In addition to built-in commands, you can use rpcclient, Metasploit, Sysinternals ShareEnum, and other tools to scan for and enumerate network shares.
Here are some examples of enumerating network shares using rpcclient:
- netshareenum
- netshareenumall (This command might return more network shares than the previous command.)
- netsharegetinfo (Supply the share name and the info level to learn more about the share, like associated permissions and SIDs.)
Here are some examples of enumerating network shares using Metasploit:
- auxiliary/scanner/smb/smb_enumshares
- auxiliary/scanner/smb/smb_enumusers (This module attempts to use the SMB service to enumerate user accounts.)
ShareEnum is a GUI tool that can scan a domain, workgroup, or IP address range for shares. If you are not in a domain, you may have to supply credentials to view the shares of each discovered device. Hidden shares have names that end in $.
Note: ShareEnum can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/shareenum