
Thread: Identifying network shares

  1. #1
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default Identifying network shares

    I wanted to get feedback on methods to identify network shares. I'm performing a pen-test for a health care organization. One of their main concerns is open shares with PHI. I've been using the following tools to identify Windows shares:
    Shareenum
    Legion

    Shareenum uses administrative credentials to scan Active Directory for open shares. Legion scans IP addresses, and requires no creds. However, I need a comprehensive account of all their shares, with NTFS permissions too. Any suggestions?

    On the *nix side, I've been running port scans for NFS (2049) and then created a script to showmount -e %i. I then parse through the results looking for "everyone". Any other approaches you can recommend? Thanks

    For FTP, I port scan for port 21. Then, I put the IP list through nsat with the option to locate "anonymous".

    Any help is appreciated!

    William
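
An added example, not part of the original thread or any poster's script: one way to do the NFS parsing step described in post #1 so that it catches both forms of an unrestricted export. It assumes the usual `showmount -e` layout of a path followed by a client list; the function names, sample addresses and `nfs_hosts.txt` are hypothetical.

```shell
#!/bin/sh
# Added example: flag NFS exports open to any client in `showmount -e` output.
# Assumption: each export line is "path  client[,client...]", and an
# unrestricted export shows "(everyone)" or "*" in its client list.

# flag_open_exports HOST -- reads one host's `showmount -e` output on stdin
# and prints "HOST:PATH" for each export that any client may mount.
flag_open_exports() {
    awk -v host="$1" '
        /^Export list for / { next }      # skip the header line
        NF < 2 { next }                   # skip blank or malformed lines
        {
            clients = $NF                 # last field is the client list
            path = $0
            # strip the client list, keeping the path (which may hold spaces)
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", path)
            n = split(clients, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] == "(everyone)" || c[i] == "*") {
                    print host ":" path
                    break
                }
        }'
}

# Constructed sample output (not captured from a real server).
sample_output() {
    cat <<'EOF'
Export list for 192.0.2.10:
/srv/records   (everyone)
/home          192.0.2.0/24
/export/scans  *,192.0.2.15
/backup        backup01.example.test
EOF
}

# Use over an in-scope host list (hypothetical file, one address per line):
#   while read -r h; do showmount -e "$h" 2>/dev/null | flag_open_exports "$h"; done < nfs_hosts.txt
sample_output | flag_open_exports 192.0.2.10
```

Searching only for the string "everyone" misses exports whose client list is the wildcard `*`, which is why the function checks both.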

  2. #2
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Default

    Hope this will help. It's the Windows Server 2003 Access-based enumeration tool. From what I've read it will identify shares and grab permissions as well across a domain.

    Download details: Windows Server 2003 Access-based Enumeration

  3. #3
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote: Originally Posted by williamc
    I wanted to get feedback on methods to identify network shares. I'm performing a pen-test for a health care organization. One of their main concerns is open shares with PHI. I've been using the following tools to identify Windows shares:
    Shareenum
    Legion

    Shareenum uses administrative credentials to scan Active Directory for open shares. Legion scans IP addresses, and requires no creds. However, I need a comprehensive account of all their shares, with NTFS permissions too. Any suggestions?

    On the *nix side, I've been running port scans for NFS (2049) and then created a script to showmount -e %i. I then parse through the results looking for "everyone". Any other approaches you can recommend? Thanks

    For FTP, I port scan for port 21. Then, I put the IP list through nsat with the option to locate "anonymous".

    Any help is appreciated!

    William

    Windows file sharing uses ports 445, 135, 138, 139.

    I like the Xsharez application. It will find all the PCs with shares, but will report as "error" those that are closed to access other than 'everyone'. For those that do allow access to everyone, it will report the shared drive names. You can also use different credentials if you have them.

    Finally, it also exports to CSV and HTML, so it's easy to integrate it into the client report. You can download the v3 demo on Tucows, to see if it does what you want and need.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    Junior Member g1ic7h's Avatar
    Join Date
    Jul 2007
    Posts
    73

    Default

    Hope this will help. No install needed, works well... it's win based, but so are the other tools mentioned.
    I prefer it to ShareEnum.


    SoftPerfect Network Scanner: fast and free network scanner

    * Pings computers.
    * Does not require administrative privileges.
    * Detects hardware (MAC) addresses even across routers.
    * Detects hidden shared folders (normally invisible on the network) and write accessible shares.
    * Detects your internal and external IP addresses.
    * Scans for listening TCP ports and SNMP services.
    * Retrieves currently logged-on users.
    * You can mount and explore network resources.
    * Can launch external third party applications.
    * Exports results to HTML, XML, CSV and TXT
    * Supports Wake-On-LAN, remote shutdown and sending network messages.
    * Retrieves potentially any information via WMI.
    * Retrieves information from remote registry.
    * It is absolutely free, requires no installation, and does not contain any adware/spyware/malware.
    "A teacher is never a giver of truth; he is a guide, a pointer to the truth that the student must discover for himself." - Bruce Lee

  5. #5
    Good friend of the forums williamc's Avatar
    Join Date
    Feb 2010
    Location
    Chico CA
    Posts
    285

    Default

    Thanks for the recommendations! I'll try and use all of them to see which is the most comprehensive tool.
