Search for open network resources and their access rights
Shared network resources in an Active Directory domain are used to simplify and centralize access to files, folders, printers, and other resources on a corporate network. This can lead to a violation of one of the foundations of information security – confidentiality
Security professionals need to scan shared network folders in a domain for the following reasons:
Threat detection and monitoring
Folder scanning helps identify unauthorized access to data and files. This helps to detect potential security threats early and prevent leakage of sensitive information resources.
Access control
Scanning can help determine who has access to data and files. This allows information security professionals to ensure that only employees with appropriate rights have access to sensitive information.
Compliance with standards
Many industry and government regulators require compliance with data protection and privacy regulations. Scanning helps ensure that an organization is meeting requirements for access and control over data.
Security audit
Scanning network shares can be included in security audit processes, allowing you to assess your security posture and identify potential weaknesses.
Security audit
Scanning network shares can be included in security audit processes, allowing you to assess your security posture and identify potential weaknesses.
Current products for searching open network resources
There are similar programs on the Internet that have much more functionality than I plan to describe.
As an example, the program “SoftPerfect Network Scanner”
Or a program like “advanced ip scanner”
These programs allow you to scan subnets within a company and provide information about open network folders, and even what files they contain.
You can also use Windows' built-in tools to search and view open network resources on the same file server. And the question arises – why invent something new?
Answer: I don’t know, I just wanted to try to do something of my own.
Description of the program
Initially, I tried to do everything only in PowerShell, make a script, then a batch file, but decided that it was somehow simple.
The script looks like this:
# Установка английского языка для корректной работы
$prevCulture = [System.Threading.Thread]::CurrentThread.CurrentCulture
[System.Threading.Thread]::CurrentThread.CurrentThread.CurrentCulture="en-US"
# Получаем IP машины
$ipAddress = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString
# Получаем имя компьютера
$computerName = $env:COMPUTERNAME
# Генерируем рандомное число
$randomNumber = Get-Random -Minimum 1 -Maximum 10000
# Создадим локальный файл в Temp
$localFolderPath = "C:\\Temp"
$fileName = "$($randomNumber)_$($ipAddress)_$($computerName)_$(Get-Date -Format 'yyyy-MM-dd_HH-mm-ss').txt"
$localFilePath = "$localFolderPath\$fileName"
# Отладочная информация
Write-Host "File will be created at $localFilePath"
# Функция для получения прав доступа и замена на читабельные данные
function Get-AccessRights {
param($path)
$accessRights = & icacls $path | Out-String
$accessRights = $accessRights -replace '\(OI\)', '/Owner' # Owner object
$accessRights = $accessRights -replace '\(CI\)', '/Container' # Container
$accessRights = $accessRights -replace '\(F\)', '/Full access' # Full access
accessRights = $accessRights -replace '\(RX\)', '/Read and execute' # Read and execute
return $accessRights
}
# Получаем список общих сетевых папок на текущем компьютере
$networkFolders = Get-WmiObject -Class Win32_Share | Where-Object { $_.Path -ne $null -and $_.Type -eq 0 }
# Если есть открытые сетевые папки, записываем информацию в файл
if ($networkFolders) {
$outputData = @()
$outputData += "$ipAddress \ $computerName \ `"Number of open folders:`" $($networkFolders.Count)"
$outputData += "Path to folders:"
foreach ($folder in $networkFolders) {
folderPath = $folder.Path
$outputData += "$folderPath"
# Получаем информацию о правах доступа и сам процесс для записи в файл
$accessRights = Get-AccessRights -path $folderPath
$outputData += $accessRights
}
$outputData | Out-File -FilePath $localFilePath -Encoding UTF8
} else {
# Если открытых сетевых папок нет, выводим сообщение об этом
IP Address: $ipAddress `nComputer Name: $computerName `nNetwork folders not found." | Out-File -FilePath $localFilePath -Encoding UTF8
}
# Выводим сообщение об успешном выполнении задачи
Write-Host "Information gathered and saved to $localFilePath."
