Enumerate Shares with User Account

SMBMap

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

smbmap -u elena.lopez -p princesa1 -H 192.168.56.10

CrackMapExec

Enumerate the share another time but with a user account.


crackmapexec smb 192.168.56.10-23 -u elena.lopez -p princesa1 -d north.newyork.local --shares

SMB         192.168.56.23   445    SALISBURY        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SALISBURY) (domain:north.newyork.local) (signing:False) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:north.newyork.local) (signing:True) (SMBv1:True)
SMB         192.168.56.10   445    NYC              [*] Windows 10.0 Build 17763 x64 (name:NYC) (domain:north.newyork.local) (signing:True) (SMBv1:False)
SMB         192.168.56.22   445    YONKERS          [*] Windows 10.0 Build 17763 x64 (name:YONKERS) (domain:north.newyork.local) (signing:False) (SMBv1:False)
SMB         192.168.56.11   445    BRONX            [*] Windows 10.0 Build 17763 x64 (name:BRONX) (domain:north.newyork.local) (signing:True) (SMBv1:False)
SMB         192.168.56.23   445    SALISBURY        [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.12   445    BALTIMORE        [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.10   445    NYC              [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.22   445    YONKERS          [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.12   445    BALTIMORE        [+] Enumerated shares
SMB         192.168.56.12   445    BALTIMORE        Share           Permissions     Remark
SMB         192.168.56.12   445    BALTIMORE        -----           -----------     ------
SMB         192.168.56.12   445    BALTIMORE        ADMIN$                          Remote Admin
SMB         192.168.56.12   445    BALTIMORE        C$                              Default share
SMB         192.168.56.12   445    BALTIMORE        IPC$                            Remote IPC
SMB         192.168.56.12   445    BALTIMORE        NETLOGON        READ            Logon server share 
SMB         192.168.56.12   445    BALTIMORE        SYSVOL          READ            Logon server share 
SMB         192.168.56.23   445    SALISBURY        [+] Enumerated shares
SMB         192.168.56.23   445    SALISBURY        Share           Permissions     Remark
SMB         192.168.56.23   445    SALISBURY        -----           -----------     ------
SMB         192.168.56.23   445    SALISBURY        ADMIN$                          Remote Admin
SMB         192.168.56.23   445    SALISBURY        all             READ,WRITE      Basic RW share for all
SMB         192.168.56.23   445    SALISBURY        C$                              Default share
SMB         192.168.56.23   445    SALISBURY        CertEnroll      READ            Active Directory Certificate Services share
SMB         192.168.56.23   445    SALISBURY        IPC$                            Remote IPC
SMB         192.168.56.23   445    SALISBURY        public          READ,WRITE      Basic Read share for all domain users
SMB         192.168.56.11   445    BRONX            [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.10   445    NYC              [+] Enumerated shares
SMB         192.168.56.10   445    NYC              Share           Permissions     Remark
SMB         192.168.56.10   445    NYC              -----           -----------     ------
SMB         192.168.56.10   445    NYC              ADMIN$                          Remote Admin
SMB         192.168.56.10   445    NYC              C$                              Default share
SMB         192.168.56.10   445    NYC              CertEnroll      READ            Active Directory Certificate Services share
SMB         192.168.56.10   445    NYC              IPC$            READ            Remote IPC
SMB         192.168.56.10   445    NYC              NETLOGON        READ            Logon server share 
SMB         192.168.56.10   445    NYC              SYSVOL          READ            Logon server share 
SMB         192.168.56.10   445    NYC              Users           READ            
SMB         192.168.56.22   445    YONKERS          [+] Enumerated shares
SMB         192.168.56.22   445    YONKERS          Share           Permissions     Remark
SMB         192.168.56.22   445    YONKERS          -----           -----------     ------
SMB         192.168.56.22   445    YONKERS          ADMIN$                          Remote Admin
SMB         192.168.56.22   445    YONKERS          all             READ,WRITE      Basic RW share for all
SMB         192.168.56.22   445    YONKERS          C$                              Default share
SMB         192.168.56.22   445    YONKERS          IPC$            READ            Remote IPC
SMB         192.168.56.22   445    YONKERS          public          READ            Basic Read share for all domain users
SMB         192.168.56.11   445    BRONX            [+] Enumerated shares
SMB         192.168.56.11   445    BRONX            Share           Permissions     Remark
SMB         192.168.56.11   445    BRONX            -----           -----------     ------
SMB         192.168.56.11   445    BRONX            ADMIN$                          Remote Admin
SMB         192.168.56.11   445    BRONX            C$                              Default share
SMB         192.168.56.11   445    BRONX            IPC$            READ            Remote IPC
SMB         192.168.56.11   445    BRONX            NETLOGON        READ            Logon server share 
SMB         192.168.56.11   445    BRONX            SYSVOL          READ            Logon server share

PreviousInvoke-PortscanNextExploiting with Users

Last updated