to write. Any combination of these plugins can be configured for each run. Note that if any plugin decides to traverse a sub-directory, all other plugins will be passed the items from that directory as well. Since each plugin performs a test different from the others, you may find that you like certain combinations. Feedback is always appreciated with respect to issues encountered with these plugins and/or ideas for new plugins.

4.1 shares

The shares plugin identifies shares on the scanned systems. This can be very useful in a penetration test, as you find more credentials, or in an audit, if you want to verify that only authorized shares are configured.

4.2 spider

The spider plugin will print out all files and directories that are accessible at the scanned URLs. If you use this one for a large number of systems, it can be very helpful to redirect to a file and peruse separately. I have also found this useful in terms of retaining documentation of findings for preparing report materials after an engagement is complete.

4.3 exts

A lot of sensitive information can be identified simply by looking for common file extensions. For example, XML documents, BAT files, or other interesting file types can yield credentials, confidential information, system configuration data, or other useful information. The exts plugin is configured with a list of high-risk extensions and will print out each "interesting" file identified.

4.4 size

Often, when presented with a list of home directories or exposed hard drives, very large files are interesting. For example, backups, ISO images, or databases will feature large files. You don't want to have to sift through a thousand little files to find the important things. This plugin will print out every file larger than 20 megabytes in size.

4.5 names

Certain filenames indicate high-risk information contained within. For example, any file with passw in its name is likely to be very interesting (such as the passwords.xls, or something similar, that users commonly keep with all their plain-text passwords…). This plugin has a preconfigured list of risky strings to check for in filenames.
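To make the exts, size and names plugin semantics concrete, here is an added illustration (not Plunder's own code) of the same three tests as plugin-style rules applied to a constructed listing; Plunder's actual extension and name lists are not documented on this page, so the rule values below are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample listing of (path, size in bytes); not Plunder's output format.
SAMPLE_LISTING = [
    ("smb://fs01/users/alice/passwords.xls", 24_576),
    ("smb://fs01/users/alice/notes.txt", 1_024),
    ("smb://fs01/it/deploy.bat", 2_048),
    ("smb://fs01/it/web.config.xml", 4_096),
    ("smb://fs01/backup/exchange-2010.bak", 3 * 1024 ** 3),
    ("smb://fs01/iso/win7.iso", 2_500 * 1024 ** 2),
    ("smb://fs01/hr/Passwort_Liste.docx", 8_192),
]

# Assumed rule values; the page only names XML/BAT, ">20 megabytes" and "passw".
RISKY_EXTS = (".xml", ".bat", ".config", ".ini", ".kdbx", ".pfx", ".ppk")
SIZE_LIMIT = 20 * 1024 * 1024
RISKY_NAMES = ("passw", "secret", "credential")


@dataclass
class Plugin:
    name: str
    matches: Callable[[str, int], bool]


def exts_rule(path: str, size: int) -> bool:
    return path.lower().endswith(RISKY_EXTS)


def size_rule(path: str, size: int) -> bool:
    return size > SIZE_LIMIT


def names_rule(path: str, size: int) -> bool:
    # Case-insensitive substring match on the file name only, not the directory.
    fname = path.rsplit("/", 1)[-1].lower()
    return any(s in fname for s in RISKY_NAMES)


PLUGINS = [Plugin("exts", exts_rule), Plugin("size", size_rule), Plugin("names", names_rule)]


def run_plugins(listing: Iterable[Tuple[str, int]], plugin_names: Iterable[str]) -> Dict[str, List[str]]:
    """Hand every listed item to every selected plugin, mirroring -P p1,p2,... ."""
    selected = [p for p in PLUGINS if p.name in set(plugin_names)]
    findings: Dict[str, List[str]] = {p.name: [] for p in selected}
    for path, size in listing:
        for plugin in selected:
            if plugin.matches(path, size):
                findings[plugin.name].append(path)
    return findings
```

Running run_plugins(SAMPLE_LISTING, ["exts", "size", "names"]) flags the two config-style files, the two multi-gigabyte archives, and both password-named documents, including the one with a non-English name, because the test is a substring match.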

4.6 perms

For audit purposes, we often want to know what the permissions are in different areas. There are some great tools out there for getting permissions dumps (such as subinacl), but I included this plugin just to round everything out in one tool. This will print out the configured ACEs for each file and directory identified. Look for "Everyone" permissions or lots of individual user ACEs as indicators of bad permissions management.

4.7 mirror

This will create a local mirror of an SMB share. It can be annoying to copy down complex file shares, because errors pop up for each file you don't have access to, and especially file types or names that don't work on your client environment (e.g., Windows vs. Linux inconsistencies). This plugin just grabs everything it can and ignores errors. The mirror will be stored in the PlunderMirror directory.

4.8 ls

This plugin simply lists the contents of a share or directory. This is handy for those rare occasions where other tools refuse to work. E.g., some versions of smbclient do not play well with certain hardening settings on modern Windows. Plunder is based on a different SMB library, so sometimes this may be useful as another option.

4.9 download

Copy the specified file to the current directory. As with the ls plugin, this is handy for those occasions where you need another tool to access the destination server.

4.10 dirmap

I've noticed that fully enumerating the contents of a share can take a long time. For example, say you've gotten access to a bank's document imaging system, which hosts all of its files in directories on a share. If there are thousands (or tens of thousands!) of files per directory, it will take forever to enumerate everything. This plugin shortens the process by showing only directories. It turns out that this is significantly faster if you're just looking for the general file layout of the share in question.

Author: Joshua Stone <jstone@ipre.pair.com>

Date: 2013/01/18 11:07:28