# Восстановить предыдущую настройку кодировки
[System.Threading.Thread]::CurrentThread.CurrentCulture = $prevCultureThis script creates a file with the results in the C:\Temp folder and assigns it a randomly generated number for further searching.
To run locally, you can replace the line with some other path:
# Создадим локальный файл в Temp
$localFolderPath = "C:\\Temp"But there is a question of centralized verification. That is, from one computer or server, you can immediately run this script on all devices.
So I decided to write a Python program for direct use on a computer (and make everything 1000 times more complicated)
import subprocess
import os
import datetime
import shutil
import re
import tkinter as tk
from tkinter import messagebox, scrolledtext
# Функция для обновления лога в текстовом окне
def log_message(log_window, message):
log_window.insert(tk.END, message + '\n')
log_window.see(tk.END)
log_window.update_idletasks()
# Функция для отображения окна с сообщением об ошибке
def show_error_message(error_message):
messagebox.showerror("Error", error_message)
# Функция для отображения окна с успешным сообщением
def show_success_message(file_path, file_name):
messagebox.showinfo("Success", f"File created successfully!\n\nFile name: {file_name}\nNetwork path: {file_path}")
# Основной код программы
def main_program(log_window):
try:
# Путь к сетевой папке и учетные данные (замените на реальные данные в рабочей среде)
network_folder_path = r'\\путь\' # Замените на реальный сетевой путь
username="логин" # Замените на реальное имя пользователя домена
password = 'пароль' # Замените на реальный пароль
# Логирование подключения к сетевой папке
log_message(log_window, "Attempting to disconnect old network connection...")
disconnect_command = f"net use {network_folder_path} /delete"
subprocess.run(disconnect_command, shell=True)
log_message(log_window, "Attempting to connect to network folder...")
net_use_command = f"net use {network_folder_path} /user:{username} {password}"
result = subprocess.run(net_use_command, shell=True, capture_output=True, text=True, encoding='cp866')
if result.returncode == 0:
log_message(log_window, f"Successfully connected to the network folder: {network_folder_path}")
else:
error_message = result.stderr
raise Exception(f"Error connecting to the network folder: {error_message}")
# Генерация текущей даты и времени для именования файлов
current_datetime = datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
# Путь к временному скрипту PowerShell (используем C:\Temp для избежания ошибок доступа)
temp_dir = "C:\\Temp"
if not os.path.exists(temp_dir):
os.makedirs(temp_dir)
ps_script_path = os.path.join(temp_dir, 'temp_script.ps1')
# Логирование создания скрипта
log_message(log_window, "Creating PowerShell script...")
# Содержимое скрипта PowerShell для сбора данных
ps_script_content = r'''
# Установка культуры на английский для корректной работы
$prevCulture = [System.Threading.Thread]::CurrentThread.CurrentCulture
[System.Threading.Thread]::CurrentThread.CurrentThread.CurrentCulture="en-US"
# получаем IP машины
$ipAddress = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString
# получаем имя компьютера
$computerName = $env:COMPUTERNAME
# генерируем рандомное число
$randomNumber = Get-Random -Minimum 1 -Maximum 10000
# Создадим локальный файл в Temp
$localFolderPath = "C:\\Temp"
$fileName = "$($randomNumber)_$($ipAddress)_$($computerName)_$(Get-Date -Format 'yyyy-MM-dd_HH-mm-ss').txt"
$localFilePath = "$localFolderPath\$fileName"
# Отладочная информация
Write-Host "File will be created at $localFilePath"
# функция для получения прав доступа и замена на читабельные данные
function Get-AccessRights {
param($path)
$accessRights = & icacls $path | Out-String
$accessRights = $accessRights -replace '\(OI\)', '/Owner' # Owner object
$accessRights = $accessRights -replace '\(CI\)', '/Container' # Container
$accessRights = $accessRights -replace '\(F\)', '/Full access' # Full access
$accessRights = $accessRights -replace '\(RX\)', '/Read and execute' # Read and execute
return $accessRights
}
# Получаем список общих сетевых папок на текущем компьютере
$networkFolders = Get-WmiObject -Class Win32_Share | Where-Object { $_.Path -ne $null -and $_.Type -eq 0 }
# Если есть открытые сетевые папки, записываем информацию в файл
if ($networkFolders) {
$outputData = @()
$outputData += "$ipAddress \ $computerName \ `"Number of open folders:`" $($networkFolders.Count)"
$outputData += "Path to folders:"
foreach ($folder in $networkFolders) {
$folderPath = $folder.Path
$outputData += "$folderPath"
# Получаем информацию о правах доступа и сам процесс для записи в файл
$accessRights = Get-AccessRights -path $folderPath
$outputData += $accessRights
}
$outputData | Out-File -FilePath $localFilePath -Encoding UTF8
} else {
# Если открытых сетевых папок нет, выводим сообщение об этом
"IP Address: $ipAddress `nComputer Name: $computerName `nNetwork folders not found." | Out-File -FilePath $localFilePath -Encoding UTF8
}
# Выводим сообщение об успешном выполнении задачи
Write-Host "Information gathered and saved to $localFilePath."
