Quick article today on using PowerShell enumeration in Windows file servers with Server Message Block (SMB), Microsoft's file and print sharing protocol (among many other things).
I'm working on updating my SEC504: Hacker Tools, Techniques, and Incident Response course to embrace PowerShell meaningfully, giving people a chance to learn how to use PowerShell and put it into practice for incident response. For Windows file server interrogation over SMB, we have the powerful net.exe command, but I wanted to talk about the equivalent PowerShell commands as well.
I'm using server here to refer to the Windows server service, which can run on Windows workstation and Windows Server systems.
Here's a quick table of useful commands, both using PowerShell and using net.exe, for interrogating SMB servers:
| Task | PowerShell | net.exe |
|---|---|---|
| View remote SMB shares | Get-WmiObject -Class win32_share -ComputerName serverip | net view \\server |
| View local SMB shares | Get-SmbShare | net share |
| Connect SMB share | New-SmbMapping -LocalPath X: -RemotePath \\server\sharename | net use \\server\sharename |
| View inbound connections | Get-SmbSession | net session |
| Drop inbound connections | Close-SmbSession | net session \\server /del |
| View outbound SMB mapped connections | Get-SmbMapping | net use |
| Drop outbound SMB mapped connections | Remove-SmbMapping -Force | net use * /del |
NOTE: In these examples, server is a placeholder for the SMB server IP address or hostname; replace it with your SMB server's IP address or hostname. Similarly, replace sharename with the target SMB server share name.
Let's take a look at an example of how we might use some of these commands. If you learn about unauthorized access to a file share on an SMB server, you can use Get-SmbSession to identify inbound connections:
```powershell
PS C:\Users\Sec504> $env:COMPUTERNAME
SEC504STUDENT
PS C:\> Get-SmbSession

SessionId    ClientComputerName ClientUserName       NumOpens
---------    ------------------ --------------       --------
549755813893 10.10.75.1         SEC504STUDENT\sec504 1
```
NOTE: Running Get-SmbSession will require an administrative PowerShell session.
Here we see an inbound SMB connection from 10.10.75.1, logging in as the user sec504. We know this is local authentication (as opposed to domain authentication) since the local hostname precedes the username information.
This output is helpful, but it doesn't give us all of the detail we might like. We can display additional properties in the output of Get-SmbSession to identify when the connection was established, how long the session has been idle, the SMB version in use, and more:
```powershell
PS C:\> Get-SmbSession | Select-Object ClientComputerName, Dialect, SecondsExists, SecondsIdle

ClientComputerName Dialect SecondsExists SecondsIdle
------------------ ------- ------------- -----------
10.10.75.1         3.1.1   8147          84
```
Tip: Check out the Microsoft Get-SmbSession documentation for a list of all properties available and other useful examples.
If this were indeed an incident and you decided to initiate your incident response process, you would follow your incident response playbook steps. These might include changing the password of the identified user and disconnecting them from the server. Not a problem for PowerShell!
```powershell
PS C:\> $Password = Read-Host -AsSecureString
***********
PS C:\> Set-LocalUser -Name sec504 -Password $Password
PS C:\> Close-SmbSession -ClientComputerName 10.10.75.1 -Force
```
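Pulling the identify-and-inspect steps above into one reusable triage function, as an added example that is not part of the original article: it lists every inbound session with its local/domain authentication type, dialect and idle time, adds the files each session holds open (via Get-SmbOpenFile, which the article does not cover), and flags sessions worth a closer look. The -AllowedClients list and the 10.10.75.5 address are assumptions for illustration; it needs an elevated PowerShell session on the server.

```powershell
# Added example (not from the original article). Requires an administrative
# PowerShell session on the SMB server (SmbShare module).
function Get-SmbSessionTriage {
    [CmdletBinding()]
    param(
        # Clients you expect to see; any other client is flagged. Assumed list.
        [string[]]$AllowedClients = @(),
        # Sessions idle longer than this many seconds are flagged as stale.
        [int]$MaxIdleSeconds = 3600
    )

    # Collect open files once so each session can be matched by SessionId.
    $openFiles = Get-SmbOpenFile

    foreach ($s in Get-SmbSession) {
        # ClientUserName is AUTHORITY\user. An authority equal to the local
        # hostname means local rather than domain authentication.
        $parts = $s.ClientUserName -split '\\', 2
        if ($parts.Count -eq 2) { $authority, $user = $parts }
        else { $authority = ''; $user = $parts[0] }
        $authType = if ($authority -ieq $env:COMPUTERNAME) { 'Local' } else { 'Domain' }

        $flags = @()
        if ($AllowedClients -and $s.ClientComputerName -notin $AllowedClients) { $flags += 'UnexpectedClient' }
        if ($s.SecondsIdle -gt $MaxIdleSeconds) { $flags += 'Stale' }
        # Dialect is a string such as 3.1.1; compare as a version, not as text.
        $dialect = $s.Dialect -as [version]
        if ($dialect -and $dialect -lt [version]'3.0') { $flags += 'LegacyDialect' }

        [pscustomobject]@{
            SessionId     = $s.SessionId
            Client        = $s.ClientComputerName
            User          = $user
            AuthType      = $authType
            Dialect       = $s.Dialect
            SecondsExists = $s.SecondsExists
            SecondsIdle   = $s.SecondsIdle
            OpenFiles     = ($openFiles | Where-Object SessionId -eq $s.SessionId).Path
            Flags         = $flags -join ','
        }
    }
}

# Review flagged sessions first; drop a specific client with Close-SmbSession as above.
Get-SmbSessionTriage -AllowedClients '10.10.75.5' | Where-Object Flags | Format-Table -AutoSize
```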
Naturally, PowerShell has powerful tools for interrogating and managing Windows SMB services. Using the built-in PowerShell help and remembering the Verb-Noun syntax makes these commands straightforward to remember, and they offer more flexibility as well!
Viewing SMB shares really is best done using net view \\server. The PowerShell Get-WmiObject -Class win32_share command works, but only against Windows SMB servers; net.exe is the superior option here.
Joshua Wright is the author of SANS SEC504: Hacker Tools, Techniques, and Incident Handling, a faculty fellow for the SANS Institute, and a senior technical director at Counter Hack.