Most organizations make files available on the internal network for users to access. This is typically done through the use of network shares, which are directories that can be accessed by using a network sharing protocol. These network shares might hold sensitive files or information that is otherwise useful to the pen test.
On most networks, shares can be enumerated on either Microsoft or Linux/Unix (*nix) hosts. The following table compares the two.
Microsoft Hosts |
*nix Hosts |
Microsoft File and Print service |
Network File System (NFS) daemon |
Server Message Block (SMB) protocol |
NFS protocol |
TCP 139 or 445 |
TCP and UDP 2049 |
Can support NFS with optional Server for NFS install |
Can support SMB with optional Samba service install |
Command to display all file servers on a network is net view | |
Command to display shares on a particular server is net view \\<server> |
Command to display shares is showmount -e <target IP> |
Command to connect to a particular share is net use \\server\share /u:<username> <password> |
Command to connect to a particular share is mount -t nfs <target IP>:/share/subdirectory /local_directory |
In the following example, showmount is used to discover that 192.168.74.20 is actually sharing its root directory. The mount command is then used to connect that share to a local directory named /root/target_root_share. The cd command navigates into the newly mounted share, and the ls command displays all files and directories in the target’s root drive.
Note: To use the showmount command in Kali Linux, install nfs-common with the command apt-get install nfs-common.
Network Share Enumeration Options
In addition to built-in commands, you can use rpcclient, Metasploit, Sysinternals ShareEnum, and other tools to scan for and enumerate network shares.
Here are some examples of enumerating network shares using rpcclient:
- netshareenum
- netshareenumall (This command might return more network shares than the previous command.)
- netsharegetinfo (Supply the share name and the info level to learn more about the share, like associated permissions and SIDs.)
Here are some examples of enumerating network shares using Metasploit:
- auxiliary/scanner/smb/smb_enumshares
- auxiliary/scanner/smb/smb_enumusers (This module attempts to use the SMB service to enumerate user accounts.)
ShareEnum is a GUI tool that can scan a domain, workgroup, or IP address range for shares. If you are not in a domain, you may have to supply credentials to view the shares of each discovered device. Hidden shares have names that end in $.
Note: ShareEnum can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/shareenum
Null Sessions
Prior to Windows Server 2003, Microsoft hosts automatically supported a type of connection called the null session. This allowed any client to make an unauthenticated connection to the IPC$ (inter-process communication) share on the host. From there, it was possible to enumerate information via the SMB protocol. Older Unix and Linux hosts with the Samba service installed also permit null sessions. The syntax for connecting via a null session is: net use \\<server-name-or-IP\ipc$ /u:”” “”.
The following example uses a null session to connect to a Linux Samba server, and then uses the net view command to see the SMB shares.
Note: Most modern systems, both Windows and *nix, are configured to disallow null sessions. You might, however, find the occasional older machine that still permits their creation. It is also possible to enable null sessions in the host’s security policy.
Thank you for sharing excellent informations. Your web-site is very cool. I’m impressed by the details that you?¦ve on this web site. It reveals how nicely you perceive this subject. Bookmarked this web page, will come back for extra articles. You, my friend, ROCK! I found just the info I already searched all over the place and simply could not come across. What an ideal site.
Thank you so much for the kind words!! It is great to hear that someone is getting use out of these notes.
Best of luck to you! ۜ(òÓ,)_\,,/
you are truly a excellent webmaster. The site loading pace is amazing. It sort of feels that you are doing any unique trick. Also, The contents are masterpiece. you have done a excellent job on this topic!
Magnificent web site. A lot of useful information here. I am sending it to some buddies ans additionally sharing in delicious. And certainly, thanks in your effort!