# Восстановить предыдущую настройку кодировки
[System.Threading.Thread]::CurrentThread.CurrentCulture = $prevCulture
'''
# Запись содержимого PowerShell скрипта во временный файл
with open(ps_script_path, 'w', encoding='utf-8') as f:
f.write(ps_script_content)
log_message(log_window, "PowerShell script created. Executing script...")
# Команда для выполнения скрипта PowerShell
ps_command = f'powershell.exe -ExecutionPolicy Bypass -File "{ps_script_path}"'
result = subprocess.run(ps_command, shell=True, capture_output=True, text=True)
if result.returncode == 0:
log_message(log_window, "PowerShell script executed successfully.")
log_message(log_window, result.stdout)
# Поиск случайного числа в выводе PowerShell
match = re.search(r'(\d+)', result.stdout)
if match:
random_number = int(match.group())
log_message(log_window, f"Random number generated by PowerShell: {random_number}")
# Проверяем, создался ли файл локально
log_message(log_window, "Checking local Temp folder for the created file...")
local_files = os.listdir(temp_dir)
found_file = None
for file_name in local_files:
if file_name.startswith(str(random_number)):
found_file = file_name
break
if found_file:
local_file_path = os.path.join(temp_dir, found_file)
log_message(log_window, f"File created locally: {local_file_path}")
# Копируем файл в сетевую папку
log_message(log_window, f"Copying file to network folder: {network_folder_path}")
shutil.copy(local_file_path, network_folder_path)
# Проверка файла в сетевой папке
log_message(log_window, "Searching for the file in the network folder...")
files_in_network_folder = os.listdir(network_folder_path)
network_found_file = None
for file_name in files_in_network_folder:
if file_name.startswith(str(random_number)):
network_found_file = file_name
break
if network_found_file:
full_file_path = os.path.join(network_folder_path, network_found_file)
log_message(log_window, f"Found file: {full_file_path}")
# Чтение файла и анализ содержимого
with open(full_file_path, 'r', encoding='utf-8') as output_file:
output_data = output_file.read()
# Лог содержимого файла для отладки
log_message(log_window, f"File content:\n{output_data}")
# Установка префикса в зависимости от содержимого файла
new_prefix = "Empty_" # По умолчанию "Empty_"
if "Number of open folders:" in output_data:
open_folders_count = int(re.search(r'\d+', output_data).group())
log_message(log_window, f"Open folders count: {open_folders_count}")
if open_folders_count > 0:
# Проверяем наличие прав, связанных с "Everyone", "Все" или "All"
if re.search(r'(Everyone|Все|All)([:/\\])', output_data):
new_prefix = "Нарушение_"
log_message(log_window, "Violation detected based on folder permissions.")
else:
new_prefix = "OpenShareFind_"
log_message(log_window, "Open folders found, but no violations.")
else:
log_message(log_window, "No open folders found, setting prefix to 'Empty_'.")
