Josh Stone — Infosec, Pen-testing, Research

Plunder

By Josh Stone

TL;DR → Download Plunder 2

Plunder is ALPHA

Note that Plunder 2 is very young. It is usable, but does not have all of the usability features it should have yet. I have used it on several penetration test engagements, and have received some helpful feedback from coworkers and other people in my network. However, that said, it should be considered alpha. Test it in controlled circumstances, make sure you understand what it's doing, and YMMV. The following TODO list items are known -- if you encounter issues or feel there are important improvements to be made, please contact me at yakovdk@gmail.com:

TODO

Introduction

Plunder is an SMB scanning, indexing, and auditing tool. Its primary use case is in penetration testing, once you've obtained credentials on the domain. Using other tools to scan file shares can be laborious, and naive spidering of SMB shares generates large amounts of useless information and gets bogged down in file share "tarpits". It's difficult to effectively index a large network's accessible SMB shares; this is where Plunder comes into play.

Plunder 2 is a complete rewrite from Plunder 1. The original was written in Scala, and had some advantages. But over time, my own process changed, and began to look less and less like what Plunder 1 had been written for. In testing ever larger networks, the need to parallelize the scan, to prune filesystems for speed, and to support SMB protocol versions 2+ drove development of this new version. That said, Plunder 1 may still be useful in some situations, so it is still available as linked above.

Installation

You can download the latest version as a Ruby gem from this site (linked above in the download link). Once it feels stable enough, you can also use the public release published on rubygems.org. Here's how to install either way:

First, ensure that you have the necessary prerequisites installed:

Example installation:

$ apt-get install libsmbclient libsmbclient-dev
$ gem install pry
$ gem install plunder

Basic Use

Plunder does a few things, but the primary functionality is to rapidly index a number of SMB-accessible targets. The first step is to create a config file for a scan. I do it this way because wrangling a hundred things in command line switches is painful, and putting every feature into the config file makes it perfectly tweakable. Create a named config file as follows:

$ plunder init foo

This will create a config file named "foo.yaml". If you are familiar with YAML, you can edit it to your heart's content. The next step is to add credentials so that plunder can login via SMB:

$ plunder creds foo DOMAIN username password

This will just replace the relevant values in the config file. Next, you need to load the targets. You can do this a single IP at a time (or maybe use this in a script) as follows:

$ plunder target foo 10.0.0.1

More likely, though, you'll have built a list of target hosts using a port scanner, scanning with metasploit modules, etc. It is best if you are confident that these are all systems in the right domain and are currently live. Plunder will fail hard at any authentication failure (in order to safely preserve the credentials you have configured), and so any non-domain hosts in the list will halt the scan immediately. If you have your target IPs in a file named "ips.txt", this will work:

$ plunder targets foo ips.txt

If you want to edit what types of things you're looking for, feel free to edit the YAML file now. You'll want to pay attention to the following items:

Now you want to conduct your scan. Plunder uses a "breadth-first" scan process, so it will enumerate all the shares first, then list their contents, then take the next tier of directories and check those, etc. This ensures that, as the scan progresses, information is collected from the entire network. Scan to the desired depth as follows (8 plies in the example below):

$ plunder scan foo 8

Once you're done, you can inspect the files downloaded to the "mirror/" directory. Additionally, you can conduct searches in the compacted scan database as follows, or generate complete text listings (note that this can be quite large in bigger networks!):

$ plunder search foo 'credit.*card'
...
$ plunder listing foo > urls.txt
...

In all outputs, plunder will show you both the SMB URL (e.g., 'smb://10.0.0.1/c$/pagefile.sys'), as well as an index number. This number is used to refer to the file's entry in the scan database (stored in <proj>.dat). You can refer to these to do some more mirroring. So, say you found a bunch of files with 'credit.*card' in their names, and want to mirror them:

$ plunder search foo 'credit.*card' | awk '/^FILE/ { print $2 }' | plunder mirror foo
...
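To illustrate the breadth-first, depth-limited scan described under the scan step and the search-by-index workflow above, here is a Ruby walk over a constructed in-memory share tree. This is added example code, not Plunder's own; the hosts, paths and the tarpit prune list are made up for the example.

```ruby
# Constructed fixture: host => share => tree; a Hash is a directory, :file a file.
FAKE_NETWORK = {
  "10.0.0.1" => {
    "c$" => {
      "Windows" => { "winsxs" => { "deep" => :file } },
      "Users"   => { "bob" => { "creditcard.xls" => :file } },
    },
    "share" => { "readme.txt" => :file },
  },
  "10.0.0.2" => {
    "data" => { "finance" => { "2019" => { "cards.csv" => :file } } },
  },
}.freeze

# Assumed tarpit rule (not Plunder's real config): directories that are
# recorded but never descended into, so the scan cannot bog down in them.
PRUNE = %w[winsxs].freeze

def smb_url(host, share, path)
  ["smb://#{host}/#{share}", *path].join("/")
end

# Breadth-first index: every share root first, then each tier of
# directories in turn, stopping max_plies levels below the roots.
# Returns [[index, url], ...]; the index is the entry's position.
def bfs_index(network, max_plies)
  entries  = []
  frontier = network.flat_map { |host, shares| shares.map { |share, node| [host, share, [], node] } }
  (0..max_plies).each do
    break if frontier.empty?
    next_tier = []
    frontier.each do |host, share, path, node|
      entries << [entries.size, smb_url(host, share, path)]
      next unless node.is_a?(Hash) # files and pruned directories are leaves
      node.each do |name, child|
        pruned = child.is_a?(Hash) && PRUNE.include?(name.downcase)
        next_tier << [host, share, path + [name], pruned ? :pruned : child]
      end
    end
    frontier = next_tier
  end
  entries
end

# Like `plunder search`: entries whose URL matches a regex, index kept.
def search(entries, pattern)
  re = Regexp.new(pattern, Regexp::IGNORECASE)
  entries.select { |_, url| url =~ re }
end
```

Running bfs_index(FAKE_NETWORK, 8) records 12 entries with all three share roots before any subdirectory and nothing below winsxs; search(idx, 'credit.*card') returns the creditcard.xls entry with its index, the number the awk pipeline above feeds to plunder mirror.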