Share enumeration maps what SMB exposes and what the current identity can do. We care about readable shares, writable shares, administrative shares, SYSVOL, NETLOGON, and any department share that may contain credentials or operational scripts.
NetExec
nxc smb 10.10.10.200 -u student -p 'student' --shares
nxc smb 10.10.10.0/24 -u student -p 'student' --shares
nxc smb 10.10.10.200 -u student -p 'student' --sessions
nxc smb 10.10.10.200 -u student -p 'student' --loggedon-users
smbclient
smbclient -L //10.10.10.200 -U 'ootw.local\student%student'
smbclient //10.10.10.200/SYSVOL -U 'ootw.local\student%student' -c "ls"
smbclient //10.10.10.200/NETLOGON -U 'ootw.local\student%student' -c "ls"
smbmap
smbmap -H 10.10.10.200 -d ootw.local -u student -p 'student'
smbmap -H 10.10.10.200 -d ootw.local -u student -p 'student' -r
smbmap -H 10.10.10.200 -d ootw.local -u student -p 'student' -R SYSVOL --dir-only
Windows
net view \\dc01.ootw.local /all
net view \\10.10.10.200 /all
dir \\dc01.ootw.local\SYSVOL
dir \\dc01.ootw.local\NETLOGON
PowerShell
Get-SmbConnection
Get-SmbShare
Get-SmbShareAccess -Name SYSVOL
Permission interpretation
READ Browse and download files.
WRITE Upload, overwrite, or delete depending on NTFS ACL.
NO ACCESS Share exists but current identity cannot open it.
ADMIN$ Local admin indicator if accessible.
C$ Local admin indicator if accessible.
IPC$ RPC and named pipe access, not normal file browsing.
Notes
- Share permissions and NTFS permissions both matter.
- A share can look writable but still fail at the filesystem layer, or it can be broadly shared but restricted by NTFS ACLs.