# Переименование файла
new_filename = f"{new_prefix}{network_found_file}"
new_file_path = os.path.join(network_folder_path, new_filename)
os.rename(full_file_path, new_file_path)
log_message(log_window, f"File renamed to: {new_file_path}")
# Выводим сообщение об успешном создании файла
show_success_message(network_folder_path, new_filename)
else:
raise Exception("File not found in the network folder.")
else:
raise Exception("File not found in local Temp folder.")
else:
raise Exception("Random number not found in PowerShell output.")
else:
raise Exception(f"Error executing PowerShell script: {result.stderr}")
except Exception as e:
show_error_message(str(e))
# Функция для запуска программы с интерфейсом
def run_gui():
root = tk.Tk()
root.title("Network File Creation Tool")
# Окно для вывода лога
log_window = scrolledtext.ScrolledText(root, wrap=tk.WORD, width=100, height=30)
log_window.pack(padx=10, pady=10)
# Запуск программы в отдельном потоке
root.after(100, lambda: main_program(log_window))
root.mainloop()
# Запуск программы
run_gui()This code is made specifically with debugging, so that you can immediately understand where an error occurs during connection or other errors.
The logic of this program:
Connecting to a network folder:
Trying to disconnect previous connections using command
net use /delete.Attempting to connect to a network folder using the specified credentials.
Creating a temporary PowerShell script:
Generate current date and time for file naming.
Creating a temporary directory
C:\Temp(if it does not exist).Write a PowerShell script to a temporary file.
Executing a PowerShell Script:
Checking and working with the file:
Finding a file created by a PowerShell script in a local folder
C:\Temp.Copying a file to a network folder.
Check file contents and rename file based on access rights analysis and presence of open folders.
Termination and error handling:
For this program to work, you also need:
Create an account with administrator rights, which will be embedded in this program (you also need to understand that for this account it is necessary to make restrictions on work, except for those that are performed during the operation of the program).
Create a folder on the server and share access to it for this account. You also need to grant read/write permissions for this folder.
Program code without debugging mechanisms:
import subprocess
import os
import datetime
import shutil
import re
import tkinter as tk
from tkinter import messagebox, scrolledtext
# Функция для обновления лога в текстовом окне
def log_message(log_window, message):
log_window.insert(tk.END, message + '\n')
log_window.see(tk.END)
log_window.update_idletasks()
# Функция для отображения окна с сообщением об ошибке
def show_error_message(error_message):
messagebox.showerror("Error", error_message)
# Функция для отображения окна с успешным сообщением
def show_success_message(file_path, file_name):
messagebox.showinfo("Success", f"File created successfully!\n\nFile name: {file_name}\nNetwork path: {file_path}")
# Основной код программы
#def main_program(log_window):
def main_program():
try:
# Путь к сетевой папке и учетные данные (замените на реальные данные в рабочей среде)
network_folder_path = r'\\DESKTOP-N391HHM\Users\warde\Desktop\test' # Замените на реальный сетевой путь
username="wardeathmor" # Замените на реальное имя пользователя домена
password = '1351' # Замените на реальный пароль
# Логирование подключения к сетевой папке
#log_message(log_window, "Attempting to disconnect old network connection...")
disconnect_command = f"net use {network_folder_path} /delete"
subprocess.run(disconnect_command, shell=True)
#log_message(log_window, "Attempting to connect to network folder...")
net_use_command = f"net use {network_folder_path} /user:{username} {password}"
result = subprocess.run(net_use_command, shell=True, capture_output=True, text=True, encoding='cp866')
if result.returncode == 0:
#log_message(log_window, f"Successfully connected to the network folder: {network_folder_path}")
pass
else:
error_message = result.stderr
raise Exception(f"Error connecting to the network folder: {error_message}")
# Генерация текущей даты и времени для именования файлов
current_datetime = datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-%S')
# Путь к временному скрипту PowerShell (используем C:\Temp для избежания ошибок доступа)
temp_dir = "C:\\Temp"
if not os.path.exists(temp_dir):
os.makedirs(temp_dir)
ps_script_path = os.path.join(temp_dir, 'temp_script.ps1')
# Логирование создания скрипта
#log_message(log_window, "Creating PowerShell script...")
