Most organizations make files available on the internal network for users to access. This is typically done through the use of network shares, which are directories that can be accessed by using a network sharing protocol. These network shares might hold sensitive files or information that is otherwise useful to the pen test.
On most networks, shares can be enumerated on either Microsoft or Linux/Unix (*nix) hosts. The following table compares the two.
| Microsoft Hosts | *nix Hosts |
| --- | --- |
| Microsoft File and Print service | Network File System (NFS) daemon |
| Server Message Block (SMB) protocol | NFS protocol |
| TCP 139 or 445 | TCP and UDP 2049 |
| Can support NFS with optional Server for NFS install | Can support SMB with optional Samba service install |
| Command to display all file servers on a network is net view | |
| Command to display shares on a particular server is net view \\<server> | Command to display shares is showmount -e <target IP> |
| Command to connect to a particular share is net use \\server\share /u:<username> <password> | Command to connect to a particular share is mount -t nfs <target IP>:/share/subdirectory /local_directory |
In the following example, showmount is used to discover that 192.168.74.20 is actually sharing its root directory. The mount command is then used to connect that share to a local directory named /root/target_root_share. The cd command navigates into the newly mounted share, and the ls command displays all files and directories in the target's root drive.

Note: To use the showmount command in Kali Linux, install nfs-common with the command apt-get install nfs-common.
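
The same showmount -e output can be checked from the defender's side. The following is an added example, not part of the original page: it reads an export list and flags exports of the root directory and exports open to any client. The function names, severity labels and sample export list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky NFS exports in `showmount -e` output.
# Reads the export list on stdin and prints one finding per risky export.
# Severity labels are this example's own, not an NFS or showmount convention.
audit_exports() {
    awk '
        /^Export list for/ { next }   # skip the header line
        NF == 0            { next }   # skip blank lines
        {
            path = $1
            # A missing client column is treated as "any client".
            clients = (NF > 1) ? $2 : "(everyone)"
            world = (clients == "*" || clients == "(everyone)")
            if (path == "/" && world)
                print "CRITICAL " path " root filesystem exported to any client"
            else if (path == "/")
                print "HIGH " path " root filesystem exported to " clients
            else if (world)
                print "MEDIUM " path " exported to any client"
        }
    '
}

# Constructed sample output (not captured from a real host).
sample_exports() {
    cat <<'EOF'
Export list for 192.168.74.20:
/             *
/srv/projects 192.168.74.0/24
/home         (everyone)
EOF
}

# Against a live server: showmount -e <target IP> | audit_exports
sample_exports | audit_exports
```

Exports restricted to a named subnet or host produce no finding, so an empty result means neither of the two conditions above was present in the list.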