Plunder

By Josh Stone     Back to home

TL;DR → Download Plunder 2

Plunder is ALPHA

Note that Plunder 2 is very young. It is usable, but does not have all of the usability features it should have yet. I have used it on several penetration test engagements, and have received some helpful feedback from coworkers and other people in my network. However, that said, it should be considered alpha. Test it in controlled circumstances, make sure you understand what it's doing, and YMMV. The following TODO list items are known -- if you encounter issues or feel there are important improvements to be made, please contact me at yakovdk@gmail.com:

TODO

• Track slow-performing targets and allow interactive pruning of the target list
• Allow early termination and resuming of a previous scan
• Implement max-size limits for auto-mirroring

Introduction

Plunder is an SMB scanning, indexing, and auditing tool. Its primary use case is in penetration testing, when you've obtained credentials on the domain. Using other tools to scan file shares can be laborious, and naive spidering of SMB shares will generate large amounts of useless information, and get bogged down in file share "tarpits". It's difficult to effectively index a large network's accessible SMB shares &emdash; this is where Plunder comes into play.

Plunder 2 is a complete rewrite from Plunder 1. The original was written in Scala, and had some advantages. But over time, my own process changed, and began to look less and less like what Plunder 1 had been written for. In testing ever larger networks, the need to parallelize the scan, apply logic to prune filesystems to increase speed, and support for SMB protocol versions 2+, drove development of this new version. That said, Plunder 1 may still be useful in some situations, so it is still available as linked above.

Installation

You can download the latest version as a ruby gem from this site (linked above in the download link). Once it feels stable enough, you can also use the public release published on rubygems.org. Here's how to install either way:.

First, ensure that you have the necessary prerequisites installed:

• ruby -- you should have a Ruby interpreter, probably version 2.3+
• libsmbclient -- must be built on Samba 4+. In most distributions, it'll be in a package repository as "libsmbclient"
• libsmbclient-dev -- you also need the C headers for compiling against libsmbclient; should typically be called "libsmbclient-dev" or "libsmbclient-devel".
• pry -- not required, but suggested if you want to use the 'debug' command. Just a 'gem install pry' away.

Example installation:

$ apt-get install libsmbclient libsmbclient-dev
$ gem install pry
$ gem install plunder
			

Basic Use

Plunder does a few things, but the primary functionality is to rapidly index a number of SMB-accessible targets. The first step is to create a config file for a scan. I do it this way because wrangling a hundred things in command line switches is painful, and putting every feature into the config file makes it perfectly tweakable. Create a named config file as follows:

$ plunder init foo
			

This will create a config file named "foo.yaml". If you are familiar with YAML, you can edit it to your heart's content. The next step is to add credentials so that plunder can login via SMB:

$ plunder creds foo DOMAIN username password
			

This will just replace the relevant values in the config file. Next, you need to load the targets. You can do this a single IP at a time (or maybe use this in a script) as follows:

$ plunder target foo 10.0.0.1
			

More likely, though, you'll have built a list of target hosts using a port scanner, scanning with metasploit modules, etc. It is best if you are confident that these are all systems in the right domain and are currently live. Plunder will fail hard at any authentication failure (in order to safely preserve the credentials you have configured), and so any non-domain hosts in the list will halt the scan immediately. If you have your target IPs in a file named "ips.txt", this will work:

$ plunder targets foo ips.txt

If you want to edit what types of things you're looking for, feel free to edit the YAML file now. You'll want to pay attention to the following items:

• threads: defaults to 8; this is how many scanning agents will be managed during the scan. Obviously more will make the scan faster. Note that Plunder will not use more than one agent to scan one server at the same time, since some servers don't like that.
• blacklist: directory names or share names to skip in scanning. I find that "C$" shares and "print$", etc., are pretty uninteresting. You can change this here, or add additional blacklists if you like.
• tarpit: any directory containing more than this number of subdirectories will be truncated. This does throw data away, but oftentimes this is preferable to bogging down forever on one share.
• mirror: use with care -- this feature will download files or paths that match the configured criteria automatically. This is useful for files that are very likely to contain high-value information (e.g., "web.config" files). The number associated with each match is a not-yet-implemented feature to cap the maximum size that will be downloaded.
• alert: configure filename matches or file extensions that should be listed in the output log file. It will not be printed to the screen, since that obscures other more important messages. You may want to see these as they come out (e.g., by "tail"ing the log file), rather than waiting for the end of the scan to process the scan DB.

Now you want to conduct your scan. Plunder uses a "breadth-first" scan process, so it will enumerate all the shares first, then list their contents, then take the next tier of directories and check those, etc. This ensures that, as the scan progresses, information is collected from the entire network. Scan to the desired depth as follows (8 plies in the example below):

$ plunder scan foo 8

Once you're done, you can inspect the files downloaded to the "mirror/" directory. Additionally, you can conduct searches in the compacted scan database as follows, or generate complete text listings (note that this can be quite large in bigger networks!):

$ plunder search foo 'credit.*card'
...
$ plunder listing foo > urls.txt
...

In all outputs, plunder will show you both the SMB URL (e.g., 'smb://10.0.0.1/c$/pagefile.sys'), as well as an index number. This number is used to refer to the file's entry in the scan database (stored in <proj>.dat). You can refer to these to do some more mirroring. So, say you found a bunch of files with 'credit.*card' in their names, and want to mirror them:

$ plunder search foo 'credit.*card'| awk '/^FILE/ { print $2 }' | ./plunder mirror foo
...