# Содержимое скрипта PowerShell для сбора данных
ps_script_content = r'''
# Установка культуры на английский для корректной работы
$prevCulture = [System.Threading.Thread]::CurrentThread.CurrentCulture
[System.Threading.Thread]::CurrentThread.CurrentThread.CurrentCulture="en-US"
# получаем IP машины
$ipAddress = (Test-Connection -ComputerName $env:COMPUTERNAME -Count 1).IPV4Address.IPAddressToString
# получаем имя компьютера
$computerName = $env:COMPUTERNAME
# генерируем рандомное число
$randomNumber = Get-Random -Minimum 1 -Maximum 10000
# Создадим локальный файл в Temp
$localFolderPath = "C:\\Temp"
$fileName = "$($randomNumber)_$($ipAddress)_$($computerName)_$(Get-Date -Format 'yyyy-MM-dd_HH-mm-ss').txt"
$localFilePath = "$localFolderPath\$fileName"
# Отладочная информация
Write-Host "File will be created at $localFilePath"
# функция для получения прав доступа и замена на читабельные данные
function Get-AccessRights {
param($path)
$accessRights = & icacls $path | Out-String
$accessRights = $accessRights -replace '\(OI\)', '/Owner' # Owner object
$accessRights = $accessRights -replace '\(CI\)', '/Container' # Container
$accessRights = $accessRights -replace '\(F\)', '/Full access' # Full access
$accessRights = $accessRights -replace '\(RX\)', '/Read and execute' # Read and execute
return $accessRights
}
# Получаем список общих сетевых папок на текущем компьютере
$networkFolders = Get-WmiObject -Class Win32_Share | Where-Object { $_.Path -ne $null -and $_.Type -eq 0 }
# Если есть открытые сетевые папки, записываем информацию в файл
if ($networkFolders) {
$outputData = @()
$outputData += "$ipAddress \ $computerName \ `"Number of open folders:`" $($networkFolders.Count)"
$outputData += "Path to folders:"
foreach ($folder in $networkFolders) {
$folderPath = $folder.Path
$outputData += "$folderPath"
# Получаем информацию о правах доступа и сам процесс для записи в файл
$accessRights = Get-AccessRights -path $folderPath
$outputData += $accessRights
}
$outputData | Out-File -FilePath $localFilePath -Encoding UTF8
} else {
# Если открытых сетевых папок нет, выводим сообщение об этом
"IP Address: $ipAddress `nComputer Name: $computerName `nNetwork folders not found." | Out-File -FilePath $localFilePath -Encoding UTF8
}
# Выводим сообщение об успешном выполнении задачи
Write-Host "Information gathered and saved to $localFilePath."
# Восстановить предыдущую настройку кодировки
[System.Threading.Thread]::CurrentThread.CurrentCulture = $prevCulture
'''
# Запись содержимого PowerShell скрипта во временный файл
with open(ps_script_path, 'w', encoding='utf-8') as f:
f.write(ps_script_content)
#log_message(log_window, "PowerShell script created. Executing script...")
# Команда для выполнения скрипта PowerShell
ps_command = f'powershell.exe -ExecutionPolicy Bypass -File "{ps_script_path}"'
result = subprocess.run(ps_command, shell=True, capture_output=True, text=True)
if result.returncode == 0:
#log_message(log_window, "PowerShell script executed successfully.")
#log_message(log_window, result.stdout)
# Поиск случайного числа в выводе PowerShell
match = re.search(r'(\d+)', result.stdout)
if match:
random_number = int(match.group())
#log_message(log_window, f"Random number generated by PowerShell: {random_number}")
# Проверяем, создался ли файл локально
#log_message(log_window, "Checking local Temp folder for the created file...")
local_files = os.listdir(temp_dir)
found_file = None
for file_name in local_files:
if file_name.startswith(str(random_number)):
found_file = file_name
break
if found_file:
local_file_path = os.path.join(temp_dir, found_file)
#log_message(log_window, f"File created locally: {local_file_path}")
# Копируем файл в сетевую папку
#log_message(log_window, f"Copying file to network folder: {network_folder_path}")
shutil.copy(local_file_path, network_folder_path)
# Проверка файла в сетевой папке
#log_message(log_window, "Searching for the file in the network folder...")
