PowerHuntShares by NetSPI

PowerShell tool for Active Directory SMB share auditing

Created 3 years ago
881 stars

Top 40.9% on SourcePulse

Project Summary

PowerHuntShares is a PowerShell auditing script designed for cybersecurity professionals and penetration testers to identify, analyze, and report on excessive privileges associated with SMB shares in Active Directory environments. It automates the discovery of accessible systems, enumerates SMB share ACLs, and analyzes them for excessive permissions, providing detailed HTML and CSV reports.

How It Works

The tool leverages PowerShell to interact with Active Directory and SMB shares. It begins by discovering domain-joined computers, filtering them based on network accessibility (ping and open SMB port 445). For each accessible system, it enumerates SMB shares and their Access Control Lists (ACLs). The script then analyzes these ACLs to identify "excessive privileges," defined by explicit ACEs for groups like "Everyone," "Authenticated Users," "Domain Users," and "Domain Computers," as well as "high risk" shares like wwwroot or admin$.
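The ACE check described above, written out as a small PowerShell function. This is an added example, not code from PowerHuntShares; it reads the NTFS ACL of a share root with Get-Acl (the tool itself also pulls share-level permissions), and the share paths in the usage comment are constructed placeholders.

```powershell
# Added example (not part of PowerHuntShares): flag share ACEs that match the
# "excessive privilege" definition (Everyone, Authenticated Users, Domain Users,
# Domain Computers) and mark high-risk share names. Assumes the caller can read
# the ACL of the share root; share paths in the usage block are constructed.
$ExcessiveIdentities = @('Everyone', 'Authenticated Users',
                         'Domain Users', 'Domain Computers')
$HighRiskShareNames  = @('wwwroot', 'admin$')

function Test-ExcessiveShareAcl {
    param(
        [Parameter(Mandatory)][string]$SharePath   # e.g. \\SERVER\share
    )
    $shareName = Split-Path -Path $SharePath -Leaf
    # NTFS ACL of the share root (share-level permissions are a separate ACL)
    $acl = Get-Acl -Path $SharePath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # Match on the trailing name so "DOMAIN\Domain Users" and
        # "NT AUTHORITY\Authenticated Users" are both caught
        $isExcessive = $ExcessiveIdentities | Where-Object { $id -like "*$_" }
        if ($ace.AccessControlType -eq 'Allow' -and $isExcessive) {
            [pscustomobject]@{
                SharePath = $SharePath
                ShareName = $shareName
                Identity  = $id
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
                HighRisk  = $HighRiskShareNames -contains $shareName
            }
        }
    }
}

# Usage (constructed share paths): produce a CSV in the spirit of the tool's report
# @('\\FS01\public', '\\WEB01\wwwroot') |
#     ForEach-Object { Test-ExcessiveShareAcl -SharePath $_ } |
#     Export-Csv -Path .\excessive-share-aces.csv -NoTypeInformation
```

Rows with Inherited set to $false are the explicit ACEs the tool reports on; inherited rows usually trace back to a parent folder's ACL rather than the share itself.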

Quick Start & Requirements

  • Install/Run: Load the PowerHuntShares.psm1 module into your PowerShell session using Import-Module or IEX (New-Object System.Net.WebClient).DownloadString(...).
  • Prerequisites: PowerShell, an Active Directory domain environment. Commands should be run as an unprivileged domain user.
  • Setup Time: Can take hours to run in large environments.
  • Resources: Official v2 Blog: https://www.netspi.com/blog/technical-blog/network-pentesting/powerhuntshares-2-0-release/

Highlighted Details

  • Automates discovery of domain computers and filters for SMB accessibility.
  • Identifies shares with explicit ACEs for common privileged groups.
  • Generates comprehensive HTML and CSV reports detailing findings.
  • Includes bonus scripts for share fingerprinting and password parsing.
  • Supports authentication via current context, credentials, or clear text.

Maintenance & Community

The project is maintained by NetSPI. Key contributors include Scott Sutherland (@_nullbind). The project utilizes open-source code from PowerSploit and Invoke-Parallel.

Licensing & Compatibility

  • License: BSD 3-Clause.
  • Compatibility: Suitable for commercial use and integration with closed-source security assessments.

Limitations & Caveats

  • Some ACLs for BUILTIN\Users may incorrectly appear as LocalSystem and be excluded from excessive privilege exports.
  • Defender evasion and password extraction logic require updates.
  • Certain default exclusions (e.g., print$, sysvol) may need configuration adjustments for specific environments.

Health Check

  • Last Commit: 4 months ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 1
  • Star History: 30 stars in the last 30 days