files_in_network_folder = os.listdir(network_folder_path)
network_found_file = None
for file_name in files_in_network_folder:
if file_name.startswith(str(random_number)):
network_found_file = file_name
break
if network_found_file:
full_file_path = os.path.join(network_folder_path, network_found_file)
#log_message(log_window, f"Found file: {full_file_path}")
# Чтение файла и анализ содержимого
with open(full_file_path, 'r', encoding='utf-8') as output_file:
output_data = output_file.read()
# Лог содержимого файла для отладки
#log_message(log_window, f"File content:\n{output_data}")
# Установка префикса в зависимости от содержимого файла
new_prefix = "Empty_" # По умолчанию "Empty_"
if "Number of open folders:" in output_data:
open_folders_count = int(re.search(r'\d+', output_data).group())
#log_message(log_window, f"Open folders count: {open_folders_count}")
if open_folders_count > 0:
# Проверяем наличие прав, связанных с "Everyone", "Все" или "All"
if re.search(r'(Everyone|Все|All)([:/\\])', output_data):
new_prefix = "Нарушение_"
#log_message(log_window, "Violation detected based on folder permissions.")
else:
new_prefix = "OpenShareFind_"
#log_message(log_window, "Open folders found, but no violations.")
else:
#log_message(log_window, "No open folders found, setting prefix to 'Empty_'.")
pass
# Переименование файла
new_filename = f"{new_prefix}{network_found_file}"
new_file_path = os.path.join(network_folder_path, new_filename)
os.rename(full_file_path, new_file_path)
#log_message(log_window, f"File renamed to: {new_file_path}")
# Выводим сообщение об успешном создании файла
#show_success_message(network_folder_path, new_filename)
else:
raise Exception("File not found in the network folder.")
else:
raise Exception("File not found in local Temp folder.")
else:
raise Exception("Random number not found in PowerShell output.")
else:
raise Exception(f"Error executing PowerShell script: {result.stderr}")
except Exception as e:
show_error_message(str(e))
# Функция для запуска программы с интерфейсом
#def run_gui():
#root = tk.Tk()
#root.title("Network File Creation Tool")
# Окно для вывода лога
#log_window = scrolledtext.ScrolledText(root, wrap=tk.WORD, width=100, height=30)
#log_window.pack(padx=10, pady=10)
# Запуск программы в отдельном потоке
#root.after(100, lambda: main_program(log_window))
#root.after(100, lambda: main_program())
#root.mainloop()
# Запуск программы
#run_gui()
main_program()The logic of additional complication
Why look through each file with information when you don't have to? That's why I implemented a mechanism for renaming files depending on their content. This is all regulated in this block and you can edit it if you want:
# Установка префикса в зависимости от содержимого файла
new_prefix = "Empty_" # По умолчанию "Empty_"
if "Number of open folders:" in output_data:
open_folders_count = int(re.search(r'\d+', output_data).group())
#log_message(log_window, f"Open folders count: {open_folders_count}")
if open_folders_count > 0:
# Проверяем наличие прав, связанных с "Everyone", "Все" или "All"
if re.search(r'(Everyone|Все|All)([:/\\])', output_data):
new_prefix = "Нарушение_"
#log_message(log_window, "Violation detected based on folder permissions.")
else:
new_prefix = "OpenShareFind_"
#log_message(log_window, "Open folders found, but no violations.")In this case, there are three options: Violation, open share found and empty. Violation is set if an open share is found and there is access for everyone.
On the question of why a random number is generated: For the file renaming function, the program must find the file to work with, so this mechanism is like an identifier for further work.
For direct remote launch, you can use both the built-in tools in AD and Kaspersky Endpoint Security.
Conclusion
This program allows you to centrally collect data on open network resources in a company. Yes, there are programs that are much better, much more functional, but in this case I wanted to try to do something similar with a different approach, to make a centralized collection of information, instead of sitting and scanning a pool of IP addresses and waiting.
I hope someone will find these developments useful in their work.
